suricata
detect-http-cookie.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP cookie match
31  *
32  */
33 
34 #include "../suricata-common.h"
35 #include "../suricata.h"
36 #include "../flow-util.h"
37 #include "../flow.h"
38 #include "../app-layer-parser.h"
39 #include "../util-unittest.h"
40 #include "../util-unittest-helper.h"
41 #include "../app-layer.h"
42 #include "../app-layer-htp.h"
43 #include "../app-layer-protos.h"
44 #include "../detect-isdataat.h"
45 
46 /***********************************Unittests**********************************/
47 
48 static int g_http_uri_buffer_id = 0;
49 
50 /**
51  * \test Test that the http_cookie content matches against a http request
52  * which holds the content.
53  */
54 static int DetectEngineHttpCookieTest01(void)
55 {
56  TcpSession ssn;
57  Packet *p = NULL;
58  ThreadVars th_v;
59  DetectEngineCtx *de_ctx = NULL;
60  DetectEngineThreadCtx *det_ctx = NULL;
61  HtpState *http_state = NULL;
62  Flow f;
63  uint8_t http_buf[] =
64  "GET /index.html HTTP/1.0\r\n"
65  "Cookie: CONNECT\r\n"
66  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
67  uint32_t http_len = sizeof(http_buf) - 1;
68  int result = 0;
69  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
70 
71  memset(&th_v, 0, sizeof(th_v));
72  memset(&f, 0, sizeof(f));
73  memset(&ssn, 0, sizeof(ssn));
74 
75  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
76 
77  FLOW_INITIALIZE(&f);
78  f.protoctx = (void *)&ssn;
79  f.proto = IPPROTO_TCP;
80  f.flags |= FLOW_IPV4;
81  p->flow = &f;
82  p->flowflags |= FLOW_PKT_TOSERVER;
83  p->flowflags |= FLOW_PKT_ESTABLISHED;
84  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
85  f.alproto = ALPROTO_HTTP;
86 
87  StreamTcpInitConfig(TRUE);
88 
89  de_ctx = DetectEngineCtxInit();
90  if (de_ctx == NULL)
91  goto end;
92 
93  de_ctx->flags |= DE_QUIET;
94 
95  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
96  "(msg:\"http header test\"; "
97  "content:\"CONNECT\"; http_cookie; "
98  "sid:1;)");
99  if (de_ctx->sig_list == NULL)
100  goto end;
101 
102  SigGroupBuild(de_ctx);
103  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
104 
105  FLOWLOCK_WRLOCK(&f);
106  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
107  STREAM_TOSERVER, http_buf, http_len);
108  if (r != 0) {
109  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
110  result = 0;
111  FLOWLOCK_UNLOCK(&f);
112  goto end;
113  }
114  FLOWLOCK_UNLOCK(&f);
115 
116  http_state = f.alstate;
117  if (http_state == NULL) {
118  printf("no http state: ");
119  result = 0;
120  goto end;
121  }
122 
123  /* do detect */
124  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
125 
126  if (!(PacketAlertCheck(p, 1))) {
127  printf("sid 1 didn't match but should have: ");
128  goto end;
129  }
130 
131  result = 1;
132 
133 end:
134  if (alp_tctx != NULL)
135  AppLayerParserThreadCtxFree(alp_tctx);
136  if (de_ctx != NULL)
137  DetectEngineCtxFree(de_ctx);
138 
139  StreamTcpFreeConfig(TRUE);
140  FLOW_DESTROY(&f);
141  UTHFreePackets(&p, 1);
142  return result;
143 }
144 
145 /**
146  * \test Test that the http_cookie content matches against a http request
147  * which holds the content.
148  */
149 static int DetectEngineHttpCookieTest02(void)
150 {
151  TcpSession ssn;
152  Packet *p = NULL;
153  ThreadVars th_v;
154  DetectEngineCtx *de_ctx = NULL;
155  DetectEngineThreadCtx *det_ctx = NULL;
156  HtpState *http_state = NULL;
157  Flow f;
158  uint8_t http_buf[] =
159  "CONNECT /index.html HTTP/1.0\r\n"
160  "Cookie: CONNECT\r\n"
161  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
162  uint32_t http_len = sizeof(http_buf) - 1;
163  int result = 0;
164  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
165 
166  memset(&th_v, 0, sizeof(th_v));
167  memset(&f, 0, sizeof(f));
168  memset(&ssn, 0, sizeof(ssn));
169 
170  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
171 
172  FLOW_INITIALIZE(&f);
173  f.protoctx = (void *)&ssn;
174  f.proto = IPPROTO_TCP;
175  f.flags |= FLOW_IPV4;
176  p->flow = &f;
177  p->flowflags |= FLOW_PKT_TOSERVER;
178  p->flowflags |= FLOW_PKT_ESTABLISHED;
179  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
180  f.alproto = ALPROTO_HTTP;
181 
182  StreamTcpInitConfig(TRUE);
183 
184  de_ctx = DetectEngineCtxInit();
185  if (de_ctx == NULL)
186  goto end;
187 
188  de_ctx->flags |= DE_QUIET;
189 
190  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
191  "(msg:\"http header test\"; "
192  "content:\"CO\"; depth:4; http_cookie; "
193  "sid:1;)");
194  if (de_ctx->sig_list == NULL)
195  goto end;
196 
197  SigGroupBuild(de_ctx);
198  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
199 
200  FLOWLOCK_WRLOCK(&f);
201  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
202  STREAM_TOSERVER, http_buf, http_len);
203  if (r != 0) {
204  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
205  result = 0;
206  FLOWLOCK_UNLOCK(&f);
207  goto end;
208  }
209  FLOWLOCK_UNLOCK(&f);
210 
211  http_state = f.alstate;
212  if (http_state == NULL) {
213  printf("no http state: ");
214  result = 0;
215  goto end;
216  }
217 
218  /* do detect */
219  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
220 
221  if (!(PacketAlertCheck(p, 1))) {
222  printf("sid 1 didn't match but should have: ");
223  goto end;
224  }
225 
226  result = 1;
227 
228 end:
229  if (alp_tctx != NULL)
230  AppLayerParserThreadCtxFree(alp_tctx);
231  if (de_ctx != NULL)
232  DetectEngineCtxFree(de_ctx);
233 
234  StreamTcpFreeConfig(TRUE);
235  FLOW_DESTROY(&f);
236  UTHFreePackets(&p, 1);
237  return result;
238 }
239 
240 /**
241  * \test Test that the http_cookie content matches against a http request
242  * which holds the content.
243  */
244 static int DetectEngineHttpCookieTest03(void)
245 {
246  TcpSession ssn;
247  Packet *p = NULL;
248  ThreadVars th_v;
249  DetectEngineCtx *de_ctx = NULL;
250  DetectEngineThreadCtx *det_ctx = NULL;
251  HtpState *http_state = NULL;
252  Flow f;
253  uint8_t http_buf[] =
254  "CONNECT /index.html HTTP/1.0\r\n"
255  "Cookie: CONNECT\r\n"
256  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
257  uint32_t http_len = sizeof(http_buf) - 1;
258  int result = 0;
259  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
260 
261  memset(&th_v, 0, sizeof(th_v));
262  memset(&f, 0, sizeof(f));
263  memset(&ssn, 0, sizeof(ssn));
264 
265  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
266 
267  FLOW_INITIALIZE(&f);
268  f.protoctx = (void *)&ssn;
269  f.proto = IPPROTO_TCP;
270  f.flags |= FLOW_IPV4;
271  p->flow = &f;
272  p->flowflags |= FLOW_PKT_TOSERVER;
273  p->flowflags |= FLOW_PKT_ESTABLISHED;
274  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
275  f.alproto = ALPROTO_HTTP;
276 
277  StreamTcpInitConfig(TRUE);
278 
279  de_ctx = DetectEngineCtxInit();
280  if (de_ctx == NULL)
281  goto end;
282 
283  de_ctx->flags |= DE_QUIET;
284 
285  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
286  "(msg:\"http header test\"; "
287  "content:!\"ECT\"; depth:4; http_cookie; "
288  "sid:1;)");
289  if (de_ctx->sig_list == NULL)
290  goto end;
291 
292  SigGroupBuild(de_ctx);
293  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
294 
295  FLOWLOCK_WRLOCK(&f);
296  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
297  STREAM_TOSERVER, http_buf, http_len);
298  if (r != 0) {
299  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
300  result = 0;
301  FLOWLOCK_UNLOCK(&f);
302  goto end;
303  }
304  FLOWLOCK_UNLOCK(&f);
305 
306  http_state = f.alstate;
307  if (http_state == NULL) {
308  printf("no http state: ");
309  result = 0;
310  goto end;
311  }
312 
313  /* do detect */
314  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
315 
316  if (!(PacketAlertCheck(p, 1))) {
317  printf("sid 1 didn't match but should have: ");
318  goto end;
319  }
320 
321  result = 1;
322 
323 end:
324  if (alp_tctx != NULL)
325  AppLayerParserThreadCtxFree(alp_tctx);
326  if (de_ctx != NULL)
327  DetectEngineCtxFree(de_ctx);
328 
329  StreamTcpFreeConfig(TRUE);
330  FLOW_DESTROY(&f);
331  UTHFreePackets(&p, 1);
332  return result;
333 }
334 
335 /**
336  * \test Test that the http_cookie content matches against a http request
337  * which holds the content.
338  */
339 static int DetectEngineHttpCookieTest04(void)
340 {
341  TcpSession ssn;
342  Packet *p = NULL;
343  ThreadVars th_v;
344  DetectEngineCtx *de_ctx = NULL;
345  DetectEngineThreadCtx *det_ctx = NULL;
346  HtpState *http_state = NULL;
347  Flow f;
348  uint8_t http_buf[] =
349  "CONNECT /index.html HTTP/1.0\r\n"
350  "Cookie: CONNECT\r\n"
351  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
352  uint32_t http_len = sizeof(http_buf) - 1;
353  int result = 0;
354  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
355 
356  memset(&th_v, 0, sizeof(th_v));
357  memset(&f, 0, sizeof(f));
358  memset(&ssn, 0, sizeof(ssn));
359 
360  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
361 
362  FLOW_INITIALIZE(&f);
363  f.protoctx = (void *)&ssn;
364  f.proto = IPPROTO_TCP;
365  f.flags |= FLOW_IPV4;
366  p->flow = &f;
367  p->flowflags |= FLOW_PKT_TOSERVER;
368  p->flowflags |= FLOW_PKT_ESTABLISHED;
369  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
370  f.alproto = ALPROTO_HTTP;
371 
372  StreamTcpInitConfig(TRUE);
373 
374  de_ctx = DetectEngineCtxInit();
375  if (de_ctx == NULL)
376  goto end;
377 
378  de_ctx->flags |= DE_QUIET;
379 
380  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
381  "(msg:\"http header test\"; "
382  "content:\"ECT\"; depth:4; http_cookie; "
383  "sid:1;)");
384  if (de_ctx->sig_list == NULL)
385  goto end;
386 
387  SigGroupBuild(de_ctx);
388  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
389 
390  FLOWLOCK_WRLOCK(&f);
391  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
392  STREAM_TOSERVER, http_buf, http_len);
393  if (r != 0) {
394  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
395  result = 0;
396  FLOWLOCK_UNLOCK(&f);
397  goto end;
398  }
399  FLOWLOCK_UNLOCK(&f);
400 
401  http_state = f.alstate;
402  if (http_state == NULL) {
403  printf("no http state: ");
404  result = 0;
405  goto end;
406  }
407 
408  /* do detect */
409  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
410 
411  if (PacketAlertCheck(p, 1)) {
412  printf("sid 1 matched but shouldn't have: ");
413  goto end;
414  }
415 
416  result = 1;
417 
418 end:
419  if (alp_tctx != NULL)
420  AppLayerParserThreadCtxFree(alp_tctx);
421  if (de_ctx != NULL)
422  DetectEngineCtxFree(de_ctx);
423 
424  StreamTcpFreeConfig(TRUE);
425  FLOW_DESTROY(&f);
426  UTHFreePackets(&p, 1);
427  return result;
428 }
429 
430 /**
431  * \test Test that the http_cookie content matches against a http request
432  * which holds the content.
