suricata
detect-http-cookie.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 /** \file
25  *
26  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
27  * \author Victor Julien <victor@inliniac.net>
28  *
29  * \brief Handle HTTP cookie match
30  *
31  */
32 
33 #include "../suricata-common.h"
34 #include "../suricata.h"
35 #include "../flow-util.h"
36 #include "../flow.h"
37 #include "../app-layer-parser.h"
38 #include "../util-unittest.h"
39 #include "../util-unittest-helper.h"
40 #include "../app-layer.h"
41 #include "../app-layer-htp.h"
42 #include "../app-layer-protos.h"
43 #include "../detect-isdataat.h"
44 #include "../detect-engine-build.h"
45 #include "../detect-engine-alert.h"
46 
47 /***********************************Unittests**********************************/
48 
49 /**
50  * \test Test that the http_cookie content matches against a http request
51  * which holds the content.
52  */
53 static int DetectEngineHttpCookieTest01(void)
54 {
55  TcpSession ssn;
56  ThreadVars th_v;
57  DetectEngineThreadCtx *det_ctx = NULL;
58  Flow f;
59  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
60  "Cookie: CONNECT\r\n"
61  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
62  uint32_t http_len = sizeof(http_buf) - 1;
63  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
64 
65  memset(&th_v, 0, sizeof(th_v));
66  StatsThreadInit(&th_v.stats);
67  memset(&f, 0, sizeof(f));
68  memset(&ssn, 0, sizeof(ssn));
69 
70  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
71 
72  FLOW_INITIALIZE(&f);
73  f.protoctx = (void *)&ssn;
74  f.proto = IPPROTO_TCP;
75  f.flags |= FLOW_IPV4;
76  p->flow = &f;
77  p->flowflags |= FLOW_PKT_TOSERVER;
78  p->flowflags |= FLOW_PKT_ESTABLISHED;
79  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
80  f.alproto = ALPROTO_HTTP1;
81 
82  StreamTcpInitConfig(true);
83 
84  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
85  FAIL_IF_NULL(de_ctx);
86  de_ctx->flags |= DE_QUIET;
87 
88  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
89  "(msg:\"http header test\"; "
90  "content:\"CONNECT\"; http_cookie; "
91  "sid:1;)");
92  FAIL_IF_NULL(s);
93 
94  SigGroupBuild(de_ctx);
95  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
96 
97  int r = AppLayerParserParse(
98  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
99  FAIL_IF_NOT(r == 0);
100 
101  HtpState *http_state = f.alstate;
102  FAIL_IF_NULL(http_state);
103 
104  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
105  FAIL_IF(!(PacketAlertCheck(p, 1)));
106 
107  FLOW_DESTROY(&f);
108  UTHFreePackets(&p, 1);
109  AppLayerParserThreadCtxFree(alp_tctx);
110  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
111  DetectEngineCtxFree(de_ctx);
112  StreamTcpFreeConfig(true);
113  StatsThreadCleanup(&th_v.stats);
114  PASS;
115 }
116 
117 /**
118  * \test Test that the http_cookie content matches against a http request
119  * which holds the content.
120  */
121 static int DetectEngineHttpCookieTest02(void)
122 {
123  TcpSession ssn;
124  ThreadVars th_v;
125  DetectEngineThreadCtx *det_ctx = NULL;
126  Flow f;
127  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
128  "Cookie: CONNECT\r\n"
129  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
130  uint32_t http_len = sizeof(http_buf) - 1;
131  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
132 
133  memset(&th_v, 0, sizeof(th_v));
134  StatsThreadInit(&th_v.stats);
135  memset(&f, 0, sizeof(f));
136  memset(&ssn, 0, sizeof(ssn));
137 
138  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
139 
140  FLOW_INITIALIZE(&f);
141  f.protoctx = (void *)&ssn;
142  f.proto = IPPROTO_TCP;
143  f.flags |= FLOW_IPV4;
144  p->flow = &f;
145  p->flowflags |= FLOW_PKT_TOSERVER;
146  p->flowflags |= FLOW_PKT_ESTABLISHED;
147  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
148  f.alproto = ALPROTO_HTTP1;
149 
150  StreamTcpInitConfig(true);
151 
152  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
153  FAIL_IF_NULL(de_ctx);
154  de_ctx->flags |= DE_QUIET;
155 
156  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
157  "(msg:\"http header test\"; "
158  "content:\"CO\"; depth:4; http_cookie; "
159  "sid:1;)");
160  FAIL_IF_NULL(s);
161 
162  SigGroupBuild(de_ctx);
163  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
164 
165  int r = AppLayerParserParse(
166  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
167  FAIL_IF_NOT(r == 0);
168 
169  HtpState *http_state = f.alstate;
170  FAIL_IF_NULL(http_state);
171 
172  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
173  FAIL_IF(!(PacketAlertCheck(p, 1)));
174 
175  FLOW_DESTROY(&f);
176  UTHFreePackets(&p, 1);
177  AppLayerParserThreadCtxFree(alp_tctx);
178  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
179  DetectEngineCtxFree(de_ctx);
180  StreamTcpFreeConfig(true);
181  StatsThreadCleanup(&th_v.stats);
182  PASS;
183 }
184 
185 /**
186  * \test Test that the http_cookie content matches against a http request
187  * which holds the content.
188  */
189 static int DetectEngineHttpCookieTest03(void)
190 {
191  TcpSession ssn;
192  ThreadVars th_v;
193  DetectEngineThreadCtx *det_ctx = NULL;
194  Flow f;
195  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
196  "Cookie: CONNECT\r\n"
197  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
198  uint32_t http_len = sizeof(http_buf) - 1;
199  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
200 
201  memset(&th_v, 0, sizeof(th_v));
202  StatsThreadInit(&th_v.stats);
203  memset(&f, 0, sizeof(f));
204  memset(&ssn, 0, sizeof(ssn));
205 
206  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
207 
208  FLOW_INITIALIZE(&f);
209  f.protoctx = (void *)&ssn;
210  f.proto = IPPROTO_TCP;
211  f.flags |= FLOW_IPV4;
212  p->flow = &f;
213  p->flowflags |= FLOW_PKT_TOSERVER;
214  p->flowflags |= FLOW_PKT_ESTABLISHED;
215  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
216  f.alproto = ALPROTO_HTTP1;
217 
218  StreamTcpInitConfig(true);
219 
220  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
221  FAIL_IF_NULL(de_ctx);
222  de_ctx->flags |= DE_QUIET;
223 
224  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
225  "(msg:\"http header test\"; "
226  "content:!\"ECT\"; depth:4; http_cookie; "
227  "sid:1;)");
228  FAIL_IF_NULL(s);
229 
230  SigGroupBuild(de_ctx);
231  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
232 
233  int r = AppLayerParserParse(
234  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
235  FAIL_IF_NOT(r == 0);
236 
237  HtpState *http_state = f.alstate;
238  FAIL_IF_NULL(http_state);
239 
240  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
241  FAIL_IF(!(PacketAlertCheck(p, 1)));
242 
243  FLOW_DESTROY(&f);
244  UTHFreePackets(&p, 1);
245  AppLayerParserThreadCtxFree(alp_tctx);
246  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
247  DetectEngineCtxFree(de_ctx);
248  StreamTcpFreeConfig(true);
249  StatsThreadCleanup(&th_v.stats);
250  PASS;
251 }
252 
253 /**
254  * \test Test that the http_cookie content matches against a http request
255  * which holds the content.
