35 #include "../suricata-common.h"
36 #include "../suricata.h"
37 #include "../decode.h"
75 static int DetectHttpClientBodyParserTest01(
void)
78 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; nocase; http_client_body; sid:1;)",
true));
79 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; endswith; http_client_body; sid:1;)",
true));
80 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; http_client_body; sid:1;)",
true));
81 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; endswith; http_client_body; sid:1;)",
true));
83 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; rawbytes; http_client_body; sid:1;)",
false));
92 static int DetectHttpClientBodyParserTest02(
void)
95 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; nocase; sid:1;)",
true));
96 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; endswith; sid:1;)",
true));
97 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; sid:1;)",
true));
98 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; endswith; sid:1;)",
true));
101 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; rawbytes; sid:1;)",
false));
114 static int RunTest (
struct TestSteps *steps,
const char *sig,
const char *yaml)
123 memset(&th_v, 0,
sizeof(th_v));
124 memset(&f, 0,
sizeof(f));
125 memset(&ssn, 0,
sizeof(ssn));
144 f.
proto = IPPROTO_TCP;
158 while (b->
input != NULL) {
197 static int DetectEngineHttpClientBodyTest01(
void)
200 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
201 "Host: www.openinfosecfoundation.org\r\n"
202 "Content-Type: text/html\r\n"
203 "Content-Length: 46\r\n"
205 "This is dummy body1",
206 0, STREAM_TOSERVER, 0 },
207 { (
const uint8_t *)
"This is dummy message body2",
208 0, STREAM_TOSERVER, 1 },
212 const char *sig =
"alert http any any -> any any (content:\"body1This\"; http_client_body; sid:1;)";
213 return RunTest(steps, sig, NULL);
216 static int DetectEngineHttpClientBodyTest02(
void)
219 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
220 "Host: www.openinfosecfoundation.org\r\n"
221 "Content-Type: text/html\r\n"
222 "Content-Length: 19\r\n"
224 "This is dummy body1",
225 0, STREAM_TOSERVER, 1 },
229 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; offset:5; sid:1;)";
230 return RunTest(steps, sig, NULL);
233 static int DetectEngineHttpClientBodyTest03(
void)
236 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
237 "Host: www.openinfosecfoundation.org\r\n"
238 "Content-Type: text/html\r\n"
239 "Content-Length: 46\r\n"
241 "This is dummy body1",
242 0, STREAM_TOSERVER, 0 },
243 { (
const uint8_t *)
"This is dummy message body2",
244 0, STREAM_TOSERVER, 0 },
248 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; offset:16; sid:1;)";
249 return RunTest(steps, sig, NULL);
252 static int DetectEngineHttpClientBodyTest04(
void)
255 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
256 "Host: www.openinfosecfoundation.org\r\n"
257 "Content-Type: text/html\r\n"
258 "Content-Length: 46\r\n"
260 "This is dummy body1",
261 0, STREAM_TOSERVER, 0 },
262 { (
const uint8_t *)
"This is dummy message body2",
263 0, STREAM_TOSERVER, 1 },
267 const char *sig =
"alert http any any -> any any (content:!\"body1\"; http_client_body; offset:16; sid:1;)";
268 return RunTest(steps, sig, NULL);
271 static int DetectEngineHttpClientBodyTest05(
void)
274 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
275 "Host: www.openinfosecfoundation.org\r\n"
276 "Content-Type: text/html\r\n"
277 "Content-Length: 46\r\n"
279 "This is dummy body1",
280 0, STREAM_TOSERVER, 0 },
281 { (
const uint8_t *)
"This is dummy message body2",
282 0, STREAM_TOSERVER, 1 },
286 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; depth:25; sid:1;)";
287 return RunTest(steps, sig, NULL);
290 static int DetectEngineHttpClientBodyTest06(
void)
293 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
294 "Host: www.openinfosecfoundation.org\r\n"
295 "Content-Type: text/html\r\n"
296 "Content-Length: 46\r\n"
298 "This is dummy body1",
299 0, STREAM_TOSERVER, 0 },
300 { (
const uint8_t *)
"This is dummy message body2",
301 0, STREAM_TOSERVER, 0 },
305 const char *sig =
"alert http any any -> any any (content:!\"body1\"; http_client_body; depth:25; sid:1;)";
306 return RunTest(steps, sig, NULL);
309 static int DetectEngineHttpClientBodyTest07(
void)
312 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
313 "Host: www.openinfosecfoundation.org\r\n"
314 "Content-Type: text/html\r\n"
315 "Content-Length: 46\r\n"
317 "This is dummy body1",
318 0, STREAM_TOSERVER, 0 },
319 { (
const uint8_t *)
"This is dummy message body2",
320 0, STREAM_TOSERVER, 1 },
324 const char *sig =
"alert http any any -> any any (content:!\"body1\"; http_client_body; depth:15; sid:1;)";
325 return RunTest(steps, sig, NULL);
328 static int DetectEngineHttpClientBodyTest08(
void)