433  */
434 static int DetectEngineHttpCookieTest05(void)
435 {
436  TcpSession ssn;
437  Packet *p = NULL;
438  ThreadVars th_v;
439  DetectEngineCtx *de_ctx = NULL;
440  DetectEngineThreadCtx *det_ctx = NULL;
441  HtpState *http_state = NULL;
442  Flow f;
443  uint8_t http_buf[] =
444  "CONNECT /index.html HTTP/1.0\r\n"
445  "Cookie: CONNECT\r\n"
446  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
447  uint32_t http_len = sizeof(http_buf) - 1;
448  int result = 0;
449  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
450 
451  memset(&th_v, 0, sizeof(th_v));
452  memset(&f, 0, sizeof(f));
453  memset(&ssn, 0, sizeof(ssn));
454 
455  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
456 
457  FLOW_INITIALIZE(&f);
458  f.protoctx = (void *)&ssn;
459  f.proto = IPPROTO_TCP;
460  f.flags |= FLOW_IPV4;
461  p->flow = &f;
462  p->flowflags |= FLOW_PKT_TOSERVER;
463  p->flowflags |= FLOW_PKT_ESTABLISHED;
464  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
465  f.alproto = ALPROTO_HTTP;
466 
467  StreamTcpInitConfig(TRUE);
468 
469  de_ctx = DetectEngineCtxInit();
470  if (de_ctx == NULL)
471  goto end;
472 
473  de_ctx->flags |= DE_QUIET;
474 
475  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
476  "(msg:\"http header test\"; "
477  "content:!\"CON\"; depth:4; http_cookie; "
478  "sid:1;)");
479  if (de_ctx->sig_list == NULL)
480  goto end;
481 
482  SigGroupBuild(de_ctx);
483  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
484 
485  FLOWLOCK_WRLOCK(&f);
486  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
487  STREAM_TOSERVER, http_buf, http_len);
488  if (r != 0) {
489  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
490  result = 0;
491  FLOWLOCK_UNLOCK(&f);
492  goto end;
493  }
494  FLOWLOCK_UNLOCK(&f);
495 
496  http_state = f.alstate;
497  if (http_state == NULL) {
498  printf("no http state: ");
499  result = 0;
500  goto end;
501  }
502 
503  /* do detect */
504  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
505 
506  if (PacketAlertCheck(p, 1)) {
507  printf("sid 1 matched but shouldn't have: ");
508  goto end;
509  }
510 
511  result = 1;
512 
513 end:
514  if (alp_tctx != NULL)
515  AppLayerParserThreadCtxFree(alp_tctx);
516  if (de_ctx != NULL)
517  DetectEngineCtxFree(de_ctx);
518 
519  StreamTcpFreeConfig(TRUE);
520  FLOW_DESTROY(&f);
521  UTHFreePackets(&p, 1);
522  return result;
523 }
524 
525 /**
526  * \test Test that the http_cookie content matches against a http request
527  * which holds the content.
528  */
529 static int DetectEngineHttpCookieTest06(void)
530 {
531  TcpSession ssn;
532  Packet *p = NULL;
533  ThreadVars th_v;
534  DetectEngineCtx *de_ctx = NULL;
535  DetectEngineThreadCtx *det_ctx = NULL;
536  HtpState *http_state = NULL;
537  Flow f;
538  uint8_t http_buf[] =
539  "CONNECT /index.html HTTP/1.0\r\n"
540  "Cookie: CONNECT\r\n"
541  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
542  uint32_t http_len = sizeof(http_buf) - 1;
543  int result = 0;
544  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
545 
546  memset(&th_v, 0, sizeof(th_v));
547  memset(&f, 0, sizeof(f));
548  memset(&ssn, 0, sizeof(ssn));
549 
550  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
551 
552  FLOW_INITIALIZE(&f);
553  f.protoctx = (void *)&ssn;
554  f.proto = IPPROTO_TCP;
555  f.flags |= FLOW_IPV4;
556  p->flow = &f;
557  p->flowflags |= FLOW_PKT_TOSERVER;
558  p->flowflags |= FLOW_PKT_ESTABLISHED;
559  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
560  f.alproto = ALPROTO_HTTP;
561 
562  StreamTcpInitConfig(TRUE);
563 
564  de_ctx = DetectEngineCtxInit();
565  if (de_ctx == NULL)
566  goto end;
567 
568  de_ctx->flags |= DE_QUIET;
569 
570  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
571  "(msg:\"http header test\"; "
572  "content:\"ECT\"; offset:3; http_cookie; "
573  "sid:1;)");
574  if (de_ctx->sig_list == NULL)
575  goto end;
576 
577  SigGroupBuild(de_ctx);
578  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
579 
580  FLOWLOCK_WRLOCK(&f);
581  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
582  STREAM_TOSERVER, http_buf, http_len);
583  if (r != 0) {
584  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
585  result = 0;
586  FLOWLOCK_UNLOCK(&f);
587  goto end;
588  }
589  FLOWLOCK_UNLOCK(&f);
590 
591  http_state = f.alstate;
592  if (http_state == NULL) {
593  printf("no http state: ");
594  result = 0;
595  goto end;
596  }
597 
598  /* do detect */
599  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
600 
601  if (!(PacketAlertCheck(p, 1))) {
602  printf("sid 1 didn't match but should have: ");
603  goto end;
604  }
605 
606  result = 1;
607 
608 end:
609  if (alp_tctx != NULL)
610  AppLayerParserThreadCtxFree(alp_tctx);
611  if (de_ctx != NULL)
612  DetectEngineCtxFree(de_ctx);
613 
614  StreamTcpFreeConfig(TRUE);
615  FLOW_DESTROY(&f);
616  UTHFreePackets(&p, 1);
617  return result;
618 }
619 
620 /**
621  * \test Test that the http_cookie content matches against a http request
622  * which holds the content.
623  */
624 static int DetectEngineHttpCookieTest07(void)
625 {
626  TcpSession ssn;
627  Packet *p = NULL;
628  ThreadVars th_v;
629  DetectEngineCtx *de_ctx = NULL;
630  DetectEngineThreadCtx *det_ctx = NULL;
631  HtpState *http_state = NULL;
632  Flow f;
633  uint8_t http_buf[] =
634  "CONNECT /index.html HTTP/1.0\r\n"
635  "Cookie: CONNECT\r\n"
636  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
637  uint32_t http_len = sizeof(http_buf) - 1;
638  int result = 0;
639  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
640 
641  memset(&th_v, 0, sizeof(th_v));
642  memset(&f, 0, sizeof(f));
643  memset(&ssn, 0, sizeof(ssn));
644 
645  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
646 
647  FLOW_INITIALIZE(&f);
648  f.protoctx = (void *)&ssn;
649  f.proto = IPPROTO_TCP;
650  f.flags |= FLOW_IPV4;
651  p->flow = &f;
652  p->flowflags |= FLOW_PKT_TOSERVER;
653  p->flowflags |= FLOW_PKT_ESTABLISHED;
654  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
655  f.alproto = ALPROTO_HTTP;
656 
657  StreamTcpInitConfig(TRUE);
658 
659  de_ctx = DetectEngineCtxInit();
660  if (de_ctx == NULL)
661  goto end;
662 
663  de_ctx->flags |= DE_QUIET;
664 
665  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
666  "(msg:\"http header test\"; "
667  "content:!\"CO\"; offset:3; http_cookie; "
668  "sid:1;)");
669  if (de_ctx->sig_list == NULL)
670  goto end;
671 
672  SigGroupBuild(de_ctx);
673  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
674 
675  FLOWLOCK_WRLOCK(&f);
676  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
677  STREAM_TOSERVER, http_buf, http_len);
678  if (r != 0) {
679  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
680  result = 0;
681  FLOWLOCK_UNLOCK(&f);
682  goto end;
683  }
684  FLOWLOCK_UNLOCK(&f);
685 
686  http_state = f.alstate;
687  if (http_state == NULL) {
688  printf("no http state: ");
689  result = 0;
690  goto end;
691  }
692 
693  /* do detect */
694  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
695 
696  if (!(PacketAlertCheck(p, 1))) {
697  printf("sid 1 didn't match but should have: ");
698  goto end;
699  }
700 
701  result = 1;
702 
703 end:
704  if (alp_tctx != NULL)
705  AppLayerParserThreadCtxFree(alp_tctx);
706  if (de_ctx != NULL)
707  DetectEngineCtxFree(de_ctx);
708 
709  StreamTcpFreeConfig(TRUE);
710  FLOW_DESTROY(&f);
711  UTHFreePackets(&p, 1);
712  return result;
713 }
714 
715 /**
716  * \test Test that the http_cookie content matches against a http request
717  * which holds the content.
718  */
719 static int DetectEngineHttpCookieTest08(void)
720 {
721  TcpSession ssn;
722  Packet *p = NULL;
723  ThreadVars th_v;
724  DetectEngineCtx *de_ctx = NULL;
725  DetectEngineThreadCtx *det_ctx = NULL;
726  HtpState *http_state = NULL;
727  Flow f;
728  uint8_t http_buf[] =
729  "CONNECT /index.html HTTP/1.0\r\n"
730  "Cookie: CONNECT\r\n"
731  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
732  uint32_t http_len = sizeof(http_buf) - 1;
733  int result = 0;
734  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
735 
736  memset(&th_v, 0, sizeof(th_v));
737  memset(&f, 0, sizeof(f));
738  memset(&ssn, 0, sizeof(ssn));
739 
740  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
741 
742  FLOW_INITIALIZE(&f);
743  f.protoctx = (void *)&ssn;
744  f.proto = IPPROTO_TCP;
745  f.flags |= FLOW_IPV4;
746  p->flow = &f;
747  p->flowflags |= FLOW_PKT_TOSERVER;
748  p->flowflags |= FLOW_PKT_ESTABLISHED;
749  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
750  f.alproto = ALPROTO_HTTP;
751 
752  StreamTcpInitConfig(TRUE);
753 
754  de_ctx = DetectEngineCtxInit();
755  if (de_ctx == NULL)
756  goto end;
757 
758  de_ctx->flags |= DE_QUIET;
759 
760  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
761  "(msg:\"http header test\"; "
762  "content:!\"ECT\"; offset:3; http_cookie; "
763  "sid:1;)");
764  if (de_ctx->sig_list == NULL)
765  goto end;
766 
767  SigGroupBuild(de_ctx);
768  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
769 
770  FLOWLOCK_WRLOCK(&f);
771  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
772  STREAM_TOSERVER, http_buf, http_len);
773  if (r != 0) {
774  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
775  result = 0;
776  FLOWLOCK_UNLOCK(&f);
777  goto end;
778  }
779  FLOWLOCK_UNLOCK(&f);
780 
781  http_state = f.alstate;
782  if (http_state == NULL) {
783  printf("no http state: ");
784  result = 0;
785  goto end;
786  }
787 
788  /* do detect */
789  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
790 
791  if (PacketAlertCheck(p, 1)) {
792  printf("sid 1 matched but shouldn't have: ");
793  goto end;
794  }
795 
796  result = 1;
797 
798 end:
799  if (alp_tctx != NULL)
800  AppLayerParserThreadCtxFree(alp_tctx);
801  if (de_ctx != NULL)
802  DetectEngineCtxFree(de_ctx);
803 
804  StreamTcpFreeConfig(TRUE);
805  FLOW_DESTROY(&f);
806  UTHFreePackets(&p, 1);
807  return result;
808 }
809 
810 /**
811  * \test Test that the http_cookie content matches against a http request
812  * which holds the content.
