35 #include "../suricata-common.h"
36 #include "../suricata.h"
37 #include "../decode.h"
75 static int DetectHttpClientBodyParserTest01(
void)
78 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; nocase; http_client_body; sid:1;)",
true));
79 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; endswith; http_client_body; sid:1;)",
true));
80 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; http_client_body; sid:1;)",
true));
81 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; endswith; http_client_body; sid:1;)",
true));
83 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; content:\"abc\"; rawbytes; http_client_body; sid:1;)",
false));
92 static int DetectHttpClientBodyParserTest02(
void)
95 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; nocase; sid:1;)",
true));
96 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; endswith; sid:1;)",
true));
97 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; sid:1;)",
true));
98 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; endswith; sid:1;)",
true));
101 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; rawbytes; sid:1;)",
false));
114 static int RunTest (
struct TestSteps *steps,
const char *sig,
const char *yaml)
123 memset(&th_v, 0,
sizeof(th_v));
124 memset(&f, 0,
sizeof(f));
125 memset(&ssn, 0,
sizeof(ssn));
144 f.
proto = IPPROTO_TCP;
158 while (b->
input != NULL) {
197 static int DetectEngineHttpClientBodyTest01(
void)
200 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
201 "Host: www.openinfosecfoundation.org\r\n"
202 "Content-Type: text/html\r\n"
203 "Content-Length: 46\r\n"
205 "This is dummy body1",
206 0, STREAM_TOSERVER, 0 },
207 { (
const uint8_t *)
"This is dummy message body2",
208 0, STREAM_TOSERVER, 1 },
212 const char *sig =
"alert http any any -> any any (content:\"body1This\"; http_client_body; sid:1;)";
213 return RunTest(steps, sig, NULL);
216 static int DetectEngineHttpClientBodyTest02(
void)
219 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
220 "Host: www.openinfosecfoundation.org\r\n"
221 "Content-Type: text/html\r\n"
222 "Content-Length: 19\r\n"
224 "This is dummy body1",
225 0, STREAM_TOSERVER, 1 },
229 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; offset:5; sid:1;)";
230 return RunTest(steps, sig, NULL);
233 static int DetectEngineHttpClientBodyTest03(
void)
236 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
237 "Host: www.openinfosecfoundation.org\r\n"
238 "Content-Type: text/html\r\n"
239 "Content-Length: 46\r\n"
241 "This is dummy body1",
242 0, STREAM_TOSERVER, 0 },
243 { (
const uint8_t *)
"This is dummy message body2",
244 0, STREAM_TOSERVER, 0 },
248 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; offset:16; sid:1;)";
249 return RunTest(steps, sig, NULL);
252 static int DetectEngineHttpClientBodyTest04(
void)
255 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
256 "Host: www.openinfosecfoundation.org\r\n"
257 "Content-Type: text/html\r\n"
258 "Content-Length: 46\r\n"
260 "This is dummy body1",
261 0, STREAM_TOSERVER, 0 },
262 { (
const uint8_t *)
"This is dummy message body2",
263 0, STREAM_TOSERVER, 1 },
267 const char *sig =
"alert http any any -> any any (content:!\"body1\"; http_client_body; offset:16; sid:1;)";
268 return RunTest(steps, sig, NULL);
271 static int DetectEngineHttpClientBodyTest05(
void)
274 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
275 "Host: www.openinfosecfoundation.org\r\n"
276 "Content-Type: text/html\r\n"
277 "Content-Length: 46\r\n"
279 "This is dummy body1",
280 0, STREAM_TOSERVER, 0 },
281 { (
const uint8_t *)
"This is dummy message body2",
282 0, STREAM_TOSERVER, 1 },
286 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; depth:25; sid:1;)";
287 return RunTest(steps, sig, NULL);
290 static int DetectEngineHttpClientBodyTest06(
void)
293 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
294 "Host: www.openinfosecfoundation.org\r\n"
295 "Content-Type: text/html\r\n"
296 "Content-Length: 46\r\n"
298 "This is dummy body1",
299 0, STREAM_TOSERVER, 0 },
300 { (
const uint8_t *)
"This is dummy message body2",
301 0, STREAM_TOSERVER, 0 },
305 const char *sig =
"alert http any any -> any any (content:!\"body1\"; http_client_body; depth:25; sid:1;)";
306 return RunTest(steps, sig, NULL);
309 static int DetectEngineHttpClientBodyTest07(
void)
312 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
313 "Host: www.openinfosecfoundation.org\r\n"
314 "Content-Type: text/html\r\n"
315 "Content-Length: 46\r\n"
317 "This is dummy body1",
318 0, STREAM_TOSERVER, 0 },
319 { (
const uint8_t *)
"This is dummy message body2",
320 0, STREAM_TOSERVER, 1 },
324 const char *sig =
"alert http any any -> any any (content:!\"body1\"; http_client_body; depth:15; sid:1;)";
325 return RunTest(steps, sig, NULL);
328 static int DetectEngineHttpClientBodyTest08(
void)
331 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