331 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
332 "Host: www.openinfosecfoundation.org\r\n"
333 "Content-Type: text/html\r\n"
334 "Content-Length: 46\r\n"
336 "This is dummy body1",
337 0, STREAM_TOSERVER, 0 },
338 { (
const uint8_t *)
"This is dummy message body2",
339 0, STREAM_TOSERVER, 1 },
343 const char *sig =
"alert http any any -> any any (content:\"This is dummy body1This is dummy message body2\"; http_client_body; sid:1;)";
344 return RunTest(steps, sig, NULL);
347 static int DetectEngineHttpClientBodyTest09(
void)
350 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
351 "Host: www.openinfosecfoundation.org\r\n"
352 "Content-Type: text/html\r\n"
353 "Content-Length: 46\r\n"
355 "This is dummy body1",
356 0, STREAM_TOSERVER, 0 },
357 { (
const uint8_t *)
"This is dummy message body2",
358 0, STREAM_TOSERVER, 1 },
362 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"This\"; http_client_body; within:5; sid:1;)";
363 return RunTest(steps, sig, NULL);
366 static int DetectEngineHttpClientBodyTest10(
void)
369 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
370 "Host: www.openinfosecfoundation.org\r\n"
371 "Content-Type: text/html\r\n"
372 "Content-Length: 46\r\n"
374 "This is dummy body1",
375 0, STREAM_TOSERVER, 0 },
376 { (
const uint8_t *)
"This is dummy message body2",
377 0, STREAM_TOSERVER, 1 },
381 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"boom\"; http_client_body; within:5; sid:1;)";
382 return RunTest(steps, sig, NULL);
385 static int DetectEngineHttpClientBodyTest11(
void)
388 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
389 "Host: www.openinfosecfoundation.org\r\n"
390 "Content-Type: text/html\r\n"
391 "Content-Length: 46\r\n"
393 "This is dummy body1",
394 0, STREAM_TOSERVER, 0 },
395 { (
const uint8_t *)
"This is dummy message body2",
396 0, STREAM_TOSERVER, 0 },
400 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"boom\"; http_client_body; within:5; sid:1;)";
401 return RunTest(steps, sig, NULL);
404 static int DetectEngineHttpClientBodyTest12(
void)
407 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
408 "Host: www.openinfosecfoundation.org\r\n"
409 "Content-Type: text/html\r\n"
410 "Content-Length: 46\r\n"
412 "This is dummy body1",
413 0, STREAM_TOSERVER, 0 },
414 { (
const uint8_t *)
"This is dummy message body2",
415 0, STREAM_TOSERVER, 0 },
419 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"This\"; http_client_body; within:5; sid:1;)";
420 return RunTest(steps, sig, NULL);
423 static int DetectEngineHttpClientBodyTest13(
void)
426 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
427 "Host: www.openinfosecfoundation.org\r\n"
428 "Content-Type: text/html\r\n"
429 "Content-Length: 46\r\n"
431 "This is dummy body1",
432 0, STREAM_TOSERVER, 0 },
433 { (
const uint8_t *)
"This is dummy message body2",
434 0, STREAM_TOSERVER, 1 },
438 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"dummy\"; http_client_body; distance:5; sid:1;)";
439 return RunTest(steps, sig, NULL);
442 static int DetectEngineHttpClientBodyTest14(
void)
445 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
446 "Host: www.openinfosecfoundation.org\r\n"
447 "Content-Type: text/html\r\n"
448 "Content-Length: 46\r\n"
450 "This is dummy body1",
451 0, STREAM_TOSERVER, 0 },
452 { (
const uint8_t *)
"This is dummy message body2",
453 0, STREAM_TOSERVER, 1 },
457 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"dummy\"; http_client_body; distance:10; sid:1;)";
458 return RunTest(steps, sig, NULL);
461 static int DetectEngineHttpClientBodyTest15(
void)
464 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
465 "Host: www.openinfosecfoundation.org\r\n"
466 "Content-Type: text/html\r\n"
467 "Content-Length: 46\r\n"
469 "This is dummy body1",
470 0, STREAM_TOSERVER, 0 },
471 { (
const uint8_t *)
"This is dummy message body2",
472 0, STREAM_TOSERVER, 0 },
476 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"dummy\"; http_client_body; distance:10; sid:1;)";
477 return RunTest(steps, sig, NULL);
480 static int DetectEngineHttpClientBodyTest16(
void)
483 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
484 "Host: www.openinfosecfoundation.org\r\n"
485 "Content-Type: text/html\r\n"
486 "Content-Length: 46\r\n"
488 "This is dummy body1",
489 0, STREAM_TOSERVER, 0 },
490 { (
const uint8_t *)
"This is dummy message body2",
491 0, STREAM_TOSERVER, 0 },
495 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"dummy\"; http_client_body; distance:5; sid:1;)";
496 return RunTest(steps, sig, NULL);
499 static int DetectEngineHttpClientBodyTest17(
void)
502 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
503 "Host: www.openinfosecfoundation.org\r\n"
504 "Content-Type: text/html\r\n"
505 "Content-Length: 19\r\n"
507 "This is dummy body1",
508 0, STREAM_TOSERVER, 0 },