256  */
257 static int DetectEngineHttpCookieTest04(void)
258 {
259  TcpSession ssn;
260  ThreadVars th_v;
261  DetectEngineThreadCtx *det_ctx = NULL;
262  Flow f;
263  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
264  "Cookie: CONNECT\r\n"
265  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
266  uint32_t http_len = sizeof(http_buf) - 1;
267  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
268 
269  memset(&th_v, 0, sizeof(th_v));
270  StatsThreadInit(&th_v.stats);
271  memset(&f, 0, sizeof(f));
272  memset(&ssn, 0, sizeof(ssn));
273 
274  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
275 
276  FLOW_INITIALIZE(&f);
277  f.protoctx = (void *)&ssn;
278  f.proto = IPPROTO_TCP;
279  f.flags |= FLOW_IPV4;
280  p->flow = &f;
281  p->flowflags |= FLOW_PKT_TOSERVER;
282  p->flowflags |= FLOW_PKT_ESTABLISHED;
283  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
284  f.alproto = ALPROTO_HTTP1;
285 
286  StreamTcpInitConfig(true);
287 
288  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
289  FAIL_IF_NULL(de_ctx);
290  de_ctx->flags |= DE_QUIET;
291 
292  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
293  "(msg:\"http header test\"; "
294  "content:\"ECT\"; depth:4; http_cookie; "
295  "sid:1;)");
296  FAIL_IF_NULL(s);
297 
298  SigGroupBuild(de_ctx);
299  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
300 
301  int r = AppLayerParserParse(
302  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
303  FAIL_IF_NOT(r == 0);
304 
305  HtpState *http_state = f.alstate;
306  FAIL_IF_NULL(http_state);
307 
308  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
309  FAIL_IF(PacketAlertCheck(p, 1));
310 
311  FLOW_DESTROY(&f);
312  UTHFreePackets(&p, 1);
313  AppLayerParserThreadCtxFree(alp_tctx);
314  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
315  DetectEngineCtxFree(de_ctx);
316  StreamTcpFreeConfig(true);
317  StatsThreadCleanup(&th_v.stats);
318  PASS;
319 }
320 
321 /**
322  * \test Test that the http_cookie content matches against a http request
323  * which holds the content.
324  */
325 static int DetectEngineHttpCookieTest05(void)
326 {
327  TcpSession ssn;
328  ThreadVars th_v;
329  DetectEngineThreadCtx *det_ctx = NULL;
330  Flow f;
331  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
332  "Cookie: CONNECT\r\n"
333  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
334  uint32_t http_len = sizeof(http_buf) - 1;
335  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
336 
337  memset(&th_v, 0, sizeof(th_v));
338  StatsThreadInit(&th_v.stats);
339  memset(&f, 0, sizeof(f));
340  memset(&ssn, 0, sizeof(ssn));
341 
342  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
343 
344  FLOW_INITIALIZE(&f);
345  f.protoctx = (void *)&ssn;
346  f.proto = IPPROTO_TCP;
347  f.flags |= FLOW_IPV4;
348  p->flow = &f;
349  p->flowflags |= FLOW_PKT_TOSERVER;
350  p->flowflags |= FLOW_PKT_ESTABLISHED;
351  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
352  f.alproto = ALPROTO_HTTP1;
353 
354  StreamTcpInitConfig(true);
355 
356  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
357  FAIL_IF_NULL(de_ctx);
358  de_ctx->flags |= DE_QUIET;
359 
360  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
361  "(msg:\"http header test\"; "
362  "content:!\"CON\"; depth:4; http_cookie; "
363  "sid:1;)");
364  FAIL_IF_NULL(s);
365 
366  SigGroupBuild(de_ctx);
367  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
368 
369  int r = AppLayerParserParse(
370  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
371  FAIL_IF_NOT(r == 0);
372 
373  HtpState *http_state = f.alstate;
374  FAIL_IF_NULL(http_state);
375 
376  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
377  FAIL_IF(PacketAlertCheck(p, 1));
378 
379  FLOW_DESTROY(&f);
380  UTHFreePackets(&p, 1);
381  AppLayerParserThreadCtxFree(alp_tctx);
382  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
383  DetectEngineCtxFree(de_ctx);
384  StreamTcpFreeConfig(true);
385  StatsThreadCleanup(&th_v.stats);
386  PASS;
387 }
388 
389 /**
390  * \test Test that the http_cookie content matches against a http request
391  * which holds the content.
392  */
393 static int DetectEngineHttpCookieTest06(void)
394 {
395  TcpSession ssn;
396  ThreadVars th_v;
397  DetectEngineThreadCtx *det_ctx = NULL;
398  Flow f;
399  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
400  "Cookie: CONNECT\r\n"
401  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
402  uint32_t http_len = sizeof(http_buf) - 1;
403  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
404 
405  memset(&th_v, 0, sizeof(th_v));
406  StatsThreadInit(&th_v.stats);
407  memset(&f, 0, sizeof(f));
408  memset(&ssn, 0, sizeof(ssn));
409 
410  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
411 
412  FLOW_INITIALIZE(&f);
413  f.protoctx = (void *)&ssn;
414  f.proto = IPPROTO_TCP;
415  f.flags |= FLOW_IPV4;
416  p->flow = &f;
417  p->flowflags |= FLOW_PKT_TOSERVER;
418  p->flowflags |= FLOW_PKT_ESTABLISHED;
419  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
420  f.alproto = ALPROTO_HTTP1;
421 
422  StreamTcpInitConfig(true);
423 
424  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
425  FAIL_IF_NULL(de_ctx);
426  de_ctx->flags |= DE_QUIET;
427 
428  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
429  "(msg:\"http header test\"; "
430  "content:\"ECT\"; offset:3; http_cookie; "
431  "sid:1;)");
432  FAIL_IF_NULL(s);
433 
434  SigGroupBuild(de_ctx);
435  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
436 
437  int r = AppLayerParserParse(
438  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
439  FAIL_IF_NOT(r == 0);
440 
441  HtpState *http_state = f.alstate;
442  FAIL_IF_NULL(http_state);
443 
444  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
445  FAIL_IF(!(PacketAlertCheck(p, 1)));
446 
447  UTHFreePackets(&p, 1);
448  FLOW_DESTROY(&f);
449  AppLayerParserThreadCtxFree(alp_tctx);
450  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
451  DetectEngineCtxFree(de_ctx);
452  StreamTcpFreeConfig(true);
453  StatsThreadCleanup(&th_v.stats);
454  PASS;
455 }
456 
457 /**
458  * \test Test that the http_cookie content matches against a http request
459  * which holds the content.
460  */
461 static int DetectEngineHttpCookieTest07(void)
462 {
463  TcpSession ssn;
464  ThreadVars th_v;
465  DetectEngineThreadCtx *det_ctx = NULL;
466  Flow f;
467  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
468  "Cookie: CONNECT\r\n"
469  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
470  uint32_t http_len = sizeof(http_buf) - 1;
471  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
472 
473  memset(&th_v, 0, sizeof(th_v));
474  StatsThreadInit(&th_v.stats);
475  memset(&f, 0, sizeof(f));
476  memset(&ssn, 0, sizeof(ssn));
477 
478  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
479 
480  FLOW_INITIALIZE(&f);
481  f.protoctx = (void *)&ssn;
482  f.proto = IPPROTO_TCP;
483  f.flags |= FLOW_IPV4;
484  p->flow = &f;
485  p->flowflags |= FLOW_PKT_TOSERVER;
486  p->flowflags |= FLOW_PKT_ESTABLISHED;
487  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
488  f.alproto = ALPROTO_HTTP1;
489 
490  StreamTcpInitConfig(true);
491 
492  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
493  FAIL_IF_NULL(de_ctx);
494  de_ctx->flags |= DE_QUIET;
495 
496  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
497  "(msg:\"http header test\"; "
498  "content:!\"CO\"; offset:3; http_cookie; "
499  "sid:1;)");
500  FAIL_IF_NULL(s);
501 
502  SigGroupBuild(de_ctx);
503  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
504 
505  int r = AppLayerParserParse(
506  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
507  FAIL_IF_NOT(r == 0);
508 
509  HtpState *http_state = f.alstate;
510  FAIL_IF_NULL(http_state);
511 
512  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
513  FAIL_IF(!(PacketAlertCheck(p, 1)));
514 
515  AppLayerParserThreadCtxFree(alp_tctx);
516  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
517  DetectEngineCtxFree(de_ctx);
518  StreamTcpFreeConfig(true);
519  UTHFreePackets(&p, 1);
520  FLOW_DESTROY(&f);
521  StatsThreadCleanup(&th_v.stats);
522  PASS;
523 }
524 
525 /**
526  * \test Test that the http_cookie content matches against a http request
527  * which holds the content.
