suricata
detect-http-cookie.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP cookie match
31  *
32  */
33 
34 #include "../suricata-common.h"
35 #include "../suricata.h"
36 #include "../flow-util.h"
37 #include "../flow.h"
38 #include "../app-layer-parser.h"
39 #include "../util-unittest.h"
40 #include "../util-unittest-helper.h"
41 #include "../app-layer.h"
42 #include "../app-layer-htp.h"
43 #include "../app-layer-protos.h"
44 #include "../detect-isdataat.h"
45 #include "../detect-engine-build.h"
46 #include "../detect-engine-alert.h"
47 
48 /***********************************Unittests**********************************/
49 
50 /**
51  * \test Test that the http_cookie content matches against a http request
52  * which holds the content.
53  */
54 static int DetectEngineHttpCookieTest01(void)
55 {
56  TcpSession ssn;
57  Packet *p = NULL;
58  ThreadVars th_v;
59  DetectEngineCtx *de_ctx = NULL;
60  DetectEngineThreadCtx *det_ctx = NULL;
61  HtpState *http_state = NULL;
62  Flow f;
63  uint8_t http_buf[] =
64  "GET /index.html HTTP/1.0\r\n"
65  "Cookie: CONNECT\r\n"
66  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
67  uint32_t http_len = sizeof(http_buf) - 1;
68  int result = 0;
70 
71  memset(&th_v, 0, sizeof(th_v));
72  memset(&f, 0, sizeof(f));
73  memset(&ssn, 0, sizeof(ssn));
74 
75  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
76 
77  FLOW_INITIALIZE(&f);
78  f.protoctx = (void *)&ssn;
79  f.proto = IPPROTO_TCP;
80  f.flags |= FLOW_IPV4;
81  p->flow = &f;
86 
87  StreamTcpInitConfig(true);
88 
90  if (de_ctx == NULL)
91  goto end;
92 
93  de_ctx->flags |= DE_QUIET;
94 
95  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
96  "(msg:\"http header test\"; "
97  "content:\"CONNECT\"; http_cookie; "
98  "sid:1;)");
99  if (de_ctx->sig_list == NULL)
100  goto end;
101 
103  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
104 
105  int r = AppLayerParserParse(
106  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
107  if (r != 0) {
108  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
109  result = 0;
110  goto end;
111  }
112 
113  http_state = f.alstate;
114  if (http_state == NULL) {
115  printf("no http state: ");
116  result = 0;
117  goto end;
118  }
119 
120  /* do detect */
121  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
122 
123  if (!(PacketAlertCheck(p, 1))) {
124  printf("sid 1 didn't match but should have: ");
125  goto end;
126  }
127 
128  result = 1;
129 
130 end:
131  if (alp_tctx != NULL)
133  if (de_ctx != NULL)
135 
136  StreamTcpFreeConfig(true);
137  FLOW_DESTROY(&f);
138  UTHFreePackets(&p, 1);
139  return result;
140 }
141 
142 /**
143  * \test Test that the http_cookie content matches against a http request
144  * which holds the content.
145  */
146 static int DetectEngineHttpCookieTest02(void)
147 {
148  TcpSession ssn;
149  Packet *p = NULL;
150  ThreadVars th_v;
151  DetectEngineCtx *de_ctx = NULL;
152  DetectEngineThreadCtx *det_ctx = NULL;
153  HtpState *http_state = NULL;
154  Flow f;
155  uint8_t http_buf[] =
156  "CONNECT /index.html HTTP/1.0\r\n"
157  "Cookie: CONNECT\r\n"
158  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
159  uint32_t http_len = sizeof(http_buf) - 1;
160  int result = 0;
162 
163  memset(&th_v, 0, sizeof(th_v));
164  memset(&f, 0, sizeof(f));
165  memset(&ssn, 0, sizeof(ssn));
166 
167  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
168 
169  FLOW_INITIALIZE(&f);
170  f.protoctx = (void *)&ssn;
171  f.proto = IPPROTO_TCP;
172  f.flags |= FLOW_IPV4;
173  p->flow = &f;
178 
179  StreamTcpInitConfig(true);
180 
182  if (de_ctx == NULL)
183  goto end;
184 
185  de_ctx->flags |= DE_QUIET;
186 
187  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
188  "(msg:\"http header test\"; "
189  "content:\"CO\"; depth:4; http_cookie; "
190  "sid:1;)");
191  if (de_ctx->sig_list == NULL)
192  goto end;
193 
195  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
196 
197  int r = AppLayerParserParse(
198  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
199  if (r != 0) {
200  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
201  result = 0;
202  goto end;
203  }
204 
205  http_state = f.alstate;
206  if (http_state == NULL) {
207  printf("no http state: ");
208  result = 0;
209  goto end;
210  }
211 
212  /* do detect */
213  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
214 
215  if (!(PacketAlertCheck(p, 1))) {
216  printf("sid 1 didn't match but should have: ");
217  goto end;
218  }
219 
220  result = 1;
221 
222 end:
223  if (alp_tctx != NULL)
225  if (de_ctx != NULL)
227 
228  StreamTcpFreeConfig(true);
229  FLOW_DESTROY(&f);
230  UTHFreePackets(&p, 1);
231  return result;
232 }
233 
234 /**
235  * \test Test that the http_cookie content matches against a http request
236  * which holds the content.
237  */
238 static int DetectEngineHttpCookieTest03(void)
239 {
240  TcpSession ssn;
241  Packet *p = NULL;
242  ThreadVars th_v;
243  DetectEngineCtx *de_ctx = NULL;
244  DetectEngineThreadCtx *det_ctx = NULL;
245  HtpState *http_state = NULL;
246  Flow f;
247  uint8_t http_buf[] =
248  "CONNECT /index.html HTTP/1.0\r\n"
249  "Cookie: CONNECT\r\n"
250  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
251  uint32_t http_len = sizeof(http_buf) - 1;
252  int result = 0;
254 
255  memset(&th_v, 0, sizeof(th_v));
256  memset(&f, 0, sizeof(f));
257  memset(&ssn, 0, sizeof(ssn));
258 
259  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
260 
261  FLOW_INITIALIZE(&f);
262  f.protoctx = (void *)&ssn;
263  f.proto = IPPROTO_TCP;
264  f.flags |= FLOW_IPV4;
265  p->flow = &f;
270 
271  StreamTcpInitConfig(true);
272 
274  if (de_ctx == NULL)
275  goto end;
276 
277  de_ctx->flags |= DE_QUIET;
278 
279  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
280  "(msg:\"http header test\"; "
281  "content:!\"ECT\"; depth:4; http_cookie; "
282  "sid:1;)");
283  if (de_ctx->sig_list == NULL)
284  goto end;
285 
287  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
288 
289  int r = AppLayerParserParse(
290  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
291  if (r != 0) {
292  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
293  result = 0;
294  goto end;
295  }
296 
297  http_state = f.alstate;
298  if (http_state == NULL) {
299  printf("no http state: ");
300  result = 0;
301  goto end;
302  }
303 
304  /* do detect */
305  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
306 
307  if (!(PacketAlertCheck(p, 1))) {
308  printf("sid 1 didn't match but should have: ");
309  goto end;
310  }
311 
312  result = 1;
313 
314 end:
315  if (alp_tctx != NULL)
317  if (de_ctx != NULL)
319 
320  StreamTcpFreeConfig(true);
321  FLOW_DESTROY(&f);
322  UTHFreePackets(&p, 1);
323  return result;
324 }
325 
326 /**
327  * \test Test that the http_cookie content matches against a http request
328  * which holds the content.
