suricata
detect-http-cookie.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 /** \file
25  *
26  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
27  * \author Victor Julien <victor@inliniac.net>
28  *
29  * \brief Handle HTTP cookie match
30  *
31  */
32 
33 #include "../suricata-common.h"
34 #include "../suricata.h"
35 #include "../flow-util.h"
36 #include "../flow.h"
37 #include "../app-layer-parser.h"
38 #include "../util-unittest.h"
39 #include "../util-unittest-helper.h"
40 #include "../app-layer.h"
41 #include "../app-layer-htp.h"
42 #include "../app-layer-protos.h"
43 #include "../detect-isdataat.h"
44 #include "../detect-engine-build.h"
45 #include "../detect-engine-alert.h"
46 
47 /***********************************Unittests**********************************/
48 
49 /**
50  * \test Test that the http_cookie content matches against a http request
51  * which holds the content.
52  */
53 static int DetectEngineHttpCookieTest01(void)
54 {
55  TcpSession ssn;
56  ThreadVars th_v;
57  DetectEngineThreadCtx *det_ctx = NULL;
58  Flow f;
59  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
60  "Cookie: CONNECT\r\n"
61  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
62  uint32_t http_len = sizeof(http_buf) - 1;
63  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
64 
65  memset(&th_v, 0, sizeof(th_v));
66  memset(&f, 0, sizeof(f));
67  memset(&ssn, 0, sizeof(ssn));
68 
69  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
70 
71  FLOW_INITIALIZE(&f);
72  f.protoctx = (void *)&ssn;
73  f.proto = IPPROTO_TCP;
74  f.flags |= FLOW_IPV4;
75  p->flow = &f;
76  p->flowflags |= FLOW_PKT_TOSERVER;
77  p->flowflags |= FLOW_PKT_ESTABLISHED;
78  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
79  f.alproto = ALPROTO_HTTP1;
80 
81  StreamTcpInitConfig(true);
82 
83  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
84  FAIL_IF_NULL(de_ctx);
85  de_ctx->flags |= DE_QUIET;
86 
87  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
88  "(msg:\"http header test\"; "
89  "content:\"CONNECT\"; http_cookie; "
90  "sid:1;)");
91  FAIL_IF_NULL(s);
92 
93  SigGroupBuild(de_ctx);
94  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
95 
96  int r = AppLayerParserParse(
97  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
98  FAIL_IF_NOT(r == 0);
99 
100  HtpState *http_state = f.alstate;
101  FAIL_IF_NULL(http_state);
102 
103  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
104  FAIL_IF(!(PacketAlertCheck(p, 1)));
105 
106  FLOW_DESTROY(&f);
107  UTHFreePackets(&p, 1);
108  AppLayerParserThreadCtxFree(alp_tctx);
109  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
110  DetectEngineCtxFree(de_ctx);
111  StreamTcpFreeConfig(true);
112  StatsThreadCleanup(&th_v);
113  PASS;
114 }
115 
116 /**
117  * \test Test that the http_cookie content matches against a http request
118  * which holds the content.
119  */
120 static int DetectEngineHttpCookieTest02(void)
121 {
122  TcpSession ssn;
123  ThreadVars th_v;
124  DetectEngineThreadCtx *det_ctx = NULL;
125  Flow f;
126  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
127  "Cookie: CONNECT\r\n"
128  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
129  uint32_t http_len = sizeof(http_buf) - 1;
130  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
131 
132  memset(&th_v, 0, sizeof(th_v));
133  memset(&f, 0, sizeof(f));
134  memset(&ssn, 0, sizeof(ssn));
135 
136  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
137 
138  FLOW_INITIALIZE(&f);
139  f.protoctx = (void *)&ssn;
140  f.proto = IPPROTO_TCP;
141  f.flags |= FLOW_IPV4;
142  p->flow = &f;
143  p->flowflags |= FLOW_PKT_TOSERVER;
144  p->flowflags |= FLOW_PKT_ESTABLISHED;
145  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
146  f.alproto = ALPROTO_HTTP1;
147 
148  StreamTcpInitConfig(true);
149 
150  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
151  FAIL_IF_NULL(de_ctx);
152  de_ctx->flags |= DE_QUIET;
153 
154  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
155  "(msg:\"http header test\"; "
156  "content:\"CO\"; depth:4; http_cookie; "
157  "sid:1;)");
158  FAIL_IF_NULL(s);
159 
160  SigGroupBuild(de_ctx);
161  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
162 
163  int r = AppLayerParserParse(
164  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
165  FAIL_IF_NOT(r == 0);
166 
167  HtpState *http_state = f.alstate;
168  FAIL_IF_NULL(http_state);
169 
170  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
171  FAIL_IF(!(PacketAlertCheck(p, 1)));
172 
173  FLOW_DESTROY(&f);
174  UTHFreePackets(&p, 1);
175  AppLayerParserThreadCtxFree(alp_tctx);
176  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
177  DetectEngineCtxFree(de_ctx);
178  StreamTcpFreeConfig(true);
179  StatsThreadCleanup(&th_v);
180  PASS;
181 }
182 
183 /**
184  * \test Test that the http_cookie content matches against a http request
185  * which holds the content.
186  */
187 static int DetectEngineHttpCookieTest03(void)
188 {
189  TcpSession ssn;
190  ThreadVars th_v;
191  DetectEngineThreadCtx *det_ctx = NULL;
192  Flow f;
193  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
194  "Cookie: CONNECT\r\n"
195  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
196  uint32_t http_len = sizeof(http_buf) - 1;
197  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
198 
199  memset(&th_v, 0, sizeof(th_v));
200  memset(&f, 0, sizeof(f));
201  memset(&ssn, 0, sizeof(ssn));
202 
203  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
204 
205  FLOW_INITIALIZE(&f);
206  f.protoctx = (void *)&ssn;
207  f.proto = IPPROTO_TCP;
208  f.flags |= FLOW_IPV4;
209  p->flow = &f;
210  p->flowflags |= FLOW_PKT_TOSERVER;
211  p->flowflags |= FLOW_PKT_ESTABLISHED;
212  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
213  f.alproto = ALPROTO_HTTP1;
214 
215  StreamTcpInitConfig(true);
216 
217  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
218  FAIL_IF_NULL(de_ctx);
219  de_ctx->flags |= DE_QUIET;
220 
221  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
222  "(msg:\"http header test\"; "
223  "content:!\"ECT\"; depth:4; http_cookie; "
224  "sid:1;)");
225  FAIL_IF_NULL(s);
226 
227  SigGroupBuild(de_ctx);
228  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
229 
230  int r = AppLayerParserParse(
231  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
232  FAIL_IF_NOT(r == 0);
233 
234  HtpState *http_state = f.alstate;
235  FAIL_IF_NULL(http_state);
236 
237  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
238  FAIL_IF(!(PacketAlertCheck(p, 1)));
239 
240  FLOW_DESTROY(&f);
241  UTHFreePackets(&p, 1);
242  AppLayerParserThreadCtxFree(alp_tctx);
243  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
244  DetectEngineCtxFree(de_ctx);
245  StreamTcpFreeConfig(true);
246  StatsThreadCleanup(&th_v);
247  PASS;
248 }
249 
250 /**
251  * \test Test that the http_cookie content matches against a http request
252  * which holds the content.