813  */
814 static int DetectEngineHttpCookieTest09(void)
815 {
816  TcpSession ssn;
817  Packet *p = NULL;
818  ThreadVars th_v;
819  DetectEngineCtx *de_ctx = NULL;
820  DetectEngineThreadCtx *det_ctx = NULL;
821  HtpState *http_state = NULL;
822  Flow f;
823  uint8_t http_buf[] =
824  "CONNECT /index.html HTTP/1.0\r\n"
825  "Cookie: CONNECT\r\n"
826  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
827  uint32_t http_len = sizeof(http_buf) - 1;
828  int result = 0;
829  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
830 
831  memset(&th_v, 0, sizeof(th_v));
832  memset(&f, 0, sizeof(f));
833  memset(&ssn, 0, sizeof(ssn));
834 
835  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
836 
837  FLOW_INITIALIZE(&f);
838  f.protoctx = (void *)&ssn;
839  f.proto = IPPROTO_TCP;
840  f.flags |= FLOW_IPV4;
841  p->flow = &f;
842  p->flowflags |= FLOW_PKT_TOSERVER;
843  p->flowflags |= FLOW_PKT_ESTABLISHED;
844  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
845  f.alproto = ALPROTO_HTTP;
846 
847  StreamTcpInitConfig(TRUE);
848 
849  de_ctx = DetectEngineCtxInit();
850  if (de_ctx == NULL)
851  goto end;
852 
853  de_ctx->flags |= DE_QUIET;
854 
855  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
856  "(msg:\"http header test\"; "
857  "content:\"CON\"; offset:3; http_cookie; "
858  "sid:1;)");
859  if (de_ctx->sig_list == NULL)
860  goto end;
861 
862  SigGroupBuild(de_ctx);
863  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
864 
865  FLOWLOCK_WRLOCK(&f);
866  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
867  STREAM_TOSERVER, http_buf, http_len);
868  if (r != 0) {
869  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
870  result = 0;
871  FLOWLOCK_UNLOCK(&f);
872  goto end;
873  }
874  FLOWLOCK_UNLOCK(&f);
875 
876  http_state = f.alstate;
877  if (http_state == NULL) {
878  printf("no http state: ");
879  result = 0;
880  goto end;
881  }
882 
883  /* do detect */
884  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
885 
886  if (PacketAlertCheck(p, 1)) {
887  printf("sid 1 matched but shouldn't have: ");
888  goto end;
889  }
890 
891  result = 1;
892 
893 end:
894  if (alp_tctx != NULL)
895  AppLayerParserThreadCtxFree(alp_tctx);
896  if (de_ctx != NULL)
897  DetectEngineCtxFree(de_ctx);
898 
899  StreamTcpFreeConfig(TRUE);
900  FLOW_DESTROY(&f);
901  UTHFreePackets(&p, 1);
902  return result;
903 }
904 
905 /**
906  * \test Test that the http_cookie content matches against a http request
907  * which holds the content.
908  */
909 static int DetectEngineHttpCookieTest10(void)
910 {
911  TcpSession ssn;
912  Packet *p = NULL;
913  ThreadVars th_v;
914  DetectEngineCtx *de_ctx = NULL;
915  DetectEngineThreadCtx *det_ctx = NULL;
916  HtpState *http_state = NULL;
917  Flow f;
918  uint8_t http_buf[] =
919  "CONNECT /index.html HTTP/1.0\r\n"
920  "Cookie: CONNECT\r\n"
921  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
922  uint32_t http_len = sizeof(http_buf) - 1;
923  int result = 0;
924  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
925 
926  memset(&th_v, 0, sizeof(th_v));
927  memset(&f, 0, sizeof(f));
928  memset(&ssn, 0, sizeof(ssn));
929 
930  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
931 
932  FLOW_INITIALIZE(&f);
933  f.protoctx = (void *)&ssn;
934  f.proto = IPPROTO_TCP;
935  f.flags |= FLOW_IPV4;
936  p->flow = &f;
937  p->flowflags |= FLOW_PKT_TOSERVER;
938  p->flowflags |= FLOW_PKT_ESTABLISHED;
939  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
940  f.alproto = ALPROTO_HTTP;
941 
942  StreamTcpInitConfig(TRUE);
943 
944  de_ctx = DetectEngineCtxInit();
945  if (de_ctx == NULL)
946  goto end;
947 
948  de_ctx->flags |= DE_QUIET;
949 
950  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
951  "(msg:\"http header test\"; "
952  "content:\"CO\"; http_cookie; "
953  "content:\"EC\"; within:4; http_cookie; "
954  "sid:1;)");
955  if (de_ctx->sig_list == NULL)
956  goto end;
957 
958  SigGroupBuild(de_ctx);
959  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
960 
961  FLOWLOCK_WRLOCK(&f);
962  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
963  STREAM_TOSERVER, http_buf, http_len);
964  if (r != 0) {
965  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
966  result = 0;
967  FLOWLOCK_UNLOCK(&f);
968  goto end;
969  }
970  FLOWLOCK_UNLOCK(&f);
971 
972  http_state = f.alstate;
973  if (http_state == NULL) {
974  printf("no http state: ");
975  result = 0;
976  goto end;
977  }
978 
979  /* do detect */
980  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
981 
982  if (!PacketAlertCheck(p, 1)) {
983  printf("sid 1 didn't match but should have: ");
984  goto end;
985  }
986 
987  result = 1;
988 
989 end:
990  if (alp_tctx != NULL)
991  AppLayerParserThreadCtxFree(alp_tctx);
992  if (de_ctx != NULL)
993  DetectEngineCtxFree(de_ctx);
994 
995  StreamTcpFreeConfig(TRUE);
996  FLOW_DESTROY(&f);
997  UTHFreePackets(&p, 1);
998  return result;
999 }
1000 
1001 /**
1002  * \test Test that the http_cookie content matches against a http request
1003  * which holds the content.
1004  */
1005 static int DetectEngineHttpCookieTest11(void)
1006 {
1007  TcpSession ssn;
1008  Packet *p = NULL;
1009  ThreadVars th_v;
1010  DetectEngineCtx *de_ctx = NULL;
1011  DetectEngineThreadCtx *det_ctx = NULL;
1012  HtpState *http_state = NULL;
1013  Flow f;
1014  uint8_t http_buf[] =
1015  "CONNECT /index.html HTTP/1.0\r\n"
1016  "Cookie: CONNECT\r\n"
1017  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1018  uint32_t http_len = sizeof(http_buf) - 1;
1019  int result = 0;
1020  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1021 
1022  memset(&th_v, 0, sizeof(th_v));
1023  memset(&f, 0, sizeof(f));
1024  memset(&ssn, 0, sizeof(ssn));
1025 
1026  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1027 
1028  FLOW_INITIALIZE(&f);
1029  f.protoctx = (void *)&ssn;
1030  f.proto = IPPROTO_TCP;
1031  f.flags |= FLOW_IPV4;
1032  p->flow = &f;
1033  p->flowflags |= FLOW_PKT_TOSERVER;
1034  p->flowflags |= FLOW_PKT_ESTABLISHED;
1035  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1036  f.alproto = ALPROTO_HTTP;
1037 
1038  StreamTcpInitConfig(TRUE);
1039 
1040  de_ctx = DetectEngineCtxInit();
1041  if (de_ctx == NULL)
1042  goto end;
1043 
1044  de_ctx->flags |= DE_QUIET;
1045 
1046  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1047  "(msg:\"http header test\"; "
1048  "content:\"CO\"; http_cookie; "
1049  "content:!\"EC\"; within:3; http_cookie; "
1050  "sid:1;)");
1051  if (de_ctx->sig_list == NULL)
1052  goto end;
1053 
1054  SigGroupBuild(de_ctx);
1055  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1056 
1057  FLOWLOCK_WRLOCK(&f);
1058  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1059  STREAM_TOSERVER, http_buf, http_len);
1060  if (r != 0) {
1061  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1062  result = 0;
1063  FLOWLOCK_UNLOCK(&f);
1064  goto end;
1065  }
1066  FLOWLOCK_UNLOCK(&f);
1067 
1068  http_state = f.alstate;
1069  if (http_state == NULL) {
1070  printf("no http state: ");
1071  result = 0;
1072  goto end;
1073  }
1074 
1075  /* do detect */
1076  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1077 
1078  if (!PacketAlertCheck(p, 1)) {
1079  printf("sid 1 didn't match but should have: ");
1080  goto end;
1081  }
1082 
1083  result = 1;
1084 
1085 end:
1086  if (alp_tctx != NULL)
1087  AppLayerParserThreadCtxFree(alp_tctx);
1088  if (de_ctx != NULL)
1089  DetectEngineCtxFree(de_ctx);
1090 
1091  StreamTcpFreeConfig(TRUE);
1092  FLOW_DESTROY(&f);
1093  UTHFreePackets(&p, 1);
1094  return result;
1095 }
1096 
1097 /**
1098  * \test Test that the http_cookie content matches against a http request
1099  * which holds the content.
