35 #include "../suricata-common.h" 36 #include "../suricata.h" 37 #include "../decode.h" 75 static int DetectHttpClientBodyParserTest01(
void)
78 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; nocase; http_client_body; sid:1;)",
true));
79 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; endswith; http_client_body; sid:1;)",
true));
80 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; http_client_body; sid:1;)",
true));
81 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; endswith; http_client_body; sid:1;)",
true));
83 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; rawbytes; http_client_body; sid:1;)",
false));
92 static int DetectHttpClientBodyParserTest02(
void)
95 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; nocase; sid:1;)",
true));
96 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; endswith; sid:1;)",
true));
97 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; sid:1;)",
true));
98 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; endswith; sid:1;)",
true));
101 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; rawbytes; sid:1;)",
false));
114 static int RunTest (
struct TestSteps *steps,
const char *sig,
const char *yaml)
123 memset(&th_v, 0,
sizeof(th_v));
124 memset(&f, 0,
sizeof(f));
125 memset(&ssn, 0,
sizeof(ssn));
144 f.
proto = IPPROTO_TCP;
158 while (b->
input != NULL) {
197 static int DetectEngineHttpClientBodyTest01(
void)
200 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 201 "Host: www.openinfosecfoundation.org\r\n" 202 "Content-Type: text/html\r\n" 203 "Content-Length: 46\r\n" 205 "This is dummy body1",
207 { (
const uint8_t *)
"This is dummy message body2",
212 const char *sig =
"alert http any any -> any any (content:\"body1This\"; http_client_body; sid:1;)";
213 return RunTest(steps, sig, NULL);
216 static int DetectEngineHttpClientBodyTest02(
void)
219 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 220 "Host: www.openinfosecfoundation.org\r\n" 221 "Content-Type: text/html\r\n" 222 "Content-Length: 19\r\n" 224 "This is dummy body1",
229 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; offset:5; sid:1;)";
230 return RunTest(steps, sig, NULL);
233 static int DetectEngineHttpClientBodyTest03(
void)
236 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 237 "Host: www.openinfosecfoundation.org\r\n" 238 "Content-Type: text/html\r\n" 239 "Content-Length: 46\r\n" 241 "This is dummy body1",
243 { (
const uint8_t *)
"This is dummy message body2",
248 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; offset:16; sid:1;)";
249 return RunTest(steps, sig, NULL);
252 static int DetectEngineHttpClientBodyTest04(
void)
255 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 256 "Host: www.openinfosecfoundation.org\r\n" 257 "Content-Type: text/html\r\n" 258 "Content-Length: 46\r\n" 260 "This is dummy body1",
262 { (
const uint8_t *)
"This is dummy message body2",
267 const char *sig =
"alert http any any -> any any (content:!\"body1\"; http_client_body; offset:16; sid:1;)";
268 return RunTest(steps, sig, NULL);
271 static int DetectEngineHttpClientBodyTest05(
void)
274 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 275 "Host: www.openinfosecfoundation.org\r\n" 276 "Content-Type: text/html\r\n" 277 "Content-Length: 46\r\n" 279 "This is dummy body1",
281 { (
const uint8_t *)
"This is dummy message body2",
286 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; depth:25; sid:1;)";
287 return RunTest(steps, sig, NULL);
290 static int DetectEngineHttpClientBodyTest06(
void)
293 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 294 "Host: www.openinfosecfoundation.org\r\n" 295 "Content-Type: text/html\r\n" 296 "Content-Length: 46\r\n" 298 "This is dummy body1",
300 { (
const uint8_t *)
"This is dummy message body2",
305 const char *sig =
"alert http any any -> any any (content:!\"body1\"; http_client_body; depth:25; sid:1;)";
306 return RunTest(steps, sig, NULL);
309 static int DetectEngineHttpClientBodyTest07(
void)
312 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 313 "Host: www.openinfosecfoundation.org\r\n" 314 "Content-Type: text/html\r\n" 315 "Content-Length: 46\r\n" 317 "This is dummy body1",
319 { (
const uint8_t *)
"This is dummy message body2",
324 const char *sig =
"alert http any any -> any any (content:!\"body1\"; http_client_body; depth:15; sid:1;)";
325 return RunTest(steps, sig, NULL);
328 static int DetectEngineHttpClientBodyTest08(
void)
331 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 332 "Host: www.openinfosecfoundation.org\r\n" 333 "Content-Type: text/html\r\n" 334 "Content-Length: 46\r\n" 336 "This is dummy body1",
338 { (
const uint8_t *)
"This is dummy message body2",
343 const char *sig =
"alert http any any -> any any (content:\"This is dummy body1This is dummy message body2\"; http_client_body; sid:1;)";
344 return RunTest(steps, sig, NULL);
347 static int DetectEngineHttpClientBodyTest09(
void)
350 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 351 "Host: www.openinfosecfoundation.org\r\n" 352 "Content-Type: text/html\r\n" 353 "Content-Length: 46\r\n" 355 "This is dummy body1",
357 { (
const uint8_t *)
"This is dummy message body2",
362 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"This\"; http_client_body; within:5; sid:1;)";
363 return RunTest(steps, sig, NULL);
366 static int DetectEngineHttpClientBodyTest10(
void)
369 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 370 "Host: www.openinfosecfoundation.org\r\n" 371 "Content-Type: text/html\r\n" 372 "Content-Length: 46\r\n" 374 "This is dummy body1",
376 { (
const uint8_t *)
"This is dummy message body2",