253  */
254 static int DetectEngineHttpCookieTest04(void)
255 {
256  TcpSession ssn;
257  ThreadVars th_v;
258  DetectEngineThreadCtx *det_ctx = NULL;
259  Flow f;
260  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
261  "Cookie: CONNECT\r\n"
262  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
263  uint32_t http_len = sizeof(http_buf) - 1;
264  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
265 
266  memset(&th_v, 0, sizeof(th_v));
267  memset(&f, 0, sizeof(f));
268  memset(&ssn, 0, sizeof(ssn));
269 
270  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
271 
272  FLOW_INITIALIZE(&f);
273  f.protoctx = (void *)&ssn;
274  f.proto = IPPROTO_TCP;
275  f.flags |= FLOW_IPV4;
276  p->flow = &f;
277  p->flowflags |= FLOW_PKT_TOSERVER;
278  p->flowflags |= FLOW_PKT_ESTABLISHED;
279  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
280  f.alproto = ALPROTO_HTTP1;
281 
282  StreamTcpInitConfig(true);
283 
284  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
285  FAIL_IF_NULL(de_ctx);
286  de_ctx->flags |= DE_QUIET;
287 
288  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
289  "(msg:\"http header test\"; "
290  "content:\"ECT\"; depth:4; http_cookie; "
291  "sid:1;)");
292  FAIL_IF_NULL(s);
293 
294  SigGroupBuild(de_ctx);
295  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
296 
297  int r = AppLayerParserParse(
298  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
299  FAIL_IF_NOT(r == 0);
300 
301  HtpState *http_state = f.alstate;
302  FAIL_IF_NULL(http_state);
303 
304  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
305  FAIL_IF(PacketAlertCheck(p, 1));
306 
307  FLOW_DESTROY(&f);
308  UTHFreePackets(&p, 1);
309  AppLayerParserThreadCtxFree(alp_tctx);
310  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
311  DetectEngineCtxFree(de_ctx);
312  StreamTcpFreeConfig(true);
313  StatsThreadCleanup(&th_v);
314  PASS;
315 }
316 
317 /**
318  * \test Test that the http_cookie content matches against a http request
319  * which holds the content.
320  */
321 static int DetectEngineHttpCookieTest05(void)
322 {
323  TcpSession ssn;
324  ThreadVars th_v;
325  DetectEngineThreadCtx *det_ctx = NULL;
326  Flow f;
327  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
328  "Cookie: CONNECT\r\n"
329  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
330  uint32_t http_len = sizeof(http_buf) - 1;
331  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
332 
333  memset(&th_v, 0, sizeof(th_v));
334  memset(&f, 0, sizeof(f));
335  memset(&ssn, 0, sizeof(ssn));
336 
337  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
338 
339  FLOW_INITIALIZE(&f);
340  f.protoctx = (void *)&ssn;
341  f.proto = IPPROTO_TCP;
342  f.flags |= FLOW_IPV4;
343  p->flow = &f;
344  p->flowflags |= FLOW_PKT_TOSERVER;
345  p->flowflags |= FLOW_PKT_ESTABLISHED;
346  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
347  f.alproto = ALPROTO_HTTP1;
348 
349  StreamTcpInitConfig(true);
350 
351  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
352  FAIL_IF_NULL(de_ctx);
353  de_ctx->flags |= DE_QUIET;
354 
355  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
356  "(msg:\"http header test\"; "
357  "content:!\"CON\"; depth:4; http_cookie; "
358  "sid:1;)");
359  FAIL_IF_NULL(s);
360 
361  SigGroupBuild(de_ctx);
362  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
363 
364  int r = AppLayerParserParse(
365  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
366  FAIL_IF_NOT(r == 0);
367 
368  HtpState *http_state = f.alstate;
369  FAIL_IF_NULL(http_state);
370 
371  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
372  FAIL_IF(PacketAlertCheck(p, 1));
373 
374  FLOW_DESTROY(&f);
375  UTHFreePackets(&p, 1);
376  AppLayerParserThreadCtxFree(alp_tctx);
377  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
378  DetectEngineCtxFree(de_ctx);
379  StreamTcpFreeConfig(true);
380  StatsThreadCleanup(&th_v);
381  PASS;
382 }
383 
384 /**
385  * \test Test that the http_cookie content matches against a http request
386  * which holds the content.
387  */
388 static int DetectEngineHttpCookieTest06(void)
389 {
390  TcpSession ssn;
391  ThreadVars th_v;
392  DetectEngineThreadCtx *det_ctx = NULL;
393  Flow f;
394  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
395  "Cookie: CONNECT\r\n"
396  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
397  uint32_t http_len = sizeof(http_buf) - 1;
398  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
399 
400  memset(&th_v, 0, sizeof(th_v));
401  memset(&f, 0, sizeof(f));
402  memset(&ssn, 0, sizeof(ssn));
403 
404  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
405 
406  FLOW_INITIALIZE(&f);
407  f.protoctx = (void *)&ssn;
408  f.proto = IPPROTO_TCP;
409  f.flags |= FLOW_IPV4;
410  p->flow = &f;
411  p->flowflags |= FLOW_PKT_TOSERVER;
412  p->flowflags |= FLOW_PKT_ESTABLISHED;
413  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
414  f.alproto = ALPROTO_HTTP1;
415 
416  StreamTcpInitConfig(true);
417 
418  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
419  FAIL_IF_NULL(de_ctx);
420  de_ctx->flags |= DE_QUIET;
421 
422  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
423  "(msg:\"http header test\"; "
424  "content:\"ECT\"; offset:3; http_cookie; "
425  "sid:1;)");
426  FAIL_IF_NULL(s);
427 
428  SigGroupBuild(de_ctx);
429  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
430 
431  int r = AppLayerParserParse(
432  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
433  FAIL_IF_NOT(r == 0);
434 
435  HtpState *http_state = f.alstate;
436  FAIL_IF_NULL(http_state);
437 
438  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
439  FAIL_IF(!(PacketAlertCheck(p, 1)));
440 
441  UTHFreePackets(&p, 1);
442  FLOW_DESTROY(&f);
443  AppLayerParserThreadCtxFree(alp_tctx);
444  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
445  DetectEngineCtxFree(de_ctx);
446  StreamTcpFreeConfig(true);
447  StatsThreadCleanup(&th_v);
448  PASS;
449 }
450 
451 /**
452  * \test Test that the http_cookie content matches against a http request
453  * which holds the content.
454  */
455 static int DetectEngineHttpCookieTest07(void)
456 {
457  TcpSession ssn;
458  ThreadVars th_v;
459  DetectEngineThreadCtx *det_ctx = NULL;
460  Flow f;
461  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
462  "Cookie: CONNECT\r\n"
463  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
464  uint32_t http_len = sizeof(http_buf) - 1;
465  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
466 
467  memset(&th_v, 0, sizeof(th_v));
468  memset(&f, 0, sizeof(f));
469  memset(&ssn, 0, sizeof(ssn));
470 
471  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
472 
473  FLOW_INITIALIZE(&f);
474  f.protoctx = (void *)&ssn;
475  f.proto = IPPROTO_TCP;
476  f.flags |= FLOW_IPV4;
477  p->flow = &f;
478  p->flowflags |= FLOW_PKT_TOSERVER;
479  p->flowflags |= FLOW_PKT_ESTABLISHED;
480  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
481  f.alproto = ALPROTO_HTTP1;
482 
483  StreamTcpInitConfig(true);
484 
485  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
486  FAIL_IF_NULL(de_ctx);
487  de_ctx->flags |= DE_QUIET;
488 
489  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
490  "(msg:\"http header test\"; "
491  "content:!\"CO\"; offset:3; http_cookie; "
492  "sid:1;)");
493  FAIL_IF_NULL(s);
494 
495  SigGroupBuild(de_ctx);
496  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
497 
498  int r = AppLayerParserParse(
499  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
500  FAIL_IF_NOT(r == 0);
501 
502  HtpState *http_state = f.alstate;
503  FAIL_IF_NULL(http_state);
504 
505  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
506  FAIL_IF(!(PacketAlertCheck(p, 1)));
507 
508  AppLayerParserThreadCtxFree(alp_tctx);
509  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
510  DetectEngineCtxFree(de_ctx);
511  StreamTcpFreeConfig(true);
512  UTHFreePackets(&p, 1);
513  FLOW_DESTROY(&f);
514  StatsThreadCleanup(&th_v);
515  PASS;
516 }
517 
518 /**
519  * \test Test that the http_cookie content matches against a http request
520  * which holds the content.
