suricata
detect-http-cookie.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP cookie match
31  *
32  */
33 
34 #include "../suricata-common.h"
35 #include "../suricata.h"
36 #include "../flow-util.h"
37 #include "../flow.h"
38 #include "../app-layer-parser.h"
39 #include "../util-unittest.h"
40 #include "../util-unittest-helper.h"
41 #include "../app-layer.h"
42 #include "../app-layer-htp.h"
43 #include "../app-layer-protos.h"
44 #include "../detect-isdataat.h"
45 #include "../detect-engine-build.h"
46 #include "../detect-engine-alert.h"
47 
48 /***********************************Unittests**********************************/
49 
50 static int g_http_uri_buffer_id = 0;
51 
52 /**
53  * \test Test that the http_cookie content matches against a http request
54  * which holds the content.
55  */
56 static int DetectEngineHttpCookieTest01(void)
57 {
58  TcpSession ssn;
59  Packet *p = NULL;
60  ThreadVars th_v;
61  DetectEngineCtx *de_ctx = NULL;
62  DetectEngineThreadCtx *det_ctx = NULL;
63  HtpState *http_state = NULL;
64  Flow f;
65  uint8_t http_buf[] =
66  "GET /index.html HTTP/1.0\r\n"
67  "Cookie: CONNECT\r\n"
68  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
69  uint32_t http_len = sizeof(http_buf) - 1;
70  int result = 0;
71  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
72 
73  memset(&th_v, 0, sizeof(th_v));
74  memset(&f, 0, sizeof(f));
75  memset(&ssn, 0, sizeof(ssn));
76 
77  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
78 
79  FLOW_INITIALIZE(&f);
80  f.protoctx = (void *)&ssn;
81  f.proto = IPPROTO_TCP;
82  f.flags |= FLOW_IPV4;
83  p->flow = &f;
84  p->flowflags |= FLOW_PKT_TOSERVER;
85  p->flowflags |= FLOW_PKT_ESTABLISHED;
86  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
87  f.alproto = ALPROTO_HTTP1;
88 
89  StreamTcpInitConfig(true);
90 
91  de_ctx = DetectEngineCtxInit();
92  if (de_ctx == NULL)
93  goto end;
94 
95  de_ctx->flags |= DE_QUIET;
96 
97  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
98  "(msg:\"http header test\"; "
99  "content:\"CONNECT\"; http_cookie; "
100  "sid:1;)");
101  if (de_ctx->sig_list == NULL)
102  goto end;
103 
104  SigGroupBuild(de_ctx);
105  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
106 
107  int r = AppLayerParserParse(
108  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
109  if (r != 0) {
110  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
111  result = 0;
112  goto end;
113  }
114 
115  http_state = f.alstate;
116  if (http_state == NULL) {
117  printf("no http state: ");
118  result = 0;
119  goto end;
120  }
121 
122  /* do detect */
123  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
124 
125  if (!(PacketAlertCheck(p, 1))) {
126  printf("sid 1 didn't match but should have: ");
127  goto end;
128  }
129 
130  result = 1;
131 
132 end:
133  if (alp_tctx != NULL)
134  AppLayerParserThreadCtxFree(alp_tctx);
135  if (de_ctx != NULL)
136  DetectEngineCtxFree(de_ctx);
137 
138  StreamTcpFreeConfig(true);
139  FLOW_DESTROY(&f);
140  UTHFreePackets(&p, 1);
141  return result;
142 }
143 
144 /**
145  * \test Test that the http_cookie content matches against a http request
146  * which holds the content.
147  */
148 static int DetectEngineHttpCookieTest02(void)
149 {
150  TcpSession ssn;
151  Packet *p = NULL;
152  ThreadVars th_v;
153  DetectEngineCtx *de_ctx = NULL;
154  DetectEngineThreadCtx *det_ctx = NULL;
155  HtpState *http_state = NULL;
156  Flow f;
157  uint8_t http_buf[] =
158  "CONNECT /index.html HTTP/1.0\r\n"
159  "Cookie: CONNECT\r\n"
160  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
161  uint32_t http_len = sizeof(http_buf) - 1;
162  int result = 0;
163  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
164 
165  memset(&th_v, 0, sizeof(th_v));
166  memset(&f, 0, sizeof(f));
167  memset(&ssn, 0, sizeof(ssn));
168 
169  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
170 
171  FLOW_INITIALIZE(&f);
172  f.protoctx = (void *)&ssn;
173  f.proto = IPPROTO_TCP;
174  f.flags |= FLOW_IPV4;
175  p->flow = &f;
176  p->flowflags |= FLOW_PKT_TOSERVER;
177  p->flowflags |= FLOW_PKT_ESTABLISHED;
178  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
179  f.alproto = ALPROTO_HTTP1;
180 
181  StreamTcpInitConfig(true);
182 
183  de_ctx = DetectEngineCtxInit();
184  if (de_ctx == NULL)
185  goto end;
186 
187  de_ctx->flags |= DE_QUIET;
188 
189  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
190  "(msg:\"http header test\"; "
191  "content:\"CO\"; depth:4; http_cookie; "
192  "sid:1;)");
193  if (de_ctx->sig_list == NULL)
194  goto end;
195 
196  SigGroupBuild(de_ctx);
197  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
198 
199  int r = AppLayerParserParse(
200  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
201  if (r != 0) {
202  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
203  result = 0;
204  goto end;
205  }
206 
207  http_state = f.alstate;
208  if (http_state == NULL) {
209  printf("no http state: ");
210  result = 0;
211  goto end;
212  }
213 
214  /* do detect */
215  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
216 
217  if (!(PacketAlertCheck(p, 1))) {
218  printf("sid 1 didn't match but should have: ");
219  goto end;
220  }
221 
222  result = 1;
223 
224 end:
225  if (alp_tctx != NULL)
226  AppLayerParserThreadCtxFree(alp_tctx);
227  if (de_ctx != NULL)
228  DetectEngineCtxFree(de_ctx);
229 
230  StreamTcpFreeConfig(true);
231  FLOW_DESTROY(&f);
232  UTHFreePackets(&p, 1);
233  return result;
234 }
235 
236 /**
237  * \test Test that the http_cookie content matches against a http request
238  * which holds the content.
239  */
240 static int DetectEngineHttpCookieTest03(void)
241 {
242  TcpSession ssn;
243  Packet *p = NULL;
244  ThreadVars th_v;
245  DetectEngineCtx *de_ctx = NULL;
246  DetectEngineThreadCtx *det_ctx = NULL;
247  HtpState *http_state = NULL;
248  Flow f;
249  uint8_t http_buf[] =
250  "CONNECT /index.html HTTP/1.0\r\n"
251  "Cookie: CONNECT\r\n"
252  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
253  uint32_t http_len = sizeof(http_buf) - 1;
254  int result = 0;
255  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
256 
257  memset(&th_v, 0, sizeof(th_v));
258  memset(&f, 0, sizeof(f));
259  memset(&ssn, 0, sizeof(ssn));
260 
261  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
262 
263  FLOW_INITIALIZE(&f);
264  f.protoctx = (void *)&ssn;
265  f.proto = IPPROTO_TCP;
266  f.flags |= FLOW_IPV4;
267  p->flow = &f;
268  p->flowflags |= FLOW_PKT_TOSERVER;
269  p->flowflags |= FLOW_PKT_ESTABLISHED;
270  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
271  f.alproto = ALPROTO_HTTP1;
272 
273  StreamTcpInitConfig(true);
274 
275  de_ctx = DetectEngineCtxInit();
276  if (de_ctx == NULL)
277  goto end;
278 
279  de_ctx->flags |= DE_QUIET;
280 
281  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
282  "(msg:\"http header test\"; "
283  "content:!\"ECT\"; depth:4; http_cookie; "
284  "sid:1;)");
285  if (de_ctx->sig_list == NULL)
286  goto end;
287 
288  SigGroupBuild(de_ctx);
289  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
290 
291  int r = AppLayerParserParse(
292  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
293  if (r != 0) {
294  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
295  result = 0;
296  goto end;
297  }
298 
299  http_state = f.alstate;
300  if (http_state == NULL) {
301  printf("no http state: ");
302  result = 0;
303  goto end;
304  }
305 
306  /* do detect */
307  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
308 
309  if (!(PacketAlertCheck(p, 1))) {
310  printf("sid 1 didn't match but should have: ");
311  goto end;
312  }
313 
314  result = 1;
315 
316 end:
317  if (alp_tctx != NULL)
318  AppLayerParserThreadCtxFree(alp_tctx);
319  if (de_ctx != NULL)
320  DetectEngineCtxFree(de_ctx);
321 
322  StreamTcpFreeConfig(true);
323  FLOW_DESTROY(&f);
324  UTHFreePackets(&p, 1);
325  return result;
326 }
327 
328 /**
329  * \test Test that the http_cookie content matches against a http request
330  * which holds the content.
331  */
332 static int DetectEngineHttpCookieTest04(void)
333 {
334  TcpSession ssn;
335  Packet *p = NULL;
336  ThreadVars th_v;
337  DetectEngineCtx *de_ctx = NULL;
338  DetectEngineThreadCtx *det_ctx = NULL;
339  HtpState *http_state = NULL;
340  Flow f;
341  uint8_t http_buf[] =
342  "CONNECT /index.html HTTP/1.0\r\n"
343  "Cookie: CONNECT\r\n"
344  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
345  uint32_t http_len = sizeof(http_buf) - 1;
346  int result = 0;
347  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
348 
349  memset(&th_v, 0, sizeof(th_v));
350  memset(&f, 0, sizeof(f));
351  memset(&ssn, 0, sizeof(ssn));
352 
353  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
354 
355  FLOW_INITIALIZE(&f);
356  f.protoctx = (void *)&ssn;
357  f.proto = IPPROTO_TCP;
358  f.flags |= FLOW_IPV4;
359  p->flow = &f;
360  p->flowflags |= FLOW_PKT_TOSERVER;
361  p->flowflags |= FLOW_PKT_ESTABLISHED;
362  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
363  f.alproto = ALPROTO_HTTP1;
364 
365  StreamTcpInitConfig(true);
366 
367  de_ctx = DetectEngineCtxInit();
368  if (de_ctx == NULL)
369  goto end;
370 
371  de_ctx->flags |= DE_QUIET;
372 
373  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
374  "(msg:\"http header test\"; "
375  "content:\"ECT\"; depth:4; http_cookie; "
376  "sid:1;)");
377  if (de_ctx->sig_list == NULL)
378  goto end;
379 
380  SigGroupBuild(de_ctx);
381  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
382 
383  int r = AppLayerParserParse(
384  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
385  if (r != 0) {
386  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
387  result = 0;
388  goto end;
389  }
390 
391  http_state = f.alstate;
392  if (http_state == NULL) {
393  printf("no http state: ");
394  result = 0;
395  goto end;
396  }
397 
398  /* do detect */
399  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
400 
401  if (PacketAlertCheck(p, 1)) {
402  printf("sid 1 matched but shouldn't have: ");
403  goto end;
404  }
405 
406  result = 1;
407 
408 end:
409  if (alp_tctx != NULL)
410  AppLayerParserThreadCtxFree(alp_tctx);
411  if (de_ctx != NULL)
412  DetectEngineCtxFree(de_ctx);
413 
414  StreamTcpFreeConfig(true);
415  FLOW_DESTROY(&f);
416  UTHFreePackets(&p, 1);
417  return result;
418 }
419 
420 /**
421  * \test Test that the http_cookie content matches against a http request
422  * which holds the content.