512 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"bambu\"; http_client_body; sid:1;)";
513 return RunTest(steps, sig, NULL);
516 static int DetectEngineHttpClientBodyTest18(
void)
519 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
520 "Host: www.openinfosecfoundation.org\r\n"
521 "Content-Type: text/html\r\n"
522 "Content-Length: 19\r\n"
524 "This is dummy body1",
525 0, STREAM_TOSERVER, 0 },
529 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"bambu\"; http_client_body; fast_pattern; sid:1;)";
530 return RunTest(steps, sig, NULL);
533 static int DetectEngineHttpClientBodyTest19(
void)
536 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
537 "Host: www.openinfosecfoundation.org\r\n"
538 "Content-Type: text/html\r\n"
539 "Content-Length: 19\r\n"
541 "This is dummy body1",
542 0, STREAM_TOSERVER, 0 },
546 const char *sig =
"alert http any any -> any any (content:\"bambu\"; http_client_body; content:\"is\"; http_client_body; sid:1;)";
547 return RunTest(steps, sig, NULL);
550 static int DetectEngineHttpClientBodyTest20(
void)
553 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
554 "Host: www.openinfosecfoundation.org\r\n"
555 "Content-Type: text/html\r\n"
556 "Content-Length: 19\r\n"
558 "This is dummy body1",
559 0, STREAM_TOSERVER, 1 },
563 const char *sig =
"alert http any any -> any any (content:\"is\"; http_client_body; fast_pattern; sid:1;)";
564 return RunTest(steps, sig, NULL);
567 static int DetectEngineHttpClientBodyTest21(
void)
570 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
571 "Host: www.openinfosecfoundation.org\r\n"
572 "Content-Type: text/html\r\n"
573 "Content-Length: 46\r\n"
575 "This is dummy body1",
576 0, STREAM_TOSERVER, 0 },
577 { (
const uint8_t *)
"This is dummy message body2",
578 0, STREAM_TOSERVER, 1 },
582 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; http_client_body; within:7; sid:1;)";
583 return RunTest(steps, sig, NULL);
586 static int DetectEngineHttpClientBodyTest22(
void)
589 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
590 "Host: www.openinfosecfoundation.org\r\n"
591 "Content-Type: text/html\r\n"
592 "Content-Length: 46\r\n"
594 "This is dummy body1",
595 0, STREAM_TOSERVER, 0 },
596 { (
const uint8_t *)
"This is dummy message body2",
597 0, STREAM_TOSERVER, 1 },
601 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; within:7; http_client_body; sid:1;)";
602 return RunTest(steps, sig, NULL);
605 static int DetectEngineHttpClientBodyTest23(
void)
608 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
609 "Host: www.openinfosecfoundation.org\r\n"
610 "Content-Type: text/html\r\n"
611 "Content-Length: 46\r\n"
613 "This is dummy body1",
614 0, STREAM_TOSERVER, 0 },
615 { (
const uint8_t *)
"This is dummy message body2",
616 0, STREAM_TOSERVER, 0 },
620 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; distance:3; http_client_body; sid:1;)";
621 return RunTest(steps, sig, NULL);
624 static int DetectEngineHttpClientBodyTest24(
void)
627 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
628 "Host: www.openinfosecfoundation.org\r\n"
629 "Content-Type: text/html\r\n"
630 "Content-Length: 46\r\n"
632 "This is dummy body1",
633 0, STREAM_TOSERVER, 0 },
634 { (
const uint8_t *)
"This is dummy message body2",
635 0, STREAM_TOSERVER, 1 },
639 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; distance:13; http_client_body; sid:1;)";
640 return RunTest(steps, sig, NULL);
643 static int DetectEngineHttpClientBodyTest25(
void)
646 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
647 "Host: www.openinfosecfoundation.org\r\n"
648 "Content-Type: text/html\r\n"
649 "Content-Length: 46\r\n"
651 "This is dummy body1",
652 0, STREAM_TOSERVER, 0 },
653 { (
const uint8_t *)
"This is dummy message body2",
654 0, STREAM_TOSERVER, 1 },
658 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; within:15; http_client_body; sid:1;)";
659 return RunTest(steps, sig, NULL);
662 static int DetectEngineHttpClientBodyTest26(
void)
665 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
666 "Host: www.openinfosecfoundation.org\r\n"
667 "Content-Type: text/html\r\n"
668 "Content-Length: 46\r\n"
670 "This is dummy body1",
671 0, STREAM_TOSERVER, 0 },
672 { (
const uint8_t *)
"This is dummy message body2",
673 0, STREAM_TOSERVER, 0 },
677 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; within:10; http_client_body; sid:1;)";
678 return RunTest(steps, sig, NULL);
681 static int DetectEngineHttpClientBodyTest27(
void)
684 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
685 "Host: www.openinfosecfoundation.org\r\n"
686 "Content-Type: text/html\r\n"
687 "Content-Length: 46\r\n"
689 "This is dummy body1",
690 0, STREAM_TOSERVER, 0 },
691 { (
const uint8_t *)
"This is dummy message body2",
692 0, STREAM_TOSERVER, 1 },
696 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; distance:8; http_client_body; sid:1;)";