1100  */
1101 static int DetectEngineHttpCookieTest12(void)
1102 {
1103  TcpSession ssn;
1104  Packet *p = NULL;
1105  ThreadVars th_v;
1106  DetectEngineCtx *de_ctx = NULL;
1107  DetectEngineThreadCtx *det_ctx = NULL;
1108  HtpState *http_state = NULL;
1109  Flow f;
1110  uint8_t http_buf[] =
1111  "CONNECT /index.html HTTP/1.0\r\n"
1112  "Cookie: CONNECT\r\n"
1113  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1114  uint32_t http_len = sizeof(http_buf) - 1;
1115  int result = 0;
1116  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1117 
1118  memset(&th_v, 0, sizeof(th_v));
1119  memset(&f, 0, sizeof(f));
1120  memset(&ssn, 0, sizeof(ssn));
1121 
1122  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1123 
1124  FLOW_INITIALIZE(&f);
1125  f.protoctx = (void *)&ssn;
1126  f.proto = IPPROTO_TCP;
1127  f.flags |= FLOW_IPV4;
1128  p->flow = &f;
1129  p->flowflags |= FLOW_PKT_TOSERVER;
1130  p->flowflags |= FLOW_PKT_ESTABLISHED;
1131  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1132  f.alproto = ALPROTO_HTTP;
1133 
1134  StreamTcpInitConfig(TRUE);
1135 
1136  de_ctx = DetectEngineCtxInit();
1137  if (de_ctx == NULL)
1138  goto end;
1139 
1140  de_ctx->flags |= DE_QUIET;
1141 
1142  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1143  "(msg:\"http header test\"; "
1144  "content:\"CO\"; http_cookie; "
1145  "content:\"EC\"; within:3; http_cookie; "
1146  "sid:1;)");
1147  if (de_ctx->sig_list == NULL)
1148  goto end;
1149 
1150  SigGroupBuild(de_ctx);
1151  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1152 
1153  FLOWLOCK_WRLOCK(&f);
1154  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1155  STREAM_TOSERVER, http_buf, http_len);
1156  if (r != 0) {
1157  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1158  result = 0;
1159  FLOWLOCK_UNLOCK(&f);
1160  goto end;
1161  }
1162  FLOWLOCK_UNLOCK(&f);
1163 
1164  http_state = f.alstate;
1165  if (http_state == NULL) {
1166  printf("no http state: ");
1167  result = 0;
1168  goto end;
1169  }
1170 
1171  /* do detect */
1172  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1173 
1174  if (PacketAlertCheck(p, 1)) {
1175  printf("sid 1 matched but shouldn't have: ");
1176  goto end;
1177  }
1178 
1179  result = 1;
1180 
1181 end:
1182  if (alp_tctx != NULL)
1183  AppLayerParserThreadCtxFree(alp_tctx);
1184  if (de_ctx != NULL)
1185  DetectEngineCtxFree(de_ctx);
1186 
1187  StreamTcpFreeConfig(TRUE);
1188  FLOW_DESTROY(&f);
1189  UTHFreePackets(&p, 1);
1190  return result;
1191 }
1192 
1193 /**
1194  * \test Test that the http_cookie content matches against a http request
1195  * which holds the content.
1196  */
1197 static int DetectEngineHttpCookieTest13(void)
1198 {
1199  TcpSession ssn;
1200  Packet *p = NULL;
1201  ThreadVars th_v;
1202  DetectEngineCtx *de_ctx = NULL;
1203  DetectEngineThreadCtx *det_ctx = NULL;
1204  HtpState *http_state = NULL;
1205  Flow f;
1206  uint8_t http_buf[] =
1207  "CONNECT /index.html HTTP/1.0\r\n"
1208  "Cookie: CONNECT\r\n"
1209  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1210  uint32_t http_len = sizeof(http_buf) - 1;
1211  int result = 0;
1212  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1213 
1214  memset(&th_v, 0, sizeof(th_v));
1215  memset(&f, 0, sizeof(f));
1216  memset(&ssn, 0, sizeof(ssn));
1217 
1218  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1219 
1220  FLOW_INITIALIZE(&f);
1221  f.protoctx = (void *)&ssn;
1222  f.proto = IPPROTO_TCP;
1223  f.flags |= FLOW_IPV4;
1224  p->flow = &f;
1225  p->flowflags |= FLOW_PKT_TOSERVER;
1226  p->flowflags |= FLOW_PKT_ESTABLISHED;
1227  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1228  f.alproto = ALPROTO_HTTP;
1229 
1230  StreamTcpInitConfig(TRUE);
1231 
1232  de_ctx = DetectEngineCtxInit();
1233  if (de_ctx == NULL)
1234  goto end;
1235 
1236  de_ctx->flags |= DE_QUIET;
1237 
1238  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1239  "(msg:\"http header test\"; "
1240  "content:\"CO\"; http_cookie; "
1241  "content:!\"EC\"; within:4; http_cookie; "
1242  "sid:1;)");
1243  if (de_ctx->sig_list == NULL)
1244  goto end;
1245 
1246  SigGroupBuild(de_ctx);
1247  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1248 
1249  FLOWLOCK_WRLOCK(&f);
1250  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1251  STREAM_TOSERVER, http_buf, http_len);
1252  if (r != 0) {
1253  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1254  result = 0;
1255  FLOWLOCK_UNLOCK(&f);
1256  goto end;
1257  }
1258  FLOWLOCK_UNLOCK(&f);
1259 
1260  http_state = f.alstate;
1261  if (http_state == NULL) {
1262  printf("no http state: ");
1263  result = 0;
1264  goto end;
1265  }
1266 
1267  /* do detect */
1268  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1269 
1270  if (PacketAlertCheck(p, 1)) {
1271  printf("sid 1 matched but shouldn't have: ");
1272  goto end;
1273  }
1274 
1275  result = 1;
1276 
1277 end:
1278  if (alp_tctx != NULL)
1279  AppLayerParserThreadCtxFree(alp_tctx);
1280  if (de_ctx != NULL)
1281  DetectEngineCtxFree(de_ctx);
1282 
1283  StreamTcpFreeConfig(TRUE);
1284  FLOW_DESTROY(&f);
1285  UTHFreePackets(&p, 1);
1286  return result;
1287 }
1288 
1289 /**
1290  * \test Test that the http_cookie content matches against a http request
1291  * which holds the content.
1292  */
1293 static int DetectEngineHttpCookieTest14(void)
1294 {
1295  TcpSession ssn;
1296  Packet *p = NULL;
1297  ThreadVars th_v;
1298  DetectEngineCtx *de_ctx = NULL;
1299  DetectEngineThreadCtx *det_ctx = NULL;
1300  HtpState *http_state = NULL;
1301  Flow f;
1302  uint8_t http_buf[] =
1303  "CONNECT /index.html HTTP/1.0\r\n"
1304  "Cookie: CONNECT\r\n"
1305  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1306  uint32_t http_len = sizeof(http_buf) - 1;
1307  int result = 0;
1308  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1309 
1310  memset(&th_v, 0, sizeof(th_v));
1311  memset(&f, 0, sizeof(f));
1312  memset(&ssn, 0, sizeof(ssn));
1313 
1314  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1315 
1316  FLOW_INITIALIZE(&f);
1317  f.protoctx = (void *)&ssn;
1318  f.proto = IPPROTO_TCP;
1319  f.flags |= FLOW_IPV4;
1320  p->flow = &f;
1321  p->flowflags |= FLOW_PKT_TOSERVER;
1322  p->flowflags |= FLOW_PKT_ESTABLISHED;
1323  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1324  f.alproto = ALPROTO_HTTP;
1325 
1326  StreamTcpInitConfig(TRUE);
1327 
1328  de_ctx = DetectEngineCtxInit();
1329  if (de_ctx == NULL)
1330  goto end;
1331 
1332  de_ctx->flags |= DE_QUIET;
1333 
1334  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1335  "(msg:\"http header test\"; "
1336  "content:\"CO\"; http_cookie; "
1337  "content:\"EC\"; distance:2; http_cookie; "
1338  "sid:1;)");
1339  if (de_ctx->sig_list == NULL)
1340  goto end;
1341 
1342  SigGroupBuild(de_ctx);
1343  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1344 
1345  FLOWLOCK_WRLOCK(&f);
1346  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1347  STREAM_TOSERVER, http_buf, http_len);
1348  if (r != 0) {
1349  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1350  result = 0;
1351  FLOWLOCK_UNLOCK(&f);
1352  goto end;
1353  }
1354  FLOWLOCK_UNLOCK(&f);
1355 
1356  http_state = f.alstate;
1357  if (http_state == NULL) {
1358  printf("no http state: ");
1359  result = 0;
1360  goto end;
1361  }
1362 
1363  /* do detect */
1364  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1365 
1366  if (!PacketAlertCheck(p, 1)) {
1367  printf("sid 1 didn't match but should have: ");
1368  goto end;
1369  }
1370 
1371  result = 1;
1372 
1373 end:
1374  if (alp_tctx != NULL)
1375  AppLayerParserThreadCtxFree(alp_tctx);
1376  if (de_ctx != NULL)
1377  DetectEngineCtxFree(de_ctx);
1378 
1379  StreamTcpFreeConfig(TRUE);
1380  FLOW_DESTROY(&f);
1381  UTHFreePackets(&p, 1);
1382  return result;
1383 }
1384 
1385 /**
1386  * \test Test that the http_cookie content matches against a http request
1387  * which holds the content.
1388  */
1389 static int DetectEngineHttpCookieTest15(void)
1390 {
1391  TcpSession ssn;
1392  Packet *p = NULL;
1393  ThreadVars th_v;
1394  DetectEngineCtx *de_ctx = NULL;
1395  DetectEngineThreadCtx *det_ctx = NULL;
1396  HtpState *http_state = NULL;
1397  Flow f;
1398  uint8_t http_buf[] =
1399  "CONNECT /index.html HTTP/1.0\r\n"
1400  "Cookie: CONNECT\r\n"
1401  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1402  uint32_t http_len = sizeof(http_buf) - 1;
1403  int result = 0;
1404  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1405 
1406  memset(&th_v, 0, sizeof(th_v));
1407  memset(&f, 0, sizeof(f));
1408  memset(&ssn, 0, sizeof(ssn));
1409 
1410  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1411 
1412  FLOW_INITIALIZE(&f);
1413  f.protoctx = (void *)&ssn;
1414  f.proto = IPPROTO_TCP;
1415  f.flags |= FLOW_IPV4;
1416  p->flow = &f;
1417  p->flowflags |= FLOW_PKT_TOSERVER;
1418  p->flowflags |= FLOW_PKT_ESTABLISHED;
1419  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1420  f.alproto = ALPROTO_HTTP;
1421 
1422  StreamTcpInitConfig(TRUE);
1423 
1424  de_ctx = DetectEngineCtxInit();
1425  if (de_ctx == NULL)
1426  goto end;
1427 
1428  de_ctx->flags |= DE_QUIET;
1429 
1430  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1431  "(msg:\"http header test\"; "
1432  "content:\"CO\"; http_cookie; "
1433  "content:!\"EC\"; distance:3; http_cookie; "
1434  "sid:1;)");
1435  if (de_ctx->sig_list == NULL)
1436  goto end;
1437 
1438  SigGroupBuild(de_ctx);
1439  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1440 
1441  FLOWLOCK_WRLOCK(&f);
1442  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1443  STREAM_TOSERVER, http_buf, http_len);
1444  if (r != 0) {
1445  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1446  result = 0;
1447  FLOWLOCK_UNLOCK(&f);
1448  goto end;
1449  }
1450  FLOWLOCK_UNLOCK(&f);
1451 
1452  http_state = f.alstate;
1453  if (http_state == NULL) {
1454  printf("no http state: ");
1455  result = 0;
1456  goto end;
1457  }
1458 
1459  /* do detect */
1460  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1461 
1462  if (!PacketAlertCheck(p, 1)) {
1463  printf("sid 1 didn't match but should have: ");
1464  goto end;
1465  }
1466 
1467  result = 1;
1468 
1469 end:
1470  if (alp_tctx != NULL)
1471  AppLayerParserThreadCtxFree(alp_tctx);
1472  if (de_ctx != NULL)
1473  DetectEngineCtxFree(de_ctx);
1474 
1475  StreamTcpFreeConfig(TRUE);
1476  FLOW_DESTROY(&f);
1477  UTHFreePackets(&p, 1);
1478  return result;
1479 }
1480 
1481 /**
1482  * \test Test that the http_cookie content matches against a http request
1483  * which holds the content.