381 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"boom\"; http_client_body; within:5; sid:1;)";
382 return RunTest(steps, sig, NULL);
385 static int DetectEngineHttpClientBodyTest11(
void)
388 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 389 "Host: www.openinfosecfoundation.org\r\n" 390 "Content-Type: text/html\r\n" 391 "Content-Length: 46\r\n" 393 "This is dummy body1",
395 { (
const uint8_t *)
"This is dummy message body2",
400 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"boom\"; http_client_body; within:5; sid:1;)";
401 return RunTest(steps, sig, NULL);
404 static int DetectEngineHttpClientBodyTest12(
void)
407 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 408 "Host: www.openinfosecfoundation.org\r\n" 409 "Content-Type: text/html\r\n" 410 "Content-Length: 46\r\n" 412 "This is dummy body1",
414 { (
const uint8_t *)
"This is dummy message body2",
419 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"This\"; http_client_body; within:5; sid:1;)";
420 return RunTest(steps, sig, NULL);
423 static int DetectEngineHttpClientBodyTest13(
void)
426 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 427 "Host: www.openinfosecfoundation.org\r\n" 428 "Content-Type: text/html\r\n" 429 "Content-Length: 46\r\n" 431 "This is dummy body1",
433 { (
const uint8_t *)
"This is dummy message body2",
438 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"dummy\"; http_client_body; distance:5; sid:1;)";
439 return RunTest(steps, sig, NULL);
442 static int DetectEngineHttpClientBodyTest14(
void)
445 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 446 "Host: www.openinfosecfoundation.org\r\n" 447 "Content-Type: text/html\r\n" 448 "Content-Length: 46\r\n" 450 "This is dummy body1",
452 { (
const uint8_t *)
"This is dummy message body2",
457 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"dummy\"; http_client_body; distance:10; sid:1;)";
458 return RunTest(steps, sig, NULL);
461 static int DetectEngineHttpClientBodyTest15(
void)
464 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 465 "Host: www.openinfosecfoundation.org\r\n" 466 "Content-Type: text/html\r\n" 467 "Content-Length: 46\r\n" 469 "This is dummy body1",
471 { (
const uint8_t *)
"This is dummy message body2",
476 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"dummy\"; http_client_body; distance:10; sid:1;)";
477 return RunTest(steps, sig, NULL);
480 static int DetectEngineHttpClientBodyTest16(
void)
483 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 484 "Host: www.openinfosecfoundation.org\r\n" 485 "Content-Type: text/html\r\n" 486 "Content-Length: 46\r\n" 488 "This is dummy body1",
490 { (
const uint8_t *)
"This is dummy message body2",
495 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"dummy\"; http_client_body; distance:5; sid:1;)";
496 return RunTest(steps, sig, NULL);
499 static int DetectEngineHttpClientBodyTest17(
void)
502 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 503 "Host: www.openinfosecfoundation.org\r\n" 504 "Content-Type: text/html\r\n" 505 "Content-Length: 19\r\n" 507 "This is dummy body1",
512 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"bambu\"; http_client_body; sid:1;)";
513 return RunTest(steps, sig, NULL);
516 static int DetectEngineHttpClientBodyTest18(
void)
519 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 520 "Host: www.openinfosecfoundation.org\r\n" 521 "Content-Type: text/html\r\n" 522 "Content-Length: 19\r\n" 524 "This is dummy body1",
529 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"bambu\"; http_client_body; fast_pattern; sid:1;)";
530 return RunTest(steps, sig, NULL);
533 static int DetectEngineHttpClientBodyTest19(
void)
536 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 537 "Host: www.openinfosecfoundation.org\r\n" 538 "Content-Type: text/html\r\n" 539 "Content-Length: 19\r\n" 541 "This is dummy body1",
546 const char *sig =
"alert http any any -> any any (content:\"bambu\"; http_client_body; content:\"is\"; http_client_body; sid:1;)";
547 return RunTest(steps, sig, NULL);
550 static int DetectEngineHttpClientBodyTest20(
void)
553 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 554 "Host: www.openinfosecfoundation.org\r\n" 555 "Content-Type: text/html\r\n" 556 "Content-Length: 19\r\n" 558 "This is dummy body1",
563 const char *sig =
"alert http any any -> any any (content:\"is\"; http_client_body; fast_pattern; sid:1;)";
564 return RunTest(steps, sig, NULL);
567 static int DetectEngineHttpClientBodyTest21(
void)
570 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 571 "Host: www.openinfosecfoundation.org\r\n" 572 "Content-Type: text/html\r\n" 573 "Content-Length: 46\r\n" 575 "This is dummy body1",
577 { (
const uint8_t *)
"This is dummy message body2",
582 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; http_client_body; within:7; sid:1;)";
583 return RunTest(steps, sig, NULL);
586 static int DetectEngineHttpClientBodyTest22(
void)
589 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 590 "Host: www.openinfosecfoundation.org\r\n" 591 "Content-Type: text/html\r\n" 592 "Content-Length: 46\r\n" 594 "This is dummy body1",
596 { (
const uint8_t *)
"This is dummy message body2",
601 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; within:7; http_client_body; sid:1;)";
602 return RunTest(steps, sig, NULL);
605 static int DetectEngineHttpClientBodyTest23(
void)
608 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 609 "Host: www.openinfosecfoundation.org\r\n" 610 "Content-Type: text/html\r\n" 611 "Content-Length: 46\r\n" 613 "This is dummy body1",
615 { (
const uint8_t *)
"This is dummy message body2",