423  */
424 static int DetectEngineHttpCookieTest05(void)
425 {
426  TcpSession ssn;
427  Packet *p = NULL;
428  ThreadVars th_v;
429  DetectEngineCtx *de_ctx = NULL;
430  DetectEngineThreadCtx *det_ctx = NULL;
431  HtpState *http_state = NULL;
432  Flow f;
433  uint8_t http_buf[] =
434  "CONNECT /index.html HTTP/1.0\r\n"
435  "Cookie: CONNECT\r\n"
436  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
437  uint32_t http_len = sizeof(http_buf) - 1;
438  int result = 0;
439  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
440 
441  memset(&th_v, 0, sizeof(th_v));
442  memset(&f, 0, sizeof(f));
443  memset(&ssn, 0, sizeof(ssn));
444 
445  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
446 
447  FLOW_INITIALIZE(&f);
448  f.protoctx = (void *)&ssn;
449  f.proto = IPPROTO_TCP;
450  f.flags |= FLOW_IPV4;
451  p->flow = &f;
452  p->flowflags |= FLOW_PKT_TOSERVER;
453  p->flowflags |= FLOW_PKT_ESTABLISHED;
454  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
455  f.alproto = ALPROTO_HTTP1;
456 
457  StreamTcpInitConfig(true);
458 
459  de_ctx = DetectEngineCtxInit();
460  if (de_ctx == NULL)
461  goto end;
462 
463  de_ctx->flags |= DE_QUIET;
464 
465  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
466  "(msg:\"http header test\"; "
467  "content:!\"CON\"; depth:4; http_cookie; "
468  "sid:1;)");
469  if (de_ctx->sig_list == NULL)
470  goto end;
471 
472  SigGroupBuild(de_ctx);
473  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
474 
475  int r = AppLayerParserParse(
476  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
477  if (r != 0) {
478  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
479  result = 0;
480  goto end;
481  }
482 
483  http_state = f.alstate;
484  if (http_state == NULL) {
485  printf("no http state: ");
486  result = 0;
487  goto end;
488  }
489 
490  /* do detect */
491  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
492 
493  if (PacketAlertCheck(p, 1)) {
494  printf("sid 1 matched but shouldn't have: ");
495  goto end;
496  }
497 
498  result = 1;
499 
500 end:
501  if (alp_tctx != NULL)
502  AppLayerParserThreadCtxFree(alp_tctx);
503  if (de_ctx != NULL)
504  DetectEngineCtxFree(de_ctx);
505 
506  StreamTcpFreeConfig(true);
507  FLOW_DESTROY(&f);
508  UTHFreePackets(&p, 1);
509  return result;
510 }
511 
512 /**
513  * \test Test that the http_cookie content matches against a http request
514  * which holds the content.
515  */
516 static int DetectEngineHttpCookieTest06(void)
517 {
518  TcpSession ssn;
519  Packet *p = NULL;
520  ThreadVars th_v;
521  DetectEngineCtx *de_ctx = NULL;
522  DetectEngineThreadCtx *det_ctx = NULL;
523  HtpState *http_state = NULL;
524  Flow f;
525  uint8_t http_buf[] =
526  "CONNECT /index.html HTTP/1.0\r\n"
527  "Cookie: CONNECT\r\n"
528  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
529  uint32_t http_len = sizeof(http_buf) - 1;
530  int result = 0;
531  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
532 
533  memset(&th_v, 0, sizeof(th_v));
534  memset(&f, 0, sizeof(f));
535  memset(&ssn, 0, sizeof(ssn));
536 
537  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
538 
539  FLOW_INITIALIZE(&f);
540  f.protoctx = (void *)&ssn;
541  f.proto = IPPROTO_TCP;
542  f.flags |= FLOW_IPV4;
543  p->flow = &f;
544  p->flowflags |= FLOW_PKT_TOSERVER;
545  p->flowflags |= FLOW_PKT_ESTABLISHED;
546  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
547  f.alproto = ALPROTO_HTTP1;
548 
549  StreamTcpInitConfig(true);
550 
551  de_ctx = DetectEngineCtxInit();
552  if (de_ctx == NULL)
553  goto end;
554 
555  de_ctx->flags |= DE_QUIET;
556 
557  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
558  "(msg:\"http header test\"; "
559  "content:\"ECT\"; offset:3; http_cookie; "
560  "sid:1;)");
561  if (de_ctx->sig_list == NULL)
562  goto end;
563 
564  SigGroupBuild(de_ctx);
565  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
566 
567  int r = AppLayerParserParse(
568  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
569  if (r != 0) {
570  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
571  result = 0;
572  goto end;
573  }
574 
575  http_state = f.alstate;
576  if (http_state == NULL) {
577  printf("no http state: ");
578  result = 0;
579  goto end;
580  }
581 
582  /* do detect */
583  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
584 
585  if (!(PacketAlertCheck(p, 1))) {
586  printf("sid 1 didn't match but should have: ");
587  goto end;
588  }
589 
590  result = 1;
591 
592 end:
593  if (alp_tctx != NULL)
594  AppLayerParserThreadCtxFree(alp_tctx);
595  if (de_ctx != NULL)
596  DetectEngineCtxFree(de_ctx);
597 
598  StreamTcpFreeConfig(true);
599  FLOW_DESTROY(&f);
600  UTHFreePackets(&p, 1);
601  return result;
602 }
603 
604 /**
605  * \test Test that the http_cookie content matches against a http request
606  * which holds the content.
607  */
608 static int DetectEngineHttpCookieTest07(void)
609 {
610  TcpSession ssn;
611  Packet *p = NULL;
612  ThreadVars th_v;
613  DetectEngineCtx *de_ctx = NULL;
614  DetectEngineThreadCtx *det_ctx = NULL;
615  HtpState *http_state = NULL;
616  Flow f;
617  uint8_t http_buf[] =
618  "CONNECT /index.html HTTP/1.0\r\n"
619  "Cookie: CONNECT\r\n"
620  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
621  uint32_t http_len = sizeof(http_buf) - 1;
622  int result = 0;
623  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
624 
625  memset(&th_v, 0, sizeof(th_v));
626  memset(&f, 0, sizeof(f));
627  memset(&ssn, 0, sizeof(ssn));
628 
629  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
630 
631  FLOW_INITIALIZE(&f);
632  f.protoctx = (void *)&ssn;
633  f.proto = IPPROTO_TCP;
634  f.flags |= FLOW_IPV4;
635  p->flow = &f;
636  p->flowflags |= FLOW_PKT_TOSERVER;
637  p->flowflags |= FLOW_PKT_ESTABLISHED;
638  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
639  f.alproto = ALPROTO_HTTP1;
640 
641  StreamTcpInitConfig(true);
642 
643  de_ctx = DetectEngineCtxInit();
644  if (de_ctx == NULL)
645  goto end;
646 
647  de_ctx->flags |= DE_QUIET;
648 
649  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
650  "(msg:\"http header test\"; "
651  "content:!\"CO\"; offset:3; http_cookie; "
652  "sid:1;)");
653  if (de_ctx->sig_list == NULL)
654  goto end;
655 
656  SigGroupBuild(de_ctx);
657  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
658 
659  int r = AppLayerParserParse(
660  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
661  if (r != 0) {
662  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
663  result = 0;
664  goto end;
665  }
666 
667  http_state = f.alstate;
668  if (http_state == NULL) {
669  printf("no http state: ");
670  result = 0;
671  goto end;
672  }
673 
674  /* do detect */
675  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
676 
677  if (!(PacketAlertCheck(p, 1))) {
678  printf("sid 1 didn't match but should have: ");
679  goto end;
680  }
681 
682  result = 1;
683 
684 end:
685  if (alp_tctx != NULL)
686  AppLayerParserThreadCtxFree(alp_tctx);
687  if (de_ctx != NULL)
688  DetectEngineCtxFree(de_ctx);
689 
690  StreamTcpFreeConfig(true);
691  FLOW_DESTROY(&f);
692  UTHFreePackets(&p, 1);
693  return result;
694 }
695 
696 /**
697  * \test Test that the http_cookie content matches against a http request
698  * which holds the content.
699  */
700 static int DetectEngineHttpCookieTest08(void)
701 {
702  TcpSession ssn;
703  Packet *p = NULL;
704  ThreadVars th_v;
705  DetectEngineCtx *de_ctx = NULL;
706  DetectEngineThreadCtx *det_ctx = NULL;
707  HtpState *http_state = NULL;
708  Flow f;
709  uint8_t http_buf[] =
710  "CONNECT /index.html HTTP/1.0\r\n"
711  "Cookie: CONNECT\r\n"
712  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
713  uint32_t http_len = sizeof(http_buf) - 1;
714  int result = 0;
715  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
716 
717  memset(&th_v, 0, sizeof(th_v));
718  memset(&f, 0, sizeof(f));
719  memset(&ssn, 0, sizeof(ssn));
720 
721  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
722 
723  FLOW_INITIALIZE(&f);
724  f.protoctx = (void *)&ssn;
725  f.proto = IPPROTO_TCP;
726  f.flags |= FLOW_IPV4;
727  p->flow = &f;
728  p->flowflags |= FLOW_PKT_TOSERVER;
729  p->flowflags |= FLOW_PKT_ESTABLISHED;
730  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
731  f.alproto = ALPROTO_HTTP1;
732 
733  StreamTcpInitConfig(true);
734 
735  de_ctx = DetectEngineCtxInit();
736  if (de_ctx == NULL)
737  goto end;
738 
739  de_ctx->flags |= DE_QUIET;
740 
741  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
742  "(msg:\"http header test\"; "
743  "content:!\"ECT\"; offset:3; http_cookie; "
744  "sid:1;)");
745  if (de_ctx->sig_list == NULL)
746  goto end;
747 
748  SigGroupBuild(de_ctx);
749  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
750 
751  int r = AppLayerParserParse(
752  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
753  if (r != 0) {
754  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
755  result = 0;
756  goto end;
757  }
758 
759  http_state = f.alstate;
760  if (http_state == NULL) {
761  printf("no http state: ");
762  result = 0;
763  goto end;
764  }
765 
766  /* do detect */
767  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
768 
769  if (PacketAlertCheck(p, 1)) {
770  printf("sid 1 matched but shouldn't have: ");
771  goto end;
772  }
773 
774  result = 1;
775 
776 end:
777  if (alp_tctx != NULL)
778  AppLayerParserThreadCtxFree(alp_tctx);
779  if (de_ctx != NULL)
780  DetectEngineCtxFree(de_ctx);
781 
782  StreamTcpFreeConfig(true);
783  FLOW_DESTROY(&f);
784  UTHFreePackets(&p, 1);
785  return result;
786 }
787 
788 /**
789  * \test Test that the http_cookie content matches against a http request
790  * which holds the content.