521  */
522 static int DetectEngineHttpCookieTest08(void)
523 {
524  TcpSession ssn;
525  ThreadVars th_v;
526  DetectEngineThreadCtx *det_ctx = NULL;
527  Flow f;
528  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
529  "Cookie: CONNECT\r\n"
530  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
531  uint32_t http_len = sizeof(http_buf) - 1;
532  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
533 
534  memset(&th_v, 0, sizeof(th_v));
535  memset(&f, 0, sizeof(f));
536  memset(&ssn, 0, sizeof(ssn));
537 
538  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
539 
540  FLOW_INITIALIZE(&f);
541  f.protoctx = (void *)&ssn;
542  f.proto = IPPROTO_TCP;
543  f.flags |= FLOW_IPV4;
544  p->flow = &f;
545  p->flowflags |= FLOW_PKT_TOSERVER;
546  p->flowflags |= FLOW_PKT_ESTABLISHED;
547  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
548  f.alproto = ALPROTO_HTTP1;
549 
550  StreamTcpInitConfig(true);
551 
552  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
553  FAIL_IF_NULL(de_ctx);
554  de_ctx->flags |= DE_QUIET;
555 
556  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
557  "(msg:\"http header test\"; "
558  "content:!\"ECT\"; offset:3; http_cookie; "
559  "sid:1;)");
560  FAIL_IF_NULL(s);
561 
562  SigGroupBuild(de_ctx);
563  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
564 
565  int r = AppLayerParserParse(
566  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
567  FAIL_IF_NOT(r == 0);
568 
569  HtpState *http_state = f.alstate;
570  FAIL_IF_NULL(http_state);
571 
572  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
573  FAIL_IF(PacketAlertCheck(p, 1));
574 
575  UTHFreePackets(&p, 1);
576  FLOW_DESTROY(&f);
577  AppLayerParserThreadCtxFree(alp_tctx);
578  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
579  DetectEngineCtxFree(de_ctx);
580  StreamTcpFreeConfig(true);
581  StatsThreadCleanup(&th_v);
582  PASS;
583 }
584 
585 /**
586  * \test Test that the http_cookie content matches against a http request
587  * which holds the content.
588  */
589 static int DetectEngineHttpCookieTest09(void)
590 {
591  TcpSession ssn;
592  ThreadVars th_v;
593  DetectEngineThreadCtx *det_ctx = NULL;
594  Flow f;
595  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
596  "Cookie: CONNECT\r\n"
597  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
598  uint32_t http_len = sizeof(http_buf) - 1;
599  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
600 
601  memset(&th_v, 0, sizeof(th_v));
602  memset(&f, 0, sizeof(f));
603  memset(&ssn, 0, sizeof(ssn));
604 
605  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
606 
607  FLOW_INITIALIZE(&f);
608  f.protoctx = (void *)&ssn;
609  f.proto = IPPROTO_TCP;
610  f.flags |= FLOW_IPV4;
611  p->flow = &f;
612  p->flowflags |= FLOW_PKT_TOSERVER;
613  p->flowflags |= FLOW_PKT_ESTABLISHED;
614  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
615  f.alproto = ALPROTO_HTTP1;
616 
617  StreamTcpInitConfig(true);
618 
619  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
620  FAIL_IF_NULL(de_ctx);
621  de_ctx->flags |= DE_QUIET;
622 
623  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
624  "(msg:\"http header test\"; "
625  "content:\"CON\"; offset:3; http_cookie; "
626  "sid:1;)");
627  FAIL_IF_NULL(s);
628 
629  SigGroupBuild(de_ctx);
630  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
631 
632  int r = AppLayerParserParse(
633  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
634  FAIL_IF_NOT(r == 0);
635 
636  HtpState *http_state = f.alstate;
637  FAIL_IF_NULL(http_state);
638 
639  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
640  FAIL_IF(PacketAlertCheck(p, 1));
641 
642  UTHFreePackets(&p, 1);
643  FLOW_DESTROY(&f);
644  AppLayerParserThreadCtxFree(alp_tctx);
645  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
646  DetectEngineCtxFree(de_ctx);
647  StreamTcpFreeConfig(true);
648  StatsThreadCleanup(&th_v);
649  PASS;
650 }
651 
652 /**
653  * \test Test that the http_cookie content matches against a http request
654  * which holds the content.
655  */
656 static int DetectEngineHttpCookieTest10(void)
657 {
658  TcpSession ssn;
659  ThreadVars th_v;
660  DetectEngineThreadCtx *det_ctx = NULL;
661  Flow f;
662  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
663  "Cookie: CONNECT\r\n"
664  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
665  uint32_t http_len = sizeof(http_buf) - 1;
666  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
667 
668  memset(&th_v, 0, sizeof(th_v));
669  memset(&f, 0, sizeof(f));
670  memset(&ssn, 0, sizeof(ssn));
671 
672  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
673 
674  FLOW_INITIALIZE(&f);
675  f.protoctx = (void *)&ssn;
676  f.proto = IPPROTO_TCP;
677  f.flags |= FLOW_IPV4;
678  p->flow = &f;
679  p->flowflags |= FLOW_PKT_TOSERVER;
680  p->flowflags |= FLOW_PKT_ESTABLISHED;
681  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
682  f.alproto = ALPROTO_HTTP1;
683 
684  StreamTcpInitConfig(true);
685 
686  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
687  FAIL_IF_NULL(de_ctx);
688  de_ctx->flags |= DE_QUIET;
689 
690  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
691  "(msg:\"http header test\"; "
692  "content:\"CO\"; http_cookie; "
693  "content:\"EC\"; within:4; http_cookie; "
694  "sid:1;)");
695  FAIL_IF_NULL(s);
696 
697  SigGroupBuild(de_ctx);
698  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
699 
700  int r = AppLayerParserParse(
701  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
702  FAIL_IF_NOT(r == 0);
703 
704  HtpState *http_state = f.alstate;
705  FAIL_IF_NULL(http_state);
706 
707  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
708  FAIL_IF(!PacketAlertCheck(p, 1));
709 
710  UTHFreePackets(&p, 1);
711  FLOW_DESTROY(&f);
712  AppLayerParserThreadCtxFree(alp_tctx);
713  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
714  DetectEngineCtxFree(de_ctx);
715  StreamTcpFreeConfig(true);
716  StatsThreadCleanup(&th_v);
717  PASS;
718 }
719 
720 /**
721  * \test Test that the http_cookie content matches against a http request
722  * which holds the content.
723  */
724 static int DetectEngineHttpCookieTest11(void)
725 {
726  TcpSession ssn;
727  ThreadVars th_v;
728  DetectEngineThreadCtx *det_ctx = NULL;
729  Flow f;
730  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
731  "Cookie: CONNECT\r\n"
732  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
733  uint32_t http_len = sizeof(http_buf) - 1;
734  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
735 
736  memset(&th_v, 0, sizeof(th_v));
737  memset(&f, 0, sizeof(f));
738  memset(&ssn, 0, sizeof(ssn));
739 
740  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
741 
742  FLOW_INITIALIZE(&f);
743  f.protoctx = (void *)&ssn;
744  f.proto = IPPROTO_TCP;
745  f.flags |= FLOW_IPV4;
746  p->flow = &f;
747  p->flowflags |= FLOW_PKT_TOSERVER;
748  p->flowflags |= FLOW_PKT_ESTABLISHED;
749  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
750  f.alproto = ALPROTO_HTTP1;
751 
752  StreamTcpInitConfig(true);
753 
754  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
755  FAIL_IF_NULL(de_ctx);
756  de_ctx->flags |= DE_QUIET;
757 
758  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
759  "(msg:\"http header test\"; "
760  "content:\"CO\"; http_cookie; "
761  "content:!\"EC\"; within:3; http_cookie; "
762  "sid:1;)");
763  FAIL_IF_NULL(s);
764 
765  SigGroupBuild(de_ctx);
766  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
767 
768  int r = AppLayerParserParse(
769  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
770  FAIL_IF_NOT(r == 0);
771 
772  HtpState *http_state = f.alstate;
773  FAIL_IF_NULL(http_state);
774 
775  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
776  FAIL_IF(!PacketAlertCheck(p, 1));
777 
778  UTHFreePackets(&p, 1);
779  FLOW_DESTROY(&f);
780  AppLayerParserThreadCtxFree(alp_tctx);
781  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
782  DetectEngineCtxFree(de_ctx);
783  StreamTcpFreeConfig(true);
784  StatsThreadCleanup(&th_v);
785  PASS;
786 }
787 
788 /**
789  * \test Test that the http_cookie content matches against a http request
790  * which holds the content.