620 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; distance:3; http_client_body; sid:1;)";
621 return RunTest(steps, sig, NULL);
624 static int DetectEngineHttpClientBodyTest24(
void)
627 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 628 "Host: www.openinfosecfoundation.org\r\n" 629 "Content-Type: text/html\r\n" 630 "Content-Length: 46\r\n" 632 "This is dummy body1",
634 { (
const uint8_t *)
"This is dummy message body2",
639 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; distance:13; http_client_body; sid:1;)";
640 return RunTest(steps, sig, NULL);
643 static int DetectEngineHttpClientBodyTest25(
void)
646 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 647 "Host: www.openinfosecfoundation.org\r\n" 648 "Content-Type: text/html\r\n" 649 "Content-Length: 46\r\n" 651 "This is dummy body1",
653 { (
const uint8_t *)
"This is dummy message body2",
658 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; within:15; http_client_body; sid:1;)";
659 return RunTest(steps, sig, NULL);
662 static int DetectEngineHttpClientBodyTest26(
void)
665 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 666 "Host: www.openinfosecfoundation.org\r\n" 667 "Content-Type: text/html\r\n" 668 "Content-Length: 46\r\n" 670 "This is dummy body1",
672 { (
const uint8_t *)
"This is dummy message body2",
677 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; within:10; http_client_body; sid:1;)";
678 return RunTest(steps, sig, NULL);
681 static int DetectEngineHttpClientBodyTest27(
void)
684 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 685 "Host: www.openinfosecfoundation.org\r\n" 686 "Content-Type: text/html\r\n" 687 "Content-Length: 46\r\n" 689 "This is dummy body1",
691 { (
const uint8_t *)
"This is dummy message body2",
696 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; distance:8; http_client_body; sid:1;)";
697 return RunTest(steps, sig, NULL);
700 static int DetectEngineHttpClientBodyTest28(
void)
703 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 704 "Host: www.openinfosecfoundation.org\r\n" 705 "Content-Type: text/html\r\n" 706 "Content-Length: 46\r\n" 708 "This is dummy body1",
710 { (
const uint8_t *)
"This is dummy message body2",
715 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; distance:14; http_client_body; sid:1;)";
716 return RunTest(steps, sig, NULL);
719 static int DetectEngineHttpClientBodyTest29(
void)
721 const char *request_buffer =
"GET /one HTTP/1.0\r\n" 722 "Host: localhost\r\n\r\n";
723 #define TOTAL_REQUESTS 45 728 memcpy(http_buf + i * strlen(request_buffer), request_buffer,
729 strlen(request_buffer));
731 uint32_t http_buf_len = TOTAL_REQUESTS * strlen(request_buffer);
732 #undef TOTAL_REQUESTS 735 { (
const uint8_t *)http_buf,
738 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n" 739 "Content-Type: text/html\r\n" 740 "Content-Length: 5\r\n" 748 const char *sig =
"alert http any any -> any any (content:\"dummyone\"; fast_pattern:0,3; http_server_body; sid:1;)";
749 int result = RunTest(steps, sig, NULL);
754 static int DetectEngineHttpClientBodyTest30(
void)
756 const char yaml[] =
"\ 763 request-body-limit: 0\n\ 764 response-body-limit: 0\n\ 766 request-body-inspect-window: 0\n\ 767 response-body-inspect-window: 0\n\ 768 request-body-minimal-inspect-size: 0\n\ 769 response-body-minimal-inspect-size: 0\n\ 772 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 773 "Host: www.openinfosecfoundation.org\r\n" 774 "Content-Type: text/html\r\n" 775 "Content-Length: 46\r\n" 777 "This is dummy body1",
779 { (
const uint8_t *)
"This is dummy message body2",
784 const char *sig =
"alert http any any -> any any (content:\"bags\"; within:4; http_client_body; sid:1;)";
785 return RunTest(steps, sig, yaml);
788 static int DetectEngineHttpClientBodyTest31(
void)
790 const char yaml[] =
"\ 797 request-body-limit: 0\n\ 798 response-body-limit: 0\n\ 800 request-body-inspect-window: 0\n\ 801 response-body-inspect-window: 0\n\ 802 request-body-minimal-inspect-size: 0\n\ 803 response-body-minimal-inspect-size: 0\n\ 807 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n" 808 "Host: www.openinfosecfoundation.org\r\n" 809 "Content-Type: text/html\r\n" 810 "Content-Length: 46\r\n" 812 "This is dummy body1",
814 { (
const uint8_t *)
"This is dummy message body2",
819 const char *sig =
"alert http any any -> any any (content:\"bags\"; depth:4; http_client_body; sid:1;)";
820 return RunTest(steps, sig, yaml);
827 static int DetectHttpClientBodyTest01(
void)
839 "(msg:\"Testing http_client_body\"; " 840 "content:\"one\"; http_client_body; sid:1;)");
850 result &= (sm->
next == NULL);
863 static int DetectHttpClientBodyTest02(
void)
874 "(msg:\"Testing http_client_body\"; " 875 "content:\"one\"; http_client_body:; sid:1;)");
889 static int DetectHttpClientBodyTest03(
void)
900 "(msg:\"Testing http_client_body\"; " 901 "http_client_body; sid:1;)");
915 static int DetectHttpClientBodyTest04(
void)
926 "(msg:\"Testing http_client_body\"; " 927 "content:\"one\"; rawbytes; http_client_body; sid:1;)");
941 static int DetectHttpClientBodyTest05(
void)
952 "(msg:\"Testing http_client_body\"; " 953 "content:\"one\"; http_client_body; nocase; sid:1;)");
967 static int DetectHttpClientBodyTest06(
void)
977 "GET /index.html HTTP/1.0\r\n" 978 "Host: www.openinfosecfoundation.org\r\n" 979 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" 980 "Content-Type: text/html\r\n" 981 "Content-Length: 26\r\n" 983 "This is dummy message body";
984 uint32_t http_len =
sizeof(http_buf) - 1;
988 memset(&th_v, 0,
sizeof(th_v));
989 memset(&f, 0,
sizeof(f));
990 memset(&ssn, 0,
sizeof(ssn));
996 f.