332 "Host: www.openinfosecfoundation.org\r\n"
333 "Content-Type: text/html\r\n"
334 "Content-Length: 46\r\n"
336 "This is dummy body1",
337 0, STREAM_TOSERVER, 0 },
338 { (
const uint8_t *)
"This is dummy message body2",
339 0, STREAM_TOSERVER, 1 },
343 const char *sig =
"alert http any any -> any any (content:\"This is dummy body1This is dummy message body2\"; http_client_body; sid:1;)";
344 return RunTest(steps, sig, NULL);
347 static int DetectEngineHttpClientBodyTest09(
void)
350 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
351 "Host: www.openinfosecfoundation.org\r\n"
352 "Content-Type: text/html\r\n"
353 "Content-Length: 46\r\n"
355 "This is dummy body1",
356 0, STREAM_TOSERVER, 0 },
357 { (
const uint8_t *)
"This is dummy message body2",
358 0, STREAM_TOSERVER, 1 },
362 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"This\"; http_client_body; within:5; sid:1;)";
363 return RunTest(steps, sig, NULL);
366 static int DetectEngineHttpClientBodyTest10(
void)
369 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
370 "Host: www.openinfosecfoundation.org\r\n"
371 "Content-Type: text/html\r\n"
372 "Content-Length: 46\r\n"
374 "This is dummy body1",
375 0, STREAM_TOSERVER, 0 },
376 { (
const uint8_t *)
"This is dummy message body2",
377 0, STREAM_TOSERVER, 1 },
381 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"boom\"; http_client_body; within:5; sid:1;)";
382 return RunTest(steps, sig, NULL);
385 static int DetectEngineHttpClientBodyTest11(
void)
388 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
389 "Host: www.openinfosecfoundation.org\r\n"
390 "Content-Type: text/html\r\n"
391 "Content-Length: 46\r\n"
393 "This is dummy body1",
394 0, STREAM_TOSERVER, 0 },
395 { (
const uint8_t *)
"This is dummy message body2",
396 0, STREAM_TOSERVER, 0 },
400 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"boom\"; http_client_body; within:5; sid:1;)";
401 return RunTest(steps, sig, NULL);
404 static int DetectEngineHttpClientBodyTest12(
void)
407 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
408 "Host: www.openinfosecfoundation.org\r\n"
409 "Content-Type: text/html\r\n"
410 "Content-Length: 46\r\n"
412 "This is dummy body1",
413 0, STREAM_TOSERVER, 0 },
414 { (
const uint8_t *)
"This is dummy message body2",
415 0, STREAM_TOSERVER, 0 },
419 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"This\"; http_client_body; within:5; sid:1;)";
420 return RunTest(steps, sig, NULL);
423 static int DetectEngineHttpClientBodyTest13(
void)
426 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
427 "Host: www.openinfosecfoundation.org\r\n"
428 "Content-Type: text/html\r\n"
429 "Content-Length: 46\r\n"
431 "This is dummy body1",
432 0, STREAM_TOSERVER, 0 },
433 { (
const uint8_t *)
"This is dummy message body2",
434 0, STREAM_TOSERVER, 1 },
438 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"dummy\"; http_client_body; distance:5; sid:1;)";
439 return RunTest(steps, sig, NULL);
442 static int DetectEngineHttpClientBodyTest14(
void)
445 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
446 "Host: www.openinfosecfoundation.org\r\n"
447 "Content-Type: text/html\r\n"
448 "Content-Length: 46\r\n"
450 "This is dummy body1",
451 0, STREAM_TOSERVER, 0 },
452 { (
const uint8_t *)
"This is dummy message body2",
453 0, STREAM_TOSERVER, 1 },
457 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"dummy\"; http_client_body; distance:10; sid:1;)";
458 return RunTest(steps, sig, NULL);
461 static int DetectEngineHttpClientBodyTest15(
void)
464 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
465 "Host: www.openinfosecfoundation.org\r\n"
466 "Content-Type: text/html\r\n"
467 "Content-Length: 46\r\n"
469 "This is dummy body1",
470 0, STREAM_TOSERVER, 0 },
471 { (
const uint8_t *)
"This is dummy message body2",
472 0, STREAM_TOSERVER, 0 },
476 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"dummy\"; http_client_body; distance:10; sid:1;)";
477 return RunTest(steps, sig, NULL);
480 static int DetectEngineHttpClientBodyTest16(
void)
483 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
484 "Host: www.openinfosecfoundation.org\r\n"
485 "Content-Type: text/html\r\n"
486 "Content-Length: 46\r\n"
488 "This is dummy body1",
489 0, STREAM_TOSERVER, 0 },
490 { (
const uint8_t *)
"This is dummy message body2",
491 0, STREAM_TOSERVER, 0 },
495 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"dummy\"; http_client_body; distance:5; sid:1;)";
496 return RunTest(steps, sig, NULL);
499 static int DetectEngineHttpClientBodyTest17(
void)
502 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
503 "Host: www.openinfosecfoundation.org\r\n"
504 "Content-Type: text/html\r\n"
505 "Content-Length: 19\r\n"
507 "This is dummy body1",
508 0, STREAM_TOSERVER, 0 },
512 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"bambu\"; http_client_body; sid:1;)";