1484  */
1485 static int DetectEngineHttpCookieTest16(void)
1486 {
1487  TcpSession ssn;
1488  Packet *p = NULL;
1489  ThreadVars th_v;
1490  DetectEngineCtx *de_ctx = NULL;
1491  DetectEngineThreadCtx *det_ctx = NULL;
1492  HtpState *http_state = NULL;
1493  Flow f;
1494  uint8_t http_buf[] =
1495  "CONNECT /index.html HTTP/1.0\r\n"
1496  "Cookie: CONNECT\r\n"
1497  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1498  uint32_t http_len = sizeof(http_buf) - 1;
1499  int result = 0;
1500  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1501 
1502  memset(&th_v, 0, sizeof(th_v));
1503  memset(&f, 0, sizeof(f));
1504  memset(&ssn, 0, sizeof(ssn));
1505 
1506  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1507 
1508  FLOW_INITIALIZE(&f);
1509  f.protoctx = (void *)&ssn;
1510  f.proto = IPPROTO_TCP;
1511  f.flags |= FLOW_IPV4;
1512  p->flow = &f;
1513  p->flowflags |= FLOW_PKT_TOSERVER;
1514  p->flowflags |= FLOW_PKT_ESTABLISHED;
1515  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1516  f.alproto = ALPROTO_HTTP;
1517 
1518  StreamTcpInitConfig(TRUE);
1519 
1520  de_ctx = DetectEngineCtxInit();
1521  if (de_ctx == NULL)
1522  goto end;
1523 
1524  de_ctx->flags |= DE_QUIET;
1525 
1526  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1527  "(msg:\"http header test\"; "
1528  "content:\"CO\"; http_cookie; "
1529  "content:\"EC\"; distance:3; http_cookie; "
1530  "sid:1;)");
1531  if (de_ctx->sig_list == NULL)
1532  goto end;
1533 
1534  SigGroupBuild(de_ctx);
1535  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1536 
1537  FLOWLOCK_WRLOCK(&f);
1538  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1539  STREAM_TOSERVER, http_buf, http_len);
1540  if (r != 0) {
1541  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1542  result = 0;
1543  FLOWLOCK_UNLOCK(&f);
1544  goto end;
1545  }
1546  FLOWLOCK_UNLOCK(&f);
1547 
1548  http_state = f.alstate;
1549  if (http_state == NULL) {
1550  printf("no http state: ");
1551  result = 0;
1552  goto end;
1553  }
1554 
1555  /* do detect */
1556  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1557 
1558  if (PacketAlertCheck(p, 1)) {
1559  printf("sid 1 matched but shouldn't have: ");
1560  goto end;
1561  }
1562 
1563  result = 1;
1564 
1565 end:
1566  if (alp_tctx != NULL)
1567  AppLayerParserThreadCtxFree(alp_tctx);
1568  if (de_ctx != NULL)
1569  DetectEngineCtxFree(de_ctx);
1570 
1571  StreamTcpFreeConfig(TRUE);
1572  FLOW_DESTROY(&f);
1573  UTHFreePackets(&p, 1);
1574  return result;
1575 }
1576 
1577 /**
1578  * \test Test that the http_cookie content matches against a http request
1579  * which holds the content.
1580  */
1581 static int DetectEngineHttpCookieTest17(void)
1582 {
1583  TcpSession ssn;
1584  Packet *p = NULL;
1585  ThreadVars th_v;
1586  DetectEngineCtx *de_ctx = NULL;
1587  DetectEngineThreadCtx *det_ctx = NULL;
1588  HtpState *http_state = NULL;
1589  Flow f;
1590  uint8_t http_buf[] =
1591  "CONNECT /index.html HTTP/1.0\r\n"
1592  "Cookie: CONNECT\r\n"
1593  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1594  uint32_t http_len = sizeof(http_buf) - 1;
1595  int result = 0;
1596  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1597 
1598  memset(&th_v, 0, sizeof(th_v));
1599  memset(&f, 0, sizeof(f));
1600  memset(&ssn, 0, sizeof(ssn));
1601 
1602  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1603 
1604  FLOW_INITIALIZE(&f);
1605  f.protoctx = (void *)&ssn;
1606  f.proto = IPPROTO_TCP;
1607  f.flags |= FLOW_IPV4;
1608  p->flow = &f;
1609  p->flowflags |= FLOW_PKT_TOSERVER;
1610  p->flowflags |= FLOW_PKT_ESTABLISHED;
1611  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1612  f.alproto = ALPROTO_HTTP;
1613 
1614  StreamTcpInitConfig(TRUE);
1615 
1616  de_ctx = DetectEngineCtxInit();
1617  if (de_ctx == NULL)
1618  goto end;
1619 
1620  de_ctx->flags |= DE_QUIET;
1621 
1622  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1623  "(msg:\"http header test\"; "
1624  "content:\"CO\"; http_cookie; "
1625  "content:!\"EC\"; distance:2; http_cookie; "
1626  "sid:1;)");
1627  if (de_ctx->sig_list == NULL)
1628  goto end;
1629 
1630  SigGroupBuild(de_ctx);
1631  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1632 
1633  FLOWLOCK_WRLOCK(&f);
1634  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1635  STREAM_TOSERVER, http_buf, http_len);
1636  if (r != 0) {
1637  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1638  result = 0;
1639  FLOWLOCK_UNLOCK(&f);
1640  goto end;
1641  }
1642  FLOWLOCK_UNLOCK(&f);
1643 
1644  http_state = f.alstate;
1645  if (http_state == NULL) {
1646  printf("no http state: ");
1647  result = 0;
1648  goto end;
1649  }
1650 
1651  /* do detect */
1652  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1653 
1654  if (PacketAlertCheck(p, 1)) {
1655  printf("sid 1 matched but shouldn't have: ");
1656  goto end;
1657  }
1658 
1659  result = 1;
1660 
1661 end:
1662  if (alp_tctx != NULL)
1663  AppLayerParserThreadCtxFree(alp_tctx);
1664  if (de_ctx != NULL)
1665  DetectEngineCtxFree(de_ctx);
1666 
1667  StreamTcpFreeConfig(TRUE);
1668  FLOW_DESTROY(&f);
1669  UTHFreePackets(&p, 1);
1670  return result;
1671 }
1672 
1673 /**
1674  * \test Checks if a http_cookie is registered in a Signature, if content is not
1675  * specified in the signature
1676  */
1677 static int DetectHttpCookieTest01(void)
1678 {
1679  DetectEngineCtx *de_ctx = NULL;
1680  int result = 0;
1681 
1682  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1683  goto end;
1684 
1685  de_ctx->flags |= DE_QUIET;
1686  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1687  "(msg:\"Testing http_cookie\"; http_cookie;sid:1;)");
1688  if (de_ctx->sig_list == NULL)
1689  result = 1;
1690 
1691 end:
1692  if (de_ctx != NULL)
1693  DetectEngineCtxFree(de_ctx);
1694  return result;
1695 }
1696 
1697 /**
1698  * \test Checks if a http_cookie is registered in a Signature, if some parameter
1699  * is specified with http_cookie in the signature
1700  */
1701 static int DetectHttpCookieTest02(void)
1702 {
1703  DetectEngineCtx *de_ctx = NULL;
1704  int result = 0;
1705 
1706  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1707  goto end;
1708 
1709  de_ctx->flags |= DE_QUIET;
1710  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1711  "(msg:\"Testing http_cookie\"; content:\"me\"; "
1712  "http_cookie:woo; sid:1;)");
1713  if (de_ctx->sig_list == NULL)
1714  result = 1;
1715 
1716 end:
1717  if (de_ctx != NULL)
1718  DetectEngineCtxFree(de_ctx);
1719  return result;
1720 }
1721 
1722 /**
1723  * \test Checks if a http_cookie is registered in a Signature
1724  */
1725 static int DetectHttpCookieTest03(void)
1726 {
1727  SigMatch *sm = NULL;
1728  DetectEngineCtx *de_ctx = NULL;
1729  int result = 0;
1730 
1731  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1732  goto end;
1733 
1734  de_ctx->flags |= DE_QUIET;
1735  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1736  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1737  "http_cookie; content:\"two\"; http_cookie; "
1738  "content:\"two\"; http_cookie; "
1739  "sid:1;)");
1740  if (de_ctx->sig_list == NULL) {
1741  printf("sig parse failed: ");
1742  goto end;
1743  }
1744 
1745  result = 0;
1746  sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
1747  if (sm == NULL) {
1748  printf("no sigmatch(es): ");
1749  goto end;
1750  }
1751 
1752  while (sm != NULL) {
1753  if (sm->type == DETECT_CONTENT) {
1754  result = 1;
1755  } else {
1756  printf("expected DETECT_CONTENT for http_cookie, got %d: ", sm->type);
1757  goto end;
1758  }
1759  sm = sm->next;
1760  }
1761 
1762 end:
1763  if (de_ctx != NULL)
1764  DetectEngineCtxFree(de_ctx);
1765  return result;
1766 }
1767 
1768 /**
1769  * \test Checks if a http_cookie is registered in a Signature, when fast_pattern
1770  * is also specified in the signature (now it should)
1771  */
1772 static int DetectHttpCookieTest04(void)
1773 {
1774  DetectEngineCtx *de_ctx = NULL;
1775  int result = 0;
1776 
1777  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1778  goto end;
1779 
1780  de_ctx->flags |= DE_QUIET;
1781  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1782  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1783  "fast_pattern; http_cookie; sid:1;)");
1784  if (de_ctx->sig_list != NULL)
1785  result = 1;
1786 
1787 end:
1788  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
1789  return result;
1790 }
1791 
1792 /**
1793  * \test Checks if a http_cookie is registered in a Signature, when rawbytes is
1794  * also specified in the signature
1795  */
1796 static int DetectHttpCookieTest05(void)
1797 {
1798  DetectEngineCtx *de_ctx = NULL;
1799  int result = 0;
1800 
1801  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1802  goto end;
1803 
1804  de_ctx->flags |= DE_QUIET;
1805  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1806  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1807  "rawbytes; http_cookie; sid:1;)");
1808  if (de_ctx->sig_list == NULL)
1809  result = 1;
1810 
1811  end:
1812  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
1813  return result;
1814 }
1815 
1816 /**
1817  * \test Checks if a http_cookie is registered in a Signature, when rawbytes is
1818  * also specified in the signature
1819  */
1820 static int DetectHttpCookieTest06(void)
1821 {
1822  DetectEngineCtx *de_ctx = NULL;
1823  int result = 0;
1824 
1825  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1826  goto end;
1827 
1828  de_ctx->flags |= DE_QUIET;
1829  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1830  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1831  "http_cookie; uricontent:\"abc\"; sid:1;)");
1832  if (de_ctx->sig_list == NULL)
1833  goto end;
1834 
1835  Signature *s = de_ctx->sig_list;
1836 
1837  BUG_ON(s->sm_lists[g_http_cookie_buffer_id] == NULL);
1838 
1839  if (s->sm_lists[g_http_cookie_buffer_id]->type != DETECT_CONTENT)
1840  goto end;
1841 
1842  if (s->sm_lists[g_http_uri_buffer_id] == NULL) {
1843  printf("expected another SigMatch, got NULL: ");
1844  goto end;
1845  }
1846 
1847  if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) {
1848  goto end;
1849  }
1850 
1851  result = 1;
1852 end:
1853  if (de_ctx != NULL) {
1854  DetectEngineCtxFree(de_ctx);
1855  }
1856  return result;
1857 }
1858 
1859 /** \test Check the signature working to alert when http_cookie is matched . */
1860 static int DetectHttpCookieSigTest01(void)
1861 {
1862  int result = 0;