proto = IPPROTO_TCP;
1014 "(msg:\"http client body test\"; " 1015 "content:\"message\"; http_client_body; " 1027 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1035 if (http_state == NULL) {
1036 printf(
"no http state: \n");
1045 printf(
"sid 1 didn't match but should have\n");
1051 if (alp_tctx != NULL)
1066 static int DetectHttpClientBodyTest07(
void)
1076 uint8_t http1_buf[] =
1077 "GET /index.html HTTP/1.0\r\n" 1078 "Host: www.openinfosecfoundation.org\r\n" 1079 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" 1080 "Content-Type: text/html\r\n" 1081 "Content-Length: 54\r\n" 1083 "This is dummy message body1";
1084 uint8_t http2_buf[] =
1085 "This is dummy message body2";
1086 uint32_t http1_len =
sizeof(http1_buf) - 1;
1087 uint32_t http2_len =
sizeof(http2_buf) - 1;
1091 memset(&th_v, 0,
sizeof(th_v));
1092 memset(&f, 0,
sizeof(f));
1093 memset(&ssn, 0,
sizeof(ssn));
1100 f.
proto = IPPROTO_TCP;
1122 "(msg:\"http client body test\"; " 1123 "content:\"message\"; http_client_body; " 1135 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1143 if (http_state == NULL) {
1144 printf(
"no http state: ");
1152 printf(
"sid 1 matched on p1 but shouldn't have: ");
1160 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1169 printf(
"sid 1 didn't match on p2 but should have: ");
1175 if (alp_tctx != NULL)
1191 static int DetectHttpClientBodyTest08(
void)
1201 uint8_t http1_buf[] =
1202 "GET /index.html HTTP/1.0\r\n" 1203 "Host: www.openinfosecfoundation.org\r\n" 1204 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" 1205 "Content-Type: text/html\r\n" 1206 "Content-Length: 46\r\n" 1208 "This is dummy body1";
1209 uint8_t http2_buf[] =
1210 "This is dummy message body2";
1211 uint32_t http1_len =
sizeof(http1_buf) - 1;
1212 uint32_t http2_len =
sizeof(http2_buf) - 1;
1216 memset(&th_v, 0,
sizeof(th_v));
1217 memset(&f, 0,
sizeof(f));
1218 memset(&ssn, 0,
sizeof(ssn));
1225 f.
proto = IPPROTO_TCP;
1247 "(msg:\"http client body test\"; " 1248 "content:\"message\"; http_client_body; " 1260 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1268 if (http_state == NULL) {
1269 printf(
"no http state: ");
1278 printf(
"sid 1 didn't match but should have");
1286 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1297 printf(
"sid 1 didn't match but should have");
1303 if (alp_tctx != NULL)
1319 static int DetectHttpClientBodyTest09(
void)
1329 uint8_t http1_buf[] =
1330 "GET /index.html HTTP/1.0\r\n" 1331 "Host: www.openinfosecfoundation.org\r\n" 1332 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" 1333 "Content-Type: text/html\r\n" 1334 "Content-Length: 46\r\n" 1336 "This is dummy body1";
1337 uint8_t http2_buf[] =
1338 "This is dummy message body2";
1339 uint32_t http1_len =
sizeof(http1_buf) - 1;
1340 uint32_t http2_len =
sizeof(http2_buf) - 1;
1344 memset(&th_v, 0,
sizeof(th_v));
1345 memset(&f, 0,
sizeof(f));
1346 memset(&ssn, 0,
sizeof(ssn));
1353 f.