329  */
330 static int DetectEngineHttpCookieTest04(void)
331 {
332  TcpSession ssn;
333  Packet *p = NULL;
334  ThreadVars th_v;
335  DetectEngineCtx *de_ctx = NULL;
336  DetectEngineThreadCtx *det_ctx = NULL;
337  HtpState *http_state = NULL;
338  Flow f;
339  uint8_t http_buf[] =
340  "CONNECT /index.html HTTP/1.0\r\n"
341  "Cookie: CONNECT\r\n"
342  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
343  uint32_t http_len = sizeof(http_buf) - 1;
344  int result = 0;
346 
347  memset(&th_v, 0, sizeof(th_v));
348  memset(&f, 0, sizeof(f));
349  memset(&ssn, 0, sizeof(ssn));
350 
351  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
352 
353  FLOW_INITIALIZE(&f);
354  f.protoctx = (void *)&ssn;
355  f.proto = IPPROTO_TCP;
356  f.flags |= FLOW_IPV4;
357  p->flow = &f;
362 
363  StreamTcpInitConfig(true);
364 
366  if (de_ctx == NULL)
367  goto end;
368 
369  de_ctx->flags |= DE_QUIET;
370 
371  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
372  "(msg:\"http header test\"; "
373  "content:\"ECT\"; depth:4; http_cookie; "
374  "sid:1;)");
375  if (de_ctx->sig_list == NULL)
376  goto end;
377 
379  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
380 
381  int r = AppLayerParserParse(
382  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
383  if (r != 0) {
384  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
385  result = 0;
386  goto end;
387  }
388 
389  http_state = f.alstate;
390  if (http_state == NULL) {
391  printf("no http state: ");
392  result = 0;
393  goto end;
394  }
395 
396  /* do detect */
397  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
398 
399  if (PacketAlertCheck(p, 1)) {
400  printf("sid 1 matched but shouldn't have: ");
401  goto end;
402  }
403 
404  result = 1;
405 
406 end:
407  if (alp_tctx != NULL)
409  if (de_ctx != NULL)
411 
412  StreamTcpFreeConfig(true);
413  FLOW_DESTROY(&f);
414  UTHFreePackets(&p, 1);
415  return result;
416 }
417 
418 /**
419  * \test Test that the http_cookie content matches against a http request
420  * which holds the content.
421  */
422 static int DetectEngineHttpCookieTest05(void)
423 {
424  TcpSession ssn;
425  Packet *p = NULL;
426  ThreadVars th_v;
427  DetectEngineCtx *de_ctx = NULL;
428  DetectEngineThreadCtx *det_ctx = NULL;
429  HtpState *http_state = NULL;
430  Flow f;
431  uint8_t http_buf[] =
432  "CONNECT /index.html HTTP/1.0\r\n"
433  "Cookie: CONNECT\r\n"
434  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
435  uint32_t http_len = sizeof(http_buf) - 1;
436  int result = 0;
438 
439  memset(&th_v, 0, sizeof(th_v));
440  memset(&f, 0, sizeof(f));
441  memset(&ssn, 0, sizeof(ssn));
442 
443  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
444 
445  FLOW_INITIALIZE(&f);
446  f.protoctx = (void *)&ssn;
447  f.proto = IPPROTO_TCP;
448  f.flags |= FLOW_IPV4;
449  p->flow = &f;
454 
455  StreamTcpInitConfig(true);
456 
458  if (de_ctx == NULL)
459  goto end;
460 
461  de_ctx->flags |= DE_QUIET;
462 
463  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
464  "(msg:\"http header test\"; "
465  "content:!\"CON\"; depth:4; http_cookie; "
466  "sid:1;)");
467  if (de_ctx->sig_list == NULL)
468  goto end;
469 
471  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
472 
473  int r = AppLayerParserParse(
474  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
475  if (r != 0) {
476  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
477  result = 0;
478  goto end;
479  }
480 
481  http_state = f.alstate;
482  if (http_state == NULL) {
483  printf("no http state: ");
484  result = 0;
485  goto end;
486  }
487 
488  /* do detect */
489  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
490 
491  if (PacketAlertCheck(p, 1)) {
492  printf("sid 1 matched but shouldn't have: ");
493  goto end;
494  }
495 
496  result = 1;
497 
498 end:
499  if (alp_tctx != NULL)
501  if (de_ctx != NULL)
503 
504  StreamTcpFreeConfig(true);
505  FLOW_DESTROY(&f);
506  UTHFreePackets(&p, 1);
507  return result;
508 }
509 
510 /**
511  * \test Test that the http_cookie content matches against a http request
512  * which holds the content.
513  */
514 static int DetectEngineHttpCookieTest06(void)
515 {
516  TcpSession ssn;
517  Packet *p = NULL;
518  ThreadVars th_v;
519  DetectEngineCtx *de_ctx = NULL;
520  DetectEngineThreadCtx *det_ctx = NULL;
521  HtpState *http_state = NULL;
522  Flow f;
523  uint8_t http_buf[] =
524  "CONNECT /index.html HTTP/1.0\r\n"
525  "Cookie: CONNECT\r\n"
526  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
527  uint32_t http_len = sizeof(http_buf) - 1;
528  int result = 0;
530 
531  memset(&th_v, 0, sizeof(th_v));
532  memset(&f, 0, sizeof(f));
533  memset(&ssn, 0, sizeof(ssn));
534 
535  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
536 
537  FLOW_INITIALIZE(&f);
538  f.protoctx = (void *)&ssn;
539  f.proto = IPPROTO_TCP;
540  f.flags |= FLOW_IPV4;
541  p->flow = &f;
546 
547  StreamTcpInitConfig(true);
548 
550  if (de_ctx == NULL)
551  goto end;
552 
553  de_ctx->flags |= DE_QUIET;
554 
555  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
556  "(msg:\"http header test\"; "
557  "content:\"ECT\"; offset:3; http_cookie; "
558  "sid:1;)");
559  if (de_ctx->sig_list == NULL)
560  goto end;
561 
563  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
564 
565  int r = AppLayerParserParse(
566  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
567  if (r != 0) {
568  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
569  result = 0;
570  goto end;
571  }
572 
573  http_state = f.alstate;
574  if (http_state == NULL) {
575  printf("no http state: ");
576  result = 0;
577  goto end;
578  }
579 
580  /* do detect */
581  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
582 
583  if (!(PacketAlertCheck(p, 1))) {
584  printf("sid 1 didn't match but should have: ");
585  goto end;
586  }
587 
588  result = 1;
589 
590 end:
591  if (alp_tctx != NULL)
593  if (de_ctx != NULL)
595 
596  StreamTcpFreeConfig(true);
597  FLOW_DESTROY(&f);
598  UTHFreePackets(&p, 1);
599  return result;
600 }
601 
602 /**
603  * \test Test that the http_cookie content matches against a http request
604  * which holds the content.