791  */
792 static int DetectEngineHttpCookieTest12(void)
793 {
794  TcpSession ssn;
795  ThreadVars th_v;
796  DetectEngineThreadCtx *det_ctx = NULL;
797  Flow f;
798  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
799  "Cookie: CONNECT\r\n"
800  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
801  uint32_t http_len = sizeof(http_buf) - 1;
802  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
803 
804  memset(&th_v, 0, sizeof(th_v));
805  memset(&f, 0, sizeof(f));
806  memset(&ssn, 0, sizeof(ssn));
807 
808  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
809 
810  FLOW_INITIALIZE(&f);
811  f.protoctx = (void *)&ssn;
812  f.proto = IPPROTO_TCP;
813  f.flags |= FLOW_IPV4;
814  p->flow = &f;
815  p->flowflags |= FLOW_PKT_TOSERVER;
816  p->flowflags |= FLOW_PKT_ESTABLISHED;
817  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
818  f.alproto = ALPROTO_HTTP1;
819 
820  StreamTcpInitConfig(true);
821 
822  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
823  FAIL_IF_NULL(de_ctx);
824  de_ctx->flags |= DE_QUIET;
825 
826  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
827  "(msg:\"http header test\"; "
828  "content:\"CO\"; http_cookie; "
829  "content:\"EC\"; within:3; http_cookie; "
830  "sid:1;)");
831  FAIL_IF_NULL(s);
832 
833  SigGroupBuild(de_ctx);
834  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
835 
836  int r = AppLayerParserParse(
837  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
838  FAIL_IF_NOT(r == 0);
839 
840  HtpState *http_state = f.alstate;
841  FAIL_IF_NULL(http_state);
842 
843  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
844  FAIL_IF(PacketAlertCheck(p, 1));
845 
846  UTHFreePackets(&p, 1);
847  FLOW_DESTROY(&f);
848  AppLayerParserThreadCtxFree(alp_tctx);
849  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
850  DetectEngineCtxFree(de_ctx);
851  StreamTcpFreeConfig(true);
852  StatsThreadCleanup(&th_v);
853  PASS;
854 }
855 
856 /**
857  * \test Test that the http_cookie content matches against a http request
858  * which holds the content.
859  */
860 static int DetectEngineHttpCookieTest13(void)
861 {
862  TcpSession ssn;
863  ThreadVars th_v;
864  DetectEngineThreadCtx *det_ctx = NULL;
865  Flow f;
866  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
867  "Cookie: CONNECT\r\n"
868  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
869  uint32_t http_len = sizeof(http_buf) - 1;
870  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
871 
872  memset(&th_v, 0, sizeof(th_v));
873  memset(&f, 0, sizeof(f));
874  memset(&ssn, 0, sizeof(ssn));
875 
876  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
877 
878  FLOW_INITIALIZE(&f);
879  f.protoctx = (void *)&ssn;
880  f.proto = IPPROTO_TCP;
881  f.flags |= FLOW_IPV4;
882  p->flow = &f;
883  p->flowflags |= FLOW_PKT_TOSERVER;
884  p->flowflags |= FLOW_PKT_ESTABLISHED;
885  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
886  f.alproto = ALPROTO_HTTP1;
887 
888  StreamTcpInitConfig(true);
889 
890  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
891  FAIL_IF_NULL(de_ctx);
892  de_ctx->flags |= DE_QUIET;
893 
894  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
895  "(msg:\"http header test\"; "
896  "content:\"CO\"; http_cookie; "
897  "content:!\"EC\"; within:4; http_cookie; "
898  "sid:1;)");
899  FAIL_IF_NULL(s);
900 
901  SigGroupBuild(de_ctx);
902  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
903 
904  int r = AppLayerParserParse(
905  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
906  FAIL_IF_NOT(r == 0);
907 
908  HtpState *http_state = f.alstate;
909  FAIL_IF_NULL(http_state);
910 
911  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
912  FAIL_IF(PacketAlertCheck(p, 1));
913 
914  UTHFreePackets(&p, 1);
915  FLOW_DESTROY(&f);
916  AppLayerParserThreadCtxFree(alp_tctx);
917  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
918  DetectEngineCtxFree(de_ctx);
919  StreamTcpFreeConfig(true);
920  StatsThreadCleanup(&th_v);
921  PASS;
922 }
923 
924 /**
925  * \test Test that the http_cookie content matches against a http request
926  * which holds the content.
927  */
928 static int DetectEngineHttpCookieTest14(void)
929 {
930  TcpSession ssn;
931  ThreadVars th_v;
932  DetectEngineThreadCtx *det_ctx = NULL;
933  Flow f;
934  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
935  "Cookie: CONNECT\r\n"
936  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
937  uint32_t http_len = sizeof(http_buf) - 1;
938  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
939 
940  memset(&th_v, 0, sizeof(th_v));
941  memset(&f, 0, sizeof(f));
942  memset(&ssn, 0, sizeof(ssn));
943 
944  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
945 
946  FLOW_INITIALIZE(&f);
947  f.protoctx = (void *)&ssn;
948  f.proto = IPPROTO_TCP;
949  f.flags |= FLOW_IPV4;
950  p->flow = &f;
951  p->flowflags |= FLOW_PKT_TOSERVER;
952  p->flowflags |= FLOW_PKT_ESTABLISHED;
953  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
954  f.alproto = ALPROTO_HTTP1;
955 
956  StreamTcpInitConfig(true);
957 
958  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
959  FAIL_IF_NULL(de_ctx);
960  de_ctx->flags |= DE_QUIET;
961 
962  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
963  "(msg:\"http header test\"; "
964  "content:\"CO\"; http_cookie; "
965  "content:\"EC\"; distance:2; http_cookie; "
966  "sid:1;)");
967  FAIL_IF_NULL(s);
968 
969  SigGroupBuild(de_ctx);
970  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
971 
972  int r = AppLayerParserParse(
973  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
974  FAIL_IF_NOT(r == 0);
975 
976  HtpState *http_state = f.alstate;
977  FAIL_IF_NULL(http_state);
978 
979  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
980  FAIL_IF(!PacketAlertCheck(p, 1));
981 
982  UTHFreePackets(&p, 1);
983  FLOW_DESTROY(&f);
984  AppLayerParserThreadCtxFree(alp_tctx);
985  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
986  DetectEngineCtxFree(de_ctx);
987  StreamTcpFreeConfig(true);
988  StatsThreadCleanup(&th_v);
989  PASS;
990 }
991 
992 /**
993  * \test Test that the http_cookie content matches against a http request
994  * which holds the content.