1863  Flow f;
1864  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
1865  " hellocatchme\r\n\r\n";
1866  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1867  TcpSession ssn;
1868  Packet *p = NULL;
1869  Signature *s = NULL;
1870  ThreadVars th_v;
1871  DetectEngineThreadCtx *det_ctx = NULL;
1872  HtpState *http_state = NULL;
1873  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1874 
1875  memset(&th_v, 0, sizeof(th_v));
1876  memset(&f, 0, sizeof(f));
1877  memset(&ssn, 0, sizeof(ssn));
1878 
1879  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1880 
1881  FLOW_INITIALIZE(&f);
1882  f.protoctx = (void *)&ssn;
1883  f.proto = IPPROTO_TCP;
1884  f.flags |= FLOW_IPV4;
1885 
1886  p->flow = &f;
1887  p->flowflags |= FLOW_PKT_TOSERVER;
1888  p->flowflags |= FLOW_PKT_ESTABLISHED;
1889  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1890  f.alproto = ALPROTO_HTTP;
1891 
1892  StreamTcpInitConfig(TRUE);
1893 
1894  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1895  if (de_ctx == NULL) {
1896  goto end;
1897  }
1898 
1899  de_ctx->flags |= DE_QUIET;
1900 
1901  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1902  "\"HTTP cookie\"; content:\"me\"; "
1903  "http_cookie; sid:1;)");
1904  if (s == NULL) {
1905  goto end;
1906  }
1907 
1908  s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
1909  "cookie\"; content:\"go\"; http_cookie; sid:2;)");
1910  if (s->next == NULL) {
1911  goto end;
1912  }
1913 
1914 
1915  SigGroupBuild(de_ctx);
1916  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1917 
1918  FLOWLOCK_WRLOCK(&f);
1919  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1920  STREAM_TOSERVER, httpbuf1, httplen1);
1921  if (r != 0) {
1922  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1923  result = 0;
1924  FLOWLOCK_UNLOCK(&f);
1925  goto end;
1926  }
1927  FLOWLOCK_UNLOCK(&f);
1928 
1929  http_state = f.alstate;
1930  if (http_state == NULL) {
1931  printf("no http state: ");
1932  result = 0;
1933  goto end;
1934  }
1935 
1936  /* do detect */
1937  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1938 
1939  if (!(PacketAlertCheck(p, 1))) {
1940  printf("sid 1 didn't match but should have: ");
1941  goto end;
1942  }
1943  if (PacketAlertCheck(p, 2)) {
1944  printf("sid 2 matched but shouldn't: ");
1945  goto end;
1946  }
1947 
1948  result = 1;
1949 end:
1950  if (alp_tctx != NULL)
1951  AppLayerParserThreadCtxFree(alp_tctx);
1952  if (det_ctx != NULL) {
1953  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1954  }
1955  if (de_ctx != NULL) {
1956  DetectEngineCtxFree(de_ctx);
1957  }
1958 
1959  StreamTcpFreeConfig(TRUE);
1960 
1961  UTHFreePackets(&p, 1);
1962  return result;
1963 }
1964 
1965 /** \test Check the signature working to alert when http_cookie is not present */
1966 static int DetectHttpCookieSigTest02(void)
1967 {
1968  int result = 0;
1969  Flow f;
1970  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1971  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1972  TcpSession ssn;
1973  Packet *p = NULL;
1974  Signature *s = NULL;
1975  ThreadVars th_v;
1976  DetectEngineThreadCtx *det_ctx = NULL;
1977  HtpState *http_state = NULL;
1978  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1979 
1980  memset(&th_v, 0, sizeof(th_v));
1981  memset(&p, 0, sizeof(p));
1982  memset(&f, 0, sizeof(f));
1983  memset(&ssn, 0, sizeof(ssn));
1984 
1985  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1986 
1987  FLOW_INITIALIZE(&f);
1988  f.protoctx = (void *)&ssn;
1989  f.proto = IPPROTO_TCP;
1990  f.flags |= FLOW_IPV4;
1991 
1992  p->flow = &f;
1993  p->flowflags |= FLOW_PKT_TOSERVER;
1994  p->flowflags |= FLOW_PKT_ESTABLISHED;
1995  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1996  f.alproto = ALPROTO_HTTP;
1997 
1998  StreamTcpInitConfig(TRUE);
1999 
2000  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2001  if (de_ctx == NULL) {
2002  goto end;
2003  }
2004 
2005  de_ctx->flags |= DE_QUIET;
2006 
2007  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2008  "\"HTTP cookie\"; content:\"me\"; "
2009  "http_cookie; sid:1;)");
2010  if (s == NULL) {
2011  goto end;
2012  }
2013 
2014  SigGroupBuild(de_ctx);
2015  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2016 
2017  FLOWLOCK_WRLOCK(&f);
2018  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2019  STREAM_TOSERVER, httpbuf1, httplen1);
2020  if (r != 0) {
2021  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2022  result = 0;
2023  FLOWLOCK_UNLOCK(&f);
2024  goto end;
2025  }
2026  FLOWLOCK_UNLOCK(&f);
2027 
2028  http_state = f.alstate;
2029  if (http_state == NULL) {
2030  printf("no http state: ");
2031  result = 0;
2032  goto end;
2033  }
2034 
2035  /* do detect */
2036  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2037 
2038  if ((PacketAlertCheck(p, 1))) {
2039  goto end;
2040  }
2041 
2042  result = 1;
2043 
2044 end:
2045  if (alp_tctx != NULL)
2046  AppLayerParserThreadCtxFree(alp_tctx);
2047  if (det_ctx != NULL) {
2048  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2049  }
2050  if (de_ctx != NULL) {
2051  DetectEngineCtxFree(de_ctx);
2052  }
2053  StreamTcpFreeConfig(TRUE);
2054  UTHFreePackets(&p, 1);
2055  return result;
2056 }
2057 
2058 /** \test Check the signature working to alert when http_cookie is not present */
2059 static int DetectHttpCookieSigTest03(void)
2060 {
2061  int result = 0;
2062  Flow f;
2063  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2064  "Cookie: dummy\r\n\r\n";
2065  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2066  TcpSession ssn;
2067  Packet *p = NULL;
2068  Signature *s = NULL;
2069  ThreadVars th_v;
2070  DetectEngineThreadCtx *det_ctx = NULL;
2071  HtpState *http_state = NULL;
2072  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2073 
2074  memset(&th_v, 0, sizeof(th_v));
2075  memset(&f, 0, sizeof(f));
2076  memset(&ssn, 0, sizeof(ssn));
2077 
2078  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2079 
2080  FLOW_INITIALIZE(&f);
2081  f.protoctx = (void *)&ssn;
2082  f.proto = IPPROTO_TCP;
2083  f.flags |= FLOW_IPV4;
2084 
2085  p->flow = &f;
2086  p->flowflags |= FLOW_PKT_TOSERVER;
2087  p->flowflags |= FLOW_PKT_ESTABLISHED;
2088  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2089  f.alproto = ALPROTO_HTTP;
2090 
2091  StreamTcpInitConfig(TRUE);
2092 
2093  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2094  if (de_ctx == NULL) {
2095  goto end;
2096  }
2097 
2098  de_ctx->flags |= DE_QUIET;
2099 
2100  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2101  "\"HTTP cookie\"; content:\"boo\"; "
2102  "http_cookie; sid:1;)");
2103  if (s == NULL) {
2104  goto end;
2105  }
2106 
2107  SigGroupBuild(de_ctx);
2108  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2109 
2110  FLOWLOCK_WRLOCK(&f);
2111  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2112  STREAM_TOSERVER, httpbuf1, httplen1);
2113  if (r != 0) {
2114  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2115  result = 0;
2116  FLOWLOCK_UNLOCK(&f);
2117  goto end;
2118  }
2119  FLOWLOCK_UNLOCK(&f);
2120 
2121  http_state = f.alstate;
2122  if (http_state == NULL) {
2123  printf("no http state: ");
2124  result = 0;
2125  goto end;
2126  }
2127 
2128  /* do detect */
2129  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2130 
2131  if ((PacketAlertCheck(p, 1))) {
2132  goto end;
2133  }
2134 
2135  result = 1;
2136 end:
2137  if (alp_tctx != NULL)
2138  AppLayerParserThreadCtxFree(alp_tctx);
2139  if (det_ctx != NULL) {
2140  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2141  }
2142  if (de_ctx != NULL) {
2143  DetectEngineCtxFree(de_ctx);
2144  }
2145 
2146  StreamTcpFreeConfig(TRUE);
2147  UTHFreePackets(&p, 1);
2148  return result;
2149 }
2150 
2151 /** \test Check the signature working to alert when http_cookie is not present */
2152 static int DetectHttpCookieSigTest04(void)
2153 {
2154  int result = 0;
2155  Flow f;
2156  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2157  "Cookie: dummy\r\n\r\n";
2158  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2159  TcpSession ssn;
2160  Packet *p = NULL;
2161  Signature *s = NULL;
2162  ThreadVars th_v;
2163  DetectEngineThreadCtx *det_ctx = NULL;
2164  HtpState *http_state = NULL;
2165  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2166 
2167  memset(&th_v, 0, sizeof(th_v));
2168  memset(&p, 0, sizeof(p));
2169  memset(&f, 0, sizeof(f));
2170  memset(&ssn, 0, sizeof(ssn));
2171 
2172  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2173 
2174  FLOW_INITIALIZE(&f);
2175  f.protoctx = (void *)&ssn;
2176  f.proto = IPPROTO_TCP;
2177  f.flags |= FLOW_IPV4;
2178 
2179  p->flow = &f;
2180  p->flowflags |= FLOW_PKT_TOSERVER;
2181  p->flowflags |= FLOW_PKT_ESTABLISHED;
2182  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2183  f.alproto = ALPROTO_HTTP;
2184 
2185  StreamTcpInitConfig(TRUE);
2186 
2187  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2188  if (de_ctx == NULL) {
2189  goto end;
2190  }
2191 
2192  de_ctx->flags |= DE_QUIET;
2193 
2194  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2195  "\"HTTP cookie\"; content:!\"boo\"; "
2196  "http_cookie; sid:1;)");
2197  if (s == NULL) {
2198  goto end;
2199  }
2200 
2201  SigGroupBuild(de_ctx);
2202  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2203 
2204  FLOWLOCK_WRLOCK(&f);
2205  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2206  STREAM_TOSERVER, httpbuf1, httplen1);
2207  if (r != 0) {
2208  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2209  result = 0;
2210  FLOWLOCK_UNLOCK(&f);
2211  goto end;
2212  }
2213  FLOWLOCK_UNLOCK(&f);
2214 
2215  http_state = f.alstate;
2216  if (http_state == NULL) {
2217  printf("no http state: ");
2218  result = 0;
2219  goto end;
2220  }
2221 
2222  /* do detect */
2223  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2224 
2225  if (!PacketAlertCheck(p, 1)) {
2226  goto end;
2227  }
2228 
2229  result = 1;
2230 end:
2231  if (alp_tctx != NULL)
2232  AppLayerParserThreadCtxFree(alp_tctx);
2233  if (det_ctx != NULL) {
2234  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2235  }
2236  if (de_ctx != NULL) {
2237  DetectEngineCtxFree(de_ctx);
2238  }
2239 
2240  StreamTcpFreeConfig(TRUE);
2241  UTHFreePackets(&p, 1);
2242  return result;
2243 }
2244 
2245 /** \test Check the signature working to alert when http_cookie is not present */
2246 static int DetectHttpCookieSigTest05(void)
2247 {