605  */
606 static int DetectEngineHttpCookieTest07(void)
607 {
608  TcpSession ssn;
609  Packet *p = NULL;
610  ThreadVars th_v;
611  DetectEngineCtx *de_ctx = NULL;
612  DetectEngineThreadCtx *det_ctx = NULL;
613  HtpState *http_state = NULL;
614  Flow f;
615  uint8_t http_buf[] =
616  "CONNECT /index.html HTTP/1.0\r\n"
617  "Cookie: CONNECT\r\n"
618  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
619  uint32_t http_len = sizeof(http_buf) - 1;
620  int result = 0;
622 
623  memset(&th_v, 0, sizeof(th_v));
624  memset(&f, 0, sizeof(f));
625  memset(&ssn, 0, sizeof(ssn));
626 
627  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
628 
629  FLOW_INITIALIZE(&f);
630  f.protoctx = (void *)&ssn;
631  f.proto = IPPROTO_TCP;
632  f.flags |= FLOW_IPV4;
633  p->flow = &f;
638 
639  StreamTcpInitConfig(true);
640 
642  if (de_ctx == NULL)
643  goto end;
644 
645  de_ctx->flags |= DE_QUIET;
646 
647  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
648  "(msg:\"http header test\"; "
649  "content:!\"CO\"; offset:3; http_cookie; "
650  "sid:1;)");
651  if (de_ctx->sig_list == NULL)
652  goto end;
653 
655  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
656 
657  int r = AppLayerParserParse(
658  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
659  if (r != 0) {
660  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
661  result = 0;
662  goto end;
663  }
664 
665  http_state = f.alstate;
666  if (http_state == NULL) {
667  printf("no http state: ");
668  result = 0;
669  goto end;
670  }
671 
672  /* do detect */
673  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
674 
675  if (!(PacketAlertCheck(p, 1))) {
676  printf("sid 1 didn't match but should have: ");
677  goto end;
678  }
679 
680  result = 1;
681 
682 end:
683  if (alp_tctx != NULL)
685  if (de_ctx != NULL)
687 
688  StreamTcpFreeConfig(true);
689  FLOW_DESTROY(&f);
690  UTHFreePackets(&p, 1);
691  return result;
692 }
693 
694 /**
695  * \test Test that the http_cookie content matches against a http request
696  * which holds the content.
697  */
698 static int DetectEngineHttpCookieTest08(void)
699 {
700  TcpSession ssn;
701  Packet *p = NULL;
702  ThreadVars th_v;
703  DetectEngineCtx *de_ctx = NULL;
704  DetectEngineThreadCtx *det_ctx = NULL;
705  HtpState *http_state = NULL;
706  Flow f;
707  uint8_t http_buf[] =
708  "CONNECT /index.html HTTP/1.0\r\n"
709  "Cookie: CONNECT\r\n"
710  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
711  uint32_t http_len = sizeof(http_buf) - 1;
712  int result = 0;
714 
715  memset(&th_v, 0, sizeof(th_v));
716  memset(&f, 0, sizeof(f));
717  memset(&ssn, 0, sizeof(ssn));
718 
719  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
720 
721  FLOW_INITIALIZE(&f);
722  f.protoctx = (void *)&ssn;
723  f.proto = IPPROTO_TCP;
724  f.flags |= FLOW_IPV4;
725  p->flow = &f;
730 
731  StreamTcpInitConfig(true);
732 
734  if (de_ctx == NULL)
735  goto end;
736 
737  de_ctx->flags |= DE_QUIET;
738 
739  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
740  "(msg:\"http header test\"; "
741  "content:!\"ECT\"; offset:3; http_cookie; "
742  "sid:1;)");
743  if (de_ctx->sig_list == NULL)
744  goto end;
745 
747  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
748 
749  int r = AppLayerParserParse(
750  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
751  if (r != 0) {
752  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
753  result = 0;
754  goto end;
755  }
756 
757  http_state = f.alstate;
758  if (http_state == NULL) {
759  printf("no http state: ");
760  result = 0;
761  goto end;
762  }
763 
764  /* do detect */
765  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
766 
767  if (PacketAlertCheck(p, 1)) {
768  printf("sid 1 matched but shouldn't have: ");
769  goto end;
770  }
771 
772  result = 1;
773 
774 end:
775  if (alp_tctx != NULL)
777  if (de_ctx != NULL)
779 
780  StreamTcpFreeConfig(true);
781  FLOW_DESTROY(&f);
782  UTHFreePackets(&p, 1);
783  return result;
784 }
785 
786 /**
787  * \test Test that the http_cookie content matches against a http request
788  * which holds the content.
789  */
790 static int DetectEngineHttpCookieTest09(void)
791 {
792  TcpSession ssn;
793  Packet *p = NULL;
794  ThreadVars th_v;
795  DetectEngineCtx *de_ctx = NULL;
796  DetectEngineThreadCtx *det_ctx = NULL;
797  HtpState *http_state = NULL;
798  Flow f;
799  uint8_t http_buf[] =
800  "CONNECT /index.html HTTP/1.0\r\n"
801  "Cookie: CONNECT\r\n"
802  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
803  uint32_t http_len = sizeof(http_buf) - 1;
804  int result = 0;
806 
807  memset(&th_v, 0, sizeof(th_v));
808  memset(&f, 0, sizeof(f));
809  memset(&ssn, 0, sizeof(ssn));
810 
811  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
812 
813  FLOW_INITIALIZE(&f);
814  f.protoctx = (void *)&ssn;
815  f.proto = IPPROTO_TCP;
816  f.flags |= FLOW_IPV4;
817  p->flow = &f;
822 
823  StreamTcpInitConfig(true);
824 
826  if (de_ctx == NULL)
827  goto end;
828 
829  de_ctx->flags |= DE_QUIET;
830 
831  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
832  "(msg:\"http header test\"; "
833  "content:\"CON\"; offset:3; http_cookie; "
834  "sid:1;)");
835  if (de_ctx->sig_list == NULL)
836  goto end;
837 
839  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
840 
841  int r = AppLayerParserParse(
842  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
843  if (r != 0) {
844  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
845  result = 0;
846  goto end;
847  }
848 
849  http_state = f.alstate;
850  if (http_state == NULL) {
851  printf("no http state: ");
852  result = 0;
853  goto end;
854  }
855 
856  /* do detect */
857  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
858 
859  if (PacketAlertCheck(p, 1)) {
860  printf("sid 1 matched but shouldn't have: ");
861  goto end;
862  }
863 
864  result = 1;
865 
866 end:
867  if (alp_tctx != NULL)
869  if (de_ctx != NULL)
871 
872  StreamTcpFreeConfig(true);
873  FLOW_DESTROY(&f);
874  UTHFreePackets(&p, 1);
875  return result;
876 }
877 
878 /**
879  * \test Test that the http_cookie content matches against a http request
880  * which holds the content.