proto = IPPROTO_TCP;
1375 "(msg:\"http client body test\"; " 1376 "content:\"body1This\"; http_client_body; " 1388 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1396 if (http_state == NULL) {
1397 printf(
"no http state: ");
1406 printf(
"sid 1 didn't match but should have");
1414 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1425 printf(
"sid 1 didn't match but should have");
1431 if (alp_tctx != NULL)
1447 static int DetectHttpClientBodyTest10(
void)
1457 uint8_t http1_buf[] =
1458 "GET /index.html HTTP/1.0\r\n" 1459 "Host: www.openinfosecfoundation.org\r\n" 1460 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" 1461 "Content-Type: text/html\r\n" 1462 "Content-Length: 46\r\n" 1464 "This is dummy bodY1";
1465 uint8_t http2_buf[] =
1466 "This is dummy message body2";
1467 uint32_t http1_len =
sizeof(http1_buf) - 1;
1468 uint32_t http2_len =
sizeof(http2_buf) - 1;
1472 memset(&th_v, 0,
sizeof(th_v));
1473 memset(&f, 0,
sizeof(f));
1474 memset(&ssn, 0,
sizeof(ssn));
1481 f.
proto = IPPROTO_TCP;
1503 "(msg:\"http client body test\"; " 1504 "content:\"body1This\"; http_client_body; nocase;" 1516 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1524 if (http_state == NULL) {
1525 printf(
"no http state: \n");
1534 printf(
"sid 1 didn't match but should have\n");
1542 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1553 printf(
"sid 1 didn't match but should have");
1559 if (alp_tctx != NULL)
1575 static int DetectHttpClientBodyTest11(
void)
1584 uint8_t http_buf[] =
1585 "GET /index.html HTTP/1.0\r\n" 1586 "Host: www.openinfosecfoundation.org\r\n" 1587 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" 1588 "Content-Type: text/html\r\n" 1589 "Content-Length: 26\r\n" 1591 "This is dummy message body";
1592 uint32_t http_len =
sizeof(http_buf) - 1;
1596 memset(&th_v, 0,
sizeof(th_v));
1597 memset(&f, 0,
sizeof(f));
1598 memset(&ssn, 0,
sizeof(ssn));
1604 f.
proto = IPPROTO_TCP;
1622 "(msg:\"http client body test\"; " 1623 "content:!\"message1\"; http_client_body; " 1635 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1643 if (http_state == NULL) {
1644 printf(
"no http state: ");
1653 printf(
"sid 1 didn't match but should have");
1659 if (alp_tctx != NULL)
1674 static int DetectHttpClientBodyTest12(
void)
1683 uint8_t http_buf[] =
1684 "GET /index.html HTTP/1.0\r\n" 1685 "Host: www.openinfosecfoundation.org\r\n" 1686 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" 1687 "Content-Type: text/html\r\n" 1688 "Content-Length: 26\r\n" 1690 "This is dummy message body";
1691 uint32_t http_len =
sizeof(http_buf) - 1;
1695 memset(&th_v, 0,
sizeof(th_v));
1696 memset(&f, 0,
sizeof(f));
1697 memset(&ssn, 0,
sizeof(ssn));
1703 f.
proto = IPPROTO_TCP;
1721 "(msg:\"http client body test\"; " 1722 "content:!\"message\"; http_client_body; " 1734 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1742 if (http_state == NULL) {
1743 printf(
"no http state: ");
1752 printf(
"sid 1 didn't match but should have");
1758 if (alp_tctx != NULL)
1773 static int DetectHttpClientBodyTest13(
void)
1782 uint8_t http_buf[] =
1783 "GET /index.html HTTP/1.0\r\n" 1784 "Host: www.openinfosecfoundation.org\r\n" 1785 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" 1786 "Content-Type: text/html\r\n" 1787 "Content-Length: 55\r\n" 1789 "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
1790 uint32_t http_len =
sizeof(http_buf) - 1;
1794 memset(&th_v, 0,
sizeof(th_v));
1795 memset(&f, 0,
sizeof(f));
1796 memset(&ssn, 0,
sizeof(ssn));
1802 f.
proto = IPPROTO_TCP;
1820 "(msg:\"http client body test\"; " 1821 "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_client_body; " 1833 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1841 if (http_state == NULL) {
1842 printf(
"no http state: ");
1851 printf(
"sid 1 didn't match but should have");
1857 if (alp_tctx != NULL)
1869 static int DetectHttpClientBodyTest14(
void)
1878 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1879 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1880 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1881 uint8_t httpbuf4[] =
"Body one!!";
1882 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1883 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1884 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1885 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1886 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1887 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1888 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1889 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1890 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1891 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1894 memset(&th_v, 0,
sizeof(th_v));
1895 memset(&f, 0,
sizeof(f));
1896 memset(&ssn, 0,
sizeof(ssn));
1902 f.