791  */
792 static int DetectEngineHttpCookieTest09(void)
793 {
794  TcpSession ssn;
795  Packet *p = NULL;
796  ThreadVars th_v;
797  DetectEngineCtx *de_ctx = NULL;
798  DetectEngineThreadCtx *det_ctx = NULL;
799  HtpState *http_state = NULL;
800  Flow f;
801  uint8_t http_buf[] =
802  "CONNECT /index.html HTTP/1.0\r\n"
803  "Cookie: CONNECT\r\n"
804  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
805  uint32_t http_len = sizeof(http_buf) - 1;
806  int result = 0;
807  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
808 
809  memset(&th_v, 0, sizeof(th_v));
810  memset(&f, 0, sizeof(f));
811  memset(&ssn, 0, sizeof(ssn));
812 
813  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
814 
815  FLOW_INITIALIZE(&f);
816  f.protoctx = (void *)&ssn;
817  f.proto = IPPROTO_TCP;
818  f.flags |= FLOW_IPV4;
819  p->flow = &f;
820  p->flowflags |= FLOW_PKT_TOSERVER;
821  p->flowflags |= FLOW_PKT_ESTABLISHED;
822  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
823  f.alproto = ALPROTO_HTTP1;
824 
825  StreamTcpInitConfig(true);
826 
827  de_ctx = DetectEngineCtxInit();
828  if (de_ctx == NULL)
829  goto end;
830 
831  de_ctx->flags |= DE_QUIET;
832 
833  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
834  "(msg:\"http header test\"; "
835  "content:\"CON\"; offset:3; http_cookie; "
836  "sid:1;)");
837  if (de_ctx->sig_list == NULL)
838  goto end;
839 
840  SigGroupBuild(de_ctx);
841  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
842 
843  int r = AppLayerParserParse(
844  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
845  if (r != 0) {
846  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
847  result = 0;
848  goto end;
849  }
850 
851  http_state = f.alstate;
852  if (http_state == NULL) {
853  printf("no http state: ");
854  result = 0;
855  goto end;
856  }
857 
858  /* do detect */
859  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
860 
861  if (PacketAlertCheck(p, 1)) {
862  printf("sid 1 matched but shouldn't have: ");
863  goto end;
864  }
865 
866  result = 1;
867 
868 end:
869  if (alp_tctx != NULL)
870  AppLayerParserThreadCtxFree(alp_tctx);
871  if (de_ctx != NULL)
872  DetectEngineCtxFree(de_ctx);
873 
874  StreamTcpFreeConfig(true);
875  FLOW_DESTROY(&f);
876  UTHFreePackets(&p, 1);
877  return result;
878 }
879 
880 /**
881  * \test Test that the http_cookie content matches against a http request
882  * which holds the content.
883  */
884 static int DetectEngineHttpCookieTest10(void)
885 {
886  TcpSession ssn;
887  Packet *p = NULL;
888  ThreadVars th_v;
889  DetectEngineCtx *de_ctx = NULL;
890  DetectEngineThreadCtx *det_ctx = NULL;
891  HtpState *http_state = NULL;
892  Flow f;
893  uint8_t http_buf[] =
894  "CONNECT /index.html HTTP/1.0\r\n"
895  "Cookie: CONNECT\r\n"
896  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
897  uint32_t http_len = sizeof(http_buf) - 1;
898  int result = 0;
899  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
900 
901  memset(&th_v, 0, sizeof(th_v));
902  memset(&f, 0, sizeof(f));
903  memset(&ssn, 0, sizeof(ssn));
904 
905  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
906 
907  FLOW_INITIALIZE(&f);
908  f.protoctx = (void *)&ssn;
909  f.proto = IPPROTO_TCP;
910  f.flags |= FLOW_IPV4;
911  p->flow = &f;
912  p->flowflags |= FLOW_PKT_TOSERVER;
913  p->flowflags |= FLOW_PKT_ESTABLISHED;
914  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
915  f.alproto = ALPROTO_HTTP1;
916 
917  StreamTcpInitConfig(true);
918 
919  de_ctx = DetectEngineCtxInit();
920  if (de_ctx == NULL)
921  goto end;
922 
923  de_ctx->flags |= DE_QUIET;
924 
925  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
926  "(msg:\"http header test\"; "
927  "content:\"CO\"; http_cookie; "
928  "content:\"EC\"; within:4; http_cookie; "
929  "sid:1;)");
930  if (de_ctx->sig_list == NULL)
931  goto end;
932 
933  SigGroupBuild(de_ctx);
934  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
935 
936  int r = AppLayerParserParse(
937  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
938  if (r != 0) {
939  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
940  result = 0;
941  goto end;
942  }
943 
944  http_state = f.alstate;
945  if (http_state == NULL) {
946  printf("no http state: ");
947  result = 0;
948  goto end;
949  }
950 
951  /* do detect */
952  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
953 
954  if (!PacketAlertCheck(p, 1)) {
955  printf("sid 1 didn't match but should have: ");
956  goto end;
957  }
958 
959  result = 1;
960 
961 end:
962  if (alp_tctx != NULL)
963  AppLayerParserThreadCtxFree(alp_tctx);
964  if (de_ctx != NULL)
965  DetectEngineCtxFree(de_ctx);
966 
967  StreamTcpFreeConfig(true);
968  FLOW_DESTROY(&f);
969  UTHFreePackets(&p, 1);
970  return result;
971 }
972 
973 /**
974  * \test Test that the http_cookie content matches against a http request
975  * which holds the content.
976  */
977 static int DetectEngineHttpCookieTest11(void)
978 {
979  TcpSession ssn;
980  Packet *p = NULL;
981  ThreadVars th_v;
982  DetectEngineCtx *de_ctx = NULL;
983  DetectEngineThreadCtx *det_ctx = NULL;
984  HtpState *http_state = NULL;
985  Flow f;
986  uint8_t http_buf[] =
987  "CONNECT /index.html HTTP/1.0\r\n"
988  "Cookie: CONNECT\r\n"
989  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
990  uint32_t http_len = sizeof(http_buf) - 1;
991  int result = 0;
992  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
993 
994  memset(&th_v, 0, sizeof(th_v));
995  memset(&f, 0, sizeof(f));
996  memset(&ssn, 0, sizeof(ssn));
997 
998  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
999 
1000  FLOW_INITIALIZE(&f);
1001  f.protoctx = (void *)&ssn;
1002  f.proto = IPPROTO_TCP;
1003  f.flags |= FLOW_IPV4;
1004  p->flow = &f;
1005  p->flowflags |= FLOW_PKT_TOSERVER;
1006  p->flowflags |= FLOW_PKT_ESTABLISHED;
1007  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1008  f.alproto = ALPROTO_HTTP1;
1009 
1010  StreamTcpInitConfig(true);
1011 
1012  de_ctx = DetectEngineCtxInit();
1013  if (de_ctx == NULL)
1014  goto end;
1015 
1016  de_ctx->flags |= DE_QUIET;
1017 
1018  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1019  "(msg:\"http header test\"; "
1020  "content:\"CO\"; http_cookie; "
1021  "content:!\"EC\"; within:3; http_cookie; "
1022  "sid:1;)");
1023  if (de_ctx->sig_list == NULL)
1024  goto end;
1025 
1026  SigGroupBuild(de_ctx);
1027  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1028 
1029  int r = AppLayerParserParse(
1030  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1031  if (r != 0) {
1032  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1033  result = 0;
1034  goto end;
1035  }
1036 
1037  http_state = f.alstate;
1038  if (http_state == NULL) {
1039  printf("no http state: ");
1040  result = 0;
1041  goto end;
1042  }
1043 
1044  /* do detect */
1045  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1046 
1047  if (!PacketAlertCheck(p, 1)) {
1048  printf("sid 1 didn't match but should have: ");
1049  goto end;
1050  }
1051 
1052  result = 1;
1053 
1054 end:
1055  if (alp_tctx != NULL)
1056  AppLayerParserThreadCtxFree(alp_tctx);
1057  if (de_ctx != NULL)
1058  DetectEngineCtxFree(de_ctx);
1059 
1060  StreamTcpFreeConfig(true);
1061  FLOW_DESTROY(&f);
1062  UTHFreePackets(&p, 1);
1063  return result;
1064 }
1065 
1066 /**
1067  * \test Test that the http_cookie content matches against a http request
1068  * which holds the content.