881  */
882 static int DetectEngineHttpCookieTest10(void)
883 {
884  TcpSession ssn;
885  Packet *p = NULL;
886  ThreadVars th_v;
887  DetectEngineCtx *de_ctx = NULL;
888  DetectEngineThreadCtx *det_ctx = NULL;
889  HtpState *http_state = NULL;
890  Flow f;
891  uint8_t http_buf[] =
892  "CONNECT /index.html HTTP/1.0\r\n"
893  "Cookie: CONNECT\r\n"
894  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
895  uint32_t http_len = sizeof(http_buf) - 1;
896  int result = 0;
898 
899  memset(&th_v, 0, sizeof(th_v));
900  memset(&f, 0, sizeof(f));
901  memset(&ssn, 0, sizeof(ssn));
902 
903  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
904 
905  FLOW_INITIALIZE(&f);
906  f.protoctx = (void *)&ssn;
907  f.proto = IPPROTO_TCP;
908  f.flags |= FLOW_IPV4;
909  p->flow = &f;
914 
915  StreamTcpInitConfig(true);
916 
918  if (de_ctx == NULL)
919  goto end;
920 
921  de_ctx->flags |= DE_QUIET;
922 
923  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
924  "(msg:\"http header test\"; "
925  "content:\"CO\"; http_cookie; "
926  "content:\"EC\"; within:4; http_cookie; "
927  "sid:1;)");
928  if (de_ctx->sig_list == NULL)
929  goto end;
930 
932  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
933 
934  int r = AppLayerParserParse(
935  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
936  if (r != 0) {
937  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
938  result = 0;
939  goto end;
940  }
941 
942  http_state = f.alstate;
943  if (http_state == NULL) {
944  printf("no http state: ");
945  result = 0;
946  goto end;
947  }
948 
949  /* do detect */
950  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
951 
952  if (!PacketAlertCheck(p, 1)) {
953  printf("sid 1 didn't match but should have: ");
954  goto end;
955  }
956 
957  result = 1;
958 
959 end:
960  if (alp_tctx != NULL)
962  if (de_ctx != NULL)
964 
965  StreamTcpFreeConfig(true);
966  FLOW_DESTROY(&f);
967  UTHFreePackets(&p, 1);
968  return result;
969 }
970 
971 /**
972  * \test Test that the http_cookie content matches against a http request
973  * which holds the content.
974  */
975 static int DetectEngineHttpCookieTest11(void)
976 {
977  TcpSession ssn;
978  Packet *p = NULL;
979  ThreadVars th_v;
980  DetectEngineCtx *de_ctx = NULL;
981  DetectEngineThreadCtx *det_ctx = NULL;
982  HtpState *http_state = NULL;
983  Flow f;
984  uint8_t http_buf[] =
985  "CONNECT /index.html HTTP/1.0\r\n"
986  "Cookie: CONNECT\r\n"
987  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
988  uint32_t http_len = sizeof(http_buf) - 1;
989  int result = 0;
991 
992  memset(&th_v, 0, sizeof(th_v));
993  memset(&f, 0, sizeof(f));
994  memset(&ssn, 0, sizeof(ssn));
995 
996  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
997 
998  FLOW_INITIALIZE(&f);
999  f.protoctx = (void *)&ssn;
1000  f.proto = IPPROTO_TCP;
1001  f.flags |= FLOW_IPV4;
1002  p->flow = &f;
1006  f.alproto = ALPROTO_HTTP1;
1007 
1008  StreamTcpInitConfig(true);
1009 
1011  if (de_ctx == NULL)
1012  goto end;
1013 
1014  de_ctx->flags |= DE_QUIET;
1015 
1016  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1017  "(msg:\"http header test\"; "
1018  "content:\"CO\"; http_cookie; "
1019  "content:!\"EC\"; within:3; http_cookie; "
1020  "sid:1;)");
1021  if (de_ctx->sig_list == NULL)
1022  goto end;
1023 
1025  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1026 
1027  int r = AppLayerParserParse(
1028  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1029  if (r != 0) {
1030  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1031  result = 0;
1032  goto end;
1033  }
1034 
1035  http_state = f.alstate;
1036  if (http_state == NULL) {
1037  printf("no http state: ");
1038  result = 0;
1039  goto end;
1040  }
1041 
1042  /* do detect */
1043  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1044 
1045  if (!PacketAlertCheck(p, 1)) {
1046  printf("sid 1 didn't match but should have: ");
1047  goto end;
1048  }
1049 
1050  result = 1;
1051 
1052 end:
1053  if (alp_tctx != NULL)
1055  if (de_ctx != NULL)
1057 
1058  StreamTcpFreeConfig(true);
1059  FLOW_DESTROY(&f);
1060  UTHFreePackets(&p, 1);
1061  return result;
1062 }
1063 
1064 /**
1065  * \test Test that the http_cookie content matches against a http request
1066  * which holds the content.
1067  */
1068 static int DetectEngineHttpCookieTest12(void)
1069 {
1070  TcpSession ssn;
1071  Packet *p = NULL;
1072  ThreadVars th_v;
1073  DetectEngineCtx *de_ctx = NULL;
1074  DetectEngineThreadCtx *det_ctx = NULL;
1075  HtpState *http_state = NULL;
1076  Flow f;
1077  uint8_t http_buf[] =
1078  "CONNECT /index.html HTTP/1.0\r\n"
1079  "Cookie: CONNECT\r\n"
1080  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1081  uint32_t http_len = sizeof(http_buf) - 1;
1082  int result = 0;
1084 
1085  memset(&th_v, 0, sizeof(th_v));
1086  memset(&f, 0, sizeof(f));
1087  memset(&ssn, 0, sizeof(ssn));
1088 
1089  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1090 
1091  FLOW_INITIALIZE(&f);
1092  f.protoctx = (void *)&ssn;
1093  f.proto = IPPROTO_TCP;
1094  f.flags |= FLOW_IPV4;
1095  p->flow = &f;
1099  f.alproto = ALPROTO_HTTP1;
1100 
1101  StreamTcpInitConfig(true);
1102 
1104  if (de_ctx == NULL)
1105  goto end;
1106 
1107  de_ctx->flags |= DE_QUIET;
1108 
1109  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1110  "(msg:\"http header test\"; "
1111  "content:\"CO\"; http_cookie; "
1112  "content:\"EC\"; within:3; http_cookie; "
1113  "sid:1;)");
1114  if (de_ctx->sig_list == NULL)
1115  goto end;
1116 
1118  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1119 
1120  int r = AppLayerParserParse(
1121  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1122  if (r != 0) {
1123  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1124  result = 0;
1125  goto end;
1126  }
1127 
1128  http_state = f.alstate;
1129  if (http_state == NULL) {
1130  printf("no http state: ");
1131  result = 0;
1132  goto end;
1133  }
1134 
1135  /* do detect */
1136  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1137 
1138  if (PacketAlertCheck(p, 1)) {
1139  printf("sid 1 matched but shouldn't have: ");
1140  goto end;
1141  }
1142 
1143  result = 1;
1144 
1145 end:
1146  if (alp_tctx != NULL)
1148  if (de_ctx != NULL)
1150 
1151  StreamTcpFreeConfig(true);
1152  FLOW_DESTROY(&f);
1153  UTHFreePackets(&p, 1);
1154  return result;
1155 }
1156 
1157 /**
1158  * \test Test that the http_cookie content matches against a http request
1159  * which holds the content.