697 return RunTest(steps, sig, NULL);
700 static int DetectEngineHttpClientBodyTest28(
void)
703 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
704 "Host: www.openinfosecfoundation.org\r\n"
705 "Content-Type: text/html\r\n"
706 "Content-Length: 46\r\n"
708 "This is dummy body1",
709 0, STREAM_TOSERVER, 0 },
710 { (
const uint8_t *)
"This is dummy message body2",
711 0, STREAM_TOSERVER, 0 },
715 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; distance:14; http_client_body; sid:1;)";
716 return RunTest(steps, sig, NULL);
719 static int DetectEngineHttpClientBodyTest29(
void)
721 const char *request_buffer =
"GET /one HTTP/1.0\r\n"
722 "Host: localhost\r\n\r\n";
723 #define TOTAL_REQUESTS 45
728 memcpy(http_buf + i * strlen(request_buffer), request_buffer,
729 strlen(request_buffer));
732 #undef TOTAL_REQUESTS
735 { (
const uint8_t *)http_buf,
736 (
size_t)http_buf_len, STREAM_TOSERVER, 0 },
738 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
739 "Content-Type: text/html\r\n"
740 "Content-Length: 5\r\n"
743 0, STREAM_TOCLIENT, 0 },
748 const char *sig =
"alert http any any -> any any (content:\"dummyone\"; fast_pattern:0,3; http_server_body; sid:1;)";
749 int result = RunTest(steps, sig, NULL);
754 static int DetectEngineHttpClientBodyTest30(
void)
756 const char yaml[] =
"\
763 request-body-limit: 0\n\
764 response-body-limit: 0\n\
766 request-body-inspect-window: 0\n\
767 response-body-inspect-window: 0\n\
768 request-body-minimal-inspect-size: 0\n\
769 response-body-minimal-inspect-size: 0\n\
772 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
773 "Host: www.openinfosecfoundation.org\r\n"
774 "Content-Type: text/html\r\n"
775 "Content-Length: 46\r\n"
777 "This is dummy body1",
778 0, STREAM_TOSERVER, 0 },
779 { (
const uint8_t *)
"This is dummy message body2",
780 0, STREAM_TOSERVER, 0 },
784 const char *sig =
"alert http any any -> any any (content:\"bags\"; within:4; http_client_body; sid:1;)";
785 return RunTest(steps, sig, yaml);
788 static int DetectEngineHttpClientBodyTest31(
void)
790 const char yaml[] =
"\
797 request-body-limit: 0\n\
798 response-body-limit: 0\n\
800 request-body-inspect-window: 0\n\
801 response-body-inspect-window: 0\n\
802 request-body-minimal-inspect-size: 0\n\
803 response-body-minimal-inspect-size: 0\n\
807 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
808 "Host: www.openinfosecfoundation.org\r\n"
809 "Content-Type: text/html\r\n"
810 "Content-Length: 46\r\n"
812 "This is dummy body1",
813 0, STREAM_TOSERVER, 0 },
814 { (
const uint8_t *)
"This is dummy message body2",
815 0, STREAM_TOSERVER, 0 },
819 const char *sig =
"alert http any any -> any any (content:\"bags\"; depth:4; http_client_body; sid:1;)";
820 return RunTest(steps, sig, yaml);
827 static int DetectHttpClientBodyTest01(
void)
839 "(msg:\"Testing http_client_body\"; "
840 "content:\"one\"; http_client_body; sid:1;)");
850 result &= (sm->
next == NULL);
863 static int DetectHttpClientBodyTest02(
void)
874 "(msg:\"Testing http_client_body\"; "
875 "content:\"one\"; http_client_body:; sid:1;)");
889 static int DetectHttpClientBodyTest03(
void)
900 "(msg:\"Testing http_client_body\"; "
901 "http_client_body; sid:1;)");
915 static int DetectHttpClientBodyTest04(
void)
926 "(msg:\"Testing http_client_body\"; "
927 "content:\"one\"; rawbytes; http_client_body; sid:1;)");
941 static int DetectHttpClientBodyTest05(
void)
952 "(msg:\"Testing http_client_body\"; "
953 "content:\"one\"; http_client_body; nocase; sid:1;)");
967 static int DetectHttpClientBodyTest06(
void)
977 "GET /index.html HTTP/1.0\r\n"
978 "Host: www.openinfosecfoundation.org\r\n"
979 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
980 "Content-Type: text/html\r\n"
981 "Content-Length: 26\r\n"
983 "This is dummy message body";
984 uint32_t http_len =
sizeof(http_buf) - 1;
988 memset(&th_v, 0,
sizeof(th_v));
989 memset(&f, 0,
sizeof(f));
990 memset(&ssn, 0,
sizeof(ssn));
996 f.
proto = IPPROTO_TCP;
1014 "(msg:\"http client body test\"; "
1015 "content:\"message\"; http_client_body; "
1026 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1032 if (http_state == NULL) {
1033 printf(
"no http state: \n");
1042 printf(
"sid 1 didn't match but should have\n");
1063 static int DetectHttpClientBodyTest07(
void)
1073 uint8_t http1_buf[] =
1074 "GET /index.html HTTP/1.0\r\n"
1075 "Host: www.openinfosecfoundation.org\r\n"
1076 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1077 "Content-Type: text/html\r\n"
1078 "Content-Length: 54\r\n"
1080 "This is dummy message body1";
1081 uint8_t http2_buf[] =
1082 "This is dummy message body2";
1083 uint32_t http1_len =
sizeof(http1_buf) - 1;
1084 uint32_t http2_len =
sizeof(http2_buf) - 1;
1088 memset(&th_v, 0,
sizeof(th_v));
1089 memset(&f, 0,
sizeof(f));
1090 memset(&ssn, 0,
sizeof(ssn));
1097 f.