1069  */
1070 static int DetectEngineHttpCookieTest12(void)
1071 {
1072  TcpSession ssn;
1073  Packet *p = NULL;
1074  ThreadVars th_v;
1075  DetectEngineCtx *de_ctx = NULL;
1076  DetectEngineThreadCtx *det_ctx = NULL;
1077  HtpState *http_state = NULL;
1078  Flow f;
1079  uint8_t http_buf[] =
1080  "CONNECT /index.html HTTP/1.0\r\n"
1081  "Cookie: CONNECT\r\n"
1082  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1083  uint32_t http_len = sizeof(http_buf) - 1;
1084  int result = 0;
1085  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1086 
1087  memset(&th_v, 0, sizeof(th_v));
1088  memset(&f, 0, sizeof(f));
1089  memset(&ssn, 0, sizeof(ssn));
1090 
1091  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1092 
1093  FLOW_INITIALIZE(&f);
1094  f.protoctx = (void *)&ssn;
1095  f.proto = IPPROTO_TCP;
1096  f.flags |= FLOW_IPV4;
1097  p->flow = &f;
1098  p->flowflags |= FLOW_PKT_TOSERVER;
1099  p->flowflags |= FLOW_PKT_ESTABLISHED;
1100  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1101  f.alproto = ALPROTO_HTTP1;
1102 
1103  StreamTcpInitConfig(true);
1104 
1105  de_ctx = DetectEngineCtxInit();
1106  if (de_ctx == NULL)
1107  goto end;
1108 
1109  de_ctx->flags |= DE_QUIET;
1110 
1111  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1112  "(msg:\"http header test\"; "
1113  "content:\"CO\"; http_cookie; "
1114  "content:\"EC\"; within:3; http_cookie; "
1115  "sid:1;)");
1116  if (de_ctx->sig_list == NULL)
1117  goto end;
1118 
1119  SigGroupBuild(de_ctx);
1120  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1121 
1122  int r = AppLayerParserParse(
1123  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1124  if (r != 0) {
1125  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1126  result = 0;
1127  goto end;
1128  }
1129 
1130  http_state = f.alstate;
1131  if (http_state == NULL) {
1132  printf("no http state: ");
1133  result = 0;
1134  goto end;
1135  }
1136 
1137  /* do detect */
1138  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1139 
1140  if (PacketAlertCheck(p, 1)) {
1141  printf("sid 1 matched but shouldn't have: ");
1142  goto end;
1143  }
1144 
1145  result = 1;
1146 
1147 end:
1148  if (alp_tctx != NULL)
1149  AppLayerParserThreadCtxFree(alp_tctx);
1150  if (de_ctx != NULL)
1151  DetectEngineCtxFree(de_ctx);
1152 
1153  StreamTcpFreeConfig(true);
1154  FLOW_DESTROY(&f);
1155  UTHFreePackets(&p, 1);
1156  return result;
1157 }
1158 
1159 /**
1160  * \test Test that the http_cookie content matches against a http request
1161  * which holds the content.
1162  */
1163 static int DetectEngineHttpCookieTest13(void)
1164 {
1165  TcpSession ssn;
1166  Packet *p = NULL;
1167  ThreadVars th_v;
1168  DetectEngineCtx *de_ctx = NULL;
1169  DetectEngineThreadCtx *det_ctx = NULL;
1170  HtpState *http_state = NULL;
1171  Flow f;
1172  uint8_t http_buf[] =
1173  "CONNECT /index.html HTTP/1.0\r\n"
1174  "Cookie: CONNECT\r\n"
1175  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1176  uint32_t http_len = sizeof(http_buf) - 1;
1177  int result = 0;
1178  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1179 
1180  memset(&th_v, 0, sizeof(th_v));
1181  memset(&f, 0, sizeof(f));
1182  memset(&ssn, 0, sizeof(ssn));
1183 
1184  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1185 
1186  FLOW_INITIALIZE(&f);
1187  f.protoctx = (void *)&ssn;
1188  f.proto = IPPROTO_TCP;
1189  f.flags |= FLOW_IPV4;
1190  p->flow = &f;
1191  p->flowflags |= FLOW_PKT_TOSERVER;
1192  p->flowflags |= FLOW_PKT_ESTABLISHED;
1193  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1194  f.alproto = ALPROTO_HTTP1;
1195 
1196  StreamTcpInitConfig(true);
1197 
1198  de_ctx = DetectEngineCtxInit();
1199  if (de_ctx == NULL)
1200  goto end;
1201 
1202  de_ctx->flags |= DE_QUIET;
1203 
1204  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1205  "(msg:\"http header test\"; "
1206  "content:\"CO\"; http_cookie; "
1207  "content:!\"EC\"; within:4; http_cookie; "
1208  "sid:1;)");
1209  if (de_ctx->sig_list == NULL)
1210  goto end;
1211 
1212  SigGroupBuild(de_ctx);
1213  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1214 
1215  int r = AppLayerParserParse(
1216  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1217  if (r != 0) {
1218  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1219  result = 0;
1220  goto end;
1221  }
1222 
1223  http_state = f.alstate;
1224  if (http_state == NULL) {
1225  printf("no http state: ");
1226  result = 0;
1227  goto end;
1228  }
1229 
1230  /* do detect */
1231  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1232 
1233  if (PacketAlertCheck(p, 1)) {
1234  printf("sid 1 matched but shouldn't have: ");
1235  goto end;
1236  }
1237 
1238  result = 1;
1239 
1240 end:
1241  if (alp_tctx != NULL)
1242  AppLayerParserThreadCtxFree(alp_tctx);
1243  if (de_ctx != NULL)
1244  DetectEngineCtxFree(de_ctx);
1245 
1246  StreamTcpFreeConfig(true);
1247  FLOW_DESTROY(&f);
1248  UTHFreePackets(&p, 1);
1249  return result;
1250 }
1251 
1252 /**
1253  * \test Test that the http_cookie content matches against a http request
1254  * which holds the content.
1255  */
1256 static int DetectEngineHttpCookieTest14(void)
1257 {
1258  TcpSession ssn;
1259  Packet *p = NULL;
1260  ThreadVars th_v;
1261  DetectEngineCtx *de_ctx = NULL;
1262  DetectEngineThreadCtx *det_ctx = NULL;
1263  HtpState *http_state = NULL;
1264  Flow f;
1265  uint8_t http_buf[] =
1266  "CONNECT /index.html HTTP/1.0\r\n"
1267  "Cookie: CONNECT\r\n"
1268  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1269  uint32_t http_len = sizeof(http_buf) - 1;
1270  int result = 0;
1271  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1272 
1273  memset(&th_v, 0, sizeof(th_v));
1274  memset(&f, 0, sizeof(f));
1275  memset(&ssn, 0, sizeof(ssn));
1276 
1277  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1278 
1279  FLOW_INITIALIZE(&f);
1280  f.protoctx = (void *)&ssn;
1281  f.proto = IPPROTO_TCP;
1282  f.flags |= FLOW_IPV4;
1283  p->flow = &f;
1284  p->flowflags |= FLOW_PKT_TOSERVER;
1285  p->flowflags |= FLOW_PKT_ESTABLISHED;
1286  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1287  f.alproto = ALPROTO_HTTP1;
1288 
1289  StreamTcpInitConfig(true);
1290 
1291  de_ctx = DetectEngineCtxInit();
1292  if (de_ctx == NULL)
1293  goto end;
1294 
1295  de_ctx->flags |= DE_QUIET;
1296 
1297  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1298  "(msg:\"http header test\"; "
1299  "content:\"CO\"; http_cookie; "
1300  "content:\"EC\"; distance:2; http_cookie; "
1301  "sid:1;)");
1302  if (de_ctx->sig_list == NULL)
1303  goto end;
1304 
1305  SigGroupBuild(de_ctx);
1306  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1307 
1308  int r = AppLayerParserParse(
1309  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1310  if (r != 0) {
1311  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1312  result = 0;
1313  goto end;
1314  }
1315 
1316  http_state = f.alstate;
1317  if (http_state == NULL) {
1318  printf("no http state: ");
1319  result = 0;
1320  goto end;
1321  }
1322 
1323  /* do detect */
1324  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1325 
1326  if (!PacketAlertCheck(p, 1)) {
1327  printf("sid 1 didn't match but should have: ");
1328  goto end;
1329  }
1330 
1331  result = 1;
1332 
1333 end:
1334  if (alp_tctx != NULL)
1335  AppLayerParserThreadCtxFree(alp_tctx);
1336  if (de_ctx != NULL)
1337  DetectEngineCtxFree(de_ctx);
1338 
1339  StreamTcpFreeConfig(true);
1340  FLOW_DESTROY(&f);
1341  UTHFreePackets(&p, 1);
1342  return result;
1343 }
1344 
1345 /**
1346  * \test Test that the http_cookie content matches against a http request
1347  * which holds the content.
1348  */
1349 static int DetectEngineHttpCookieTest15(void)
1350 {
1351  TcpSession ssn;
1352  Packet *p = NULL;
1353  ThreadVars th_v;
1354  DetectEngineCtx *de_ctx = NULL;
1355  DetectEngineThreadCtx *det_ctx = NULL;
1356  HtpState *http_state = NULL;
1357  Flow f;
1358  uint8_t http_buf[] =
1359  "CONNECT /index.html HTTP/1.0\r\n"
1360  "Cookie: CONNECT\r\n"
1361  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1362  uint32_t http_len = sizeof(http_buf) - 1;
1363  int result = 0;
1364  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1365 
1366  memset(&th_v, 0, sizeof(th_v));
1367  memset(&f, 0, sizeof(f));
1368  memset(&ssn, 0, sizeof(ssn));
1369 
1370  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1371 
1372  FLOW_INITIALIZE(&f);
1373  f.protoctx = (void *)&ssn;
1374  f.proto = IPPROTO_TCP;
1375  f.flags |= FLOW_IPV4;
1376  p->flow = &f;
1377  p->flowflags |= FLOW_PKT_TOSERVER;
1378  p->flowflags |= FLOW_PKT_ESTABLISHED;
1379  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1380  f.alproto = ALPROTO_HTTP1;
1381 
1382  StreamTcpInitConfig(true);
1383 
1384  de_ctx = DetectEngineCtxInit();
1385  if (de_ctx == NULL)
1386  goto end;
1387 
1388  de_ctx->flags |= DE_QUIET;
1389 
1390  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1391  "(msg:\"http header test\"; "
1392  "content:\"CO\"; http_cookie; "
1393  "content:!\"EC\"; distance:3; http_cookie; "
1394  "sid:1;)");
1395  if (de_ctx->sig_list == NULL)
1396  goto end;
1397 
1398  SigGroupBuild(de_ctx);
1399  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1400 
1401  int r = AppLayerParserParse(
1402  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1403  if (r != 0) {
1404  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1405  result = 0;
1406  goto end;
1407  }
1408 
1409  http_state = f.alstate;
1410  if (http_state == NULL) {
1411  printf("no http state: ");
1412  result = 0;
1413  goto end;
1414  }
1415 
1416  /* do detect */
1417  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1418 
1419  if (!PacketAlertCheck(p, 1)) {
1420  printf("sid 1 didn't match but should have: ");
1421  goto end;
1422  }
1423 
1424  result = 1;
1425 
1426 end:
1427  if (alp_tctx != NULL)
1428  AppLayerParserThreadCtxFree(alp_tctx);
1429  if (de_ctx != NULL)
1430  DetectEngineCtxFree(de_ctx);
1431 
1432  StreamTcpFreeConfig(true);
1433  FLOW_DESTROY(&f);
1434  UTHFreePackets(&p, 1);
1435  return result;
1436 }
1437 
1438 /**
1439  * \test Test that the http_cookie content matches against a http request
1440  * which holds the content.