513 return RunTest(steps, sig, NULL);
516 static int DetectEngineHttpClientBodyTest18(
void)
519 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
520 "Host: www.openinfosecfoundation.org\r\n"
521 "Content-Type: text/html\r\n"
522 "Content-Length: 19\r\n"
524 "This is dummy body1",
525 0, STREAM_TOSERVER, 0 },
529 const char *sig =
"alert http any any -> any any (content:\"body1\"; http_client_body; content:\"bambu\"; http_client_body; fast_pattern; sid:1;)";
530 return RunTest(steps, sig, NULL);
533 static int DetectEngineHttpClientBodyTest19(
void)
536 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
537 "Host: www.openinfosecfoundation.org\r\n"
538 "Content-Type: text/html\r\n"
539 "Content-Length: 19\r\n"
541 "This is dummy body1",
542 0, STREAM_TOSERVER, 0 },
546 const char *sig =
"alert http any any -> any any (content:\"bambu\"; http_client_body; content:\"is\"; http_client_body; sid:1;)";
547 return RunTest(steps, sig, NULL);
550 static int DetectEngineHttpClientBodyTest20(
void)
553 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
554 "Host: www.openinfosecfoundation.org\r\n"
555 "Content-Type: text/html\r\n"
556 "Content-Length: 19\r\n"
558 "This is dummy body1",
559 0, STREAM_TOSERVER, 1 },
563 const char *sig =
"alert http any any -> any any (content:\"is\"; http_client_body; fast_pattern; sid:1;)";
564 return RunTest(steps, sig, NULL);
567 static int DetectEngineHttpClientBodyTest21(
void)
570 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
571 "Host: www.openinfosecfoundation.org\r\n"
572 "Content-Type: text/html\r\n"
573 "Content-Length: 46\r\n"
575 "This is dummy body1",
576 0, STREAM_TOSERVER, 0 },
577 { (
const uint8_t *)
"This is dummy message body2",
578 0, STREAM_TOSERVER, 1 },
582 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; http_client_body; within:7; sid:1;)";
583 return RunTest(steps, sig, NULL);
586 static int DetectEngineHttpClientBodyTest22(
void)
589 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
590 "Host: www.openinfosecfoundation.org\r\n"
591 "Content-Type: text/html\r\n"
592 "Content-Length: 46\r\n"
594 "This is dummy body1",
595 0, STREAM_TOSERVER, 0 },
596 { (
const uint8_t *)
"This is dummy message body2",
597 0, STREAM_TOSERVER, 1 },
601 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; within:7; http_client_body; sid:1;)";
602 return RunTest(steps, sig, NULL);
605 static int DetectEngineHttpClientBodyTest23(
void)
608 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
609 "Host: www.openinfosecfoundation.org\r\n"
610 "Content-Type: text/html\r\n"
611 "Content-Length: 46\r\n"
613 "This is dummy body1",
614 0, STREAM_TOSERVER, 0 },
615 { (
const uint8_t *)
"This is dummy message body2",
616 0, STREAM_TOSERVER, 0 },
620 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; distance:3; http_client_body; sid:1;)";
621 return RunTest(steps, sig, NULL);
624 static int DetectEngineHttpClientBodyTest24(
void)
627 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
628 "Host: www.openinfosecfoundation.org\r\n"
629 "Content-Type: text/html\r\n"
630 "Content-Length: 46\r\n"
632 "This is dummy body1",
633 0, STREAM_TOSERVER, 0 },
634 { (
const uint8_t *)
"This is dummy message body2",
635 0, STREAM_TOSERVER, 1 },
639 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; distance:13; http_client_body; sid:1;)";
640 return RunTest(steps, sig, NULL);
643 static int DetectEngineHttpClientBodyTest25(
void)
646 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
647 "Host: www.openinfosecfoundation.org\r\n"
648 "Content-Type: text/html\r\n"
649 "Content-Length: 46\r\n"
651 "This is dummy body1",
652 0, STREAM_TOSERVER, 0 },
653 { (
const uint8_t *)
"This is dummy message body2",
654 0, STREAM_TOSERVER, 1 },
658 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; within:15; http_client_body; sid:1;)";
659 return RunTest(steps, sig, NULL);
662 static int DetectEngineHttpClientBodyTest26(
void)
665 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
666 "Host: www.openinfosecfoundation.org\r\n"
667 "Content-Type: text/html\r\n"
668 "Content-Length: 46\r\n"
670 "This is dummy body1",
671 0, STREAM_TOSERVER, 0 },
672 { (
const uint8_t *)
"This is dummy message body2",
673 0, STREAM_TOSERVER, 0 },
677 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; within:10; http_client_body; sid:1;)";
678 return RunTest(steps, sig, NULL);
681 static int DetectEngineHttpClientBodyTest27(
void)
684 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
685 "Host: www.openinfosecfoundation.org\r\n"
686 "Content-Type: text/html\r\n"
687 "Content-Length: 46\r\n"
689 "This is dummy body1",
690 0, STREAM_TOSERVER, 0 },
691 { (
const uint8_t *)
"This is dummy message body2",
692 0, STREAM_TOSERVER, 1 },
696 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; distance:8; http_client_body; sid:1;)";
697 return RunTest(steps, sig, NULL);