proto = IPPROTO_TCP;
1119 "(msg:\"http client body test\"; "
1120 "content:\"message\"; http_client_body; "
1131 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1137 if (http_state == NULL) {
1138 printf(
"no http state: ");
1146 printf(
"sid 1 matched on p1 but shouldn't have: ");
1153 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1160 printf(
"sid 1 didn't match on p2 but should have: ");
1182 static int DetectHttpClientBodyTest08(
void)
1192 uint8_t http1_buf[] =
1193 "GET /index.html HTTP/1.0\r\n"
1194 "Host: www.openinfosecfoundation.org\r\n"
1195 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1196 "Content-Type: text/html\r\n"
1197 "Content-Length: 46\r\n"
1199 "This is dummy body1";
1200 uint8_t http2_buf[] =
1201 "This is dummy message body2";
1202 uint32_t http1_len =
sizeof(http1_buf) - 1;
1203 uint32_t http2_len =
sizeof(http2_buf) - 1;
1207 memset(&th_v, 0,
sizeof(th_v));
1208 memset(&f, 0,
sizeof(f));
1209 memset(&ssn, 0,
sizeof(ssn));
1216 f.
proto = IPPROTO_TCP;
1238 "(msg:\"http client body test\"; "
1239 "content:\"message\"; http_client_body; "
1250 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1256 if (http_state == NULL) {
1257 printf(
"no http state: ");
1266 printf(
"sid 1 didn't match but should have");
1273 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1282 printf(
"sid 1 didn't match but should have");
1304 static int DetectHttpClientBodyTest09(
void)
1314 uint8_t http1_buf[] =
1315 "GET /index.html HTTP/1.0\r\n"
1316 "Host: www.openinfosecfoundation.org\r\n"
1317 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1318 "Content-Type: text/html\r\n"
1319 "Content-Length: 46\r\n"
1321 "This is dummy body1";
1322 uint8_t http2_buf[] =
1323 "This is dummy message body2";
1324 uint32_t http1_len =
sizeof(http1_buf) - 1;
1325 uint32_t http2_len =
sizeof(http2_buf) - 1;
1329 memset(&th_v, 0,
sizeof(th_v));
1330 memset(&f, 0,
sizeof(f));
1331 memset(&ssn, 0,
sizeof(ssn));
1338 f.
proto = IPPROTO_TCP;
1360 "(msg:\"http client body test\"; "
1361 "content:\"body1This\"; http_client_body; "
1372 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1378 if (http_state == NULL) {
1379 printf(
"no http state: ");
1388 printf(
"sid 1 didn't match but should have");
1395 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1404 printf(
"sid 1 didn't match but should have");
1426 static int DetectHttpClientBodyTest10(
void)
1436 uint8_t http1_buf[] =
1437 "GET /index.html HTTP/1.0\r\n"
1438 "Host: www.openinfosecfoundation.org\r\n"
1439 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1440 "Content-Type: text/html\r\n"
1441 "Content-Length: 46\r\n"
1443 "This is dummy bodY1";
1444 uint8_t http2_buf[] =
1445 "This is dummy message body2";
1446 uint32_t http1_len =
sizeof(http1_buf) - 1;
1447 uint32_t http2_len =
sizeof(http2_buf) - 1;
1451 memset(&th_v, 0,
sizeof(th_v));
1452 memset(&f, 0,
sizeof(f));
1453 memset(&ssn, 0,
sizeof(ssn));
1460 f.
proto = IPPROTO_TCP;
1482 "(msg:\"http client body test\"; "
1483 "content:\"body1This\"; http_client_body; nocase;"
1494 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1500 if (http_state == NULL) {
1501 printf(
"no http state: \n");
1510 printf(
"sid 1 didn't match but should have\n");
1517 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1526 printf(
"sid 1 didn't match but should have");
1548 static int DetectHttpClientBodyTest11(
void)
1557 uint8_t http_buf[] =
1558 "GET /index.html HTTP/1.0\r\n"
1559 "Host: www.openinfosecfoundation.org\r\n"
1560 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1561 "Content-Type: text/html\r\n"
1562 "Content-Length: 26\r\n"
1564 "This is dummy message body";
1565 uint32_t http_len =
sizeof(http_buf) - 1;
1569 memset(&th_v, 0,
sizeof(th_v));
1570 memset(&f, 0,
sizeof(f));
1571 memset(&ssn, 0,
sizeof(ssn));
1577 f.
proto = IPPROTO_TCP;
1595 "(msg:\"http client body test\"; "
1596 "content:!\"message1\"; http_client_body; "
1607 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1613 if (http_state == NULL) {
1614 printf(
"no http state: ");
1623 printf(
"sid 1 didn't match but should have");
1644 static int DetectHttpClientBodyTest12(
void)
1653 uint8_t http_buf[] =
1654 "GET /index.html HTTP/1.0\r\n"
1655 "Host: www.openinfosecfoundation.org\r\n"
1656 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1657 "Content-Type: text/html\r\n"
1658 "Content-Length: 26\r\n"
1660 "This is dummy message body";
1661 uint32_t http_len =
sizeof(http_buf) - 1;
1665 memset(&th_v, 0,
sizeof(th_v));
1666 memset(&f, 0,
sizeof(f));
1667 memset(&ssn, 0,
sizeof(ssn));
1673 f.