1441  */
1442 static int DetectEngineHttpCookieTest16(void)
1443 {
1444  TcpSession ssn;
1445  Packet *p = NULL;
1446  ThreadVars th_v;
1447  DetectEngineCtx *de_ctx = NULL;
1448  DetectEngineThreadCtx *det_ctx = NULL;
1449  HtpState *http_state = NULL;
1450  Flow f;
1451  uint8_t http_buf[] =
1452  "CONNECT /index.html HTTP/1.0\r\n"
1453  "Cookie: CONNECT\r\n"
1454  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1455  uint32_t http_len = sizeof(http_buf) - 1;
1456  int result = 0;
1457  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1458 
1459  memset(&th_v, 0, sizeof(th_v));
1460  memset(&f, 0, sizeof(f));
1461  memset(&ssn, 0, sizeof(ssn));
1462 
1463  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1464 
1465  FLOW_INITIALIZE(&f);
1466  f.protoctx = (void *)&ssn;
1467  f.proto = IPPROTO_TCP;
1468  f.flags |= FLOW_IPV4;
1469  p->flow = &f;
1470  p->flowflags |= FLOW_PKT_TOSERVER;
1471  p->flowflags |= FLOW_PKT_ESTABLISHED;
1472  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1473  f.alproto = ALPROTO_HTTP1;
1474 
1475  StreamTcpInitConfig(true);
1476 
1477  de_ctx = DetectEngineCtxInit();
1478  if (de_ctx == NULL)
1479  goto end;
1480 
1481  de_ctx->flags |= DE_QUIET;
1482 
1483  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1484  "(msg:\"http header test\"; "
1485  "content:\"CO\"; http_cookie; "
1486  "content:\"EC\"; distance:3; http_cookie; "
1487  "sid:1;)");
1488  if (de_ctx->sig_list == NULL)
1489  goto end;
1490 
1491  SigGroupBuild(de_ctx);
1492  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1493 
1494  int r = AppLayerParserParse(
1495  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1496  if (r != 0) {
1497  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1498  result = 0;
1499  goto end;
1500  }
1501 
1502  http_state = f.alstate;
1503  if (http_state == NULL) {
1504  printf("no http state: ");
1505  result = 0;
1506  goto end;
1507  }
1508 
1509  /* do detect */
1510  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1511 
1512  if (PacketAlertCheck(p, 1)) {
1513  printf("sid 1 matched but shouldn't have: ");
1514  goto end;
1515  }
1516 
1517  result = 1;
1518 
1519 end:
1520  if (alp_tctx != NULL)
1521  AppLayerParserThreadCtxFree(alp_tctx);
1522  if (de_ctx != NULL)
1523  DetectEngineCtxFree(de_ctx);
1524 
1525  StreamTcpFreeConfig(true);
1526  FLOW_DESTROY(&f);
1527  UTHFreePackets(&p, 1);
1528  return result;
1529 }
1530 
1531 /**
1532  * \test Test that the http_cookie content matches against a http request
1533  * which holds the content.
1534  */
1535 static int DetectEngineHttpCookieTest17(void)
1536 {
1537  TcpSession ssn;
1538  Packet *p = NULL;
1539  ThreadVars th_v;
1540  DetectEngineCtx *de_ctx = NULL;
1541  DetectEngineThreadCtx *det_ctx = NULL;
1542  HtpState *http_state = NULL;
1543  Flow f;
1544  uint8_t http_buf[] =
1545  "CONNECT /index.html HTTP/1.0\r\n"
1546  "Cookie: CONNECT\r\n"
1547  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1548  uint32_t http_len = sizeof(http_buf) - 1;
1549  int result = 0;
1550  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1551 
1552  memset(&th_v, 0, sizeof(th_v));
1553  memset(&f, 0, sizeof(f));
1554  memset(&ssn, 0, sizeof(ssn));
1555 
1556  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1557 
1558  FLOW_INITIALIZE(&f);
1559  f.protoctx = (void *)&ssn;
1560  f.proto = IPPROTO_TCP;
1561  f.flags |= FLOW_IPV4;
1562  p->flow = &f;
1563  p->flowflags |= FLOW_PKT_TOSERVER;
1564  p->flowflags |= FLOW_PKT_ESTABLISHED;
1565  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1566  f.alproto = ALPROTO_HTTP1;
1567 
1568  StreamTcpInitConfig(true);
1569 
1570  de_ctx = DetectEngineCtxInit();
1571  if (de_ctx == NULL)
1572  goto end;
1573 
1574  de_ctx->flags |= DE_QUIET;
1575 
1576  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1577  "(msg:\"http header test\"; "
1578  "content:\"CO\"; http_cookie; "
1579  "content:!\"EC\"; distance:2; http_cookie; "
1580  "sid:1;)");
1581  if (de_ctx->sig_list == NULL)
1582  goto end;
1583 
1584  SigGroupBuild(de_ctx);
1585  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1586 
1587  int r = AppLayerParserParse(
1588  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1589  if (r != 0) {
1590  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1591  result = 0;
1592  goto end;
1593  }
1594 
1595  http_state = f.alstate;
1596  if (http_state == NULL) {
1597  printf("no http state: ");
1598  result = 0;
1599  goto end;
1600  }
1601 
1602  /* do detect */
1603  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1604 
1605  if (PacketAlertCheck(p, 1)) {
1606  printf("sid 1 matched but shouldn't have: ");
1607  goto end;
1608  }
1609 
1610  result = 1;
1611 
1612 end:
1613  if (alp_tctx != NULL)
1614  AppLayerParserThreadCtxFree(alp_tctx);
1615  if (de_ctx != NULL)
1616  DetectEngineCtxFree(de_ctx);
1617 
1618  StreamTcpFreeConfig(true);
1619  FLOW_DESTROY(&f);
1620  UTHFreePackets(&p, 1);
1621  return result;
1622 }
1623 
1624 /**
1625  * \test Checks if a http_cookie is registered in a Signature, if content is not
1626  * specified in the signature
1627  */
1628 static int DetectHttpCookieTest01(void)
1629 {
1630  DetectEngineCtx *de_ctx = NULL;
1631  int result = 0;
1632 
1633  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1634  goto end;
1635 
1636  de_ctx->flags |= DE_QUIET;
1637  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1638  "(msg:\"Testing http_cookie\"; http_cookie;sid:1;)");
1639  if (de_ctx->sig_list == NULL)
1640  result = 1;
1641 
1642 end:
1643  if (de_ctx != NULL)
1644  DetectEngineCtxFree(de_ctx);
1645  return result;
1646 }
1647 
1648 /**
1649  * \test Checks if a http_cookie is registered in a Signature, if some parameter
1650  * is specified with http_cookie in the signature
1651  */
1652 static int DetectHttpCookieTest02(void)
1653 {
1654  DetectEngineCtx *de_ctx = NULL;
1655  int result = 0;
1656 
1657  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1658  goto end;
1659 
1660  de_ctx->flags |= DE_QUIET;
1661  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1662  "(msg:\"Testing http_cookie\"; content:\"me\"; "
1663  "http_cookie:woo; sid:1;)");
1664  if (de_ctx->sig_list == NULL)
1665  result = 1;
1666 
1667 end:
1668  if (de_ctx != NULL)
1669  DetectEngineCtxFree(de_ctx);
1670  return result;
1671 }
1672 
1673 /**
1674  * \test Checks if a http_cookie is registered in a Signature
1675  */
1676 static int DetectHttpCookieTest03(void)
1677 {
1678  SigMatch *sm = NULL;
1679  DetectEngineCtx *de_ctx = NULL;
1680  int result = 0;
1681 
1682  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1683  goto end;
1684 
1685  de_ctx->flags |= DE_QUIET;
1686  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1687  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1688  "http_cookie; content:\"two\"; http_cookie; "
1689  "content:\"two\"; http_cookie; "
1690  "sid:1;)");
1691  if (de_ctx->sig_list == NULL) {
1692  printf("sig parse failed: ");
1693  goto end;
1694  }
1695 
1696  result = 0;
1697  sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
1698  if (sm == NULL) {
1699  printf("no sigmatch(es): ");
1700  goto end;
1701  }
1702 
1703  while (sm != NULL) {
1704  if (sm->type == DETECT_CONTENT) {
1705  result = 1;
1706  } else {
1707  printf("expected DETECT_CONTENT for http_cookie, got %d: ", sm->type);
1708  goto end;
1709  }
1710  sm = sm->next;
1711  }
1712 
1713 end:
1714  if (de_ctx != NULL)
1715  DetectEngineCtxFree(de_ctx);
1716  return result;
1717 }
1718 
1719 /**
1720  * \test Checks if a http_cookie is registered in a Signature, when fast_pattern
1721  * is also specified in the signature (now it should)
1722  */
1723 static int DetectHttpCookieTest04(void)
1724 {
1725  DetectEngineCtx *de_ctx = NULL;
1726  int result = 0;
1727 
1728  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1729  goto end;
1730 
1731  de_ctx->flags |= DE_QUIET;
1732  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1733  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1734  "fast_pattern; http_cookie; sid:1;)");
1735  if (de_ctx->sig_list != NULL)
1736  result = 1;
1737 
1738 end:
1739  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
1740  return result;
1741 }
1742 
1743 /**
1744  * \test Checks if a http_cookie is registered in a Signature, when rawbytes is
1745  * also specified in the signature
1746  */
1747 static int DetectHttpCookieTest05(void)
1748 {
1749  DetectEngineCtx *de_ctx = NULL;
1750  int result = 0;
1751 
1752  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1753  goto end;
1754 
1755  de_ctx->flags |= DE_QUIET;
1756  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1757  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1758  "rawbytes; http_cookie; sid:1;)");
1759  if (de_ctx->sig_list == NULL)
1760  result = 1;
1761 
1762  end:
1763  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
1764  return result;
1765 }
1766 
1767 /**
1768  * \test Checks if a http_cookie is registered in a Signature, when rawbytes is
1769  * also specified in the signature
1770  */
1771 static int DetectHttpCookieTest06(void)
1772 {
1773  DetectEngineCtx *de_ctx = NULL;
1774  int result = 0;
1775 
1776  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1777  goto end;
1778 
1779  de_ctx->flags |= DE_QUIET;
1780  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1781  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1782  "http_cookie; uricontent:\"abc\"; sid:1;)");
1783  if (de_ctx->sig_list == NULL)
1784  goto end;
1785 
1786  Signature *s = de_ctx->sig_list;
1787 
1788  BUG_ON(s->sm_lists[g_http_cookie_buffer_id] == NULL);
1789 
1790  if (s->sm_lists[g_http_cookie_buffer_id]->type != DETECT_CONTENT)
1791  goto end;
1792 
1793  if (s->sm_lists[g_http_uri_buffer_id] == NULL) {
1794  printf("expected another SigMatch, got NULL: ");
1795  goto end;
1796  }
1797 
1798  if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) {
1799  goto end;
1800  }
1801 
1802  result = 1;
1803 end:
1804  if (de_ctx != NULL) {
1805  DetectEngineCtxFree(de_ctx);