700 static int DetectEngineHttpClientBodyTest28(
void)
703 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
704 "Host: www.openinfosecfoundation.org\r\n"
705 "Content-Type: text/html\r\n"
706 "Content-Length: 46\r\n"
708 "This is dummy body1",
709 0, STREAM_TOSERVER, 0 },
710 { (
const uint8_t *)
"This is dummy message body2",
711 0, STREAM_TOSERVER, 0 },
715 const char *sig =
"alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; distance:14; http_client_body; sid:1;)";
716 return RunTest(steps, sig, NULL);
719 static int DetectEngineHttpClientBodyTest29(
void)
721 const char *request_buffer =
"GET /one HTTP/1.0\r\n"
722 "Host: localhost\r\n\r\n";
723 #define TOTAL_REQUESTS 45
728 memcpy(http_buf + i * strlen(request_buffer), request_buffer,
729 strlen(request_buffer));
732 #undef TOTAL_REQUESTS
735 { (
const uint8_t *)http_buf,
736 (
size_t)http_buf_len, STREAM_TOSERVER, 0 },
738 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
739 "Content-Type: text/html\r\n"
740 "Content-Length: 5\r\n"
743 0, STREAM_TOCLIENT, 0 },
748 const char *sig =
"alert http any any -> any any (content:\"dummyone\"; fast_pattern:0,3; http_server_body; sid:1;)";
749 int result = RunTest(steps, sig, NULL);
754 static int DetectEngineHttpClientBodyTest30(
void)
756 const char yaml[] =
"\
763 request-body-limit: 0\n\
764 response-body-limit: 0\n\
766 request-body-inspect-window: 0\n\
767 response-body-inspect-window: 0\n\
768 request-body-minimal-inspect-size: 0\n\
769 response-body-minimal-inspect-size: 0\n\
772 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
773 "Host: www.openinfosecfoundation.org\r\n"
774 "Content-Type: text/html\r\n"
775 "Content-Length: 46\r\n"
777 "This is dummy body1",
778 0, STREAM_TOSERVER, 0 },
779 { (
const uint8_t *)
"This is dummy message body2",
780 0, STREAM_TOSERVER, 0 },
784 const char *sig =
"alert http any any -> any any (content:\"bags\"; within:4; http_client_body; sid:1;)";
785 return RunTest(steps, sig, yaml);
788 static int DetectEngineHttpClientBodyTest31(
void)
790 const char yaml[] =
"\
797 request-body-limit: 0\n\
798 response-body-limit: 0\n\
800 request-body-inspect-window: 0\n\
801 response-body-inspect-window: 0\n\
802 request-body-minimal-inspect-size: 0\n\
803 response-body-minimal-inspect-size: 0\n\
807 { (
const uint8_t *)
"GET /index.html HTTP/1.1\r\n"
808 "Host: www.openinfosecfoundation.org\r\n"
809 "Content-Type: text/html\r\n"
810 "Content-Length: 46\r\n"
812 "This is dummy body1",
813 0, STREAM_TOSERVER, 0 },
814 { (
const uint8_t *)
"This is dummy message body2",
815 0, STREAM_TOSERVER, 0 },
819 const char *sig =
"alert http any any -> any any (content:\"bags\"; depth:4; http_client_body; sid:1;)";
820 return RunTest(steps, sig, yaml);
827 static int DetectHttpClientBodyTest01(
void)
834 "(msg:\"Testing http_client_body\"; "
835 "content:\"one\"; http_client_body; sid:1;)");
850 static int DetectHttpClientBodyTest02(
void)
857 "(msg:\"Testing http_client_body\"; "
858 "content:\"one\"; http_client_body:; sid:1;)");
868 static int DetectHttpClientBodyTest03(
void)
874 const char *sigs[] = {
875 "alert tcp any any -> any any (http_client_body; sid:1;)",
876 "alert tcp any any -> any any "
877 "(msg:\"Testing http_client_body\"; "
878 "content:\"one\"; rawbytes; http_client_body; sid:2;)",
882 for (uint32_t i = 0; sigs[i] != NULL; i++) {
894 static int DetectHttpClientBodyTest05(
void)
900 const char *sigs[] = {
901 "alert tcp any any -> any any (content:\"one\"; http_client_body; nocase; sid:1;)",
905 for (uint32_t i = 0; sigs[i] != NULL; i++) {
917 static int DetectHttpClientBodyTest06(
void)
927 "GET /index.html HTTP/1.0\r\n"
928 "Host: www.openinfosecfoundation.org\r\n"
929 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
930 "Content-Type: text/html\r\n"
931 "Content-Length: 26\r\n"
933 "This is dummy message body";
934 uint32_t http_len =
sizeof(http_buf) - 1;
938 memset(&th_v, 0,
sizeof(th_v));
939 memset(&f, 0,
sizeof(f));
940 memset(&ssn, 0,
sizeof(ssn));
946 f.
proto = IPPROTO_TCP;
964 "(msg:\"http client body test\"; "
965 "content:\"message\"; http_client_body; "
975 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
981 if (http_state == NULL) {
982 printf(
"no http state: \n");
991 printf(
"sid 1 didn't match but should have\n");
1012 static int DetectHttpClientBodyTest07(
void)
1022 uint8_t http1_buf[] =
1023 "GET /index.html HTTP/1.0\r\n"
1024 "Host: www.openinfosecfoundation.org\r\n"
1025 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1026 "Content-Type: text/html\r\n"
1027 "Content-Length: 54\r\n"
1029 "This is dummy message body1";
1030 uint8_t http2_buf[] =
1031 "This is dummy message body2";
1032 uint32_t http1_len =
sizeof(http1_buf) - 1;
1033 uint32_t http2_len =
sizeof(http2_buf) - 1;
1037 memset(&th_v, 0,
sizeof(th_v));
1038 memset(&f, 0,
sizeof(f));
1039 memset(&ssn, 0,
sizeof(ssn));
1046 f.