2248  int result = 0;
2249  Flow f;
2250  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2251  "Cookie: DuMmY\r\n\r\n";
2252  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2253  TcpSession ssn;
2254  Packet *p = NULL;
2255  Signature *s = NULL;
2256  ThreadVars th_v;
2257  DetectEngineThreadCtx *det_ctx = NULL;
2258  HtpState *http_state = NULL;
2259  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2260 
2261  memset(&th_v, 0, sizeof(th_v));
2262  memset(&p, 0, sizeof(p));
2263  memset(&f, 0, sizeof(f));
2264  memset(&ssn, 0, sizeof(ssn));
2265 
2266  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2267 
2268  FLOW_INITIALIZE(&f);
2269  f.protoctx = (void *)&ssn;
2270  f.proto = IPPROTO_TCP;
2271  f.flags |= FLOW_IPV4;
2272 
2273  p->flow = &f;
2274  p->flowflags |= FLOW_PKT_TOSERVER;
2275  p->flowflags |= FLOW_PKT_ESTABLISHED;
2276  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2277  f.alproto = ALPROTO_HTTP;
2278 
2279  StreamTcpInitConfig(TRUE);
2280 
2281  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2282  if (de_ctx == NULL) {
2283  goto end;
2284  }
2285 
2286  de_ctx->flags |= DE_QUIET;
2287 
2288  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2289  "\"HTTP cookie\"; content:\"dummy\"; nocase; "
2290  "http_cookie; sid:1;)");
2291  if (s == NULL) {
2292  goto end;
2293  }
2294 
2295  SigGroupBuild(de_ctx);
2296  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2297 
2298  FLOWLOCK_WRLOCK(&f);
2299  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2300  STREAM_TOSERVER, httpbuf1, httplen1);
2301  if (r != 0) {
2302  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2303  result = 0;
2304  FLOWLOCK_UNLOCK(&f);
2305  goto end;
2306  }
2307  FLOWLOCK_UNLOCK(&f);
2308 
2309  http_state = f.alstate;
2310  if (http_state == NULL) {
2311  printf("no http state: ");
2312  result = 0;
2313  goto end;
2314  }
2315 
2316  /* do detect */
2317  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2318 
2319  if (!PacketAlertCheck(p, 1)) {
2320  goto end;
2321  }
2322 
2323  result = 1;
2324 end:
2325  if (alp_tctx != NULL)
2326  AppLayerParserThreadCtxFree(alp_tctx);
2327  if (det_ctx != NULL) {
2328  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2329  }
2330  if (de_ctx != NULL) {
2331  DetectEngineCtxFree(de_ctx);
2332  }
2333 
2334  StreamTcpFreeConfig(TRUE);
2335  UTHFreePackets(&p, 1);
2336  return result;
2337 }
2338 
2339 /** \test Check the signature working to alert when http_cookie is not present */
2340 static int DetectHttpCookieSigTest06(void)
2341 {
2342  int result = 0;
2343  Flow f;
2344  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2345  "Cookie: DuMmY\r\n\r\n";
2346  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2347  TcpSession ssn;
2348  Packet *p = NULL;
2349  Signature *s = NULL;
2350  ThreadVars th_v;
2351  DetectEngineThreadCtx *det_ctx = NULL;
2352  HtpState *http_state = NULL;
2353  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2354 
2355  memset(&th_v, 0, sizeof(th_v));
2356  memset(&p, 0, sizeof(p));
2357  memset(&f, 0, sizeof(f));
2358  memset(&ssn, 0, sizeof(ssn));
2359 
2360  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2361 
2362  FLOW_INITIALIZE(&f);
2363  f.protoctx = (void *)&ssn;
2364  f.proto = IPPROTO_TCP;
2365  f.flags |= FLOW_IPV4;
2366 
2367  p->flow = &f;
2368  p->flowflags |= FLOW_PKT_TOSERVER;
2369  p->flowflags |= FLOW_PKT_ESTABLISHED;
2370  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2371  f.alproto = ALPROTO_HTTP;
2372 
2373  StreamTcpInitConfig(TRUE);
2374 
2375  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2376  if (de_ctx == NULL) {
2377  goto end;
2378  }
2379 
2380  de_ctx->flags |= DE_QUIET;
2381 
2382  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2383  "\"HTTP cookie\"; content:\"dummy\"; "
2384  "http_cookie; nocase; sid:1;)");
2385  if (s == NULL) {
2386  printf("sig parse failed: ");
2387  goto end;
2388  }
2389 
2390  SigGroupBuild(de_ctx);
2391  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2392 
2393  FLOWLOCK_WRLOCK(&f);
2394  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2395  STREAM_TOSERVER, httpbuf1, httplen1);
2396  if (r != 0) {
2397  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2398  FLOWLOCK_UNLOCK(&f);
2399  goto end;
2400  }
2401  FLOWLOCK_UNLOCK(&f);
2402 
2403  http_state = f.alstate;
2404  if (http_state == NULL) {
2405  printf("no http state: ");
2406  goto end;
2407  }
2408 
2409  /* do detect */
2410  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2411 
2412  if (!PacketAlertCheck(p, 1)) {
2413  printf("sig 1 failed to match: ");
2414  goto end;
2415  }
2416 
2417  result = 1;
2418 end:
2419  if (alp_tctx != NULL)
2420  AppLayerParserThreadCtxFree(alp_tctx);
2421  if (det_ctx != NULL) {
2422  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2423  }
2424  if (de_ctx != NULL) {
2425  DetectEngineCtxFree(de_ctx);
2426  }
2427 
2428  StreamTcpFreeConfig(TRUE);
2429  UTHFreePackets(&p, 1);
2430  return result;
2431 }
2432 
2433 /** \test Check the signature working to alert when http_cookie is not present */
2434 static int DetectHttpCookieSigTest07(void)
2435 {
2436  int result = 0;
2437  Flow f;
2438  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2439  "Cookie: dummy\r\n\r\n";
2440  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2441  TcpSession ssn;
2442  Packet *p = NULL;
2443  Signature *s = NULL;
2444  ThreadVars th_v;
2445  DetectEngineThreadCtx *det_ctx = NULL;
2446  HtpState *http_state = NULL;
2447  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2448 
2449  memset(&th_v, 0, sizeof(th_v));
2450  memset(&f, 0, sizeof(f));
2451  memset(&ssn, 0, sizeof(ssn));
2452 
2453  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2454 
2455  FLOW_INITIALIZE(&f);
2456  f.protoctx = (void *)&ssn;
2457  f.proto = IPPROTO_TCP;
2458  f.flags |= FLOW_IPV4;
2459 
2460  p->flow = &f;
2461  p->flowflags |= FLOW_PKT_TOSERVER;
2462  p->flowflags |= FLOW_PKT_ESTABLISHED;
2463  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2464  f.alproto = ALPROTO_HTTP;
2465 
2466  StreamTcpInitConfig(TRUE);
2467 
2468  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2469  if (de_ctx == NULL) {
2470  goto end;
2471  }
2472 
2473  de_ctx->flags |= DE_QUIET;
2474 
2475  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2476  "\"HTTP cookie\"; content:!\"dummy\"; "
2477  "http_cookie; sid:1;)");
2478  if (s == NULL) {
2479  goto end;
2480  }
2481 
2482  SigGroupBuild(de_ctx);
2483  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2484 
2485  FLOWLOCK_WRLOCK(&f);
2486  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2487  STREAM_TOSERVER, httpbuf1, httplen1);
2488  if (r != 0) {
2489  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2490  result = 0;
2491  FLOWLOCK_UNLOCK(&f);
2492  goto end;
2493  }
2494  FLOWLOCK_UNLOCK(&f);
2495 
2496  http_state = f.alstate;
2497  if (http_state == NULL) {
2498  printf("no http state: ");
2499  result = 0;
2500  goto end;
2501  }
2502 
2503  /* do detect */
2504  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2505 
2506  if (PacketAlertCheck(p, 1)) {
2507  goto end;
2508  }
2509 
2510  result = 1;
2511 end:
2512  if (alp_tctx != NULL)
2513  AppLayerParserThreadCtxFree(alp_tctx);
2514  if (det_ctx != NULL) {
2515  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2516  }
2517  if (de_ctx != NULL) {
2518  DetectEngineCtxFree(de_ctx);
2519  }
2520 
2521  StreamTcpFreeConfig(TRUE);
2522  UTHFreePackets(&p, 1);
2523  return result;
2524 }
2525 
2526 /**
2527  * \test Check the signature working to alert against set-cookie
2528  */
2529 static int DetectHttpCookieSigTest08(void)
2530 {
2531  int result = 0;
2532  Flow f;
2533 
2534  uint8_t httpbuf_request[] =
2535  "GET / HTTP/1.1\r\n"
2536  "User-Agent: Mozilla/1.0\r\n"
2537  "\r\n";
2538  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
2539 
2540  uint8_t httpbuf_response[] =
2541  "HTTP/1.1 200 OK\r\n"
2542  "Set-Cookie: response_user_agent\r\n"
2543  "\r\n";
2544  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
2545 
2546  TcpSession ssn;
2547  Packet *p1 = NULL, *p2 = NULL;
2548  Signature *s = NULL;
2549  ThreadVars th_v;
2550  DetectEngineThreadCtx *det_ctx = NULL;
2551  HtpState *http_state = NULL;
2552  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2553 
2554  memset(&th_v, 0, sizeof(th_v));
2555  memset(&f, 0, sizeof(f));
2556  memset(&ssn, 0, sizeof(ssn));
2557 
2558  FLOW_INITIALIZE(&f);
2559  f.protoctx = (void *)&ssn;
2560  f.proto = IPPROTO_TCP;
2561  f.flags |= FLOW_IPV4;
2562  f.alproto = ALPROTO_HTTP;
2563 
2564  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2565  p1->flow = &f;
2566  p1->flowflags |= FLOW_PKT_TOSERVER;
2567  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2568  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2569 
2570  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2571  p2->flow = &f;
2572  p2->flowflags |= FLOW_PKT_TOCLIENT;
2573  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2574  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2575 
2576  StreamTcpInitConfig(TRUE);
2577 
2578  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2579  if (de_ctx == NULL) {
2580  goto end;
2581  }
2582 
2583  de_ctx->flags |= DE_QUIET;
2584 
2585  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2586  "(flow:to_client; content:\"response_user_agent\"; "
2587  "http_cookie; sid:1;)");
2588  if (s == NULL) {
2589  goto end;
2590  }
2591 
2592  SigGroupBuild(de_ctx);
2593  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2594 
2595  /* request */
2596  FLOWLOCK_WRLOCK(&f);
2597  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2598  STREAM_TOSERVER, httpbuf_request,
2599  httpbuf_request_len);
2600  if (r != 0) {
2601  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2602  result = 0;
2603  FLOWLOCK_UNLOCK(&f);
2604  goto end;
2605  }
2606  FLOWLOCK_UNLOCK(&f);
2607 
2608  http_state = f.alstate;
2609  if (http_state == NULL) {
2610  printf("no http state: ");
2611  goto end;
2612  }
2613 
2614  /* do detect */
2615  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2616  if (PacketAlertCheck(p1, 1)) {
2617  goto end;
2618  }
2619 
2620  /* response */
2621  FLOWLOCK_WRLOCK(&f);
2622  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2623  STREAM_TOCLIENT, httpbuf_response,
2624  httpbuf_response_len);
2625  if (r != 0) {