1806  }
1807  return result;
1808 }
1809 
1810 /** \test Check the signature working to alert when http_cookie is matched . */
1811 static int DetectHttpCookieSigTest01(void)
1812 {
1813  int result = 0;
1814  Flow f;
1815  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
1816  " hellocatchme\r\n\r\n";
1817  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1818  TcpSession ssn;
1819  Packet *p = NULL;
1820  Signature *s = NULL;
1821  ThreadVars th_v;
1822  DetectEngineThreadCtx *det_ctx = NULL;
1823  HtpState *http_state = NULL;
1824  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1825 
1826  memset(&th_v, 0, sizeof(th_v));
1827  memset(&f, 0, sizeof(f));
1828  memset(&ssn, 0, sizeof(ssn));
1829 
1830  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1831 
1832  FLOW_INITIALIZE(&f);
1833  f.protoctx = (void *)&ssn;
1834  f.proto = IPPROTO_TCP;
1835  f.flags |= FLOW_IPV4;
1836 
1837  p->flow = &f;
1838  p->flowflags |= FLOW_PKT_TOSERVER;
1839  p->flowflags |= FLOW_PKT_ESTABLISHED;
1840  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1841  f.alproto = ALPROTO_HTTP1;
1842 
1843  StreamTcpInitConfig(true);
1844 
1845  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1846  if (de_ctx == NULL) {
1847  goto end;
1848  }
1849 
1850  de_ctx->flags |= DE_QUIET;
1851 
1852  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1853  "\"HTTP cookie\"; content:\"me\"; "
1854  "http_cookie; sid:1;)");
1855  if (s == NULL) {
1856  goto end;
1857  }
1858 
1859  s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
1860  "cookie\"; content:\"go\"; http_cookie; sid:2;)");
1861  if (s->next == NULL) {
1862  goto end;
1863  }
1864 
1865 
1866  SigGroupBuild(de_ctx);
1867  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1868 
1869  int r = AppLayerParserParse(
1870  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1871  if (r != 0) {
1872  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1873  result = 0;
1874  goto end;
1875  }
1876 
1877  http_state = f.alstate;
1878  if (http_state == NULL) {
1879  printf("no http state: ");
1880  result = 0;
1881  goto end;
1882  }
1883 
1884  /* do detect */
1885  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1886 
1887  if (!(PacketAlertCheck(p, 1))) {
1888  printf("sid 1 didn't match but should have: ");
1889  goto end;
1890  }
1891  if (PacketAlertCheck(p, 2)) {
1892  printf("sid 2 matched but shouldn't: ");
1893  goto end;
1894  }
1895 
1896  result = 1;
1897 end:
1898  if (alp_tctx != NULL)
1899  AppLayerParserThreadCtxFree(alp_tctx);
1900  if (det_ctx != NULL) {
1901  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1902  }
1903  if (de_ctx != NULL) {
1904  DetectEngineCtxFree(de_ctx);
1905  }
1906 
1907  StreamTcpFreeConfig(true);
1908 
1909  UTHFreePackets(&p, 1);
1910  return result;
1911 }
1912 
1913 /** \test Check the signature working to alert when http_cookie is not present */
1914 static int DetectHttpCookieSigTest02(void)
1915 {
1916  int result = 0;
1917  Flow f;
1918  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1919  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1920  TcpSession ssn;
1921  Packet *p = NULL;
1922  Signature *s = NULL;
1923  ThreadVars th_v;
1924  DetectEngineThreadCtx *det_ctx = NULL;
1925  HtpState *http_state = NULL;
1926  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1927 
1928  memset(&th_v, 0, sizeof(th_v));
1929  memset(&p, 0, sizeof(p));
1930  memset(&f, 0, sizeof(f));
1931  memset(&ssn, 0, sizeof(ssn));
1932 
1933  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1934 
1935  FLOW_INITIALIZE(&f);
1936  f.protoctx = (void *)&ssn;
1937  f.proto = IPPROTO_TCP;
1938  f.flags |= FLOW_IPV4;
1939 
1940  p->flow = &f;
1941  p->flowflags |= FLOW_PKT_TOSERVER;
1942  p->flowflags |= FLOW_PKT_ESTABLISHED;
1943  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1944  f.alproto = ALPROTO_HTTP1;
1945 
1946  StreamTcpInitConfig(true);
1947 
1948  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1949  if (de_ctx == NULL) {
1950  goto end;
1951  }
1952 
1953  de_ctx->flags |= DE_QUIET;
1954 
1955  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1956  "\"HTTP cookie\"; content:\"me\"; "
1957  "http_cookie; sid:1;)");
1958  if (s == NULL) {
1959  goto end;
1960  }
1961 
1962  SigGroupBuild(de_ctx);
1963  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1964 
1965  int r = AppLayerParserParse(
1966  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1967  if (r != 0) {
1968  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1969  result = 0;
1970  goto end;
1971  }
1972 
1973  http_state = f.alstate;
1974  if (http_state == NULL) {
1975  printf("no http state: ");
1976  result = 0;
1977  goto end;
1978  }
1979 
1980  /* do detect */
1981  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1982 
1983  if ((PacketAlertCheck(p, 1))) {
1984  goto end;
1985  }
1986 
1987  result = 1;
1988 
1989 end:
1990  if (alp_tctx != NULL)
1991  AppLayerParserThreadCtxFree(alp_tctx);
1992  if (det_ctx != NULL) {
1993  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1994  }
1995  if (de_ctx != NULL) {
1996  DetectEngineCtxFree(de_ctx);
1997  }
1998  StreamTcpFreeConfig(true);
1999  UTHFreePackets(&p, 1);
2000  return result;
2001 }
2002 
2003 /** \test Check the signature working to alert when http_cookie is not present */
2004 static int DetectHttpCookieSigTest03(void)
2005 {
2006  int result = 0;
2007  Flow f;
2008  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2009  "Cookie: dummy\r\n\r\n";
2010  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2011  TcpSession ssn;
2012  Packet *p = NULL;
2013  Signature *s = NULL;
2014  ThreadVars th_v;
2015  DetectEngineThreadCtx *det_ctx = NULL;
2016  HtpState *http_state = NULL;
2017  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2018 
2019  memset(&th_v, 0, sizeof(th_v));
2020  memset(&f, 0, sizeof(f));
2021  memset(&ssn, 0, sizeof(ssn));
2022 
2023  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2024 
2025  FLOW_INITIALIZE(&f);
2026  f.protoctx = (void *)&ssn;
2027  f.proto = IPPROTO_TCP;
2028  f.flags |= FLOW_IPV4;
2029 
2030  p->flow = &f;
2031  p->flowflags |= FLOW_PKT_TOSERVER;
2032  p->flowflags |= FLOW_PKT_ESTABLISHED;
2033  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2034  f.alproto = ALPROTO_HTTP1;
2035 
2036  StreamTcpInitConfig(true);
2037 
2038  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2039  if (de_ctx == NULL) {
2040  goto end;
2041  }
2042 
2043  de_ctx->flags |= DE_QUIET;
2044 
2045  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2046  "\"HTTP cookie\"; content:\"boo\"; "
2047  "http_cookie; sid:1;)");
2048  if (s == NULL) {
2049  goto end;
2050  }
2051 
2052  SigGroupBuild(de_ctx);
2053  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2054 
2055  int r = AppLayerParserParse(
2056  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2057  if (r != 0) {
2058  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2059  result = 0;
2060  goto end;
2061  }
2062 
2063  http_state = f.alstate;
2064  if (http_state == NULL) {
2065  printf("no http state: ");
2066  result = 0;
2067  goto end;
2068  }
2069 
2070  /* do detect */
2071  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2072 
2073  if ((PacketAlertCheck(p, 1))) {
2074  goto end;
2075  }
2076 
2077  result = 1;
2078 end:
2079  if (alp_tctx != NULL)
2080  AppLayerParserThreadCtxFree(alp_tctx);
2081  if (det_ctx != NULL) {
2082  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2083  }
2084  if (de_ctx != NULL) {
2085  DetectEngineCtxFree(de_ctx);
2086  }
2087 
2088  StreamTcpFreeConfig(true);
2089  UTHFreePackets(&p, 1);
2090  return result;
2091 }
2092 
2093 /** \test Check the signature working to alert when http_cookie is not present */
2094 static int DetectHttpCookieSigTest04(void)
2095 {
2096  int result = 0;
2097  Flow f;
2098  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2099  "Cookie: dummy\r\n\r\n";
2100  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2101  TcpSession ssn;
2102  Packet *p = NULL;
2103  Signature *s = NULL;
2104  ThreadVars th_v;
2105  DetectEngineThreadCtx *det_ctx = NULL;
2106  HtpState *http_state = NULL;
2107  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2108 
2109  memset(&th_v, 0, sizeof(th_v));
2110  memset(&p, 0, sizeof(p));
2111  memset(&f, 0, sizeof(f));
2112  memset(&ssn, 0, sizeof(ssn));
2113 
2114  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2115 
2116  FLOW_INITIALIZE(&f);
2117  f.protoctx = (void *)&ssn;
2118  f.proto = IPPROTO_TCP;
2119  f.flags |= FLOW_IPV4;
2120 
2121  p->flow = &f;
2122  p->flowflags |= FLOW_PKT_TOSERVER;
2123  p->flowflags |= FLOW_PKT_ESTABLISHED;
2124  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2125  f.alproto = ALPROTO_HTTP1;
2126 
2127  StreamTcpInitConfig(true);
2128 
2129  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2130  if (de_ctx == NULL) {
2131  goto end;
2132  }
2133 
2134  de_ctx->flags |= DE_QUIET;
2135 
2136  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2137  "\"HTTP cookie\"; content:!\"boo\"; "
2138  "http_cookie; sid:1;)");
2139  if (s == NULL) {
2140  goto end;
2141  }
2142 
2143  SigGroupBuild(de_ctx);
2144  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2145 
2146  int r = AppLayerParserParse(
2147  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2148  if (r != 0) {
2149  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2150  result = 0;
2151  goto end;
2152  }
2153 
2154  http_state = f.alstate;
2155  if (http_state == NULL) {
2156  printf("no http state: ");
2157  result = 0;
2158  goto end;
2159  }
2160 
2161  /* do detect */
2162  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2163 
2164  if (!PacketAlertCheck(p, 1)) {
2165  goto end;
2166  }
2167 
2168  result = 1;
2169 end:
2170  if (alp_tctx != NULL)
2171  AppLayerParserThreadCtxFree(alp_tctx);
2172  if (det_ctx != NULL) {
2173  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2174  }
2175  if (de_ctx != NULL) {
2176  DetectEngineCtxFree(de_ctx);
2177  }
2178 