995  */
996 static int DetectEngineHttpCookieTest15(void)
997 {
998  TcpSession ssn;
999  ThreadVars th_v;
1000  DetectEngineThreadCtx *det_ctx = NULL;
1001  Flow f;
1002  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
1003  "Cookie: CONNECT\r\n"
1004  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1005  uint32_t http_len = sizeof(http_buf) - 1;
1006  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1007 
1008  memset(&th_v, 0, sizeof(th_v));
1009  memset(&f, 0, sizeof(f));
1010  memset(&ssn, 0, sizeof(ssn));
1011 
1012  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1013 
1014  FLOW_INITIALIZE(&f);
1015  f.protoctx = (void *)&ssn;
1016  f.proto = IPPROTO_TCP;
1017  f.flags |= FLOW_IPV4;
1018  p->flow = &f;
1019  p->flowflags |= FLOW_PKT_TOSERVER;
1020  p->flowflags |= FLOW_PKT_ESTABLISHED;
1021  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1022  f.alproto = ALPROTO_HTTP1;
1023 
1024  StreamTcpInitConfig(true);
1025 
1026  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1027  FAIL_IF_NULL(de_ctx);
1028  de_ctx->flags |= DE_QUIET;
1029 
1030  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1031  "(msg:\"http header test\"; "
1032  "content:\"CO\"; http_cookie; "
1033  "content:!\"EC\"; distance:3; http_cookie; "
1034  "sid:1;)");
1035  FAIL_IF_NULL(s);
1036 
1037  SigGroupBuild(de_ctx);
1038  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1039 
1040  int r = AppLayerParserParse(
1041  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1042  FAIL_IF_NOT(r == 0);
1043 
1044  HtpState *http_state = f.alstate;
1045  FAIL_IF_NULL(http_state);
1046 
1047  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1048  FAIL_IF(!PacketAlertCheck(p, 1));
1049 
1050  UTHFreePackets(&p, 1);
1051  FLOW_DESTROY(&f);
1052  AppLayerParserThreadCtxFree(alp_tctx);
1053  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1054  DetectEngineCtxFree(de_ctx);
1055  StreamTcpFreeConfig(true);
1056  StatsThreadCleanup(&th_v);
1057  PASS;
1058 }
1059 
1060 /**
1061  * \test Test that the http_cookie content matches against a http request
1062  * which holds the content.
1063  */
1064 static int DetectEngineHttpCookieTest16(void)
1065 {
1066  TcpSession ssn;
1067  ThreadVars th_v;
1068  DetectEngineThreadCtx *det_ctx = NULL;
1069  Flow f;
1070  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
1071  "Cookie: CONNECT\r\n"
1072  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1073  uint32_t http_len = sizeof(http_buf) - 1;
1074  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1075 
1076  memset(&th_v, 0, sizeof(th_v));
1077  memset(&f, 0, sizeof(f));
1078  memset(&ssn, 0, sizeof(ssn));
1079 
1080  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1081 
1082  FLOW_INITIALIZE(&f);
1083  f.protoctx = (void *)&ssn;
1084  f.proto = IPPROTO_TCP;
1085  f.flags |= FLOW_IPV4;
1086  p->flow = &f;
1087  p->flowflags |= FLOW_PKT_TOSERVER;
1088  p->flowflags |= FLOW_PKT_ESTABLISHED;
1089  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1090  f.alproto = ALPROTO_HTTP1;
1091 
1092  StreamTcpInitConfig(true);
1093 
1094  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1095  FAIL_IF_NULL(de_ctx);
1096  de_ctx->flags |= DE_QUIET;
1097 
1098  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1099  "(msg:\"http header test\"; "
1100  "content:\"CO\"; http_cookie; "
1101  "content:\"EC\"; distance:3; http_cookie; "
1102  "sid:1;)");
1103  FAIL_IF_NULL(s);
1104 
1105  SigGroupBuild(de_ctx);
1106  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1107 
1108  int r = AppLayerParserParse(
1109  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1110  FAIL_IF_NOT(r == 0);
1111 
1112  HtpState *http_state = f.alstate;
1113  FAIL_IF_NULL(http_state);
1114 
1115  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1116  FAIL_IF(PacketAlertCheck(p, 1));
1117 
1118  UTHFreePackets(&p, 1);
1119  FLOW_DESTROY(&f);
1120  AppLayerParserThreadCtxFree(alp_tctx);
1121  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1122  DetectEngineCtxFree(de_ctx);
1123  StreamTcpFreeConfig(true);
1124  StatsThreadCleanup(&th_v);
1125  PASS;
1126 }
1127 
1128 /**
1129  * \test Test that the http_cookie content matches against a http request
1130  * which holds the content.
1131  */
1132 static int DetectEngineHttpCookieTest17(void)
1133 {
1134  TcpSession ssn;
1135  ThreadVars th_v;
1136  DetectEngineThreadCtx *det_ctx = NULL;
1137  Flow f;
1138  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
1139  "Cookie: CONNECT\r\n"
1140  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1141  uint32_t http_len = sizeof(http_buf) - 1;
1142  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1143 
1144  memset(&th_v, 0, sizeof(th_v));
1145  memset(&f, 0, sizeof(f));
1146  memset(&ssn, 0, sizeof(ssn));
1147 
1148  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1149 
1150  FLOW_INITIALIZE(&f);
1151  f.protoctx = (void *)&ssn;
1152  f.proto = IPPROTO_TCP;
1153  f.flags |= FLOW_IPV4;
1154  p->flow = &f;
1155  p->flowflags |= FLOW_PKT_TOSERVER;
1156  p->flowflags |= FLOW_PKT_ESTABLISHED;
1157  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1158  f.alproto = ALPROTO_HTTP1;
1159 
1160  StreamTcpInitConfig(true);
1161 
1162  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1163  FAIL_IF_NULL(de_ctx);
1164  de_ctx->flags |= DE_QUIET;
1165 
1166  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1167  "(msg:\"http header test\"; "
1168  "content:\"CO\"; http_cookie; "
1169  "content:!\"EC\"; distance:2; http_cookie; "
1170  "sid:1;)");
1171  FAIL_IF_NULL(s);
1172 
1173  SigGroupBuild(de_ctx);
1174  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1175 
1176  int r = AppLayerParserParse(
1177  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1178  FAIL_IF_NOT(r == 0);
1179 
1180  HtpState *http_state = f.alstate;
1181  FAIL_IF_NULL(http_state);
1182 
1183  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1184  FAIL_IF(PacketAlertCheck(p, 1));
1185 
1186  UTHFreePackets(&p, 1);
1187  FLOW_DESTROY(&f);
1188  AppLayerParserThreadCtxFree(alp_tctx);
1189  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1190  DetectEngineCtxFree(de_ctx);
1191  StreamTcpFreeConfig(true);
1192  StatsThreadCleanup(&th_v);
1193  PASS;
1194 }
1195 
1196 /**
1197  * \test Checks if a http_cookie is registered in a Signature, if content is not
1198  * specified in the signature
1199  */
1200 static int DetectHttpCookieTest01(void)
1201 {
1202  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1203  FAIL_IF_NULL(de_ctx);
1204  de_ctx->flags |= DE_QUIET;
1205  Signature *s =
1206  DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1207  "(msg:\"Testing http_cookie\"; http_cookie;sid:1;)");
1208  FAIL_IF_NOT_NULL(s);
1209  DetectEngineCtxFree(de_ctx);
1210  PASS;
1211 }
1212 
1213 /**
1214  * \test Checks if a http_cookie is registered in a Signature, if some parameter
1215  * is specified with http_cookie in the signature
1216  */
1217 static int DetectHttpCookieTest02(void)
1218 {
1219  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1220  FAIL_IF_NULL(de_ctx);
1221  de_ctx->flags |= DE_QUIET;
1222  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1223  "(msg:\"Testing http_cookie\"; content:\"me\"; "
1224  "http_cookie:woo; sid:1;)");
1225  FAIL_IF_NOT_NULL(s);
1226  DetectEngineCtxFree(de_ctx);
1227  PASS;
1228 }
1229 
1230 /** \test Check the signature working to alert when http_cookie is matched . */
1231 static int DetectHttpCookieSigTest01(void)