528  */
529 static int DetectEngineHttpCookieTest08(void)
530 {
531  TcpSession ssn;
532  ThreadVars th_v;
533  DetectEngineThreadCtx *det_ctx = NULL;
534  Flow f;
535  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
536  "Cookie: CONNECT\r\n"
537  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
538  uint32_t http_len = sizeof(http_buf) - 1;
539  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
540 
541  memset(&th_v, 0, sizeof(th_v));
542  StatsThreadInit(&th_v.stats);
543  memset(&f, 0, sizeof(f));
544  memset(&ssn, 0, sizeof(ssn));
545 
546  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
547 
548  FLOW_INITIALIZE(&f);
549  f.protoctx = (void *)&ssn;
550  f.proto = IPPROTO_TCP;
551  f.flags |= FLOW_IPV4;
552  p->flow = &f;
553  p->flowflags |= FLOW_PKT_TOSERVER;
554  p->flowflags |= FLOW_PKT_ESTABLISHED;
555  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
556  f.alproto = ALPROTO_HTTP1;
557 
558  StreamTcpInitConfig(true);
559 
560  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
561  FAIL_IF_NULL(de_ctx);
562  de_ctx->flags |= DE_QUIET;
563 
564  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
565  "(msg:\"http header test\"; "
566  "content:!\"ECT\"; offset:3; http_cookie; "
567  "sid:1;)");
568  FAIL_IF_NULL(s);
569 
570  SigGroupBuild(de_ctx);
571  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
572 
573  int r = AppLayerParserParse(
574  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
575  FAIL_IF_NOT(r == 0);
576 
577  HtpState *http_state = f.alstate;
578  FAIL_IF_NULL(http_state);
579 
580  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
581  FAIL_IF(PacketAlertCheck(p, 1));
582 
583  UTHFreePackets(&p, 1);
584  FLOW_DESTROY(&f);
585  AppLayerParserThreadCtxFree(alp_tctx);
586  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
587  DetectEngineCtxFree(de_ctx);
588  StreamTcpFreeConfig(true);
589  StatsThreadCleanup(&th_v.stats);
590  PASS;
591 }
592 
593 /**
594  * \test Test that the http_cookie content matches against a http request
595  * which holds the content.
596  */
597 static int DetectEngineHttpCookieTest09(void)
598 {
599  TcpSession ssn;
600  ThreadVars th_v;
601  DetectEngineThreadCtx *det_ctx = NULL;
602  Flow f;
603  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
604  "Cookie: CONNECT\r\n"
605  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
606  uint32_t http_len = sizeof(http_buf) - 1;
607  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
608 
609  memset(&th_v, 0, sizeof(th_v));
610  StatsThreadInit(&th_v.stats);
611  memset(&f, 0, sizeof(f));
612  memset(&ssn, 0, sizeof(ssn));
613 
614  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
615 
616  FLOW_INITIALIZE(&f);
617  f.protoctx = (void *)&ssn;
618  f.proto = IPPROTO_TCP;
619  f.flags |= FLOW_IPV4;
620  p->flow = &f;
621  p->flowflags |= FLOW_PKT_TOSERVER;
622  p->flowflags |= FLOW_PKT_ESTABLISHED;
623  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
624  f.alproto = ALPROTO_HTTP1;
625 
626  StreamTcpInitConfig(true);
627 
628  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
629  FAIL_IF_NULL(de_ctx);
630  de_ctx->flags |= DE_QUIET;
631 
632  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
633  "(msg:\"http header test\"; "
634  "content:\"CON\"; offset:3; http_cookie; "
635  "sid:1;)");
636  FAIL_IF_NULL(s);
637 
638  SigGroupBuild(de_ctx);
639  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
640 
641  int r = AppLayerParserParse(
642  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
643  FAIL_IF_NOT(r == 0);
644 
645  HtpState *http_state = f.alstate;
646  FAIL_IF_NULL(http_state);
647 
648  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
649  FAIL_IF(PacketAlertCheck(p, 1));
650 
651  UTHFreePackets(&p, 1);
652  FLOW_DESTROY(&f);
653  AppLayerParserThreadCtxFree(alp_tctx);
654  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
655  DetectEngineCtxFree(de_ctx);
656  StreamTcpFreeConfig(true);
657  StatsThreadCleanup(&th_v.stats);
658  PASS;
659 }
660 
661 /**
662  * \test Test that the http_cookie content matches against a http request
663  * which holds the content.
664  */
665 static int DetectEngineHttpCookieTest10(void)
666 {
667  TcpSession ssn;
668  ThreadVars th_v;
669  DetectEngineThreadCtx *det_ctx = NULL;
670  Flow f;
671  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
672  "Cookie: CONNECT\r\n"
673  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
674  uint32_t http_len = sizeof(http_buf) - 1;
675  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
676 
677  memset(&th_v, 0, sizeof(th_v));
678  StatsThreadInit(&th_v.stats);
679  memset(&f, 0, sizeof(f));
680  memset(&ssn, 0, sizeof(ssn));
681 
682  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
683 
684  FLOW_INITIALIZE(&f);
685  f.protoctx = (void *)&ssn;
686  f.proto = IPPROTO_TCP;
687  f.flags |= FLOW_IPV4;
688  p->flow = &f;
689  p->flowflags |= FLOW_PKT_TOSERVER;
690  p->flowflags |= FLOW_PKT_ESTABLISHED;
691  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
692  f.alproto = ALPROTO_HTTP1;
693 
694  StreamTcpInitConfig(true);
695 
696  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
697  FAIL_IF_NULL(de_ctx);
698  de_ctx->flags |= DE_QUIET;
699 
700  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
701  "(msg:\"http header test\"; "
702  "content:\"CO\"; http_cookie; "
703  "content:\"EC\"; within:4; http_cookie; "
704  "sid:1;)");
705  FAIL_IF_NULL(s);
706 
707  SigGroupBuild(de_ctx);
708  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
709 
710  int r = AppLayerParserParse(
711  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
712  FAIL_IF_NOT(r == 0);
713 
714  HtpState *http_state = f.alstate;
715  FAIL_IF_NULL(http_state);
716 
717  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
718  FAIL_IF(!PacketAlertCheck(p, 1));
719 
720  UTHFreePackets(&p, 1);
721  FLOW_DESTROY(&f);
722  AppLayerParserThreadCtxFree(alp_tctx);
723  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
724  DetectEngineCtxFree(de_ctx);
725  StreamTcpFreeConfig(true);
726  StatsThreadCleanup(&th_v.stats);
727  PASS;
728 }
729 
730 /**
731  * \test Test that the http_cookie content matches against a http request
732  * which holds the content.
733  */
734 static int DetectEngineHttpCookieTest11(void)
735 {
736  TcpSession ssn;
737  ThreadVars th_v;
738  DetectEngineThreadCtx *det_ctx = NULL;
739  Flow f;
740  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
741  "Cookie: CONNECT\r\n"
742  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
743  uint32_t http_len = sizeof(http_buf) - 1;
744  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
745 
746  memset(&th_v, 0, sizeof(th_v));
747  StatsThreadInit(&th_v.stats);
748  memset(&f, 0, sizeof(f));
749  memset(&ssn, 0, sizeof(ssn));
750 
751  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
752 
753  FLOW_INITIALIZE(&f);
754  f.protoctx = (void *)&ssn;
755  f.proto = IPPROTO_TCP;
756  f.flags |= FLOW_IPV4;
757  p->flow = &f;
758  p->flowflags |= FLOW_PKT_TOSERVER;
759  p->flowflags |= FLOW_PKT_ESTABLISHED;
760  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
761  f.alproto = ALPROTO_HTTP1;
762 
763  StreamTcpInitConfig(true);
764 
765  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
766  FAIL_IF_NULL(de_ctx);
767  de_ctx->flags |= DE_QUIET;
768 
769  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
770  "(msg:\"http header test\"; "
771  "content:\"CO\"; http_cookie; "
772  "content:!\"EC\"; within:3; http_cookie; "
773  "sid:1;)");
774  FAIL_IF_NULL(s);
775 
776  SigGroupBuild(de_ctx);
777  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
778 
779  int r = AppLayerParserParse(
780  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
781  FAIL_IF_NOT(r == 0);
782 
783  HtpState *http_state = f.alstate;
784  FAIL_IF_NULL(http_state);
785 
786  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
787  FAIL_IF(!PacketAlertCheck(p, 1));
788 
789  UTHFreePackets(&p, 1);
790  FLOW_DESTROY(&f);
791  AppLayerParserThreadCtxFree(alp_tctx);
792  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
793  DetectEngineCtxFree(de_ctx);
794  StreamTcpFreeConfig(true);
795  StatsThreadCleanup(&th_v.stats);
796  PASS;
797 }
798 
799 /**
800  * \test Test that the http_cookie content matches against a http request
801  * which holds the content.