2179  StreamTcpFreeConfig(true);
2180  UTHFreePackets(&p, 1);
2181  return result;
2182 }
2183 
2184 /** \test Check the signature working to alert when http_cookie is not present */
2185 static int DetectHttpCookieSigTest05(void)
2186 {
2187  int result = 0;
2188  Flow f;
2189  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2190  "Cookie: DuMmY\r\n\r\n";
2191  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2192  TcpSession ssn;
2193  Packet *p = NULL;
2194  Signature *s = NULL;
2195  ThreadVars th_v;
2196  DetectEngineThreadCtx *det_ctx = NULL;
2197  HtpState *http_state = NULL;
2198  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2199 
2200  memset(&th_v, 0, sizeof(th_v));
2201  memset(&p, 0, sizeof(p));
2202  memset(&f, 0, sizeof(f));
2203  memset(&ssn, 0, sizeof(ssn));
2204 
2205  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2206 
2207  FLOW_INITIALIZE(&f);
2208  f.protoctx = (void *)&ssn;
2209  f.proto = IPPROTO_TCP;
2210  f.flags |= FLOW_IPV4;
2211 
2212  p->flow = &f;
2213  p->flowflags |= FLOW_PKT_TOSERVER;
2214  p->flowflags |= FLOW_PKT_ESTABLISHED;
2215  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2216  f.alproto = ALPROTO_HTTP1;
2217 
2218  StreamTcpInitConfig(true);
2219 
2220  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2221  if (de_ctx == NULL) {
2222  goto end;
2223  }
2224 
2225  de_ctx->flags |= DE_QUIET;
2226 
2227  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2228  "\"HTTP cookie\"; content:\"dummy\"; nocase; "
2229  "http_cookie; sid:1;)");
2230  if (s == NULL) {
2231  goto end;
2232  }
2233 
2234  SigGroupBuild(de_ctx);
2235  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2236 
2237  int r = AppLayerParserParse(
2238  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2239  if (r != 0) {
2240  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2241  result = 0;
2242  goto end;
2243  }
2244 
2245  http_state = f.alstate;
2246  if (http_state == NULL) {
2247  printf("no http state: ");
2248  result = 0;
2249  goto end;
2250  }
2251 
2252  /* do detect */
2253  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2254 
2255  if (!PacketAlertCheck(p, 1)) {
2256  goto end;
2257  }
2258 
2259  result = 1;
2260 end:
2261  if (alp_tctx != NULL)
2262  AppLayerParserThreadCtxFree(alp_tctx);
2263  if (det_ctx != NULL) {
2264  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2265  }
2266  if (de_ctx != NULL) {
2267  DetectEngineCtxFree(de_ctx);
2268  }
2269 
2270  StreamTcpFreeConfig(true);
2271  UTHFreePackets(&p, 1);
2272  return result;
2273 }
2274 
2275 /** \test Check the signature working to alert when http_cookie is not present */
2276 static int DetectHttpCookieSigTest06(void)
2277 {
2278  int result = 0;
2279  Flow f;
2280  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2281  "Cookie: DuMmY\r\n\r\n";
2282  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2283  TcpSession ssn;
2284  Packet *p = NULL;
2285  Signature *s = NULL;
2286  ThreadVars th_v;
2287  DetectEngineThreadCtx *det_ctx = NULL;
2288  HtpState *http_state = NULL;
2289  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2290 
2291  memset(&th_v, 0, sizeof(th_v));
2292  memset(&p, 0, sizeof(p));
2293  memset(&f, 0, sizeof(f));
2294  memset(&ssn, 0, sizeof(ssn));
2295 
2296  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2297 
2298  FLOW_INITIALIZE(&f);
2299  f.protoctx = (void *)&ssn;
2300  f.proto = IPPROTO_TCP;
2301  f.flags |= FLOW_IPV4;
2302 
2303  p->flow = &f;
2304  p->flowflags |= FLOW_PKT_TOSERVER;
2305  p->flowflags |= FLOW_PKT_ESTABLISHED;
2306  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2307  f.alproto = ALPROTO_HTTP1;
2308 
2309  StreamTcpInitConfig(true);
2310 
2311  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2312  if (de_ctx == NULL) {
2313  goto end;
2314  }
2315 
2316  de_ctx->flags |= DE_QUIET;
2317 
2318  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2319  "\"HTTP cookie\"; content:\"dummy\"; "
2320  "http_cookie; nocase; sid:1;)");
2321  if (s == NULL) {
2322  printf("sig parse failed: ");
2323  goto end;
2324  }
2325 
2326  SigGroupBuild(de_ctx);
2327  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2328 
2329  int r = AppLayerParserParse(
2330  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2331  if (r != 0) {
2332  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2333  goto end;
2334  }
2335 
2336  http_state = f.alstate;
2337  if (http_state == NULL) {
2338  printf("no http state: ");
2339  goto end;
2340  }
2341 
2342  /* do detect */
2343  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2344 
2345  if (!PacketAlertCheck(p, 1)) {
2346  printf("sig 1 failed to match: ");
2347  goto end;
2348  }
2349 
2350  result = 1;
2351 end:
2352  if (alp_tctx != NULL)
2353  AppLayerParserThreadCtxFree(alp_tctx);
2354  if (det_ctx != NULL) {
2355  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2356  }
2357  if (de_ctx != NULL) {
2358  DetectEngineCtxFree(de_ctx);
2359  }
2360 
2361  StreamTcpFreeConfig(true);
2362  UTHFreePackets(&p, 1);
2363  return result;
2364 }
2365 
2366 /** \test Check the signature working to alert when http_cookie is not present */
2367 static int DetectHttpCookieSigTest07(void)
2368 {
2369  int result = 0;
2370  Flow f;
2371  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2372  "Cookie: dummy\r\n\r\n";
2373  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2374  TcpSession ssn;
2375  Packet *p = NULL;
2376  Signature *s = NULL;
2377  ThreadVars th_v;
2378  DetectEngineThreadCtx *det_ctx = NULL;
2379  HtpState *http_state = NULL;
2380  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2381 
2382  memset(&th_v, 0, sizeof(th_v));
2383  memset(&f, 0, sizeof(f));
2384  memset(&ssn, 0, sizeof(ssn));
2385 
2386  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2387 
2388  FLOW_INITIALIZE(&f);
2389  f.protoctx = (void *)&ssn;
2390  f.proto = IPPROTO_TCP;
2391  f.flags |= FLOW_IPV4;
2392 
2393  p->flow = &f;
2394  p->flowflags |= FLOW_PKT_TOSERVER;
2395  p->flowflags |= FLOW_PKT_ESTABLISHED;
2396  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2397  f.alproto = ALPROTO_HTTP1;
2398 
2399  StreamTcpInitConfig(true);
2400 
2401  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2402  if (de_ctx == NULL) {
2403  goto end;
2404  }
2405 
2406  de_ctx->flags |= DE_QUIET;
2407 
2408  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2409  "\"HTTP cookie\"; content:!\"dummy\"; "
2410  "http_cookie; sid:1;)");
2411  if (s == NULL) {
2412  goto end;
2413  }
2414 
2415  SigGroupBuild(de_ctx);
2416  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2417 
2418  int r = AppLayerParserParse(
2419  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2420  if (r != 0) {
2421  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2422  result = 0;
2423  goto end;
2424  }
2425 
2426  http_state = f.alstate;
2427  if (http_state == NULL) {
2428  printf("no http state: ");
2429  result = 0;
2430  goto end;
2431  }
2432 
2433  /* do detect */
2434  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2435 
2436  if (PacketAlertCheck(p, 1)) {
2437  goto end;
2438  }
2439 
2440  result = 1;
2441 end:
2442  if (alp_tctx != NULL)
2443  AppLayerParserThreadCtxFree(alp_tctx);
2444  if (det_ctx != NULL) {
2445  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2446  }
2447  if (de_ctx != NULL) {
2448  DetectEngineCtxFree(de_ctx);
2449  }
2450 
2451  StreamTcpFreeConfig(true);
2452  UTHFreePackets(&p, 1);
2453  return result;
2454 }
2455 
2456 /**
2457  * \test Check the signature working to alert against set-cookie
2458  */
2459 static int DetectHttpCookieSigTest08(void)
2460 {
2461  int result = 0;
2462  Flow f;
2463 
2464  uint8_t httpbuf_request[] =
2465  "GET / HTTP/1.1\r\n"
2466  "User-Agent: Mozilla/1.0\r\n"
2467  "\r\n";
2468  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
2469 
2470  uint8_t httpbuf_response[] =
2471  "HTTP/1.1 200 OK\r\n"
2472  "Set-Cookie: response_user_agent\r\n"
2473  "\r\n";
2474  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
2475 
2476  TcpSession ssn;
2477  Packet *p1 = NULL, *p2 = NULL;
2478  Signature *s = NULL;
2479  ThreadVars th_v;
2480  DetectEngineThreadCtx *det_ctx = NULL;
2481  HtpState *http_state = NULL;
2482  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2483 
2484  memset(&th_v, 0, sizeof(th_v));
2485  memset(&f, 0, sizeof(f));
2486  memset(&ssn, 0, sizeof(ssn));
2487 
2488  FLOW_INITIALIZE(&f);
2489  f.protoctx = (void *)&ssn;
2490  f.proto = IPPROTO_TCP;
2491  f.flags |= FLOW_IPV4;
2492  f.alproto = ALPROTO_HTTP1;
2493 
2494  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2495  p1->flow = &f;
2496  p1->flowflags |= FLOW_PKT_TOSERVER;
2497  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2498  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2499 
2500  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2501  p2->flow = &f;
2502  p2->flowflags |= FLOW_PKT_TOCLIENT;
2503  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2504  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2505 
2506  StreamTcpInitConfig(true);
2507 
2508  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2509  if (de_ctx == NULL) {
2510  goto end;
2511  }
2512 
2513  de_ctx->flags |= DE_QUIET;
2514 
2515  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2516  "(flow:to_client; content:\"response_user_agent\"; "
2517  "http_cookie; sid:1;)");
2518  if (s == NULL) {
2519  goto end;
2520  }
2521 
2522  SigGroupBuild(de_ctx);
2523  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2524 
2525  /* request */
2526  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
2527  httpbuf_request_len);
2528  if (r != 0) {
2529  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2530  result = 0;
2531  goto end;
2532  }
2533 
2534  http_state = f.alstate;
2535  if (http_state == NULL) {
2536  printf("no http state: ");
2537  goto end;
2538  }
2539 
2540  /* do detect */
2541  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2542  if (PacketAlertCheck(p1, 1)) {
2543  goto end;
2544  }
2545 
2546  /* response */