1160  */
1161 static int DetectEngineHttpCookieTest13(void)
1162 {
1163  TcpSession ssn;
1164  Packet *p = NULL;
1165  ThreadVars th_v;
1166  DetectEngineCtx *de_ctx = NULL;
1167  DetectEngineThreadCtx *det_ctx = NULL;
1168  HtpState *http_state = NULL;
1169  Flow f;
1170  uint8_t http_buf[] =
1171  "CONNECT /index.html HTTP/1.0\r\n"
1172  "Cookie: CONNECT\r\n"
1173  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1174  uint32_t http_len = sizeof(http_buf) - 1;
1175  int result = 0;
1177 
1178  memset(&th_v, 0, sizeof(th_v));
1179  memset(&f, 0, sizeof(f));
1180  memset(&ssn, 0, sizeof(ssn));
1181 
1182  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1183 
1184  FLOW_INITIALIZE(&f);
1185  f.protoctx = (void *)&ssn;
1186  f.proto = IPPROTO_TCP;
1187  f.flags |= FLOW_IPV4;
1188  p->flow = &f;
1192  f.alproto = ALPROTO_HTTP1;
1193 
1194  StreamTcpInitConfig(true);
1195 
1197  if (de_ctx == NULL)
1198  goto end;
1199 
1200  de_ctx->flags |= DE_QUIET;
1201 
1202  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1203  "(msg:\"http header test\"; "
1204  "content:\"CO\"; http_cookie; "
1205  "content:!\"EC\"; within:4; http_cookie; "
1206  "sid:1;)");
1207  if (de_ctx->sig_list == NULL)
1208  goto end;
1209 
1211  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1212 
1213  int r = AppLayerParserParse(
1214  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1215  if (r != 0) {
1216  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1217  result = 0;
1218  goto end;
1219  }
1220 
1221  http_state = f.alstate;
1222  if (http_state == NULL) {
1223  printf("no http state: ");
1224  result = 0;
1225  goto end;
1226  }
1227 
1228  /* do detect */
1229  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1230 
1231  if (PacketAlertCheck(p, 1)) {
1232  printf("sid 1 matched but shouldn't have: ");
1233  goto end;
1234  }
1235 
1236  result = 1;
1237 
1238 end:
1239  if (alp_tctx != NULL)
1241  if (de_ctx != NULL)
1243 
1244  StreamTcpFreeConfig(true);
1245  FLOW_DESTROY(&f);
1246  UTHFreePackets(&p, 1);
1247  return result;
1248 }
1249 
1250 /**
1251  * \test Test that the http_cookie content matches against a http request
1252  * which holds the content.
1253  */
1254 static int DetectEngineHttpCookieTest14(void)
1255 {
1256  TcpSession ssn;
1257  Packet *p = NULL;
1258  ThreadVars th_v;
1259  DetectEngineCtx *de_ctx = NULL;
1260  DetectEngineThreadCtx *det_ctx = NULL;
1261  HtpState *http_state = NULL;
1262  Flow f;
1263  uint8_t http_buf[] =
1264  "CONNECT /index.html HTTP/1.0\r\n"
1265  "Cookie: CONNECT\r\n"
1266  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1267  uint32_t http_len = sizeof(http_buf) - 1;
1268  int result = 0;
1270 
1271  memset(&th_v, 0, sizeof(th_v));
1272  memset(&f, 0, sizeof(f));
1273  memset(&ssn, 0, sizeof(ssn));
1274 
1275  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1276 
1277  FLOW_INITIALIZE(&f);
1278  f.protoctx = (void *)&ssn;
1279  f.proto = IPPROTO_TCP;
1280  f.flags |= FLOW_IPV4;
1281  p->flow = &f;
1285  f.alproto = ALPROTO_HTTP1;
1286 
1287  StreamTcpInitConfig(true);
1288 
1290  if (de_ctx == NULL)
1291  goto end;
1292 
1293  de_ctx->flags |= DE_QUIET;
1294 
1295  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1296  "(msg:\"http header test\"; "
1297  "content:\"CO\"; http_cookie; "
1298  "content:\"EC\"; distance:2; http_cookie; "
1299  "sid:1;)");
1300  if (de_ctx->sig_list == NULL)
1301  goto end;
1302 
1304  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1305 
1306  int r = AppLayerParserParse(
1307  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1308  if (r != 0) {
1309  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1310  result = 0;
1311  goto end;
1312  }
1313 
1314  http_state = f.alstate;
1315  if (http_state == NULL) {
1316  printf("no http state: ");
1317  result = 0;
1318  goto end;
1319  }
1320 
1321  /* do detect */
1322  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1323 
1324  if (!PacketAlertCheck(p, 1)) {
1325  printf("sid 1 didn't match but should have: ");
1326  goto end;
1327  }
1328 
1329  result = 1;
1330 
1331 end:
1332  if (alp_tctx != NULL)
1334  if (de_ctx != NULL)
1336 
1337  StreamTcpFreeConfig(true);
1338  FLOW_DESTROY(&f);
1339  UTHFreePackets(&p, 1);
1340  return result;
1341 }
1342 
1343 /**
1344  * \test Test that the http_cookie content matches against a http request
1345  * which holds the content.
1346  */
1347 static int DetectEngineHttpCookieTest15(void)
1348 {
1349  TcpSession ssn;
1350  Packet *p = NULL;
1351  ThreadVars th_v;
1352  DetectEngineCtx *de_ctx = NULL;
1353  DetectEngineThreadCtx *det_ctx = NULL;
1354  HtpState *http_state = NULL;
1355  Flow f;
1356  uint8_t http_buf[] =
1357  "CONNECT /index.html HTTP/1.0\r\n"
1358  "Cookie: CONNECT\r\n"
1359  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1360  uint32_t http_len = sizeof(http_buf) - 1;
1361  int result = 0;
1363 
1364  memset(&th_v, 0, sizeof(th_v));
1365  memset(&f, 0, sizeof(f));
1366  memset(&ssn, 0, sizeof(ssn));
1367 
1368  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1369 
1370  FLOW_INITIALIZE(&f);
1371  f.protoctx = (void *)&ssn;
1372  f.proto = IPPROTO_TCP;
1373  f.flags |= FLOW_IPV4;
1374  p->flow = &f;
1378  f.alproto = ALPROTO_HTTP1;
1379 
1380  StreamTcpInitConfig(true);
1381 
1383  if (de_ctx == NULL)
1384  goto end;
1385 
1386  de_ctx->flags |= DE_QUIET;
1387 
1388  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1389  "(msg:\"http header test\"; "
1390  "content:\"CO\"; http_cookie; "
1391  "content:!\"EC\"; distance:3; http_cookie; "
1392  "sid:1;)");
1393  if (de_ctx->sig_list == NULL)
1394  goto end;
1395 
1397  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1398 
1399  int r = AppLayerParserParse(
1400  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1401  if (r != 0) {
1402  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1403  result = 0;
1404  goto end;
1405  }
1406 
1407  http_state = f.alstate;
1408  if (http_state == NULL) {
1409  printf("no http state: ");
1410  result = 0;
1411  goto end;
1412  }
1413 
1414  /* do detect */
1415  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1416 
1417  if (!PacketAlertCheck(p, 1)) {
1418  printf("sid 1 didn't match but should have: ");
1419  goto end;
1420  }
1421 
1422  result = 1;
1423 
1424 end:
1425  if (alp_tctx != NULL)
1427  if (de_ctx != NULL)
1429 
1430  StreamTcpFreeConfig(true);
1431  FLOW_DESTROY(&f);
1432  UTHFreePackets(&p, 1);
1433  return result;
1434 }
1435 
1436 /**
1437  * \test Test that the http_cookie content matches against a http request
1438  * which holds the content.