proto = IPPROTO_TCP;
1914 if (de_ctx == NULL) {
1920 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"one\"; http_client_body; sid:1; rev:1;)");
1922 printf(
"sig parse failed: ");
1925 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; content:\"two\"; http_client_body; sid:2; rev:1;)");
1927 printf(
"sig2 parse failed: ");
1938 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1947 printf(
"sig 1 alerted: ");
1956 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
1965 printf(
"sig 1 alerted (2): ");
1975 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
1984 printf(
"signature matched, but shouldn't have: ");
1993 printf(
"toserver chunk 4 returned %" PRId32
", expected 0: ", r);
2003 printf(
"sig 1 didn't alert: ");
2012 printf(
"toserver chunk 5 returned %" PRId32
", expected 0: ", r);
2021 printf(
"sig 1 alerted (5): ");
2030 printf(
"toserver chunk 6 returned %" PRId32
", expected 0: ", r);
2039 printf(
"sig 1 alerted (request 2, chunk 6): ");
2050 printf(
"toserver chunk 7 returned %" PRId32
", expected 0: ", r);
2059 printf(
"signature 2 didn't match, but should have: ");
2065 if (htp_state == NULL) {
2066 printf(
"no http state: ");
2072 printf(
"The http app layer doesn't have 2 transactions, but it should: ");
2078 if (alp_tctx != NULL)
2080 if (det_ctx != NULL) {
2083 if (de_ctx != NULL) {
2094 static int DetectHttpClientBodyTest15(
void)
2103 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
2104 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
2105 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
2106 uint8_t httpbuf4[] =
"Body one!!";
2107 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2108 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
2109 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
2110 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
2111 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
2112 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
2113 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
2114 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
2115 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
2116 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
2119 memset(&th_v, 0,
sizeof(th_v));
2120 memset(&f, 0,
sizeof(f));
2121 memset(&ssn, 0,
sizeof(ssn));
2127 f.
proto = IPPROTO_TCP;
2139 if (de_ctx == NULL) {
2145 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"one\"; http_client_body; sid:1; rev:1;)");
2147 printf(
"sig parse failed: ");
2150 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; content:\"two\"; http_client_body; sid:2; rev:1;)");
2152 printf(
"sig2 parse failed: ");
2163 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2172 printf(
"sig 1 alerted: ");
2181 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
2190 printf(
"sig 1 alerted (2): ");
2199 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
2208 printf(
"signature matched, but shouldn't have: ");
2217 printf(
"toserver chunk 4 returned %" PRId32
", expected 0: ", r);
2227 printf(
"sig 1 didn't alert: ");
2236 printf(
"toserver chunk 5 returned %" PRId32
", expected 0: ", r);
2245 printf(
"sig 1 alerted (5): ");
2254 printf(
"toserver chunk 6 returned %" PRId32
", expected 0: ", r);
2263 printf(
"sig 1 alerted (request 2, chunk 6): ");
2274 printf(
"toserver chunk 7 returned %" PRId32
", expected 0: ", r);
2283 printf(
"signature 2 didn't match, but should have: ");
2289 if (htp_state == NULL) {
2290 printf(
"no http state: ");
2297 printf(
"The http app layer doesn't have 2 transactions, but it should: ");
2308 SCLogDebug(
"No body data in t1 (it should be removed only when the tx is destroyed): ");
2313 (uint8_t *)
"Body one!!", 10) != 1)
2315 SCLogDebug(
"Body data in t1 is not correctly set: ");
2323 SCLogDebug(
"No body data in t1 (it should be removed only when the tx is destroyed): ");
2328 (uint8_t *)
"Body two!!", 10) != 1)
2330 SCLogDebug(
"Body data in t1 is not correctly set: ");
2336 if (alp_tctx != NULL)
2338 if (det_ctx != NULL) {
2341 if (de_ctx != NULL) {
2351 static int DetectHttpClientBodyTest22(
void)
2361 "(content:\"one\"; content:\"two\"; http_client_body; " 2362 "content:\"three\"; distance:10; http_client_body; content:\"four\"; sid:1;)");
2364 printf(
"de_ctx->sig_list == NULL\n");
2369 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2373 if (de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2374 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2383 cd2->flags != 0 || memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2387 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2405 static int DetectHttpClientBodyTest23(
void)
2415 "(content:\"one\"; http_client_body; pcre:/two/; " 2416 "content:\"three\"; distance:10; http_client_body; content:\"four\"; sid:1;)");
2418 printf(
"de_ctx->sig_list == NULL\n");
2423 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2427 if (de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2428 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2436 if (pd1->
flags != 0 ||
2437 cd2->flags != 0 || memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2441 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2458 static int DetectHttpClientBodyTest24(
void)
2468 "(content:\"one\"; http_client_body; pcre:/two/; " 2469 "content:\"three\"; distance:10; within:15; http_client_body; content:\"four\"; sid:1;)");
2471 printf(
"de_ctx->sig_list == NULL\n");
2476 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2480 if (de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2481 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2489 if (pd1->