802  */
803 static int DetectEngineHttpCookieTest12(void)
804 {
805  TcpSession ssn;
806  ThreadVars th_v;
807  DetectEngineThreadCtx *det_ctx = NULL;
808  Flow f;
809  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
810  "Cookie: CONNECT\r\n"
811  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
812  uint32_t http_len = sizeof(http_buf) - 1;
813  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
814 
815  memset(&th_v, 0, sizeof(th_v));
816  StatsThreadInit(&th_v.stats);
817  memset(&f, 0, sizeof(f));
818  memset(&ssn, 0, sizeof(ssn));
819 
820  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
821 
822  FLOW_INITIALIZE(&f);
823  f.protoctx = (void *)&ssn;
824  f.proto = IPPROTO_TCP;
825  f.flags |= FLOW_IPV4;
826  p->flow = &f;
827  p->flowflags |= FLOW_PKT_TOSERVER;
828  p->flowflags |= FLOW_PKT_ESTABLISHED;
829  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
830  f.alproto = ALPROTO_HTTP1;
831 
832  StreamTcpInitConfig(true);
833 
834  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
835  FAIL_IF_NULL(de_ctx);
836  de_ctx->flags |= DE_QUIET;
837 
838  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
839  "(msg:\"http header test\"; "
840  "content:\"CO\"; http_cookie; "
841  "content:\"EC\"; within:3; http_cookie; "
842  "sid:1;)");
843  FAIL_IF_NULL(s);
844 
845  SigGroupBuild(de_ctx);
846  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
847 
848  int r = AppLayerParserParse(
849  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
850  FAIL_IF_NOT(r == 0);
851 
852  HtpState *http_state = f.alstate;
853  FAIL_IF_NULL(http_state);
854 
855  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
856  FAIL_IF(PacketAlertCheck(p, 1));
857 
858  UTHFreePackets(&p, 1);
859  FLOW_DESTROY(&f);
860  AppLayerParserThreadCtxFree(alp_tctx);
861  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
862  DetectEngineCtxFree(de_ctx);
863  StreamTcpFreeConfig(true);
864  StatsThreadCleanup(&th_v.stats);
865  PASS;
866 }
867 
868 /**
869  * \test Test that the http_cookie content matches against a http request
870  * which holds the content.
871  */
872 static int DetectEngineHttpCookieTest13(void)
873 {
874  TcpSession ssn;
875  ThreadVars th_v;
876  DetectEngineThreadCtx *det_ctx = NULL;
877  Flow f;
878  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
879  "Cookie: CONNECT\r\n"
880  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
881  uint32_t http_len = sizeof(http_buf) - 1;
882  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
883 
884  memset(&th_v, 0, sizeof(th_v));
885  StatsThreadInit(&th_v.stats);
886  memset(&f, 0, sizeof(f));
887  memset(&ssn, 0, sizeof(ssn));
888 
889  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
890 
891  FLOW_INITIALIZE(&f);
892  f.protoctx = (void *)&ssn;
893  f.proto = IPPROTO_TCP;
894  f.flags |= FLOW_IPV4;
895  p->flow = &f;
896  p->flowflags |= FLOW_PKT_TOSERVER;
897  p->flowflags |= FLOW_PKT_ESTABLISHED;
898  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
899  f.alproto = ALPROTO_HTTP1;
900 
901  StreamTcpInitConfig(true);
902 
903  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
904  FAIL_IF_NULL(de_ctx);
905  de_ctx->flags |= DE_QUIET;
906 
907  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
908  "(msg:\"http header test\"; "
909  "content:\"CO\"; http_cookie; "
910  "content:!\"EC\"; within:4; http_cookie; "
911  "sid:1;)");
912  FAIL_IF_NULL(s);
913 
914  SigGroupBuild(de_ctx);
915  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
916 
917  int r = AppLayerParserParse(
918  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
919  FAIL_IF_NOT(r == 0);
920 
921  HtpState *http_state = f.alstate;
922  FAIL_IF_NULL(http_state);
923 
924  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
925  FAIL_IF(PacketAlertCheck(p, 1));
926 
927  UTHFreePackets(&p, 1);
928  FLOW_DESTROY(&f);
929  AppLayerParserThreadCtxFree(alp_tctx);
930  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
931  DetectEngineCtxFree(de_ctx);
932  StreamTcpFreeConfig(true);
933  StatsThreadCleanup(&th_v.stats);
934  PASS;
935 }
936 
937 /**
938  * \test Test that the http_cookie content matches against a http request
939  * which holds the content.
940  */
941 static int DetectEngineHttpCookieTest14(void)
942 {
943  TcpSession ssn;
944  ThreadVars th_v;
945  DetectEngineThreadCtx *det_ctx = NULL;
946  Flow f;
947  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
948  "Cookie: CONNECT\r\n"
949  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
950  uint32_t http_len = sizeof(http_buf) - 1;
951  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
952 
953  memset(&th_v, 0, sizeof(th_v));
954  StatsThreadInit(&th_v.stats);
955  memset(&f, 0, sizeof(f));
956  memset(&ssn, 0, sizeof(ssn));
957 
958  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
959 
960  FLOW_INITIALIZE(&f);
961  f.protoctx = (void *)&ssn;
962  f.proto = IPPROTO_TCP;
963  f.flags |= FLOW_IPV4;
964  p->flow = &f;
965  p->flowflags |= FLOW_PKT_TOSERVER;
966  p->flowflags |= FLOW_PKT_ESTABLISHED;
967  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
968  f.alproto = ALPROTO_HTTP1;
969 
970  StreamTcpInitConfig(true);
971 
972  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
973  FAIL_IF_NULL(de_ctx);
974  de_ctx->flags |= DE_QUIET;
975 
976  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
977  "(msg:\"http header test\"; "
978  "content:\"CO\"; http_cookie; "
979  "content:\"EC\"; distance:2; http_cookie; "
980  "sid:1;)");
981  FAIL_IF_NULL(s);
982 
983  SigGroupBuild(de_ctx);
984  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
985 
986  int r = AppLayerParserParse(
987  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
988  FAIL_IF_NOT(r == 0);
989 
990  HtpState *http_state = f.alstate;
991  FAIL_IF_NULL(http_state);
992 
993  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
994  FAIL_IF(!PacketAlertCheck(p, 1));
995 
996  UTHFreePackets(&p, 1);
997  FLOW_DESTROY(&f);
998  AppLayerParserThreadCtxFree(alp_tctx);
999  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1000  DetectEngineCtxFree(de_ctx);
1001  StreamTcpFreeConfig(true);
1002  StatsThreadCleanup(&th_v.stats);
1003  PASS;
1004 }
1005 
1006 /**
1007  * \test Test that the http_cookie content matches against a http request
1008  * which holds the content.