1439  */
1440 static int DetectEngineHttpCookieTest16(void)
1441 {
1442  TcpSession ssn;
1443  Packet *p = NULL;
1444  ThreadVars th_v;
1445  DetectEngineCtx *de_ctx = NULL;
1446  DetectEngineThreadCtx *det_ctx = NULL;
1447  HtpState *http_state = NULL;
1448  Flow f;
1449  uint8_t http_buf[] =
1450  "CONNECT /index.html HTTP/1.0\r\n"
1451  "Cookie: CONNECT\r\n"
1452  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1453  uint32_t http_len = sizeof(http_buf) - 1;
1454  int result = 0;
1456 
1457  memset(&th_v, 0, sizeof(th_v));
1458  memset(&f, 0, sizeof(f));
1459  memset(&ssn, 0, sizeof(ssn));
1460 
1461  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1462 
1463  FLOW_INITIALIZE(&f);
1464  f.protoctx = (void *)&ssn;
1465  f.proto = IPPROTO_TCP;
1466  f.flags |= FLOW_IPV4;
1467  p->flow = &f;
1471  f.alproto = ALPROTO_HTTP1;
1472 
1473  StreamTcpInitConfig(true);
1474 
1476  if (de_ctx == NULL)
1477  goto end;
1478 
1479  de_ctx->flags |= DE_QUIET;
1480 
1481  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1482  "(msg:\"http header test\"; "
1483  "content:\"CO\"; http_cookie; "
1484  "content:\"EC\"; distance:3; http_cookie; "
1485  "sid:1;)");
1486  if (de_ctx->sig_list == NULL)
1487  goto end;
1488 
1490  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1491 
1492  int r = AppLayerParserParse(
1493  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1494  if (r != 0) {
1495  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1496  result = 0;
1497  goto end;
1498  }
1499 
1500  http_state = f.alstate;
1501  if (http_state == NULL) {
1502  printf("no http state: ");
1503  result = 0;
1504  goto end;
1505  }
1506 
1507  /* do detect */
1508  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1509 
1510  if (PacketAlertCheck(p, 1)) {
1511  printf("sid 1 matched but shouldn't have: ");
1512  goto end;
1513  }
1514 
1515  result = 1;
1516 
1517 end:
1518  if (alp_tctx != NULL)
1520  if (de_ctx != NULL)
1522 
1523  StreamTcpFreeConfig(true);
1524  FLOW_DESTROY(&f);
1525  UTHFreePackets(&p, 1);
1526  return result;
1527 }
1528 
1529 /**
1530  * \test Test that the http_cookie content matches against a http request
1531  * which holds the content.
1532  */
1533 static int DetectEngineHttpCookieTest17(void)
1534 {
1535  TcpSession ssn;
1536  Packet *p = NULL;
1537  ThreadVars th_v;
1538  DetectEngineCtx *de_ctx = NULL;
1539  DetectEngineThreadCtx *det_ctx = NULL;
1540  HtpState *http_state = NULL;
1541  Flow f;
1542  uint8_t http_buf[] =
1543  "CONNECT /index.html HTTP/1.0\r\n"
1544  "Cookie: CONNECT\r\n"
1545  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1546  uint32_t http_len = sizeof(http_buf) - 1;
1547  int result = 0;
1549 
1550  memset(&th_v, 0, sizeof(th_v));
1551  memset(&f, 0, sizeof(f));
1552  memset(&ssn, 0, sizeof(ssn));
1553 
1554  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1555 
1556  FLOW_INITIALIZE(&f);
1557  f.protoctx = (void *)&ssn;
1558  f.proto = IPPROTO_TCP;
1559  f.flags |= FLOW_IPV4;
1560  p->flow = &f;
1564  f.alproto = ALPROTO_HTTP1;
1565 
1566  StreamTcpInitConfig(true);
1567 
1569  if (de_ctx == NULL)
1570  goto end;
1571 
1572  de_ctx->flags |= DE_QUIET;
1573 
1574  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1575  "(msg:\"http header test\"; "
1576  "content:\"CO\"; http_cookie; "
1577  "content:!\"EC\"; distance:2; http_cookie; "
1578  "sid:1;)");
1579  if (de_ctx->sig_list == NULL)
1580  goto end;
1581 
1583  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1584 
1585  int r = AppLayerParserParse(
1586  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1587  if (r != 0) {
1588  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1589  result = 0;
1590  goto end;
1591  }
1592 
1593  http_state = f.alstate;
1594  if (http_state == NULL) {
1595  printf("no http state: ");
1596  result = 0;
1597  goto end;
1598  }
1599 
1600  /* do detect */
1601  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1602 
1603  if (PacketAlertCheck(p, 1)) {
1604  printf("sid 1 matched but shouldn't have: ");
1605  goto end;
1606  }
1607 
1608  result = 1;
1609 
1610 end:
1611  if (alp_tctx != NULL)
1613  if (de_ctx != NULL)
1615 
1616  StreamTcpFreeConfig(true);
1617  FLOW_DESTROY(&f);
1618  UTHFreePackets(&p, 1);
1619  return result;
1620 }
1621 
1622 /**
1623  * \test Checks if a http_cookie is registered in a Signature, if content is not
1624  * specified in the signature
1625  */
1626 static int DetectHttpCookieTest01(void)
1627 {
1628  DetectEngineCtx *de_ctx = NULL;
1629  int result = 0;
1630 
1631  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1632  goto end;
1633 
1634  de_ctx->flags |= DE_QUIET;
1635  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1636  "(msg:\"Testing http_cookie\"; http_cookie;sid:1;)");
1637  if (de_ctx->sig_list == NULL)
1638  result = 1;
1639 
1640 end:
1641  if (de_ctx != NULL)
1643  return result;
1644 }
1645 
1646 /**
1647  * \test Checks if a http_cookie is registered in a Signature, if some parameter
1648  * is specified with http_cookie in the signature
1649  */
1650 static int DetectHttpCookieTest02(void)
1651 {
1652  DetectEngineCtx *de_ctx = NULL;
1653  int result = 0;
1654 
1655  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1656  goto end;
1657 
1658  de_ctx->flags |= DE_QUIET;
1659  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1660  "(msg:\"Testing http_cookie\"; content:\"me\"; "
1661  "http_cookie:woo; sid:1;)");
1662  if (de_ctx->sig_list == NULL)
1663  result = 1;
1664 
1665 end:
1666  if (de_ctx != NULL)
1668  return result;
1669 }
1670 
1671 /** \test Check the signature working to alert when http_cookie is matched . */
1672 static int DetectHttpCookieSigTest01(void)
1673 {
1674  int result = 0;
1675  Flow f;
1676  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
1677  " hellocatchme\r\n\r\n";
1678  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1679  TcpSession ssn;
1680  Packet *p = NULL;
1681  Signature *s = NULL;
1682  ThreadVars th_v;
1683  DetectEngineThreadCtx *det_ctx = NULL;
1684  HtpState *http_state = NULL;
1686 
1687  memset(&th_v, 0, sizeof(th_v));
1688  memset(&f, 0, sizeof(f));
1689  memset(&ssn, 0, sizeof(ssn));
1690 
1691  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1692 
1693  FLOW_INITIALIZE(&f);
1694  f.protoctx = (void *)&ssn;
1695  f.proto = IPPROTO_TCP;
1696  f.flags |= FLOW_IPV4;
1697 