proto = IPPROTO_TCP;
1068 "(msg:\"http client body test\"; "
1069 "content:\"message\"; http_client_body; "
1079 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1085 if (http_state == NULL) {
1086 printf(
"no http state: ");
1094 printf(
"sid 1 matched on p1 but shouldn't have: ");
1101 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1108 printf(
"sid 1 didn't match on p2 but should have: ");
1130 static int DetectHttpClientBodyTest08(
void)
1140 uint8_t http1_buf[] =
1141 "GET /index.html HTTP/1.0\r\n"
1142 "Host: www.openinfosecfoundation.org\r\n"
1143 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1144 "Content-Type: text/html\r\n"
1145 "Content-Length: 46\r\n"
1147 "This is dummy body1";
1148 uint8_t http2_buf[] =
1149 "This is dummy message body2";
1150 uint32_t http1_len =
sizeof(http1_buf) - 1;
1151 uint32_t http2_len =
sizeof(http2_buf) - 1;
1155 memset(&th_v, 0,
sizeof(th_v));
1156 memset(&f, 0,
sizeof(f));
1157 memset(&ssn, 0,
sizeof(ssn));
1164 f.
proto = IPPROTO_TCP;
1186 "(msg:\"http client body test\"; "
1187 "content:\"message\"; http_client_body; "
1197 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1203 if (http_state == NULL) {
1204 printf(
"no http state: ");
1213 printf(
"sid 1 didn't match but should have");
1220 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1229 printf(
"sid 1 didn't match but should have");
1251 static int DetectHttpClientBodyTest09(
void)
1261 uint8_t http1_buf[] =
1262 "GET /index.html HTTP/1.0\r\n"
1263 "Host: www.openinfosecfoundation.org\r\n"
1264 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1265 "Content-Type: text/html\r\n"
1266 "Content-Length: 46\r\n"
1268 "This is dummy body1";
1269 uint8_t http2_buf[] =
1270 "This is dummy message body2";
1271 uint32_t http1_len =
sizeof(http1_buf) - 1;
1272 uint32_t http2_len =
sizeof(http2_buf) - 1;
1276 memset(&th_v, 0,
sizeof(th_v));
1277 memset(&f, 0,
sizeof(f));
1278 memset(&ssn, 0,
sizeof(ssn));
1285 f.
proto = IPPROTO_TCP;
1307 "(msg:\"http client body test\"; "
1308 "content:\"body1This\"; http_client_body; "
1318 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1324 if (http_state == NULL) {
1325 printf(
"no http state: ");
1334 printf(
"sid 1 didn't match but should have");
1341 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1350 printf(
"sid 1 didn't match but should have");
1372 static int DetectHttpClientBodyTest10(
void)
1382 uint8_t http1_buf[] =
1383 "GET /index.html HTTP/1.0\r\n"
1384 "Host: www.openinfosecfoundation.org\r\n"
1385 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1386 "Content-Type: text/html\r\n"
1387 "Content-Length: 46\r\n"
1389 "This is dummy bodY1";
1390 uint8_t http2_buf[] =
1391 "This is dummy message body2";
1392 uint32_t http1_len =
sizeof(http1_buf) - 1;
1393 uint32_t http2_len =
sizeof(http2_buf) - 1;
1397 memset(&th_v, 0,
sizeof(th_v));
1398 memset(&f, 0,
sizeof(f));
1399 memset(&ssn, 0,
sizeof(ssn));
1406 f.
proto = IPPROTO_TCP;
1428 "(msg:\"http client body test\"; "
1429 "content:\"body1This\"; http_client_body; nocase;"
1439 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1445 if (http_state == NULL) {
1446 printf(
"no http state: \n");
1455 printf(
"sid 1 didn't match but should have\n");
1462 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1471 printf(
"sid 1 didn't match but should have");
1493 static int DetectHttpClientBodyTest11(
void)
1502 uint8_t http_buf[] =
1503 "GET /index.html HTTP/1.0\r\n"
1504 "Host: www.openinfosecfoundation.org\r\n"
1505 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1506 "Content-Type: text/html\r\n"
1507 "Content-Length: 26\r\n"
1509 "This is dummy message body";
1510 uint32_t http_len =
sizeof(http_buf) - 1;
1514 memset(&th_v, 0,
sizeof(th_v));
1515 memset(&f, 0,
sizeof(f));
1516 memset(&ssn, 0,
sizeof(ssn));
1522 f.
proto = IPPROTO_TCP;
1540 "(msg:\"http client body test\"; "
1541 "content:!\"message1\"; http_client_body; "
1551 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1557 if (http_state == NULL) {
1558 printf(
"no http state: ");
1567 printf(
"sid 1 didn't match but should have");
1588 static int DetectHttpClientBodyTest12(
void)
1597 uint8_t http_buf[] =
1598 "GET /index.html HTTP/1.0\r\n"
1599 "Host: www.openinfosecfoundation.org\r\n"
1600 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1601 "Content-Type: text/html\r\n"
1602 "Content-Length: 26\r\n"
1604 "This is dummy message body";
1605 uint32_t http_len =
sizeof(http_buf) - 1;
1609 memset(&th_v, 0,
sizeof(th_v));
1610 memset(&f, 0,
sizeof(f));
1611 memset(&ssn, 0,
sizeof(ssn));
1617 f.