proto = IPPROTO_TCP;
1691 "(msg:\"http client body test\"; "
1692 "content:!\"message\"; http_client_body; "
1703 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1709 if (http_state == NULL) {
1710 printf(
"no http state: ");
1719 printf(
"sid 1 didn't match but should have");
1740 static int DetectHttpClientBodyTest13(
void)
1749 uint8_t http_buf[] =
1750 "GET /index.html HTTP/1.0\r\n"
1751 "Host: www.openinfosecfoundation.org\r\n"
1752 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1753 "Content-Type: text/html\r\n"
1754 "Content-Length: 55\r\n"
1756 "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
1757 uint32_t http_len =
sizeof(http_buf) - 1;
1761 memset(&th_v, 0,
sizeof(th_v));
1762 memset(&f, 0,
sizeof(f));
1763 memset(&ssn, 0,
sizeof(ssn));
1769 f.
proto = IPPROTO_TCP;
1787 "(msg:\"http client body test\"; "
1788 "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_client_body; "
1799 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1805 if (http_state == NULL) {
1806 printf(
"no http state: ");
1815 printf(
"sid 1 didn't match but should have");
1833 static int DetectHttpClientBodyTest14(
void)
1842 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1843 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1844 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1845 uint8_t httpbuf4[] =
"Body one!!";
1846 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1847 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1848 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1849 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1850 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1851 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1852 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1853 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1854 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1855 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1858 memset(&th_v, 0,
sizeof(th_v));
1859 memset(&f, 0,
sizeof(f));
1860 memset(&ssn, 0,
sizeof(ssn));
1866 f.
proto = IPPROTO_TCP;
1884 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"one\"; http_client_body; sid:1; rev:1;)");
1886 printf(
"sig parse failed: ");
1889 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; content:\"two\"; http_client_body; sid:2; rev:1;)");
1891 printf(
"sig2 parse failed: ");
1901 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1908 printf(
"sig 1 alerted: ");
1915 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
1922 printf(
"sig 1 alerted (2): ");
1929 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
1936 printf(
"signature matched, but shouldn't have: ");
1943 printf(
"toserver chunk 4 returned %" PRId32
", expected 0: ", r);
1951 printf(
"sig 1 didn't alert: ");
1958 printf(
"toserver chunk 5 returned %" PRId32
", expected 0: ", r);
1965 printf(
"sig 1 alerted (5): ");
1972 printf(
"toserver chunk 6 returned %" PRId32
", expected 0: ", r);
1979 printf(
"sig 1 alerted (request 2, chunk 6): ");
1988 printf(
"toserver chunk 7 returned %" PRId32
", expected 0: ", r);
1995 printf(
"signature 2 didn't match, but should have: ");
2001 if (htp_state == NULL) {
2002 printf(
"no http state: ");
2008 printf(
"The http app layer doesn't have 2 transactions, but it should: ");
2016 if (det_ctx != NULL) {
2030 static int DetectHttpClientBodyTest15(
void)
2039 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
2040 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
2041 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
2042 uint8_t httpbuf4[] =
"Body one!!";
2043 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2044 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
2045 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
2046 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
2047 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
2048 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
2049 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
2050 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
2051 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
2052 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
2055 memset(&th_v, 0,
sizeof(th_v));
2056 memset(&f, 0,
sizeof(f));
2057 memset(&ssn, 0,
sizeof(ssn));
2063 f.
proto = IPPROTO_TCP;
2081 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"one\"; http_client_body; sid:1; rev:1;)");
2083 printf(
"sig parse failed: ");
2086 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; content:\"two\"; http_client_body; sid:2; rev:1;)");
2088 printf(
"sig2 parse failed: ");
2098 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2105 printf(
"sig 1 alerted: ");
2112 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
2119 printf(
"sig 1 alerted (2): ");
2126 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
2133 printf(
"signature matched, but shouldn't have: ");
2140 printf(
"toserver chunk 4 returned %" PRId32
", expected 0: ", r);
2148 printf(
"sig 1 didn't alert: ");
2155 printf(
"toserver chunk 5 returned %" PRId32
", expected 0: ", r);
2162 printf(
"sig 1 alerted (5): ");
2169 printf(
"toserver chunk 6 returned %" PRId32
", expected 0: ", r);
2176 printf(
"sig 1 alerted (request 2, chunk 6): ");
2185 printf(
"toserver chunk 7 returned %" PRId32
", expected 0: ", r);
2192 printf(
"signature 2 didn't match, but should have: ");
2198 if (htp_state == NULL) {
2199 printf(
"no http state: ");
2206 printf(
"The http app layer doesn't have 2 transactions, but it should: ");
2217 SCLogDebug(