1232 {
1233  Flow f;
1234  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
1235  " hellocatchme\r\n\r\n";
1236  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1237  TcpSession ssn;
1238  ThreadVars th_v;
1239  DetectEngineThreadCtx *det_ctx = NULL;
1240  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1241 
1242  memset(&th_v, 0, sizeof(th_v));
1243  memset(&f, 0, sizeof(f));
1244  memset(&ssn, 0, sizeof(ssn));
1245 
1246  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1247 
1248  FLOW_INITIALIZE(&f);
1249  f.protoctx = (void *)&ssn;
1250  f.proto = IPPROTO_TCP;
1251  f.flags |= FLOW_IPV4;
1252 
1253  p->flow = &f;
1254  p->flowflags |= FLOW_PKT_TOSERVER;
1255  p->flowflags |= FLOW_PKT_ESTABLISHED;
1256  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1257  f.alproto = ALPROTO_HTTP1;
1258 
1259  StreamTcpInitConfig(true);
1260 
1261  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1262  FAIL_IF_NULL(de_ctx);
1263  de_ctx->flags |= DE_QUIET;
1264 
1265  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1266  "\"HTTP cookie\"; content:\"me\"; "
1267  "http_cookie; sid:1;)");
1268  FAIL_IF_NULL(s);
1269 
1270  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"HTTP "
1271  "cookie\"; content:\"go\"; http_cookie; sid:2;)");
1272  FAIL_IF_NULL(s);
1273 
1274  SigGroupBuild(de_ctx);
1275  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1276 
1277  int r = AppLayerParserParse(
1278  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1279  FAIL_IF_NOT(r == 0);
1280 
1281  HtpState *http_state = f.alstate;
1282  FAIL_IF_NULL(http_state);
1283 
1284  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1285  FAIL_IF(!(PacketAlertCheck(p, 1)));
1286  FAIL_IF(PacketAlertCheck(p, 2));
1287 
1288  UTHFreePackets(&p, 1);
1289  FLOW_DESTROY(&f);
1290  AppLayerParserThreadCtxFree(alp_tctx);
1291  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1292  DetectEngineCtxFree(de_ctx);
1293  StreamTcpFreeConfig(true);
1294  StatsThreadCleanup(&th_v);
1295  PASS;
1296 }
1297 
1298 /** \test Check the signature working to alert when http_cookie is not present */
1299 static int DetectHttpCookieSigTest02(void)
1300 {
1301  Flow f;
1302  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1303  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1304  TcpSession ssn;
1305  ThreadVars th_v;
1306  DetectEngineThreadCtx *det_ctx = NULL;
1307  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1308 
1309  memset(&th_v, 0, sizeof(th_v));
1310  memset(&f, 0, sizeof(f));
1311  memset(&ssn, 0, sizeof(ssn));
1312 
1313  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1314 
1315  FLOW_INITIALIZE(&f);
1316  f.protoctx = (void *)&ssn;
1317  f.proto = IPPROTO_TCP;
1318  f.flags |= FLOW_IPV4;
1319 
1320  p->flow = &f;
1321  p->flowflags |= FLOW_PKT_TOSERVER;
1322  p->flowflags |= FLOW_PKT_ESTABLISHED;
1323  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1324  f.alproto = ALPROTO_HTTP1;
1325 
1326  StreamTcpInitConfig(true);
1327 
1328  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1329  FAIL_IF_NULL(de_ctx);
1330  de_ctx->flags |= DE_QUIET;
1331 
1332  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1333  "\"HTTP cookie\"; content:\"me\"; "
1334  "http_cookie; sid:1;)");
1335  FAIL_IF_NULL(s);
1336 
1337  SigGroupBuild(de_ctx);
1338  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1339 
1340  int r = AppLayerParserParse(
1341  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1342  FAIL_IF_NOT(r == 0);
1343 
1344  HtpState *http_state = f.alstate;
1345  FAIL_IF_NULL(http_state);
1346 
1347  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1348  FAIL_IF(PacketAlertCheck(p, 1));
1349 
1350  UTHFreePackets(&p, 1);
1351  FLOW_DESTROY(&f);
1352  AppLayerParserThreadCtxFree(alp_tctx);
1353  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1354  DetectEngineCtxFree(de_ctx);
1355  StreamTcpFreeConfig(true);
1356  StatsThreadCleanup(&th_v);
1357  PASS;
1358 }
1359 
1360 /** \test Check the signature working to alert when http_cookie is not present */
1361 static int DetectHttpCookieSigTest03(void)
1362 {
1363  Flow f;
1364  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1365  "Cookie: dummy\r\n\r\n";
1366  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1367  TcpSession ssn;
1368  ThreadVars th_v;
1369  DetectEngineThreadCtx *det_ctx = NULL;
1370  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1371 
1372  memset(&th_v, 0, sizeof(th_v));
1373  memset(&f, 0, sizeof(f));
1374  memset(&ssn, 0, sizeof(ssn));
1375 
1376  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1377 
1378  FLOW_INITIALIZE(&f);
1379  f.protoctx = (void *)&ssn;
1380  f.proto = IPPROTO_TCP;
1381  f.flags |= FLOW_IPV4;
1382 
1383  p->flow = &f;
1384  p->flowflags |= FLOW_PKT_TOSERVER;
1385  p->flowflags |= FLOW_PKT_ESTABLISHED;
1386  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1387  f.alproto = ALPROTO_HTTP1;
1388 
1389  StreamTcpInitConfig(true);
1390 
1391  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1392  FAIL_IF_NULL(de_ctx);
1393  de_ctx->flags |= DE_QUIET;
1394 
1395  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1396  "\"HTTP cookie\"; content:\"boo\"; "
1397  "http_cookie; sid:1;)");
1398  FAIL_IF_NULL(s);
1399 
1400  SigGroupBuild(de_ctx);
1401  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1402 
1403  int r = AppLayerParserParse(
1404  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1405  FAIL_IF_NOT(r == 0);
1406 
1407  HtpState *http_state = f.alstate;
1408  FAIL_IF_NULL(http_state);
1409 
1410  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1411  FAIL_IF(PacketAlertCheck(p, 1));
1412 
1413  UTHFreePackets(&p, 1);
1414  FLOW_DESTROY(&f);
1415  AppLayerParserThreadCtxFree(alp_tctx);
1416  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1417  DetectEngineCtxFree(de_ctx);
1418  StreamTcpFreeConfig(true);
1419  StatsThreadCleanup(&th_v);
1420  PASS;
1421 }
1422 
1423 /** \test Check the signature working to alert when http_cookie is not present */
1424 static int DetectHttpCookieSigTest04(void)
1425 {
1426  Flow f;
1427  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1428  "Cookie: dummy\r\n\r\n";
1429  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1430  TcpSession ssn;
1431  ThreadVars th_v;
1432  DetectEngineThreadCtx *det_ctx = NULL;
1433  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1434 
1435  memset(&th_v, 0, sizeof(th_v));
1436  memset(&f, 0, sizeof(f));
1437  memset(&ssn, 0, sizeof(ssn));
1438 
1439  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1440 
1441  FLOW_INITIALIZE(&f);
1442  f.protoctx = (void *)&ssn;
1443  f.proto = IPPROTO_TCP;
1444  f.flags |= FLOW_IPV4;
1445 
1446  p->flow = &f;
1447  p->flowflags |= FLOW_PKT_TOSERVER;
1448  p->flowflags |= FLOW_PKT_ESTABLISHED;
1449  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1450  f.alproto = ALPROTO_HTTP1;
1451 
1452  StreamTcpInitConfig(true);
1453 
1454  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1455  FAIL_IF_NULL(de_ctx);
1456  de_ctx->flags |= DE_QUIET;
1457 
1458  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1459  "\"HTTP cookie\"; content:!\"boo\"; "
1460  "http_cookie; sid:1;)");
1461  FAIL_IF_NULL(s);
1462 
1463  SigGroupBuild(de_ctx);
1464  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1465 
1466  int r = AppLayerParserParse(
1467  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1468  FAIL_IF_NOT(r == 0);