1009  */
1010 static int DetectEngineHttpCookieTest15(void)
1011 {
1012  TcpSession ssn;
1013  ThreadVars th_v;
1014  DetectEngineThreadCtx *det_ctx = NULL;
1015  Flow f;
1016  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
1017  "Cookie: CONNECT\r\n"
1018  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1019  uint32_t http_len = sizeof(http_buf) - 1;
1020  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1021 
1022  memset(&th_v, 0, sizeof(th_v));
1023  StatsThreadInit(&th_v.stats);
1024  memset(&f, 0, sizeof(f));
1025  memset(&ssn, 0, sizeof(ssn));
1026 
1027  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1028 
1029  FLOW_INITIALIZE(&f);
1030  f.protoctx = (void *)&ssn;
1031  f.proto = IPPROTO_TCP;
1032  f.flags |= FLOW_IPV4;
1033  p->flow = &f;
1034  p->flowflags |= FLOW_PKT_TOSERVER;
1035  p->flowflags |= FLOW_PKT_ESTABLISHED;
1036  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1037  f.alproto = ALPROTO_HTTP1;
1038 
1039  StreamTcpInitConfig(true);
1040 
1041  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1042  FAIL_IF_NULL(de_ctx);
1043  de_ctx->flags |= DE_QUIET;
1044 
1045  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1046  "(msg:\"http header test\"; "
1047  "content:\"CO\"; http_cookie; "
1048  "content:!\"EC\"; distance:3; http_cookie; "
1049  "sid:1;)");
1050  FAIL_IF_NULL(s);
1051 
1052  SigGroupBuild(de_ctx);
1053  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1054 
1055  int r = AppLayerParserParse(
1056  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1057  FAIL_IF_NOT(r == 0);
1058 
1059  HtpState *http_state = f.alstate;
1060  FAIL_IF_NULL(http_state);
1061 
1062  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1063  FAIL_IF(!PacketAlertCheck(p, 1));
1064 
1065  UTHFreePackets(&p, 1);
1066  FLOW_DESTROY(&f);
1067  AppLayerParserThreadCtxFree(alp_tctx);
1068  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1069  DetectEngineCtxFree(de_ctx);
1070  StreamTcpFreeConfig(true);
1071  StatsThreadCleanup(&th_v.stats);
1072  PASS;
1073 }
1074 
1075 /**
1076  * \test Test that the http_cookie content matches against a http request
1077  * which holds the content.
1078  */
1079 static int DetectEngineHttpCookieTest16(void)
1080 {
1081  TcpSession ssn;
1082  ThreadVars th_v;
1083  DetectEngineThreadCtx *det_ctx = NULL;
1084  Flow f;
1085  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
1086  "Cookie: CONNECT\r\n"
1087  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1088  uint32_t http_len = sizeof(http_buf) - 1;
1089  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1090 
1091  memset(&th_v, 0, sizeof(th_v));
1092  StatsThreadInit(&th_v.stats);
1093  memset(&f, 0, sizeof(f));
1094  memset(&ssn, 0, sizeof(ssn));
1095 
1096  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1097 
1098  FLOW_INITIALIZE(&f);
1099  f.protoctx = (void *)&ssn;
1100  f.proto = IPPROTO_TCP;
1101  f.flags |= FLOW_IPV4;
1102  p->flow = &f;
1103  p->flowflags |= FLOW_PKT_TOSERVER;
1104  p->flowflags |= FLOW_PKT_ESTABLISHED;
1105  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1106  f.alproto = ALPROTO_HTTP1;
1107 
1108  StreamTcpInitConfig(true);
1109 
1110  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1111  FAIL_IF_NULL(de_ctx);
1112  de_ctx->flags |= DE_QUIET;
1113 
1114  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1115  "(msg:\"http header test\"; "
1116  "content:\"CO\"; http_cookie; "
1117  "content:\"EC\"; distance:3; http_cookie; "
1118  "sid:1;)");
1119  FAIL_IF_NULL(s);
1120 
1121  SigGroupBuild(de_ctx);
1122  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1123 
1124  int r = AppLayerParserParse(
1125  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1126  FAIL_IF_NOT(r == 0);
1127 
1128  HtpState *http_state = f.alstate;
1129  FAIL_IF_NULL(http_state);
1130 
1131  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1132  FAIL_IF(PacketAlertCheck(p, 1));
1133 
1134  UTHFreePackets(&p, 1);
1135  FLOW_DESTROY(&f);
1136  AppLayerParserThreadCtxFree(alp_tctx);
1137  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1138  DetectEngineCtxFree(de_ctx);
1139  StreamTcpFreeConfig(true);
1140  StatsThreadCleanup(&th_v.stats);
1141  PASS;
1142 }
1143 
1144 /**
1145  * \test Test that the http_cookie content matches against a http request
1146  * which holds the content.
1147  */
1148 static int DetectEngineHttpCookieTest17(void)
1149 {
1150  TcpSession ssn;
1151  ThreadVars th_v;
1152  DetectEngineThreadCtx *det_ctx = NULL;
1153  Flow f;
1154  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
1155  "Cookie: CONNECT\r\n"
1156  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1157  uint32_t http_len = sizeof(http_buf) - 1;
1158  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1159 
1160  memset(&th_v, 0, sizeof(th_v));
1161  StatsThreadInit(&th_v.stats);
1162  memset(&f, 0, sizeof(f));
1163  memset(&ssn, 0, sizeof(ssn));
1164 
1165  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1166 
1167  FLOW_INITIALIZE(&f);
1168  f.protoctx = (void *)&ssn;
1169  f.proto = IPPROTO_TCP;
1170  f.flags |= FLOW_IPV4;
1171  p->flow = &f;
1172  p->flowflags |= FLOW_PKT_TOSERVER;
1173  p->flowflags |= FLOW_PKT_ESTABLISHED;
1174  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1175  f.alproto = ALPROTO_HTTP1;
1176 
1177  StreamTcpInitConfig(true);
1178 
1179  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1180  FAIL_IF_NULL(de_ctx);
1181  de_ctx->flags |= DE_QUIET;
1182 
1183  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1184  "(msg:\"http header test\"; "
1185  "content:\"CO\"; http_cookie; "
1186  "content:!\"EC\"; distance:2; http_cookie; "
1187  "sid:1;)");
1188  FAIL_IF_NULL(s);
1189 
1190  SigGroupBuild(de_ctx);
1191  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1192 
1193  int r = AppLayerParserParse(
1194  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1195  FAIL_IF_NOT(r == 0);
1196 
1197  HtpState *http_state = f.alstate;
1198  FAIL_IF_NULL(http_state);
1199 
1200  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1201  FAIL_IF(PacketAlertCheck(p, 1));
1202 
1203  UTHFreePackets(&p, 1);
1204  FLOW_DESTROY(&f);
1205  AppLayerParserThreadCtxFree(alp_tctx);
1206  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1207  DetectEngineCtxFree(de_ctx);
1208  StreamTcpFreeConfig(true);
1209  StatsThreadCleanup(&th_v.stats);
1210  PASS;
1211 }
1212 
1213 /**
1214  * \test Checks if a http_cookie is registered in a Signature, if content is not
1215  * specified in the signature
1216  */
1217 static int DetectHttpCookieTest01(void)
1218 {
1219  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1220  FAIL_IF_NULL(de_ctx);
1221  de_ctx->flags |= DE_QUIET;
1222  Signature *s =
1223  DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1224  "(msg:\"Testing http_cookie\"; http_cookie;sid:1;)");
1225  FAIL_IF_NOT_NULL(s);
1226  DetectEngineCtxFree(de_ctx);
1227  PASS;
1228 }
1229 
1230 /**
1231  * \test Checks if a http_cookie is registered in a Signature, if some parameter
1232  * is specified with http_cookie in the signature
1233  */
1234 static int DetectHttpCookieTest02(void)
1235 {
1236  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1237  FAIL_IF_NULL(de_ctx);
1238  de_ctx->flags |= DE_QUIET;
1239  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1240  "(msg:\"Testing http_cookie\"; content:\"me\"; "
1241  "http_cookie:woo; sid:1;)");
1242  FAIL_IF_NOT_NULL(s);
1243  DetectEngineCtxFree(de_ctx);
1244  PASS;
1245 }
1246 
1247 /** \test Check the signature working to alert when http_cookie is matched . */
1248 static int DetectHttpCookieSigTest01(void)
1249 {
1250  Flow f;
1251  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
1252  " hellocatchme\r\n\r\n";