1698  p->flow = &f;
1702  f.alproto = ALPROTO_HTTP1;
1703 
1704  StreamTcpInitConfig(true);
1705 
1707  if (de_ctx == NULL) {
1708  goto end;
1709  }
1710 
1711  de_ctx->flags |= DE_QUIET;
1712 
1713  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1714  "\"HTTP cookie\"; content:\"me\"; "
1715  "http_cookie; sid:1;)");
1716  if (s == NULL) {
1717  goto end;
1718  }
1719 
1720  s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
1721  "cookie\"; content:\"go\"; http_cookie; sid:2;)");
1722  if (s->next == NULL) {
1723  goto end;
1724  }
1725 
1726 
1728  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1729 
1730  int r = AppLayerParserParse(
1731  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1732  if (r != 0) {
1733  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1734  result = 0;
1735  goto end;
1736  }
1737 
1738  http_state = f.alstate;
1739  if (http_state == NULL) {
1740  printf("no http state: ");
1741  result = 0;
1742  goto end;
1743  }
1744 
1745  /* do detect */
1746  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1747 
1748  if (!(PacketAlertCheck(p, 1))) {
1749  printf("sid 1 didn't match but should have: ");
1750  goto end;
1751  }
1752  if (PacketAlertCheck(p, 2)) {
1753  printf("sid 2 matched but shouldn't: ");
1754  goto end;
1755  }
1756 
1757  result = 1;
1758 end:
1759  if (alp_tctx != NULL)
1761  if (det_ctx != NULL) {
1762  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1763  }
1764  if (de_ctx != NULL) {
1766  }
1767 
1768  StreamTcpFreeConfig(true);
1769 
1770  UTHFreePackets(&p, 1);
1771  return result;
1772 }
1773 
1774 /** \test Check the signature working to alert when http_cookie is not present */
1775 static int DetectHttpCookieSigTest02(void)
1776 {
1777  int result = 0;
1778  Flow f;
1779  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1780  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1781  TcpSession ssn;
1782  Packet *p = NULL;
1783  Signature *s = NULL;
1784  ThreadVars th_v;
1785  DetectEngineThreadCtx *det_ctx = NULL;
1786  HtpState *http_state = NULL;
1788 
1789  memset(&th_v, 0, sizeof(th_v));
1790  memset(&p, 0, sizeof(p));
1791  memset(&f, 0, sizeof(f));
1792  memset(&ssn, 0, sizeof(ssn));
1793 
1794  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1795 
1796  FLOW_INITIALIZE(&f);
1797  f.protoctx = (void *)&ssn;
1798  f.proto = IPPROTO_TCP;
1799  f.flags |= FLOW_IPV4;
1800 
1801  p->flow = &f;
1805  f.alproto = ALPROTO_HTTP1;
1806 
1807  StreamTcpInitConfig(true);
1808 
1810  if (de_ctx == NULL) {
1811  goto end;
1812  }
1813 
1814  de_ctx->flags |= DE_QUIET;
1815 
1816  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1817  "\"HTTP cookie\"; content:\"me\"; "
1818  "http_cookie; sid:1;)");
1819  if (s == NULL) {
1820  goto end;
1821  }
1822 
1824  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1825 
1826  int r = AppLayerParserParse(
1827  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1828  if (r != 0) {
1829  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1830  result = 0;
1831  goto end;
1832  }
1833 
1834  http_state = f.alstate;
1835  if (http_state == NULL) {
1836  printf("no http state: ");
1837  result = 0;
1838  goto end;
1839  }
1840 
1841  /* do detect */
1842  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1843 
1844  if ((PacketAlertCheck(p, 1))) {
1845  goto end;
1846  }
1847 
1848  result = 1;
1849 
1850 end:
1851  if (alp_tctx != NULL)
1853  if (det_ctx != NULL) {
1854  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1855  }
1856  if (de_ctx != NULL) {
1858  }
1859  StreamTcpFreeConfig(true);
1860  UTHFreePackets(&p, 1);
1861  return result;
1862 }
1863 
1864 /** \test Check the signature working to alert when http_cookie is not present */
1865 static int DetectHttpCookieSigTest03(void)
1866 {
1867  int result = 0;
1868  Flow f;
1869  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1870  "Cookie: dummy\r\n\r\n";
1871  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1872  TcpSession ssn;
1873  Packet *p = NULL;
1874  Signature *s = NULL;
1875  ThreadVars th_v;
1876  DetectEngineThreadCtx *det_ctx = NULL;
1877  HtpState *http_state = NULL;
1879 
1880  memset(&th_v, 0, sizeof(th_v));
1881  memset(&f, 0, sizeof(f));
1882  memset(&ssn, 0, sizeof(ssn));
1883 
1884  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1885 
1886  FLOW_INITIALIZE(&f);
1887  f.protoctx = (void *)&ssn;
1888  f.proto = IPPROTO_TCP;
1889  f.flags |= FLOW_IPV4;
1890 
1891  p->flow = &f;
1895  f.alproto = ALPROTO_HTTP1;
1896 
1897  StreamTcpInitConfig(true);
1898 
1900  if (de_ctx == NULL) {
1901  goto end;
1902  }
1903 
1904  de_ctx->flags |= DE_QUIET;
1905 
1906  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1907  "\"HTTP cookie\"; content:\"boo\"; "
1908  "http_cookie; sid:1;)");
1909  if (s == NULL) {
1910  goto end;
1911  }
1912 
1914  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1915 
1916  int r = AppLayerParserParse(
1917  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1918  if (r != 0) {
1919  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1920  result = 0;
1921  goto end;
1922  }
1923 
1924  http_state = f.alstate;
1925  if (http_state == NULL) {
1926  printf("no http state: ");
1927  result = 0;
1928  goto end;
1929  }
1930 
1931  /* do detect */
1932  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1933 
1934  if ((PacketAlertCheck(p, 1))) {
1935  goto end;
1936  }
1937 
1938  result = 1;
1939 end:
1940  if (alp_tctx != NULL)
1942  if (det_ctx != NULL) {
1943  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1944  }
1945  if (de_ctx != NULL) {
1947  }
1948 
1949  StreamTcpFreeConfig(true);
1950  UTHFreePackets(&p, 1);
1951  return result;
1952 }
1953 
1954 /** \test Check the signature working to alert when http_cookie is not present */
1955 static int DetectHttpCookieSigTest04(void)
1956 {
1957  int result = 0;
1958  Flow f;
1959  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1960  "Cookie: dummy\r\n\r\n";
1961  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1962  TcpSession ssn;
1963  Packet *p = NULL;
1964  Signature *s = NULL;
1965  ThreadVars th_v;
1966  DetectEngineThreadCtx *det_ctx = NULL;
1967  HtpState *http_state = NULL;
1969 
1970  memset(&th_v, 0, sizeof(th_v));
1971  memset(&p, 0, sizeof(p));
1972  memset(&f, 0, sizeof(f));
1973  memset(&ssn, 0, sizeof(ssn));
1974 