1469 
1470  HtpState *http_state = f.alstate;
1471  FAIL_IF_NULL(http_state);
1472 
1473  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1474  FAIL_IF(!PacketAlertCheck(p, 1));
1475 
1476  UTHFreePackets(&p, 1);
1477  FLOW_DESTROY(&f);
1478  AppLayerParserThreadCtxFree(alp_tctx);
1479  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1480  DetectEngineCtxFree(de_ctx);
1481  StreamTcpFreeConfig(true);
1482  StatsThreadCleanup(&th_v);
1483  PASS;
1484 }
1485 
1486 /** \test Check the signature working to alert when http_cookie is not present */
1487 static int DetectHttpCookieSigTest05(void)
1488 {
1489  Flow f;
1490  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1491  "Cookie: DuMmY\r\n\r\n";
1492  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1493  TcpSession ssn;
1494  ThreadVars th_v;
1495  DetectEngineThreadCtx *det_ctx = NULL;
1496  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1497 
1498  memset(&th_v, 0, sizeof(th_v));
1499  memset(&f, 0, sizeof(f));
1500  memset(&ssn, 0, sizeof(ssn));
1501 
1502  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1503 
1504  FLOW_INITIALIZE(&f);
1505  f.protoctx = (void *)&ssn;
1506  f.proto = IPPROTO_TCP;
1507  f.flags |= FLOW_IPV4;
1508 
1509  p->flow = &f;
1510  p->flowflags |= FLOW_PKT_TOSERVER;
1511  p->flowflags |= FLOW_PKT_ESTABLISHED;
1512  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1513  f.alproto = ALPROTO_HTTP1;
1514 
1515  StreamTcpInitConfig(true);
1516 
1517  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1518  FAIL_IF_NULL(de_ctx);
1519  de_ctx->flags |= DE_QUIET;
1520 
1521  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1522  "\"HTTP cookie\"; content:\"dummy\"; nocase; "
1523  "http_cookie; sid:1;)");
1524  FAIL_IF_NULL(s);
1525 
1526  SigGroupBuild(de_ctx);
1527  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1528 
1529  int r = AppLayerParserParse(
1530  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1531  FAIL_IF_NOT(r == 0);
1532 
1533  HtpState *http_state = f.alstate;
1534  FAIL_IF_NULL(http_state);
1535 
1536  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1537  FAIL_IF(!PacketAlertCheck(p, 1));
1538 
1539  UTHFreePackets(&p, 1);
1540  FLOW_DESTROY(&f);
1541  AppLayerParserThreadCtxFree(alp_tctx);
1542  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1543  DetectEngineCtxFree(de_ctx);
1544  StreamTcpFreeConfig(true);
1545  StatsThreadCleanup(&th_v);
1546  PASS;
1547 }
1548 
1549 /** \test Check the signature working to alert when http_cookie is not present */
1550 static int DetectHttpCookieSigTest06(void)
1551 {
1552  Flow f;
1553  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1554  "Cookie: DuMmY\r\n\r\n";
1555  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1556  TcpSession ssn;
1557  ThreadVars th_v;
1558  DetectEngineThreadCtx *det_ctx = NULL;
1559  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1560 
1561  memset(&th_v, 0, sizeof(th_v));
1562  memset(&f, 0, sizeof(f));
1563  memset(&ssn, 0, sizeof(ssn));
1564 
1565  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1566 
1567  FLOW_INITIALIZE(&f);
1568  f.protoctx = (void *)&ssn;
1569  f.proto = IPPROTO_TCP;
1570  f.flags |= FLOW_IPV4;
1571 
1572  p->flow = &f;
1573  p->flowflags |= FLOW_PKT_TOSERVER;
1574  p->flowflags |= FLOW_PKT_ESTABLISHED;
1575  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1576  f.alproto = ALPROTO_HTTP1;
1577 
1578  StreamTcpInitConfig(true);
1579 
1580  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1581  FAIL_IF_NULL(de_ctx);
1582  de_ctx->flags |= DE_QUIET;
1583 
1584  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1585  "\"HTTP cookie\"; content:\"dummy\"; "
1586  "http_cookie; nocase; sid:1;)");
1587  FAIL_IF_NULL(s);
1588 
1589  SigGroupBuild(de_ctx);
1590  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1591 
1592  int r = AppLayerParserParse(
1593  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1594  FAIL_IF_NOT(r == 0);
1595 
1596  HtpState *http_state = f.alstate;
1597  FAIL_IF_NULL(http_state);
1598 
1599  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1600  FAIL_IF(!PacketAlertCheck(p, 1));
1601 
1602  UTHFreePackets(&p, 1);
1603  FLOW_DESTROY(&f);
1604  AppLayerParserThreadCtxFree(alp_tctx);
1605  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1606  DetectEngineCtxFree(de_ctx);
1607  StreamTcpFreeConfig(true);
1608  StatsThreadCleanup(&th_v);
1609  PASS;
1610 }
1611 
1612 /** \test Check the signature working to alert when http_cookie is not present */
1613 static int DetectHttpCookieSigTest07(void)
1614 {
1615  Flow f;
1616  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1617  "Cookie: dummy\r\n\r\n";
1618  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1619  TcpSession ssn;
1620  ThreadVars th_v;
1621  DetectEngineThreadCtx *det_ctx = NULL;
1622  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1623 
1624  memset(&th_v, 0, sizeof(th_v));
1625  memset(&f, 0, sizeof(f));
1626  memset(&ssn, 0, sizeof(ssn));
1627 
1628  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1629 
1630  FLOW_INITIALIZE(&f);
1631  f.protoctx = (void *)&ssn;
1632  f.proto = IPPROTO_TCP;
1633  f.flags |= FLOW_IPV4;
1634 
1635  p->flow = &f;
1636  p->flowflags |= FLOW_PKT_TOSERVER;
1637  p->flowflags |= FLOW_PKT_ESTABLISHED;
1638  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1639  f.alproto = ALPROTO_HTTP1;
1640 
1641  StreamTcpInitConfig(true);
1642 
1643  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1644  FAIL_IF_NULL(de_ctx);
1645  de_ctx->flags |= DE_QUIET;
1646 
1647  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1648  "\"HTTP cookie\"; content:!\"dummy\"; "
1649  "http_cookie; sid:1;)");
1650  FAIL_IF_NULL(s);
1651 
1652  SigGroupBuild(de_ctx);
1653  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1654 
1655  int r = AppLayerParserParse(
1656  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1657  FAIL_IF_NOT(r == 0);
1658 
1659  HtpState *http_state = f.alstate;
1660  FAIL_IF_NULL(http_state);
1661 
1662  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1663  FAIL_IF(PacketAlertCheck(p, 1));
1664 
1665  UTHFreePackets(&p, 1);
1666  FLOW_DESTROY(&f);
1667  AppLayerParserThreadCtxFree(alp_tctx);
1668  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1669  DetectEngineCtxFree(de_ctx);
1670  StreamTcpFreeConfig(true);
1671  StatsThreadCleanup(&th_v);
1672  PASS;
1673 }
1674 
1675 /**
1676  * \test Check the signature working to alert against set-cookie
1677  */
1678 static int DetectHttpCookieSigTest08(void)
1679 {
1680  uint8_t httpbuf_request[] = "GET / HTTP/1.1\r\n"
1681  "User-Agent: Mozilla/1.0\r\n"
1682  "\r\n";
1683  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
1684 
1685  uint8_t httpbuf_response[] = "HTTP/1.1 200 OK\r\n"
1686  "Set-Cookie: response_user_agent\r\n"
1687  "\r\n";
1688  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
1689 
1690  Flow f;
1691  TcpSession ssn;
1692  ThreadVars th_v;
1693  DetectEngineThreadCtx *det_ctx = NULL;
1694  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1695 
1696  memset(&th_v, 0, sizeof(th_v));
1697  memset(&f, 0, sizeof(f));
1698  memset(&ssn, 0, sizeof(ssn));
1699 
1700  FLOW_INITIALIZE(&f);
1701  f.protoctx = (void *)&ssn;
1702  f.proto = IPPROTO_TCP;
1703  f.flags |= FLOW_IPV4;
1704  f.alproto = ALPROTO_HTTP1;
1705 
1706  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1707  p1->flow = &f;
1708  p1->flowflags |= FLOW_PKT_TOSERVER;