flags != 0 ||
2490 cd2->flags != 0 || memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2494 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2511 static int DetectHttpClientBodyTest25(
void)
2521 "(content:\"one\"; http_client_body; pcre:/two/; " 2522 "content:\"three\"; distance:10; http_client_body; " 2523 "content:\"four\"; distance:10; sid:1;)");
2525 printf(
"de_ctx->sig_list == NULL\n");
2530 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2534 if (de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2535 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2545 memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2549 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2566 static int DetectHttpClientBodyTest26(
void)
2576 "(content:\"one\"; offset:10; http_client_body; pcre:/two/; " 2577 "content:\"three\"; distance:10; http_client_body; within:10; " 2578 "content:\"four\"; distance:10; sid:1;)");
2580 printf(
"de_ctx->sig_list == NULL\n");
2585 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2589 if (de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2590 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2600 memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2604 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2605 printf (
"failed: http_client_body incorrect flags");
2622 static int DetectHttpClientBodyTest27(
void)
2632 "(content:\"one\"; offset:10; http_client_body; pcre:/two/; " 2633 "content:\"three\"; distance:10; http_client_body; within:10; " 2634 "content:\"four\"; distance:10; sid:1;)");
2636 printf(
"de_ctx->sig_list == NULL\n");
2647 static int DetectHttpClientBodyTest28(
void)
2657 "(content:\"one\"; http_client_body; pcre:/two/; " 2658 "content:\"three\"; http_client_body; depth:10; " 2659 "content:\"four\"; distance:10; sid:1;)");
2661 printf(
"de_ctx->sig_list == NULL\n");
2666 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2670 if (de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2671 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2681 memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2682 hcbd1->
flags != 0 ||
2685 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2702 static int DetectHttpClientBodyTest29(
void)
2712 "(content:\"one\"; http_client_body; " 2713 "content:\"two\"; distance:0; http_client_body; sid:1;)");
2715 printf(
"de_ctx->sig_list == NULL\n");
2720 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
2724 if (de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2725 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2734 memcmp(hcbd2->content,
"two", hcbd1->
content_len) != 0) {
2745 static int DetectHttpClientBodyTest30(
void)
2755 "(content:\"one\"; http_client_body; " 2756 "content:\"two\"; within:5; http_client_body; sid:1;)");
2758 printf(
"de_ctx->sig_list == NULL\n");
2763 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
2767 if (de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2768 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2777 memcmp(hcbd2->content,
"two", hcbd1->
content_len) != 0) {
2788 static int DetectHttpClientBodyTest31(
void)
2798 "(content:\"one\"; within:5; http_client_body; sid:1;)");
2800 printf(
"de_ctx->sig_list == NULL\n");
2811 static int DetectHttpClientBodyTest32(
void)
2821 "(content:\"one\"; http_client_body; within:5; sid:1;)");
2823 printf(
"de_ctx->sig_list != NULL\n");
2834 static int DetectHttpClientBodyTest33(
void)
2844 "(content:\"one\"; within:5; sid:1;)");
2846 printf(
"de_ctx->sig_list == NULL\n");
2857 static int DetectHttpClientBodyTest34(
void)
2868 "content:\"two\"; within:5; http_client_body; sid:1;)");
2870 printf(
"de_ctx->sig_list == NULL\n");
2875 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
2879 if (de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2880 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2884 if (de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
2886 de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
2887 de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->type !=
DETECT_PCRE) {
2896 memcmp(hcbd2->content,
"two", hcbd2->content_len) != 0) {
2907 static int DetectHttpClientBodyTest35(
void)
2917 "(content:\"two\"; http_client_body; " 2918 "pcre:/one/PR; sid:1;)");
2920 printf(
"de_ctx->sig_list == NULL\n");
2925 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
2929 if (de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2930 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2934 if (de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
2936 de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
2957 static int DetectHttpClientBodyTest36(
void)
2968 "content:\"two\"; distance:5; http_client_body; sid:1;)");
2970 printf(
"de_ctx->sig_list == NULL\n");
2975 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
2979 if (de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2980 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2984 if (de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
2986 de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
2987 de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->type !=
DETECT_PCRE) {
2996 memcmp(hcbd2->content,
"two", hcbd2->content_len) != 0) {
3007 static int DetectHttpClientBodyIsdataatParseTest(
void)
3014 "alert tcp any any -> any any (" 3015 "content:\"one\"; http_client_body; " 3016 "isdataat:!4,relative; sid:1;)");
3034 UtRegisterTest(
"DetectHttpClientBodyParserTest01", DetectHttpClientBodyParserTest01);
3035 UtRegisterTest(
"DetectHttpClientBodyParserTest02", DetectHttpClientBodyParserTest02);
3036 UtRegisterTest(