2626  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2627  result = 0;
2628  FLOWLOCK_UNLOCK(&f);
2629  goto end;
2630  }
2631  FLOWLOCK_UNLOCK(&f);
2632 
2633  /* do detect */
2634  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2635  if (!PacketAlertCheck(p2, 1)) {
2636  goto end;
2637  }
2638 
2639  result = 1;
2640 
2641 end:
2642  if (alp_tctx != NULL)
2643  AppLayerParserThreadCtxFree(alp_tctx);
2644  if (det_ctx != NULL) {
2645  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2646  }
2647  if (de_ctx != NULL) {
2648  DetectEngineCtxFree(de_ctx);
2649  }
2650 
2651  StreamTcpFreeConfig(TRUE);
2652  UTHFreePackets(&p1, 1);
2653  UTHFreePackets(&p2, 1);
2654  return result;
2655 }
2656 
2657 /**
2658  * \test Check the signature working to alert against cookie/set-cookie
2659  */
2660 static int DetectHttpCookieSigTest09(void)
2661 {
2662  int result = 0;
2663  Flow f;
2664 
2665  uint8_t httpbuf_request[] =
2666  "GET / HTTP/1.1\r\n"
2667  "Cookie: request_user_agent\r\n"
2668  "User-Agent: Mozilla/1.0\r\n"
2669  "\r\n";
2670  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
2671 
2672  uint8_t httpbuf_response[] =
2673  "HTTP/1.1 200 OK\r\n"
2674  "Set-Cookie: response_user_agent\r\n"
2675  "\r\n";
2676  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
2677 
2678  TcpSession ssn;
2679  Packet *p1 = NULL, *p2 = NULL;
2680  Signature *s = NULL;
2681  ThreadVars th_v;
2682  DetectEngineThreadCtx *det_ctx = NULL;
2683  HtpState *http_state = NULL;
2684  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2685 
2686  memset(&th_v, 0, sizeof(th_v));
2687  memset(&f, 0, sizeof(f));
2688  memset(&ssn, 0, sizeof(ssn));
2689 
2690  FLOW_INITIALIZE(&f);
2691  f.protoctx = (void *)&ssn;
2692  f.proto = IPPROTO_TCP;
2693  f.flags |= FLOW_IPV4;
2694  f.alproto = ALPROTO_HTTP;
2695 
2696  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2697  p1->flow = &f;
2698  p1->flowflags |= FLOW_PKT_TOSERVER;
2699  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2700  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2701 
2702  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2703  p2->flow = &f;
2704  p2->flowflags |= FLOW_PKT_TOCLIENT;
2705  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2706  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2707 
2708  StreamTcpInitConfig(TRUE);
2709 
2710  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2711  if (de_ctx == NULL) {
2712  goto end;
2713  }
2714 
2715  de_ctx->flags |= DE_QUIET;
2716 
2717  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2718  "(flow:to_server; content:\"request_user_agent\"; "
2719  "http_cookie; sid:1;)");
2720  if (s == NULL) {
2721  goto end;
2722  }
2723  s = de_ctx->sig_list->next = SigInit(de_ctx,"alert http any any -> any any "
2724  "(flow:to_client; content:\"response_user_agent\"; "
2725  "http_cookie; sid:2;)");
2726  if (s == NULL) {
2727  goto end;
2728  }
2729 
2730  SigGroupBuild(de_ctx);
2731  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2732 
2733  /* request */
2734  FLOWLOCK_WRLOCK(&f);
2735  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2736  STREAM_TOSERVER, httpbuf_request,
2737  httpbuf_request_len);
2738  if (r != 0) {
2739  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2740  result = 0;
2741  FLOWLOCK_UNLOCK(&f);
2742  goto end;
2743  }
2744  FLOWLOCK_UNLOCK(&f);
2745 
2746  http_state = f.alstate;
2747  if (http_state == NULL) {
2748  printf("no http state: ");
2749  goto end;
2750  }
2751 
2752  /* do detect */
2753  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2754  if (!PacketAlertCheck(p1, 1) || PacketAlertCheck(p1, 2)) {
2755  goto end;
2756  }
2757 
2758  /* response */
2759  FLOWLOCK_WRLOCK(&f);
2760  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2761  STREAM_TOCLIENT, httpbuf_response,
2762  httpbuf_response_len);
2763  if (r != 0) {
2764  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2765  result = 0;
2766  FLOWLOCK_UNLOCK(&f);
2767  goto end;
2768  }
2769  FLOWLOCK_UNLOCK(&f);
2770 
2771  /* do detect */
2772  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2773  if (PacketAlertCheck(p2, 1) || !PacketAlertCheck(p2, 2)) {
2774  goto end;
2775  }
2776 
2777  result = 1;
2778 
2779 end:
2780  if (alp_tctx != NULL)
2781  AppLayerParserThreadCtxFree(alp_tctx);
2782  if (det_ctx != NULL) {
2783  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2784  }
2785  if (de_ctx != NULL) {
2786  DetectEngineCtxFree(de_ctx);
2787  }
2788 
2789  StreamTcpFreeConfig(TRUE);
2790  UTHFreePackets(&p1, 1);
2791  UTHFreePackets(&p2, 1);
2792  return result;
2793 }
2794 
2795 static int DetectHttpCookieIsdataatParseTest(void)
2796 {
2797  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2798  FAIL_IF_NULL(de_ctx);
2799  de_ctx->flags |= DE_QUIET;
2800 
2801  Signature *s = DetectEngineAppendSig(de_ctx,
2802  "alert tcp any any -> any any ("
2803  "content:\"one\"; http_cookie; "
2804  "isdataat:!4,relative; sid:1;)");
2805  FAIL_IF_NULL(s);
2806 
2807  SigMatch *sm = s->init_data->smlists_tail[g_http_cookie_buffer_id];
2808  FAIL_IF_NULL(sm);
2809  FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
2810 
2811  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
2812  FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
2813  FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
2814  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
2815 
2816  DetectEngineCtxFree(de_ctx);
2817  PASS;
2818 }
2819 
2820 /**
2821  * \brief Register the UNITTESTS for the http_cookie keyword
2822  */
2823 void DetectHttpCookieRegisterTests (void)
2824 {
2825  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
2826 
2827  UtRegisterTest("DetectHttpCookieTest01", DetectHttpCookieTest01);
2828  UtRegisterTest("DetectHttpCookieTest02", DetectHttpCookieTest02);
2829  UtRegisterTest("DetectHttpCookieTest03", DetectHttpCookieTest03);
2830  UtRegisterTest("DetectHttpCookieTest04", DetectHttpCookieTest04);
2831  UtRegisterTest("DetectHttpCookieTest05", DetectHttpCookieTest05);
2832  UtRegisterTest("DetectHttpCookieTest06", DetectHttpCookieTest06);
2833  UtRegisterTest("DetectHttpCookieSigTest01", DetectHttpCookieSigTest01);
2834  UtRegisterTest("DetectHttpCookieSigTest02", DetectHttpCookieSigTest02);
2835  UtRegisterTest("DetectHttpCookieSigTest03", DetectHttpCookieSigTest03);
2836  UtRegisterTest("DetectHttpCookieSigTest04", DetectHttpCookieSigTest04);
2837  UtRegisterTest("DetectHttpCookieSigTest05", DetectHttpCookieSigTest05);
2838  UtRegisterTest("DetectHttpCookieSigTest06", DetectHttpCookieSigTest06);
2839  UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
2840  UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
2841  UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
2842  UtRegisterTest("DetectHttpCookieIsdataatParseTest",
2843  DetectHttpCookieIsdataatParseTest);
2844  UtRegisterTest("DetectEngineHttpCookieTest01",
2845  DetectEngineHttpCookieTest01);
2846  UtRegisterTest("DetectEngineHttpCookieTest02",
2847  DetectEngineHttpCookieTest02);
2848  UtRegisterTest("DetectEngineHttpCookieTest03",
2849  DetectEngineHttpCookieTest03);
2850  UtRegisterTest("DetectEngineHttpCookieTest04",
2851  DetectEngineHttpCookieTest04);
2852  UtRegisterTest("DetectEngineHttpCookieTest05",
2853  DetectEngineHttpCookieTest05);
2854  UtRegisterTest("DetectEngineHttpCookieTest06",
2855  DetectEngineHttpCookieTest06);
2856  UtRegisterTest("DetectEngineHttpCookieTest07",
2857  DetectEngineHttpCookieTest07);
2858  UtRegisterTest("DetectEngineHttpCookieTest08",
2859  DetectEngineHttpCookieTest08);
2860  UtRegisterTest("DetectEngineHttpCookieTest09",
2861  DetectEngineHttpCookieTest09);
2862  UtRegisterTest("DetectEngineHttpCookieTest10",
2863  DetectEngineHttpCookieTest10);
2864  UtRegisterTest("DetectEngineHttpCookieTest11",
2865  DetectEngineHttpCookieTest11);
2866  UtRegisterTest("DetectEngineHttpCookieTest12",
2867  DetectEngineHttpCookieTest12);
2868  UtRegisterTest("DetectEngineHttpCookieTest13",
2869  DetectEngineHttpCookieTest13);
2870  UtRegisterTest("DetectEngineHttpCookieTest14",
2871  DetectEngineHttpCookieTest14);
2872  UtRegisterTest("DetectEngineHttpCookieTest15",
2873  DetectEngineHttpCookieTest15);
2874  UtRegisterTest("DetectEngineHttpCookieTest16",
2875  DetectEngineHttpCookieTest16);
2876  UtRegisterTest("DetectEngineHttpCookieTest17",
2877  DetectEngineHttpCookieTest17);
2878 }
2879 /**
2880  * @}
2881  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1087
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:59
Flow_::proto
uint8_t proto
Definition: flow.h:361
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:446
Flow_
Flow data structure.
Definition: flow.h:343
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2033
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2089
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:336
DetectIsdataatData_
Definition: detect-isdataat.h:35
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:442
Flow_::protoctx
void * protoctx
Definition: flow.h:416
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:94
HtpState_
Definition: app-layer-htp.h:247
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:260
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:876
Signature_::next
struct Signature_ * next
Definition: detect.h:599
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:523
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:257
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:323
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1668
Packet_
Definition: decode.h:411
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:596
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:320
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2326
Packet_::flow
struct Flow_ * flow
Definition: decode.h:448
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2793
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1171
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3001
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
Flow_::alstate
void * alstate
Definition: flow.h:454
Flow_::flags
uint32_t flags
Definition: flow.h:396
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:78
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:220
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
TcpSession_
Definition: stream-tcp-private.h:260
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1085
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467