1709  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1710  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1711 
1712  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1713  p2->flow = &f;
1714  p2->flowflags |= FLOW_PKT_TOCLIENT;
1715  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1716  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1717 
1718  StreamTcpInitConfig(true);
1719 
1720  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1721  FAIL_IF_NULL(de_ctx);
1722  de_ctx->flags |= DE_QUIET;
1723 
1724  Signature *s =
1725  DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1726  "(flow:to_client; content:\"response_user_agent\"; "
1727  "http_cookie; sid:1;)");
1728  FAIL_IF_NULL(s);
1729 
1730  SigGroupBuild(de_ctx);
1731  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1732 
1733  /* request */
1734  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
1735  httpbuf_request_len);
1736  FAIL_IF(r != 0);
1737 
1738  HtpState *http_state = f.alstate;
1739  FAIL_IF_NULL(http_state);
1740 
1741  /* do detect */
1742  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1743  FAIL_IF(PacketAlertCheck(p1, 1));
1744 
1745  /* response */
1746  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
1747  httpbuf_response_len);
1748  FAIL_IF(r != 0);
1749 
1750  /* do detect */
1751  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1752  FAIL_IF(!PacketAlertCheck(p2, 1));
1753 
1754  UTHFreePackets(&p1, 1);
1755  UTHFreePackets(&p2, 1);
1756  FLOW_DESTROY(&f);
1757 
1758  AppLayerParserThreadCtxFree(alp_tctx);
1759  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1760  DetectEngineCtxFree(de_ctx);
1761  StreamTcpFreeConfig(true);
1762  StatsThreadCleanup(&th_v);
1763  PASS;
1764 }
1765 
1766 /**
1767  * \test Check the signature working to alert against cookie/set-cookie
1768  */
1769 static int DetectHttpCookieSigTest09(void)
1770 {
1771  uint8_t httpbuf_request[] = "GET / HTTP/1.1\r\n"
1772  "Cookie: request_user_agent\r\n"
1773  "User-Agent: Mozilla/1.0\r\n"
1774  "\r\n";
1775  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
1776 
1777  uint8_t httpbuf_response[] = "HTTP/1.1 200 OK\r\n"
1778  "Set-Cookie: response_user_agent\r\n"
1779  "\r\n";
1780  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
1781  Flow f;
1782  TcpSession ssn;
1783  ThreadVars th_v;
1784  DetectEngineThreadCtx *det_ctx = NULL;
1785  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1786 
1787  memset(&th_v, 0, sizeof(th_v));
1788  memset(&f, 0, sizeof(f));
1789  memset(&ssn, 0, sizeof(ssn));
1790 
1791  FLOW_INITIALIZE(&f);
1792  f.protoctx = (void *)&ssn;
1793  f.proto = IPPROTO_TCP;
1794  f.flags |= FLOW_IPV4;
1795  f.alproto = ALPROTO_HTTP1;
1796 
1797  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1798  p1->flow = &f;
1799  p1->flowflags |= FLOW_PKT_TOSERVER;
1800  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1801  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1802 
1803  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1804  p2->flow = &f;
1805  p2->flowflags |= FLOW_PKT_TOCLIENT;
1806  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1807  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1808 
1809  StreamTcpInitConfig(true);
1810 
1811  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1812  FAIL_IF_NULL(de_ctx);
1813  de_ctx->flags |= DE_QUIET;
1814 
1815  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1816  "(flow:to_server; content:\"request_user_agent\"; "
1817  "http_cookie; sid:1;)");
1818  FAIL_IF_NULL(s);
1819  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1820  "(flow:to_client; content:\"response_user_agent\"; "
1821  "http_cookie; sid:2;)");
1822  FAIL_IF_NULL(s);
1823 
1824  SigGroupBuild(de_ctx);
1825  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1826 
1827  /* request */
1828  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
1829  httpbuf_request_len);
1830  FAIL_IF_NOT(r == 0);
1831 
1832  HtpState *http_state = f.alstate;
1833  FAIL_IF_NULL(http_state);
1834 
1835  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1836  FAIL_IF(!PacketAlertCheck(p1, 1));
1837  FAIL_IF(PacketAlertCheck(p1, 2));
1838 
1839  /* response */
1840  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
1841  httpbuf_response_len);
1842  FAIL_IF_NOT(r == 0);
1843 
1844  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1845  FAIL_IF(PacketAlertCheck(p2, 1));
1846  FAIL_IF(!PacketAlertCheck(p2, 2));
1847 
1848  UTHFreePackets(&p1, 1);
1849  UTHFreePackets(&p2, 1);
1850  FLOW_DESTROY(&f);
1851  AppLayerParserThreadCtxFree(alp_tctx);
1852  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1853  DetectEngineCtxFree(de_ctx);
1854  StreamTcpFreeConfig(true);
1855  StatsThreadCleanup(&th_v);
1856  PASS;
1857 }
1858 
1859 /**
1860  * \brief Register the UNITTESTS for the http_cookie keyword
1861  */
1862 void DetectHttpCookieRegisterTests(void)
1863 {
1864  UtRegisterTest("DetectHttpCookieTest01", DetectHttpCookieTest01);
1865  UtRegisterTest("DetectHttpCookieTest02", DetectHttpCookieTest02);
1866  UtRegisterTest("DetectHttpCookieSigTest01", DetectHttpCookieSigTest01);
1867  UtRegisterTest("DetectHttpCookieSigTest02", DetectHttpCookieSigTest02);
1868  UtRegisterTest("DetectHttpCookieSigTest03", DetectHttpCookieSigTest03);
1869  UtRegisterTest("DetectHttpCookieSigTest04", DetectHttpCookieSigTest04);
1870  UtRegisterTest("DetectHttpCookieSigTest05", DetectHttpCookieSigTest05);
1871  UtRegisterTest("DetectHttpCookieSigTest06", DetectHttpCookieSigTest06);
1872  UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
1873  UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
1874  UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
1875  UtRegisterTest("DetectEngineHttpCookieTest01", DetectEngineHttpCookieTest01);
1876  UtRegisterTest("DetectEngineHttpCookieTest02", DetectEngineHttpCookieTest02);
1877  UtRegisterTest("DetectEngineHttpCookieTest03", DetectEngineHttpCookieTest03);
1878  UtRegisterTest("DetectEngineHttpCookieTest04", DetectEngineHttpCookieTest04);
1879  UtRegisterTest("DetectEngineHttpCookieTest05", DetectEngineHttpCookieTest05);
1880  UtRegisterTest("DetectEngineHttpCookieTest06", DetectEngineHttpCookieTest06);
1881  UtRegisterTest("DetectEngineHttpCookieTest07", DetectEngineHttpCookieTest07);
1882  UtRegisterTest("DetectEngineHttpCookieTest08", DetectEngineHttpCookieTest08);
1883  UtRegisterTest("DetectEngineHttpCookieTest09", DetectEngineHttpCookieTest09);
1884  UtRegisterTest("DetectEngineHttpCookieTest10", DetectEngineHttpCookieTest10);
1885  UtRegisterTest("DetectEngineHttpCookieTest11", DetectEngineHttpCookieTest11);
1886  UtRegisterTest("DetectEngineHttpCookieTest12", DetectEngineHttpCookieTest12);
1887  UtRegisterTest("DetectEngineHttpCookieTest13", DetectEngineHttpCookieTest13);
1888  UtRegisterTest("DetectEngineHttpCookieTest14", DetectEngineHttpCookieTest14);
1889  UtRegisterTest("DetectEngineHttpCookieTest15", DetectEngineHttpCookieTest15);
1890  UtRegisterTest("DetectEngineHttpCookieTest16", DetectEngineHttpCookieTest16);
1891  UtRegisterTest("DetectEngineHttpCookieTest17", DetectEngineHttpCookieTest17);
1892 }
1893 /**
1894  * @}
1895  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
HtpState_
Definition: app-layer-htp.h:181
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
Packet_
Definition: decode.h:501
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3596
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456