"DetectHttpClientBodyTest01", DetectHttpClientBodyTest01);
3037 UtRegisterTest(
"DetectHttpClientBodyTest02", DetectHttpClientBodyTest02);
3038 UtRegisterTest(
"DetectHttpClientBodyTest03", DetectHttpClientBodyTest03);
3039 UtRegisterTest(
"DetectHttpClientBodyTest04", DetectHttpClientBodyTest04);
3040 UtRegisterTest(
"DetectHttpClientBodyTest05", DetectHttpClientBodyTest05);
3041 UtRegisterTest(
"DetectHttpClientBodyTest06", DetectHttpClientBodyTest06);
3042 UtRegisterTest(
"DetectHttpClientBodyTest07", DetectHttpClientBodyTest07);
3043 UtRegisterTest(
"DetectHttpClientBodyTest08", DetectHttpClientBodyTest08);
3044 UtRegisterTest(
"DetectHttpClientBodyTest09", DetectHttpClientBodyTest09);
3045 UtRegisterTest(
"DetectHttpClientBodyTest10", DetectHttpClientBodyTest10);
3046 UtRegisterTest(
"DetectHttpClientBodyTest11", DetectHttpClientBodyTest11);
3047 UtRegisterTest(
"DetectHttpClientBodyTest12", DetectHttpClientBodyTest12);
3048 UtRegisterTest(
"DetectHttpClientBodyTest13", DetectHttpClientBodyTest13);
3049 UtRegisterTest(
"DetectHttpClientBodyTest14", DetectHttpClientBodyTest14);
3050 UtRegisterTest(
"DetectHttpClientBodyTest15", DetectHttpClientBodyTest15);
3052 UtRegisterTest(
"DetectHttpClientBodyTest22", DetectHttpClientBodyTest22);
3053 UtRegisterTest(
"DetectHttpClientBodyTest23", DetectHttpClientBodyTest23);
3054 UtRegisterTest(
"DetectHttpClientBodyTest24", DetectHttpClientBodyTest24);
3055 UtRegisterTest(
"DetectHttpClientBodyTest25", DetectHttpClientBodyTest25);
3056 UtRegisterTest(
"DetectHttpClientBodyTest26", DetectHttpClientBodyTest26);
3057 UtRegisterTest(
"DetectHttpClientBodyTest27", DetectHttpClientBodyTest27);
3058 UtRegisterTest(
"DetectHttpClientBodyTest28", DetectHttpClientBodyTest28);
3059 UtRegisterTest(
"DetectHttpClientBodyTest29", DetectHttpClientBodyTest29);
3060 UtRegisterTest(
"DetectHttpClientBodyTest30", DetectHttpClientBodyTest30);
3061 UtRegisterTest(
"DetectHttpClientBodyTest31", DetectHttpClientBodyTest31);
3062 UtRegisterTest(
"DetectHttpClientBodyTest32", DetectHttpClientBodyTest32);
3063 UtRegisterTest(
"DetectHttpClientBodyTest33", DetectHttpClientBodyTest33);
3064 UtRegisterTest(
"DetectHttpClientBodyTest34", DetectHttpClientBodyTest34);
3065 UtRegisterTest(
"DetectHttpClientBodyTest35", DetectHttpClientBodyTest35);
3066 UtRegisterTest(
"DetectHttpClientBodyTest36", DetectHttpClientBodyTest36);
3069 DetectHttpClientBodyIsdataatParseTest);
3072 DetectEngineHttpClientBodyTest01);
3074 DetectEngineHttpClientBodyTest02);
3076 DetectEngineHttpClientBodyTest03);
3078 DetectEngineHttpClientBodyTest04);
3080 DetectEngineHttpClientBodyTest05);
3082 DetectEngineHttpClientBodyTest06);
3084 DetectEngineHttpClientBodyTest07);
3086 DetectEngineHttpClientBodyTest08);
3088 DetectEngineHttpClientBodyTest09);
3090 DetectEngineHttpClientBodyTest10);
3092 DetectEngineHttpClientBodyTest11);
3094 DetectEngineHttpClientBodyTest12);
3096 DetectEngineHttpClientBodyTest13);
3098 DetectEngineHttpClientBodyTest14);
3100 DetectEngineHttpClientBodyTest15);
3102 DetectEngineHttpClientBodyTest16);
3104 DetectEngineHttpClientBodyTest17);
3106 DetectEngineHttpClientBodyTest18);
3108 DetectEngineHttpClientBodyTest19);
3110 DetectEngineHttpClientBodyTest20);
3112 DetectEngineHttpClientBodyTest21);
3114 DetectEngineHttpClientBodyTest22);
3116 DetectEngineHttpClientBodyTest23);
3118 DetectEngineHttpClientBodyTest24);
3120 DetectEngineHttpClientBodyTest25);
3122 DetectEngineHttpClientBodyTest26);
3124 DetectEngineHttpClientBodyTest27);
3126 DetectEngineHttpClientBodyTest28);
3128 DetectEngineHttpClientBodyTest29);
3131 DetectEngineHttpClientBodyTest30);
3133 DetectEngineHttpClientBodyTest31);
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
SignatureInitData * init_data
#define DETECT_PCRE_RELATIVE
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
#define FLOWLOCK_UNLOCK(fb)
#define PASS
Pass the test.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
#define ISDATAAT_RELATIVE
void StreamTcpFreeConfig(char quiet)
#define DETECT_CONTENT_DISTANCE
#define FLOWLOCK_WRLOCK(fb)
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define ISDATAAT_RAWBYTES
StreamingBufferSegment sbseg
#define DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_IS_SINGLE(c)
main detection engine ctx
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
void HtpConfigCreateBackup(void)
Data structures and function prototypes for keeping state for the detection engine.
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void ConfInit(void)
Initialize the configuration system.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
#define FLOW_PKT_TOSERVER
struct SigMatch_ ** smlists_tail
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
void HtpConfigRestoreBackup(void)
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
#define FLOW_INITIALIZE(f)
int StreamingBufferSegmentCompareRawData(const StreamingBuffer *sb, const StreamingBufferSegment *seg, const uint8_t *rawdata, uint32_t rawdata_len)
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
#define DETECT_CONTENT_WITHIN
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
#define DETECT_PCRE_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Per thread variable structure.
#define FLOW_PKT_TOCLIENT
AppProto alproto
application level protocol
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void DetectHttpClientBodyRegisterTests(void)
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
#define DETECT_CONTENT_OFFSET
a single match condition for a signature
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
DetectEngineCtx * DetectEngineCtxInit(void)
1.8.11 