proto = IPPROTO_TCP;
1635 "(msg:\"http client body test\"; "
1636 "content:!\"message\"; http_client_body; "
1646 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1652 if (http_state == NULL) {
1653 printf(
"no http state: ");
1662 printf(
"sid 1 didn't match but should have");
1683 static int DetectHttpClientBodyTest13(
void)
1692 uint8_t http_buf[] =
1693 "GET /index.html HTTP/1.0\r\n"
1694 "Host: www.openinfosecfoundation.org\r\n"
1695 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1696 "Content-Type: text/html\r\n"
1697 "Content-Length: 55\r\n"
1699 "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
1700 uint32_t http_len =
sizeof(http_buf) - 1;
1704 memset(&th_v, 0,
sizeof(th_v));
1705 memset(&f, 0,
sizeof(f));
1706 memset(&ssn, 0,
sizeof(ssn));
1712 f.
proto = IPPROTO_TCP;
1730 "alert http any any -> any any "
1731 "(msg:\"http client body test\"; "
1732 "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_client_body; "
1742 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1748 if (http_state == NULL) {
1749 printf(
"no http state: ");
1758 printf(
"sid 1 didn't match but should have");
1776 static int DetectHttpClientBodyTest14(
void)
1785 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1786 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1787 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1788 uint8_t httpbuf4[] =
"Body one!!";
1789 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1790 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1791 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1792 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1793 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1794 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1795 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1796 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1797 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1798 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1801 memset(&th_v, 0,
sizeof(th_v));
1802 memset(&f, 0,
sizeof(f));
1803 memset(&ssn, 0,
sizeof(ssn));
1809 f.
proto = IPPROTO_TCP;
1827 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"one\"; http_client_body; sid:1; rev:1;)");
1829 printf(
"sig parse failed: ");
1832 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; content:\"two\"; http_client_body; sid:2; rev:1;)");
1834 printf(
"sig2 parse failed: ");
1844 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1851 printf(
"sig 1 alerted: ");
1858 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
1865 printf(
"sig 1 alerted (2): ");
1872 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
1879 printf(
"signature matched, but shouldn't have: ");
1886 printf(
"toserver chunk 4 returned %" PRId32
", expected 0: ", r);
1894 printf(
"sig 1 didn't alert: ");
1901 printf(
"toserver chunk 5 returned %" PRId32
", expected 0: ", r);
1908 printf(
"sig 1 alerted (5): ");
1915 printf(
"toserver chunk 6 returned %" PRId32
", expected 0: ", r);
1922 printf(
"sig 1 alerted (request 2, chunk 6): ");
1931 printf(
"toserver chunk 7 returned %" PRId32
", expected 0: ", r);
1938 printf(
"signature 2 didn't match, but should have: ");
1944 if (htp_state == NULL) {
1945 printf(
"no http state: ");
1951 printf(
"The http app layer doesn't have 2 transactions, but it should: ");
1959 if (det_ctx != NULL) {
1973 static int DetectHttpClientBodyTest15(
void)
1982 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1983 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1984 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1985 uint8_t httpbuf4[] =
"Body one!!";
1986 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1987 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1988 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1989 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1990 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1991 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1992 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1993 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1994 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1995 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1998 memset(&th_v, 0,
sizeof(th_v));
1999 memset(&f, 0,
sizeof(f));
2000 memset(&ssn, 0,
sizeof(ssn));
2006 f.