2547  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
2548  httpbuf_response_len);
2549  if (r != 0) {
2550  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2551  result = 0;
2552  goto end;
2553  }
2554 
2555  /* do detect */
2556  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2557  if (!PacketAlertCheck(p2, 1)) {
2558  goto end;
2559  }
2560 
2561  result = 1;
2562 
2563 end:
2564  if (alp_tctx != NULL)
2565  AppLayerParserThreadCtxFree(alp_tctx);
2566  if (det_ctx != NULL) {
2567  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2568  }
2569  if (de_ctx != NULL) {
2570  DetectEngineCtxFree(de_ctx);
2571  }
2572 
2573  StreamTcpFreeConfig(true);
2574  UTHFreePackets(&p1, 1);
2575  UTHFreePackets(&p2, 1);
2576  return result;
2577 }
2578 
2579 /**
2580  * \test Check the signature working to alert against cookie/set-cookie
2581  */
2582 static int DetectHttpCookieSigTest09(void)
2583 {
2584  int result = 0;
2585  Flow f;
2586 
2587  uint8_t httpbuf_request[] =
2588  "GET / HTTP/1.1\r\n"
2589  "Cookie: request_user_agent\r\n"
2590  "User-Agent: Mozilla/1.0\r\n"
2591  "\r\n";
2592  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
2593 
2594  uint8_t httpbuf_response[] =
2595  "HTTP/1.1 200 OK\r\n"
2596  "Set-Cookie: response_user_agent\r\n"
2597  "\r\n";
2598  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
2599 
2600  TcpSession ssn;
2601  Packet *p1 = NULL, *p2 = NULL;
2602  Signature *s = NULL;
2603  ThreadVars th_v;
2604  DetectEngineThreadCtx *det_ctx = NULL;
2605  HtpState *http_state = NULL;
2606  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2607 
2608  memset(&th_v, 0, sizeof(th_v));
2609  memset(&f, 0, sizeof(f));
2610  memset(&ssn, 0, sizeof(ssn));
2611 
2612  FLOW_INITIALIZE(&f);
2613  f.protoctx = (void *)&ssn;
2614  f.proto = IPPROTO_TCP;
2615  f.flags |= FLOW_IPV4;
2616  f.alproto = ALPROTO_HTTP1;
2617 
2618  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2619  p1->flow = &f;
2620  p1->flowflags |= FLOW_PKT_TOSERVER;
2621  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2622  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2623 
2624  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2625  p2->flow = &f;
2626  p2->flowflags |= FLOW_PKT_TOCLIENT;
2627  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2628  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2629 
2630  StreamTcpInitConfig(true);
2631 
2632  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2633  if (de_ctx == NULL) {
2634  goto end;
2635  }
2636 
2637  de_ctx->flags |= DE_QUIET;
2638 
2639  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2640  "(flow:to_server; content:\"request_user_agent\"; "
2641  "http_cookie; sid:1;)");
2642  if (s == NULL) {
2643  goto end;
2644  }
2645  s = de_ctx->sig_list->next = SigInit(de_ctx,"alert http any any -> any any "
2646  "(flow:to_client; content:\"response_user_agent\"; "
2647  "http_cookie; sid:2;)");
2648  if (s == NULL) {
2649  goto end;
2650  }
2651 
2652  SigGroupBuild(de_ctx);
2653  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2654 
2655  /* request */
2656  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
2657  httpbuf_request_len);
2658  if (r != 0) {
2659  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2660  result = 0;
2661  goto end;
2662  }
2663 
2664  http_state = f.alstate;
2665  if (http_state == NULL) {
2666  printf("no http state: ");
2667  goto end;
2668  }
2669 
2670  /* do detect */
2671  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2672  if (!PacketAlertCheck(p1, 1) || PacketAlertCheck(p1, 2)) {
2673  goto end;
2674  }
2675 
2676  /* response */
2677  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
2678  httpbuf_response_len);
2679  if (r != 0) {
2680  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2681  result = 0;
2682  goto end;
2683  }
2684 
2685  /* do detect */
2686  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2687  if (PacketAlertCheck(p2, 1) || !PacketAlertCheck(p2, 2)) {
2688  goto end;
2689  }
2690 
2691  result = 1;
2692 
2693 end:
2694  if (alp_tctx != NULL)
2695  AppLayerParserThreadCtxFree(alp_tctx);
2696  if (det_ctx != NULL) {
2697  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2698  }
2699  if (de_ctx != NULL) {
2700  DetectEngineCtxFree(de_ctx);
2701  }
2702 
2703  StreamTcpFreeConfig(true);
2704  UTHFreePackets(&p1, 1);
2705  UTHFreePackets(&p2, 1);
2706  return result;
2707 }
2708 
2709 static int DetectHttpCookieIsdataatParseTest(void)
2710 {
2711  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2712  FAIL_IF_NULL(de_ctx);
2713  de_ctx->flags |= DE_QUIET;
2714 
2715  Signature *s = DetectEngineAppendSig(de_ctx,
2716  "alert tcp any any -> any any ("
2717  "content:\"one\"; http_cookie; "
2718  "isdataat:!4,relative; sid:1;)");
2719  FAIL_IF_NULL(s);
2720 
2721  SigMatch *sm = s->init_data->smlists_tail[g_http_cookie_buffer_id];
2722  FAIL_IF_NULL(sm);
2723  FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
2724 
2725  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
2726  FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
2727  FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
2728  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
2729 
2730  DetectEngineCtxFree(de_ctx);
2731  PASS;
2732 }
2733 
2734 /**
2735  * \brief Register the UNITTESTS for the http_cookie keyword
2736  */
2737 void DetectHttpCookieRegisterTests (void)
2738 {
2739  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
2740 
2741  UtRegisterTest("DetectHttpCookieTest01", DetectHttpCookieTest01);
2742  UtRegisterTest("DetectHttpCookieTest02", DetectHttpCookieTest02);
2743  UtRegisterTest("DetectHttpCookieTest03", DetectHttpCookieTest03);
2744  UtRegisterTest("DetectHttpCookieTest04", DetectHttpCookieTest04);
2745  UtRegisterTest("DetectHttpCookieTest05", DetectHttpCookieTest05);
2746  UtRegisterTest("DetectHttpCookieTest06", DetectHttpCookieTest06);
2747  UtRegisterTest("DetectHttpCookieSigTest01", DetectHttpCookieSigTest01);
2748  UtRegisterTest("DetectHttpCookieSigTest02", DetectHttpCookieSigTest02);
2749  UtRegisterTest("DetectHttpCookieSigTest03", DetectHttpCookieSigTest03);
2750  UtRegisterTest("DetectHttpCookieSigTest04", DetectHttpCookieSigTest04);
2751  UtRegisterTest("DetectHttpCookieSigTest05", DetectHttpCookieSigTest05);
2752  UtRegisterTest("DetectHttpCookieSigTest06", DetectHttpCookieSigTest06);
2753  UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
2754  UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
2755  UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
2756  UtRegisterTest("DetectHttpCookieIsdataatParseTest",
2757  DetectHttpCookieIsdataatParseTest);
2758  UtRegisterTest("DetectEngineHttpCookieTest01",
2759  DetectEngineHttpCookieTest01);
2760  UtRegisterTest("DetectEngineHttpCookieTest02",
2761  DetectEngineHttpCookieTest02);
2762  UtRegisterTest("DetectEngineHttpCookieTest03",
2763  DetectEngineHttpCookieTest03);
2764  UtRegisterTest("DetectEngineHttpCookieTest04",
2765  DetectEngineHttpCookieTest04);
2766  UtRegisterTest("DetectEngineHttpCookieTest05",
2767  DetectEngineHttpCookieTest05);
2768  UtRegisterTest("DetectEngineHttpCookieTest06",
2769  DetectEngineHttpCookieTest06);
2770  UtRegisterTest("DetectEngineHttpCookieTest07",
2771  DetectEngineHttpCookieTest07);
2772  UtRegisterTest("DetectEngineHttpCookieTest08",
2773  DetectEngineHttpCookieTest08);
2774  UtRegisterTest("DetectEngineHttpCookieTest09",
2775  DetectEngineHttpCookieTest09);
2776  UtRegisterTest("DetectEngineHttpCookieTest10",
2777  DetectEngineHttpCookieTest10);
2778  UtRegisterTest("DetectEngineHttpCookieTest11",
2779  DetectEngineHttpCookieTest11);
2780  UtRegisterTest("DetectEngineHttpCookieTest12",
2781  DetectEngineHttpCookieTest12);
2782  UtRegisterTest("DetectEngineHttpCookieTest13",
2783  DetectEngineHttpCookieTest13);
2784  UtRegisterTest("DetectEngineHttpCookieTest14",
2785  DetectEngineHttpCookieTest14);
2786  UtRegisterTest("DetectEngineHttpCookieTest15",
2787  DetectEngineHttpCookieTest15);
2788  UtRegisterTest("DetectEngineHttpCookieTest16",
2789  DetectEngineHttpCookieTest16);
2790  UtRegisterTest("DetectEngineHttpCookieTest17",
2791  DetectEngineHttpCookieTest17);
2792 }
2793 /**
2794  * @}
2795  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1003
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
Flow_::proto
uint8_t proto
Definition: flow.h:379
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:463
Flow_
Flow data structure.
Definition: flow.h:357
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:314
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:227
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:459
Flow_::protoctx
void * protoctx
Definition: flow.h:447
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
HtpState_
Definition: app-layer-htp.h:244
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1079
Signature_::next
struct Signature_ * next
Definition: detect.h:614
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:536
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:356
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:40
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:317
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:289
Packet_
Definition: decode.h:428
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:228
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:293
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:668
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1323
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
Flow_::alstate
void * alstate
Definition: flow.h:482
Flow_::flags
uint32_t flags
Definition: flow.h:427
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:229
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
TcpSession_
Definition: stream-tcp-private.h:272
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:456
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:129
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1000
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468