"No body data in t1 (it should be removed only when the tx is destroyed): ");
2222 (uint8_t *)
"Body one!!", 10) != 1)
2224 SCLogDebug(
"Body data in t1 is not correctly set: ");
2232 SCLogDebug(
"No body data in t1 (it should be removed only when the tx is destroyed): ");
2237 (uint8_t *)
"Body two!!", 10) != 1)
2239 SCLogDebug(
"Body data in t1 is not correctly set: ");
2247 if (det_ctx != NULL) {
2260 static int DetectHttpClientBodyTest22(
void)
2270 "(content:\"one\"; content:\"two\"; http_client_body; "
2271 "content:\"three\"; distance:10; http_client_body; content:\"four\"; sid:1;)");
2273 printf(
"de_ctx->sig_list == NULL\n");
2278 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2282 if (
de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2283 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2292 cd2->flags != 0 || memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2296 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2314 static int DetectHttpClientBodyTest23(
void)
2324 "(content:\"one\"; http_client_body; pcre:/two/; "
2325 "content:\"three\"; distance:10; http_client_body; content:\"four\"; sid:1;)");
2327 printf(
"de_ctx->sig_list == NULL\n");
2332 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2336 if (
de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2337 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2345 if (pd1->
flags != 0 ||
2346 cd2->flags != 0 || memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2350 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2367 static int DetectHttpClientBodyTest24(
void)
2377 "(content:\"one\"; http_client_body; pcre:/two/; "
2378 "content:\"three\"; distance:10; within:15; http_client_body; content:\"four\"; sid:1;)");
2380 printf(
"de_ctx->sig_list == NULL\n");
2385 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2389 if (
de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2390 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2398 if (pd1->
flags != 0 ||
2399 cd2->flags != 0 || memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2403 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2420 static int DetectHttpClientBodyTest25(
void)
2430 "(content:\"one\"; http_client_body; pcre:/two/; "
2431 "content:\"three\"; distance:10; http_client_body; "
2432 "content:\"four\"; distance:10; sid:1;)");
2434 printf(
"de_ctx->sig_list == NULL\n");
2439 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2443 if (
de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2444 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2454 memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2458 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2475 static int DetectHttpClientBodyTest26(
void)
2485 "(content:\"one\"; offset:10; http_client_body; pcre:/two/; "
2486 "content:\"three\"; distance:10; http_client_body; within:10; "
2487 "content:\"four\"; distance:10; sid:1;)");
2489 printf(
"de_ctx->sig_list == NULL\n");
2494 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2498 if (
de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2499 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2509 memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2513 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2514 printf (
"failed: http_client_body incorrect flags");
2531 static int DetectHttpClientBodyTest27(
void)
2541 "(content:\"one\"; offset:10; http_client_body; pcre:/two/; "
2542 "content:\"three\"; distance:10; http_client_body; within:10; "
2543 "content:\"four\"; distance:10; sid:1;)");
2545 printf(
"de_ctx->sig_list == NULL\n");
2556 static int DetectHttpClientBodyTest28(
void)
2566 "(content:\"one\"; http_client_body; pcre:/two/; "
2567 "content:\"three\"; http_client_body; depth:10; "
2568 "content:\"four\"; distance:10; sid:1;)");
2570 printf(
"de_ctx->sig_list == NULL\n");
2575 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
2579 if (
de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2580 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2590 memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2591 hcbd1->
flags != 0 ||
2594 memcmp(hcbd2->content,
"three", hcbd1->
content_len) != 0) {
2611 static int DetectHttpClientBodyTest29(
void)
2621 "(content:\"one\"; http_client_body; "
2622 "content:\"two\"; distance:0; http_client_body; sid:1;)");
2624 printf(
"de_ctx->sig_list == NULL\n");
2629 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
2633 if (
de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2634 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2643 memcmp(hcbd2->content,
"two", hcbd1->
content_len) != 0) {
2654 static int DetectHttpClientBodyTest30(
void)
2664 "(content:\"one\"; http_client_body; "
2665 "content:\"two\"; within:5; http_client_body; sid:1;)");
2667 printf(
"de_ctx->sig_list == NULL\n");
2672 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
2676 if (
de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2677 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2686 memcmp(hcbd2->content,
"two", hcbd1->
content_len) != 0) {
2697 static int DetectHttpClientBodyTest31(
void)
2707 "(content:\"one\"; within:5; http_client_body; sid:1;)");
2709 printf(
"de_ctx->sig_list == NULL\n");
2720 static int DetectHttpClientBodyTest32(
void)
2730 "(content:\"one\"; http_client_body; within:5; sid:1;)");
2732 printf(
"de_ctx->sig_list != NULL\n");
2743 static int DetectHttpClientBodyTest33(
void)
2753 "(content:\"one\"; within:5; sid:1;)");
2755 printf(
"de_ctx->sig_list == NULL\n");
2766 static int DetectHttpClientBodyTest34(
void)