1253  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1254  TcpSession ssn;
1255  ThreadVars th_v;
1256  DetectEngineThreadCtx *det_ctx = NULL;
1257  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1258 
1259  memset(&th_v, 0, sizeof(th_v));
1260  StatsThreadInit(&th_v.stats);
1261  memset(&f, 0, sizeof(f));
1262  memset(&ssn, 0, sizeof(ssn));
1263 
1264  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1265 
1266  FLOW_INITIALIZE(&f);
1267  f.protoctx = (void *)&ssn;
1268  f.proto = IPPROTO_TCP;
1269  f.flags |= FLOW_IPV4;
1270 
1271  p->flow = &f;
1272  p->flowflags |= FLOW_PKT_TOSERVER;
1273  p->flowflags |= FLOW_PKT_ESTABLISHED;
1274  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1275  f.alproto = ALPROTO_HTTP1;
1276 
1277  StreamTcpInitConfig(true);
1278 
1279  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1280  FAIL_IF_NULL(de_ctx);
1281  de_ctx->flags |= DE_QUIET;
1282 
1283  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1284  "\"HTTP cookie\"; content:\"me\"; "
1285  "http_cookie; sid:1;)");
1286  FAIL_IF_NULL(s);
1287 
1288  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"HTTP "
1289  "cookie\"; content:\"go\"; http_cookie; sid:2;)");
1290  FAIL_IF_NULL(s);
1291 
1292  SigGroupBuild(de_ctx);
1293  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1294 
1295  int r = AppLayerParserParse(
1296  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1297  FAIL_IF_NOT(r == 0);
1298 
1299  HtpState *http_state = f.alstate;
1300  FAIL_IF_NULL(http_state);
1301 
1302  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1303  FAIL_IF(!(PacketAlertCheck(p, 1)));
1304  FAIL_IF(PacketAlertCheck(p, 2));
1305 
1306  UTHFreePackets(&p, 1);
1307  FLOW_DESTROY(&f);
1308  AppLayerParserThreadCtxFree(alp_tctx);
1309  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1310  DetectEngineCtxFree(de_ctx);
1311  StreamTcpFreeConfig(true);
1312  StatsThreadCleanup(&th_v.stats);
1313  PASS;
1314 }
1315 
1316 /** \test Check the signature working to alert when http_cookie is not present */
1317 static int DetectHttpCookieSigTest02(void)
1318 {
1319  Flow f;
1320  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1321  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1322  TcpSession ssn;
1323  ThreadVars th_v;
1324  DetectEngineThreadCtx *det_ctx = NULL;
1325  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1326 
1327  memset(&th_v, 0, sizeof(th_v));
1328  StatsThreadInit(&th_v.stats);
1329  memset(&f, 0, sizeof(f));
1330  memset(&ssn, 0, sizeof(ssn));
1331 
1332  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1333 
1334  FLOW_INITIALIZE(&f);
1335  f.protoctx = (void *)&ssn;
1336  f.proto = IPPROTO_TCP;
1337  f.flags |= FLOW_IPV4;
1338 
1339  p->flow = &f;
1340  p->flowflags |= FLOW_PKT_TOSERVER;
1341  p->flowflags |= FLOW_PKT_ESTABLISHED;
1342  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1343  f.alproto = ALPROTO_HTTP1;
1344 
1345  StreamTcpInitConfig(true);
1346 
1347  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1348  FAIL_IF_NULL(de_ctx);
1349  de_ctx->flags |= DE_QUIET;
1350 
1351  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1352  "\"HTTP cookie\"; content:\"me\"; "
1353  "http_cookie; sid:1;)");
1354  FAIL_IF_NULL(s);
1355 
1356  SigGroupBuild(de_ctx);
1357  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1358 
1359  int r = AppLayerParserParse(
1360  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1361  FAIL_IF_NOT(r == 0);
1362 
1363  HtpState *http_state = f.alstate;
1364  FAIL_IF_NULL(http_state);
1365 
1366  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1367  FAIL_IF(PacketAlertCheck(p, 1));
1368 
1369  UTHFreePackets(&p, 1);
1370  FLOW_DESTROY(&f);
1371  AppLayerParserThreadCtxFree(alp_tctx);
1372  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1373  DetectEngineCtxFree(de_ctx);
1374  StreamTcpFreeConfig(true);
1375  StatsThreadCleanup(&th_v.stats);
1376  PASS;
1377 }
1378 
1379 /** \test Check the signature working to alert when http_cookie is not present */
1380 static int DetectHttpCookieSigTest03(void)
1381 {
1382  Flow f;
1383  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1384  "Cookie: dummy\r\n\r\n";
1385  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1386  TcpSession ssn;
1387  ThreadVars th_v;
1388  DetectEngineThreadCtx *det_ctx = NULL;
1389  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1390 
1391  memset(&th_v, 0, sizeof(th_v));
1392  StatsThreadInit(&th_v.stats);
1393  memset(&f, 0, sizeof(f));
1394  memset(&ssn, 0, sizeof(ssn));
1395 
1396  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1397 
1398  FLOW_INITIALIZE(&f);
1399  f.protoctx = (void *)&ssn;
1400  f.proto = IPPROTO_TCP;
1401  f.flags |= FLOW_IPV4;
1402 
1403  p->flow = &f;
1404  p->flowflags |= FLOW_PKT_TOSERVER;
1405  p->flowflags |= FLOW_PKT_ESTABLISHED;
1406  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1407  f.alproto = ALPROTO_HTTP1;
1408 
1409  StreamTcpInitConfig(true);
1410 
1411  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1412  FAIL_IF_NULL(de_ctx);
1413  de_ctx->flags |= DE_QUIET;
1414 
1415  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1416  "\"HTTP cookie\"; content:\"boo\"; "
1417  "http_cookie; sid:1;)");
1418  FAIL_IF_NULL(s);
1419 
1420  SigGroupBuild(de_ctx);
1421  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1422 
1423  int r = AppLayerParserParse(
1424  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1425  FAIL_IF_NOT(r == 0);
1426 
1427  HtpState *http_state = f.alstate;
1428  FAIL_IF_NULL(http_state);
1429 
1430  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1431  FAIL_IF(PacketAlertCheck(p, 1));
1432 
1433  UTHFreePackets(&p, 1);
1434  FLOW_DESTROY(&f);
1435  AppLayerParserThreadCtxFree(alp_tctx);
1436  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1437  DetectEngineCtxFree(de_ctx);
1438  StreamTcpFreeConfig(true);
1439  StatsThreadCleanup(&th_v.stats);
1440  PASS;
1441 }
1442 
1443 /** \test Check the signature working to alert when http_cookie is not present */
1444 static int DetectHttpCookieSigTest04(void)
1445 {
1446  Flow f;
1447  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1448  "Cookie: dummy\r\n\r\n";
1449  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1450  TcpSession ssn;
1451  ThreadVars th_v;
1452  DetectEngineThreadCtx *det_ctx = NULL;
1453  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1454 
1455  memset(&th_v, 0, sizeof(th_v));
1456  StatsThreadInit(&th_v.stats);
1457  memset(&f, 0, sizeof(f));
1458  memset(&ssn, 0, sizeof(ssn));
1459 
1460  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1461 
1462  FLOW_INITIALIZE(&f);
1463  f.protoctx = (void *)&ssn;
1464  f.proto = IPPROTO_TCP;
1465  f.flags |= FLOW_IPV4;
1466 
1467  p->flow = &f;
1468  p->flowflags |= FLOW_PKT_TOSERVER;
1469  p->flowflags |= FLOW_PKT_ESTABLISHED;
1470  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1471  f.alproto = ALPROTO_HTTP1;
1472 
1473  StreamTcpInitConfig(true);
1474 
1475  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1476  FAIL_IF_NULL(de_ctx);
1477  de_ctx->flags |= DE_QUIET;
1478 
1479  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1480  "\"HTTP cookie\"; content:!\"boo\"; "
1481  "http_cookie; sid:1;)");
1482  FAIL_IF_NULL(s);
1483 
1484  SigGroupBuild(de_ctx);
1485  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1486 
1487  int r = AppLayerParserParse(
1488  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1489  FAIL_IF_NOT(r == 0);
1490 
1491  HtpState *http_state = f.alstate;
1492  FAIL_IF_NULL(http_state);
1493 
1494  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1495  FAIL_IF(!PacketAlertCheck(p, 1));
1496 
1497  UTHFreePackets(&p, 1);