proto = IPPROTO_TCP;
2024 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"one\"; http_client_body; sid:1; rev:1;)");
2026 printf(
"sig parse failed: ");
2029 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; content:\"two\"; http_client_body; sid:2; rev:1;)");
2031 printf(
"sig2 parse failed: ");
2041 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2048 printf(
"sig 1 alerted: ");
2055 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
2062 printf(
"sig 1 alerted (2): ");
2069 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
2076 printf(
"signature matched, but shouldn't have: ");
2083 printf(
"toserver chunk 4 returned %" PRId32
", expected 0: ", r);
2091 printf(
"sig 1 didn't alert: ");
2098 printf(
"toserver chunk 5 returned %" PRId32
", expected 0: ", r);
2105 printf(
"sig 1 alerted (5): ");
2112 printf(
"toserver chunk 6 returned %" PRId32
", expected 0: ", r);
2119 printf(
"sig 1 alerted (request 2, chunk 6): ");
2128 printf(
"toserver chunk 7 returned %" PRId32
", expected 0: ", r);
2135 printf(
"signature 2 didn't match, but should have: ");
2141 if (htp_state == NULL) {
2142 printf(
"no http state: ");
2149 printf(
"The http app layer doesn't have 2 transactions, but it should: ");
2160 SCLogDebug(
"No body data in t1 (it should be removed only when the tx is destroyed): ");
2165 (uint8_t *)
"Body one!!", 10) != 1)
2167 SCLogDebug(
"Body data in t1 is not correctly set: ");
2175 SCLogDebug(
"No body data in t1 (it should be removed only when the tx is destroyed): ");
2180 (uint8_t *)
"Body two!!", 10) != 1)
2182 SCLogDebug(
"Body data in t1 is not correctly set: ");
2190 if (det_ctx != NULL) {
2203 static int DetectHttpClientBodyTest22(
void)
2209 "alert icmp any any -> any any "
2210 "(content:\"one\"; content:\"two\"; http_client_body; "
2211 "content:\"three\"; distance:10; http_client_body; content:\"four\"; sid:1;)");
2230 FAIL_IF(memcmp(cd2->content,
"four", cd2->content_len) != 0);
2245 static int DetectHttpClientBodyTest23(
void)
2252 "alert icmp any any -> any any "
2253 "(content:\"one\"; http_client_body; pcre:/two/; "
2254 "content:\"three\"; distance:10; http_client_body; content:\"four\"; sid:1;)");
2272 FAIL_IF(memcmp(cd2->content,
"four", cd2->content_len) != 0);
2285 static int DetectHttpClientBodyTest24(
void)
2295 "(content:\"one\"; http_client_body; pcre:/two/; "
2296 "content:\"three\"; distance:10; within:15; "
2297 "http_client_body; content:\"four\"; sid:1;)");
2299 printf(
"de_ctx->sig_list == NULL\n");
2304 printf(
"de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL\n");
2309 printf(
"DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2324 if (pd1->
flags != 0 ||
2325 cd2->flags != 0 || memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2346 static int DetectHttpClientBodyTest25(
void)
2357 "(content:\"one\"; http_client_body; pcre:/two/; "
2358 "content:\"three\"; distance:10; http_client_body; "
2359 "content:\"four\"; distance:10; sid:1;)");
2361 printf(
"de_ctx->sig_list == NULL\n");
2366 printf(
"de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL\n");
2371 printf(
"DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2388 memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2409 static int DetectHttpClientBodyTest26(
void)
2419 "alert icmp any any -> any any "
2420 "(content:\"one\"; offset:10; http_client_body; pcre:/two/; "
2421 "content:\"three\"; distance:10; http_client_body; within:10; "
2422 "content:\"four\"; distance:10; sid:1;)");
2424 printf(
"de_ctx->sig_list == NULL\n");
2429 printf(
"de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL\n");
2434 printf(
"DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2451 memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2456 printf (
"failed: http_client_body incorrect flags");
2473 static int DetectHttpClientBodyTest27(
void)
2483 "alert icmp any any -> any any "
2484 "(content:\"one\"; offset:10; http_client_body; pcre:/two/; "
2485 "content:\"three\"; distance:10; http_client_body; within:10; "
2486 "content:\"four\"; distance:10; sid:1;)");
2496 static int DetectHttpClientBodyTest28(
void)
2506 "(content:\"one\"; http_client_body; pcre:/two/; "
2507 "content:\"three\"; http_client_body; depth:10; "
2508 "content:\"four\"; distance:10; sid:1;)");
2510 printf(
"de_ctx->sig_list == NULL\n");
2515 printf(
"de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL\n");
2520 printf(
"DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2537 memcmp(cd2->content,
"four", cd2->content_len) != 0 ||
2538 hcbd1->
flags != 0 ||
2558 static int DetectHttpClientBodyTest29(
void)
2569 "(content:\"one\"; http_client_body; "
2570 "content:\"two\"; distance:0; http_client_body; sid:1;)");
2572 printf(
"de_ctx->sig_list == NULL\n");
2577 printf(
"de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL\n");
2582 printf(
"DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2605 static int DetectHttpClientBodyTest30(
void)
2616 "(content:\"one\"; http_client_body; "
2617 "content:\"two\"; within:5; http_client_body; sid:1;)");
2619 printf(
"de_ctx->sig_list == NULL\n");
2624 printf(
"de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL\n");
2629 printf(
"DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2652 static int DetectHttpClientBodyTest31(
void)
2663 "(content:\"one\"; within:5; http_client_body; sid:1;)");
2673 static int DetectHttpClientBodyTest32(
void)
2684 "(content:\"one\"; http_client_body; within:5; sid:1;)");
2694 static int DetectHttpClientBodyTest33(
void)
2704 "(content:\"one\"; within:5; sid:1;)");
2714 static int DetectHttpClientBodyTest34(
void)
2726 "content:\"two\"; within:5; http_client_body; sid:1;)");
2728 printf(
"de_ctx->sig_list == NULL\n");
2733 printf(
"de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL\n");
2738 printf(
"DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2769 static int DetectHttpClientBodyTest35(
void)
2779 "(content:\"two\"; http_client_body; "
2780 "pcre:/one/PR; sid:1;)");
2782 printf(
"de_ctx->sig_list == NULL\n");
2787 printf(
"de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL\n");
2792 printf(
"DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2823 static int DetectHttpClientBodyTest36(
void)
2835 "content:\"two\"; distance:5; http_client_body; sid:1;)");
2837 printf(
"de_ctx->sig_list == NULL\n");
2842 printf(
"de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL\n");
2847 printf(
"DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2878 static int DetectHttpClientBodyIsdataatParseTest(
void)
2885 "alert tcp any any -> any any ("
2886 "content:\"one\"; http_client_body; "
2887 "isdataat:!4,relative; sid:1;)");
2905 UtRegisterTest(
"DetectHttpClientBodyParserTest01", DetectHttpClientBodyParserTest01);
2906 UtRegisterTest(
"DetectHttpClientBodyParserTest02", DetectHttpClientBodyParserTest02);
2907 UtRegisterTest(
"DetectHttpClientBodyTest01", DetectHttpClientBodyTest01);
2908 UtRegisterTest(
"DetectHttpClientBodyTest02", DetectHttpClientBodyTest02);
2909 UtRegisterTest(
"DetectHttpClientBodyTest03", DetectHttpClientBodyTest03);
2910 UtRegisterTest(
"DetectHttpClientBodyTest05", DetectHttpClientBodyTest05);
2911 UtRegisterTest(
"DetectHttpClientBodyTest06", DetectHttpClientBodyTest06);
2912 UtRegisterTest(
"DetectHttpClientBodyTest07", DetectHttpClientBodyTest07);
2913 UtRegisterTest(
"DetectHttpClientBodyTest08", DetectHttpClientBodyTest08);
2914 UtRegisterTest(
"DetectHttpClientBodyTest09", DetectHttpClientBodyTest09);
2915 UtRegisterTest(
"DetectHttpClientBodyTest10", DetectHttpClientBodyTest10);
2916 UtRegisterTest(
"DetectHttpClientBodyTest11", DetectHttpClientBodyTest11);
2917 UtRegisterTest(
"DetectHttpClientBodyTest12", DetectHttpClientBodyTest12);
2918 UtRegisterTest(
"DetectHttpClientBodyTest13", DetectHttpClientBodyTest13);
2919 UtRegisterTest(
"DetectHttpClientBodyTest14", DetectHttpClientBodyTest14);
2920 UtRegisterTest(
"DetectHttpClientBodyTest15", DetectHttpClientBodyTest15);
2922 UtRegisterTest(
"DetectHttpClientBodyTest22", DetectHttpClientBodyTest22);
2923 UtRegisterTest(
"DetectHttpClientBodyTest23", DetectHttpClientBodyTest23);
2924 UtRegisterTest(
"DetectHttpClientBodyTest24", DetectHttpClientBodyTest24);
2925 UtRegisterTest(
"DetectHttpClientBodyTest25", DetectHttpClientBodyTest25);
2926 UtRegisterTest(
"DetectHttpClientBodyTest26", DetectHttpClientBodyTest26);
2927 UtRegisterTest(
"DetectHttpClientBodyTest27", DetectHttpClientBodyTest27);
2928 UtRegisterTest(
"DetectHttpClientBodyTest28", DetectHttpClientBodyTest28);
2929 UtRegisterTest(
"DetectHttpClientBodyTest29", DetectHttpClientBodyTest29);
2930 UtRegisterTest(
"DetectHttpClientBodyTest30", DetectHttpClientBodyTest30);
2931 UtRegisterTest(
"DetectHttpClientBodyTest31", DetectHttpClientBodyTest31);
2932 UtRegisterTest(
"DetectHttpClientBodyTest32", DetectHttpClientBodyTest32);
2933 UtRegisterTest(
"DetectHttpClientBodyTest33", DetectHttpClientBodyTest33);
2934 UtRegisterTest(
"DetectHttpClientBodyTest34", DetectHttpClientBodyTest34);
2935 UtRegisterTest(
"DetectHttpClientBodyTest35", DetectHttpClientBodyTest35);
2936 UtRegisterTest(
"DetectHttpClientBodyTest36", DetectHttpClientBodyTest36);
2939 DetectHttpClientBodyIsdataatParseTest);
2942 DetectEngineHttpClientBodyTest01);
2944 DetectEngineHttpClientBodyTest02);
2946 DetectEngineHttpClientBodyTest03);
2948 DetectEngineHttpClientBodyTest04);
2950 DetectEngineHttpClientBodyTest05);
2952 DetectEngineHttpClientBodyTest06);
2954 DetectEngineHttpClientBodyTest07);
2956 DetectEngineHttpClientBodyTest08);
2958 DetectEngineHttpClientBodyTest09);
2960 DetectEngineHttpClientBodyTest10);
2962 DetectEngineHttpClientBodyTest11);
2964 DetectEngineHttpClientBodyTest12);
2966 DetectEngineHttpClientBodyTest13);
2968 DetectEngineHttpClientBodyTest14);
2970 DetectEngineHttpClientBodyTest15);
2972 DetectEngineHttpClientBodyTest16);
2974 DetectEngineHttpClientBodyTest17);
2976 DetectEngineHttpClientBodyTest18);
2978 DetectEngineHttpClientBodyTest19);
2980 DetectEngineHttpClientBodyTest20);
2982 DetectEngineHttpClientBodyTest21);
2984 DetectEngineHttpClientBodyTest22);
2986 DetectEngineHttpClientBodyTest23);
2988 DetectEngineHttpClientBodyTest24);
2990 DetectEngineHttpClientBodyTest25);
2992 DetectEngineHttpClientBodyTest26);
2994 DetectEngineHttpClientBodyTest27);
2996 DetectEngineHttpClientBodyTest28);
2998 DetectEngineHttpClientBodyTest29);
3001 DetectEngineHttpClientBodyTest30);
3003 DetectEngineHttpClientBodyTest31);