2777 "content:\"two\"; within:5; http_client_body; sid:1;)");
2779 printf(
"de_ctx->sig_list == NULL\n");
2784 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
2788 if (
de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2789 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2793 if (
de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
2795 de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
2805 memcmp(hcbd2->content,
"two", hcbd2->content_len) != 0) {
2816 static int DetectHttpClientBodyTest35(
void)
2826 "(content:\"two\"; http_client_body; "
2827 "pcre:/one/PR; sid:1;)");
2829 printf(
"de_ctx->sig_list == NULL\n");
2834 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
2838 if (
de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2839 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2843 if (
de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
2845 de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
2866 static int DetectHttpClientBodyTest36(
void)
2877 "content:\"two\"; distance:5; http_client_body; sid:1;)");
2879 printf(
"de_ctx->sig_list == NULL\n");
2884 printf(
"de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
2888 if (
de_ctx->
sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
2889 printf(
"de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
2893 if (
de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
2895 de_ctx->
sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
2905 memcmp(hcbd2->content,
"two", hcbd2->content_len) != 0) {
2916 static int DetectHttpClientBodyIsdataatParseTest(
void)
2923 "alert tcp any any -> any any ("
2924 "content:\"one\"; http_client_body; "
2925 "isdataat:!4,relative; sid:1;)");
2943 UtRegisterTest(
"DetectHttpClientBodyParserTest01", DetectHttpClientBodyParserTest01);
2944 UtRegisterTest(
"DetectHttpClientBodyParserTest02", DetectHttpClientBodyParserTest02);
2945 UtRegisterTest(
"DetectHttpClientBodyTest01", DetectHttpClientBodyTest01);
2946 UtRegisterTest(
"DetectHttpClientBodyTest02", DetectHttpClientBodyTest02);
2947 UtRegisterTest(
"DetectHttpClientBodyTest03", DetectHttpClientBodyTest03);
2948 UtRegisterTest(
"DetectHttpClientBodyTest04", DetectHttpClientBodyTest04);
2949 UtRegisterTest(
"DetectHttpClientBodyTest05", DetectHttpClientBodyTest05);
2950 UtRegisterTest(
"DetectHttpClientBodyTest06", DetectHttpClientBodyTest06);
2951 UtRegisterTest(
"DetectHttpClientBodyTest07", DetectHttpClientBodyTest07);
2952 UtRegisterTest(
"DetectHttpClientBodyTest08", DetectHttpClientBodyTest08);
2953 UtRegisterTest(
"DetectHttpClientBodyTest09", DetectHttpClientBodyTest09);
2954 UtRegisterTest(
"DetectHttpClientBodyTest10", DetectHttpClientBodyTest10);
2955 UtRegisterTest(
"DetectHttpClientBodyTest11", DetectHttpClientBodyTest11);
2956 UtRegisterTest(
"DetectHttpClientBodyTest12", DetectHttpClientBodyTest12);
2957 UtRegisterTest(
"DetectHttpClientBodyTest13", DetectHttpClientBodyTest13);
2958 UtRegisterTest(
"DetectHttpClientBodyTest14", DetectHttpClientBodyTest14);
2959 UtRegisterTest(
"DetectHttpClientBodyTest15", DetectHttpClientBodyTest15);
2961 UtRegisterTest(
"DetectHttpClientBodyTest22", DetectHttpClientBodyTest22);
2962 UtRegisterTest(
"DetectHttpClientBodyTest23", DetectHttpClientBodyTest23);
2963 UtRegisterTest(
"DetectHttpClientBodyTest24", DetectHttpClientBodyTest24);
2964 UtRegisterTest(
"DetectHttpClientBodyTest25", DetectHttpClientBodyTest25);
2965 UtRegisterTest(
"DetectHttpClientBodyTest26", DetectHttpClientBodyTest26);
2966 UtRegisterTest(
"DetectHttpClientBodyTest27", DetectHttpClientBodyTest27);
2967 UtRegisterTest(
"DetectHttpClientBodyTest28", DetectHttpClientBodyTest28);
2968 UtRegisterTest(
"DetectHttpClientBodyTest29", DetectHttpClientBodyTest29);
2969 UtRegisterTest(
"DetectHttpClientBodyTest30", DetectHttpClientBodyTest30);
2970 UtRegisterTest(
"DetectHttpClientBodyTest31", DetectHttpClientBodyTest31);
2971 UtRegisterTest(
"DetectHttpClientBodyTest32", DetectHttpClientBodyTest32);
2972 UtRegisterTest(
"DetectHttpClientBodyTest33", DetectHttpClientBodyTest33);
2973 UtRegisterTest(
"DetectHttpClientBodyTest34", DetectHttpClientBodyTest34);
2974 UtRegisterTest(
"DetectHttpClientBodyTest35", DetectHttpClientBodyTest35);
2975 UtRegisterTest(
"DetectHttpClientBodyTest36", DetectHttpClientBodyTest36);
2978 DetectHttpClientBodyIsdataatParseTest);
2981 DetectEngineHttpClientBodyTest01);
2983 DetectEngineHttpClientBodyTest02);
2985 DetectEngineHttpClientBodyTest03);
2987 DetectEngineHttpClientBodyTest04);
2989 DetectEngineHttpClientBodyTest05);
2991 DetectEngineHttpClientBodyTest06);
2993 DetectEngineHttpClientBodyTest07);
2995 DetectEngineHttpClientBodyTest08);
2997 DetectEngineHttpClientBodyTest09);
2999 DetectEngineHttpClientBodyTest10);
3001 DetectEngineHttpClientBodyTest11);
3003 DetectEngineHttpClientBodyTest12);
3005 DetectEngineHttpClientBodyTest13);
3007 DetectEngineHttpClientBodyTest14);
3009 DetectEngineHttpClientBodyTest15);
3011 DetectEngineHttpClientBodyTest16);
3013 DetectEngineHttpClientBodyTest17);
3015 DetectEngineHttpClientBodyTest18);
3017 DetectEngineHttpClientBodyTest19);
3019 DetectEngineHttpClientBodyTest20);
3021 DetectEngineHttpClientBodyTest21);
3023 DetectEngineHttpClientBodyTest22);
3025 DetectEngineHttpClientBodyTest23);
3027 DetectEngineHttpClientBodyTest24);
3029 DetectEngineHttpClientBodyTest25);
3031 DetectEngineHttpClientBodyTest26);
3033 DetectEngineHttpClientBodyTest27);
3035 DetectEngineHttpClientBodyTest28);
3037 DetectEngineHttpClientBodyTest29);
3040 DetectEngineHttpClientBodyTest30);
3042 DetectEngineHttpClientBodyTest31);