1498  FLOW_DESTROY(&f);
1499  AppLayerParserThreadCtxFree(alp_tctx);
1500  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1501  DetectEngineCtxFree(de_ctx);
1502  StreamTcpFreeConfig(true);
1503  StatsThreadCleanup(&th_v.stats);
1504  PASS;
1505 }
1506 
1507 /** \test Check the signature working to alert when http_cookie is not present */
1508 static int DetectHttpCookieSigTest05(void)
1509 {
1510  Flow f;
1511  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1512  "Cookie: DuMmY\r\n\r\n";
1513  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1514  TcpSession ssn;
1515  ThreadVars th_v;
1516  DetectEngineThreadCtx *det_ctx = NULL;
1517  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1518 
1519  memset(&th_v, 0, sizeof(th_v));
1520  StatsThreadInit(&th_v.stats);
1521  memset(&f, 0, sizeof(f));
1522  memset(&ssn, 0, sizeof(ssn));
1523 
1524  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1525 
1526  FLOW_INITIALIZE(&f);
1527  f.protoctx = (void *)&ssn;
1528  f.proto = IPPROTO_TCP;
1529  f.flags |= FLOW_IPV4;
1530 
1531  p->flow = &f;
1532  p->flowflags |= FLOW_PKT_TOSERVER;
1533  p->flowflags |= FLOW_PKT_ESTABLISHED;
1534  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1535  f.alproto = ALPROTO_HTTP1;
1536 
1537  StreamTcpInitConfig(true);
1538 
1539  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1540  FAIL_IF_NULL(de_ctx);
1541  de_ctx->flags |= DE_QUIET;
1542 
1543  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1544  "\"HTTP cookie\"; content:\"dummy\"; nocase; "
1545  "http_cookie; sid:1;)");
1546  FAIL_IF_NULL(s);
1547 
1548  SigGroupBuild(de_ctx);
1549  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1550 
1551  int r = AppLayerParserParse(
1552  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1553  FAIL_IF_NOT(r == 0);
1554 
1555  HtpState *http_state = f.alstate;
1556  FAIL_IF_NULL(http_state);
1557 
1558  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1559  FAIL_IF(!PacketAlertCheck(p, 1));
1560 
1561  UTHFreePackets(&p, 1);
1562  FLOW_DESTROY(&f);
1563  AppLayerParserThreadCtxFree(alp_tctx);
1564  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1565  DetectEngineCtxFree(de_ctx);
1566  StreamTcpFreeConfig(true);
1567  StatsThreadCleanup(&th_v.stats);
1568  PASS;
1569 }
1570 
1571 /** \test Check the signature working to alert when http_cookie is not present */
1572 static int DetectHttpCookieSigTest06(void)
1573 {
1574  Flow f;
1575  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1576  "Cookie: DuMmY\r\n\r\n";
1577  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1578  TcpSession ssn;
1579  ThreadVars th_v;
1580  DetectEngineThreadCtx *det_ctx = NULL;
1581  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1582 
1583  memset(&th_v, 0, sizeof(th_v));
1584  StatsThreadInit(&th_v.stats);
1585  memset(&f, 0, sizeof(f));
1586  memset(&ssn, 0, sizeof(ssn));
1587 
1588  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1589 
1590  FLOW_INITIALIZE(&f);
1591  f.protoctx = (void *)&ssn;
1592  f.proto = IPPROTO_TCP;
1593  f.flags |= FLOW_IPV4;
1594 
1595  p->flow = &f;
1596  p->flowflags |= FLOW_PKT_TOSERVER;
1597  p->flowflags |= FLOW_PKT_ESTABLISHED;
1598  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1599  f.alproto = ALPROTO_HTTP1;
1600 
1601  StreamTcpInitConfig(true);
1602 
1603  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1604  FAIL_IF_NULL(de_ctx);
1605  de_ctx->flags |= DE_QUIET;
1606 
1607  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1608  "\"HTTP cookie\"; content:\"dummy\"; "
1609  "http_cookie; nocase; sid:1;)");
1610  FAIL_IF_NULL(s);
1611 
1612  SigGroupBuild(de_ctx);
1613  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1614 
1615  int r = AppLayerParserParse(
1616  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1617  FAIL_IF_NOT(r == 0);
1618 
1619  HtpState *http_state = f.alstate;
1620  FAIL_IF_NULL(http_state);
1621 
1622  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1623  FAIL_IF(!PacketAlertCheck(p, 1));
1624 
1625  UTHFreePackets(&p, 1);
1626  FLOW_DESTROY(&f);
1627  AppLayerParserThreadCtxFree(alp_tctx);
1628  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1629  DetectEngineCtxFree(de_ctx);
1630  StreamTcpFreeConfig(true);
1631  StatsThreadCleanup(&th_v.stats);
1632  PASS;
1633 }
1634 
1635 /** \test Check the signature working to alert when http_cookie is not present */
1636 static int DetectHttpCookieSigTest07(void)
1637 {
1638  Flow f;
1639  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1640  "Cookie: dummy\r\n\r\n";
1641  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1642  TcpSession ssn;
1643  ThreadVars th_v;
1644  DetectEngineThreadCtx *det_ctx = NULL;
1645  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1646 
1647  memset(&th_v, 0, sizeof(th_v));
1648  StatsThreadInit(&th_v.stats);
1649  memset(&f, 0, sizeof(f));
1650  memset(&ssn, 0, sizeof(ssn));
1651 
1652  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1653 
1654  FLOW_INITIALIZE(&f);
1655  f.protoctx = (void *)&ssn;
1656  f.proto = IPPROTO_TCP;
1657  f.flags |= FLOW_IPV4;
1658 
1659  p->flow = &f;
1660  p->flowflags |= FLOW_PKT_TOSERVER;
1661  p->flowflags |= FLOW_PKT_ESTABLISHED;
1662  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1663  f.alproto = ALPROTO_HTTP1;
1664 
1665  StreamTcpInitConfig(true);
1666 
1667  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1668  FAIL_IF_NULL(de_ctx);
1669  de_ctx->flags |= DE_QUIET;
1670 
1671  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1672  "\"HTTP cookie\"; content:!\"dummy\"; "
1673  "http_cookie; sid:1;)");
1674  FAIL_IF_NULL(s);
1675 
1676  SigGroupBuild(de_ctx);
1677  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1678 
1679  int r = AppLayerParserParse(
1680  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1681  FAIL_IF_NOT(r == 0);
1682 
1683  HtpState *http_state = f.alstate;
1684  FAIL_IF_NULL(http_state);
1685 
1686  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1687  FAIL_IF(PacketAlertCheck(p, 1));
1688 
1689  UTHFreePackets(&p, 1);
1690  FLOW_DESTROY(&f);
1691  AppLayerParserThreadCtxFree(alp_tctx);
1692  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1693  DetectEngineCtxFree(de_ctx);
1694  StreamTcpFreeConfig(true);
1695  StatsThreadCleanup(&th_v.stats);
1696  PASS;
1697 }
1698 
1699 /**
1700  * \test Check the signature working to alert against set-cookie
1701  */
1702 static int DetectHttpCookieSigTest08(void)
1703 {
1704  uint8_t httpbuf_request[] = "GET / HTTP/1.1\r\n"
1705  "User-Agent: Mozilla/1.0\r\n"
1706  "\r\n";
1707  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
1708 
1709  uint8_t httpbuf_response[] = "HTTP/1.1 200 OK\r\n"
1710  "Set-Cookie: response_user_agent\r\n"
1711  "\r\n";
1712  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
1713 
1714  Flow f;
1715  TcpSession ssn;
1716  ThreadVars th_v;
1717  DetectEngineThreadCtx *det_ctx = NULL;
1718  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1719 
1720  memset(&th_v, 0, sizeof(th_v));
1721  StatsThreadInit(&th_v.stats);
1722  memset(&f, 0, sizeof(f));
1723  memset(&ssn, 0, sizeof(ssn));
1724 
1725  FLOW_INITIALIZE(&f);
1726  f.protoctx = (void *)&ssn;
1727  f.proto = IPPROTO_TCP;
1728  f.flags |= FLOW_IPV4;
1729  f.alproto = ALPROTO_HTTP1;
1730 
1731  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1732  p1->flow = &f;
1733  p1->flowflags |= FLOW_PKT_TOSERVER;
1734  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1735  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1736 
1737  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1738  p2->flow = &f;
1739  p2->flowflags |= FLOW_PKT_TOCLIENT;
1740  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1741  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1742 
1743  StreamTcpInitConfig(true);
1744 
1745  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1746  FAIL_IF_NULL(de_ctx);
1747  de_ctx->flags |= DE_QUIET;
1748 
1749  Signature *s =
1750  DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1751  "(flow:to_client; content:\"response_user_agent\"; "
1752  "http_cookie; sid:1;)");
1753  FAIL_IF_NULL(s);
1754 
1755  SigGroupBuild(de_ctx);
1756  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1757 
1758  /* request */
1759  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
1760  httpbuf_request_len);
1761  FAIL_IF(r != 0);
1762 
1763  HtpState *http_state = f.alstate;
1764  FAIL_IF_NULL(http_state);
1765 
1766  /* do detect */
1767  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1768  FAIL_IF(PacketAlertCheck(p1, 1));
1769 
1770  /* response */
1771  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
1772  httpbuf_response_len);
1773  FAIL_IF(r != 0);
1774 
1775  /* do detect */
1776  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1777  FAIL_IF(!PacketAlertCheck(p2, 1));
1778 
1779  UTHFreePackets(&p1, 1);
1780  UTHFreePackets(&p2, 1);
1781  FLOW_DESTROY(&f);
1782 
1783  AppLayerParserThreadCtxFree(alp_tctx);
1784  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1785  DetectEngineCtxFree(de_ctx);
1786  StreamTcpFreeConfig(true);
1787  StatsThreadCleanup(&th_v.stats);
1788  PASS;
1789 }
1790 
1791 /**
1792  * \test Check the signature working to alert against cookie/set-cookie
1793  */
1794 static int DetectHttpCookieSigTest09(void)
1795 {
1796  uint8_t httpbuf_request[] = "GET / HTTP/1.1\r\n"
1797  "Cookie: request_user_agent\r\n"
1798  "User-Agent: Mozilla/1.0\r\n"
1799  "\r\n";
1800  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
1801 
1802  uint8_t httpbuf_response[] = "HTTP/1.1 200 OK\r\n"
1803  "Set-Cookie: response_user_agent\r\n"
1804  "\r\n";
1805  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
1806  Flow f;
1807  TcpSession ssn;
1808  ThreadVars th_v;
1809  DetectEngineThreadCtx *det_ctx = NULL;
1810  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1811 
1812  memset(&th_v, 0, sizeof(th_v));
1813  StatsThreadInit(&th_v.stats);
1814  memset(&f, 0, sizeof(f));
1815  memset(&ssn, 0, sizeof(ssn));
1816 
1817  FLOW_INITIALIZE(&f);
1818  f.protoctx = (void *)&ssn;
1819  f.proto = IPPROTO_TCP;
1820  f.flags |= FLOW_IPV4;
1821  f.alproto = ALPROTO_HTTP1;
1822 
1823  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1824  p1->flow = &f;
1825  p1->flowflags |= FLOW_PKT_TOSERVER;
1826  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1827  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1828 
1829  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1830  p2->flow = &f;
1831  p2->flowflags |= FLOW_PKT_TOCLIENT;
1832  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1833  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1834 
1835  StreamTcpInitConfig(true);
1836 
1837  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1838  FAIL_IF_NULL(de_ctx);
1839  de_ctx->flags |= DE_QUIET;
1840 
1841  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1842  "(flow:to_server; content:\"request_user_agent\"; "
1843  "http_cookie; sid:1;)");
1844  FAIL_IF_NULL(s);
1845  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1846  "(flow:to_client; content:\"response_user_agent\"; "
1847  "http_cookie; sid:2;)");
1848  FAIL_IF_NULL(s);
1849 
1850  SigGroupBuild(de_ctx);
1851  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1852 
1853  /* request */
1854  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
1855  httpbuf_request_len);
1856  FAIL_IF_NOT(r == 0);
1857 
1858  HtpState *http_state = f.alstate;
1859  FAIL_IF_NULL(http_state);
1860 
1861  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1862  FAIL_IF(!PacketAlertCheck(p1, 1));
1863  FAIL_IF(PacketAlertCheck(p1, 2));
1864 
1865  /* response */
1866  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
1867  httpbuf_response_len);
1868  FAIL_IF_NOT(r == 0);
1869 
1870  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1871  FAIL_IF(PacketAlertCheck(p2, 1));
1872  FAIL_IF(!PacketAlertCheck(p2, 2));
1873 
1874  UTHFreePackets(&p1, 1);
1875  UTHFreePackets(&p2, 1);
1876  FLOW_DESTROY(&f);
1877  AppLayerParserThreadCtxFree(alp_tctx);
1878  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1879  DetectEngineCtxFree(de_ctx);
1880  StreamTcpFreeConfig(true);
1881  StatsThreadCleanup(&th_v.stats);
1882  PASS;
1883 }
1884 
1885 /**
1886  * \brief Register the UNITTESTS for the http_cookie keyword
1887  */
1888 void DetectHttpCookieRegisterTests(void)
1889 {
1890  UtRegisterTest("DetectHttpCookieTest01", DetectHttpCookieTest01);
1891  UtRegisterTest("DetectHttpCookieTest02", DetectHttpCookieTest02);
1892  UtRegisterTest("DetectHttpCookieSigTest01", DetectHttpCookieSigTest01);
1893  UtRegisterTest("DetectHttpCookieSigTest02", DetectHttpCookieSigTest02);
1894  UtRegisterTest("DetectHttpCookieSigTest03", DetectHttpCookieSigTest03);
1895  UtRegisterTest("DetectHttpCookieSigTest04", DetectHttpCookieSigTest04);
1896  UtRegisterTest("DetectHttpCookieSigTest05", DetectHttpCookieSigTest05);
1897  UtRegisterTest("DetectHttpCookieSigTest06", DetectHttpCookieSigTest06);
1898  UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
1899  UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
1900  UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
1901  UtRegisterTest("DetectEngineHttpCookieTest01", DetectEngineHttpCookieTest01);
1902  UtRegisterTest("DetectEngineHttpCookieTest02", DetectEngineHttpCookieTest02);
1903  UtRegisterTest("DetectEngineHttpCookieTest03", DetectEngineHttpCookieTest03);
1904  UtRegisterTest("DetectEngineHttpCookieTest04", DetectEngineHttpCookieTest04);
1905  UtRegisterTest("DetectEngineHttpCookieTest05", DetectEngineHttpCookieTest05);
1906  UtRegisterTest("DetectEngineHttpCookieTest06", DetectEngineHttpCookieTest06);
1907  UtRegisterTest("DetectEngineHttpCookieTest07", DetectEngineHttpCookieTest07);
1908  UtRegisterTest("DetectEngineHttpCookieTest08", DetectEngineHttpCookieTest08);
1909  UtRegisterTest("DetectEngineHttpCookieTest09", DetectEngineHttpCookieTest09);
1910  UtRegisterTest("DetectEngineHttpCookieTest10", DetectEngineHttpCookieTest10);
1911  UtRegisterTest("DetectEngineHttpCookieTest11", DetectEngineHttpCookieTest11);
1912  UtRegisterTest("DetectEngineHttpCookieTest12", DetectEngineHttpCookieTest12);
1913  UtRegisterTest("DetectEngineHttpCookieTest13", DetectEngineHttpCookieTest13);
1914  UtRegisterTest("DetectEngineHttpCookieTest14", DetectEngineHttpCookieTest14);
1915  UtRegisterTest("DetectEngineHttpCookieTest15", DetectEngineHttpCookieTest15);
1916  UtRegisterTest("DetectEngineHttpCookieTest16", DetectEngineHttpCookieTest16);
1917  UtRegisterTest("DetectEngineHttpCookieTest17", DetectEngineHttpCookieTest17);
1918 }
1919 /**
1920  * @}
1921  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2418
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3447
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
HtpState_
Definition: app-layer-htp.h:181
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:496
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1245
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
Packet_
Definition: decode.h:501
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1258
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:867
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1277
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3601
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:935
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1354
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456