1975  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1976 
1977  FLOW_INITIALIZE(&f);
1978  f.protoctx = (void *)&ssn;
1979  f.proto = IPPROTO_TCP;
1980  f.flags |= FLOW_IPV4;
1981 
1982  p->flow = &f;
1986  f.alproto = ALPROTO_HTTP1;
1987 
1988  StreamTcpInitConfig(true);
1989 
1991  if (de_ctx == NULL) {
1992  goto end;
1993  }
1994 
1995  de_ctx->flags |= DE_QUIET;
1996 
1997  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1998  "\"HTTP cookie\"; content:!\"boo\"; "
1999  "http_cookie; sid:1;)");
2000  if (s == NULL) {
2001  goto end;
2002  }
2003 
2005  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2006 
2007  int r = AppLayerParserParse(
2008  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2009  if (r != 0) {
2010  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2011  result = 0;
2012  goto end;
2013  }
2014 
2015  http_state = f.alstate;
2016  if (http_state == NULL) {
2017  printf("no http state: ");
2018  result = 0;
2019  goto end;
2020  }
2021 
2022  /* do detect */
2023  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2024 
2025  if (!PacketAlertCheck(p, 1)) {
2026  goto end;
2027  }
2028 
2029  result = 1;
2030 end:
2031  if (alp_tctx != NULL)
2033  if (det_ctx != NULL) {
2034  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2035  }
2036  if (de_ctx != NULL) {
2038  }
2039 
2040  StreamTcpFreeConfig(true);
2041  UTHFreePackets(&p, 1);
2042  return result;
2043 }
2044 
2045 /** \test Check the signature working to alert when http_cookie is not present */
2046 static int DetectHttpCookieSigTest05(void)
2047 {
2048  int result = 0;
2049  Flow f;
2050  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2051  "Cookie: DuMmY\r\n\r\n";
2052  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2053  TcpSession ssn;
2054  Packet *p = NULL;
2055  Signature *s = NULL;
2056  ThreadVars th_v;
2057  DetectEngineThreadCtx *det_ctx = NULL;
2058  HtpState *http_state = NULL;
2060 
2061  memset(&th_v, 0, sizeof(th_v));
2062  memset(&p, 0, sizeof(p));
2063  memset(&f, 0, sizeof(f));
2064  memset(&ssn, 0, sizeof(ssn));
2065 
2066  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2067 
2068  FLOW_INITIALIZE(&f);
2069  f.protoctx = (void *)&ssn;
2070  f.proto = IPPROTO_TCP;
2071  f.flags |= FLOW_IPV4;
2072 
2073  p->flow = &f;
2077  f.alproto = ALPROTO_HTTP1;
2078 
2079  StreamTcpInitConfig(true);
2080 
2082  if (de_ctx == NULL) {
2083  goto end;
2084  }
2085 
2086  de_ctx->flags |= DE_QUIET;
2087 
2088  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2089  "\"HTTP cookie\"; content:\"dummy\"; nocase; "
2090  "http_cookie; sid:1;)");
2091  if (s == NULL) {
2092  goto end;
2093  }
2094 
2096  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2097 
2098  int r = AppLayerParserParse(
2099  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2100  if (r != 0) {
2101  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2102  result = 0;
2103  goto end;
2104  }
2105 
2106  http_state = f.alstate;
2107  if (http_state == NULL) {
2108  printf("no http state: ");
2109  result = 0;
2110  goto end;
2111  }
2112 
2113  /* do detect */
2114  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2115 
2116  if (!PacketAlertCheck(p, 1)) {
2117  goto end;
2118  }
2119 
2120  result = 1;
2121 end:
2122  if (alp_tctx != NULL)
2124  if (det_ctx != NULL) {
2125  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2126  }
2127  if (de_ctx != NULL) {
2129  }
2130 
2131  StreamTcpFreeConfig(true);
2132  UTHFreePackets(&p, 1);
2133  return result;
2134 }
2135 
2136 /** \test Check the signature working to alert when http_cookie is not present */
2137 static int DetectHttpCookieSigTest06(void)
2138 {
2139  int result = 0;
2140  Flow f;
2141  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2142  "Cookie: DuMmY\r\n\r\n";
2143  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2144  TcpSession ssn;
2145  Packet *p = NULL;
2146  Signature *s = NULL;
2147  ThreadVars th_v;
2148  DetectEngineThreadCtx *det_ctx = NULL;
2149  HtpState *http_state = NULL;
2151 
2152  memset(&th_v, 0, sizeof(th_v));
2153  memset(&p, 0, sizeof(p));
2154  memset(&f, 0, sizeof(f));
2155  memset(&ssn, 0, sizeof(ssn));
2156 
2157  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2158 
2159  FLOW_INITIALIZE(&f);
2160  f.protoctx = (void *)&ssn;
2161  f.proto = IPPROTO_TCP;
2162  f.flags |= FLOW_IPV4;
2163 
2164  p->flow = &f;
2168  f.alproto = ALPROTO_HTTP1;
2169 
2170  StreamTcpInitConfig(true);
2171 
2173  if (de_ctx == NULL) {
2174  goto end;
2175  }
2176 
2177  de_ctx->flags |= DE_QUIET;
2178 
2179  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2180  "\"HTTP cookie\"; content:\"dummy\"; "
2181  "http_cookie; nocase; sid:1;)");
2182  if (s == NULL) {
2183  printf("sig parse failed: ");
2184  goto end;
2185  }
2186 
2188  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2189 
2190  int r = AppLayerParserParse(
2191  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2192  if (r != 0) {
2193  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2194  goto end;
2195  }
2196 
2197  http_state = f.alstate;
2198  if (http_state == NULL) {
2199  printf("no http state: ");
2200  goto end;
2201  }
2202 
2203  /* do detect */
2204  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2205 
2206  if (!PacketAlertCheck(p, 1)) {
2207  printf("sig 1 failed to match: ");
2208  goto end;
2209  }
2210 
2211  result = 1;
2212 end:
2213  if (alp_tctx != NULL)
2215  if (det_ctx != NULL) {
2216  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2217  }
2218  if (de_ctx != NULL) {
2220  }
2221 
2222  StreamTcpFreeConfig(true);
2223  UTHFreePackets(&p, 1);
2224  return result;
2225 }
2226 
2227 /** \test Check the signature working to alert when http_cookie is not present */
2228 static int DetectHttpCookieSigTest07(void)
2229 {
2230  int result = 0;
2231  Flow f;
2232  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2233  "Cookie: dummy\r\n\r\n";
2234  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2235  TcpSession ssn;
2236  Packet *p = NULL;
2237  Signature *s = NULL;
2238  ThreadVars th_v;
2239  DetectEngineThreadCtx *det_ctx = NULL;
2240  HtpState *http_state = NULL;
2242 
2243  memset(&th_v, 0, sizeof(th_v));
2244  memset(&f, 0, sizeof(f));
2245  memset(&ssn, 0, sizeof(ssn));
2246 
2247  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2248 
2249  FLOW_INITIALIZE(&f);
2250  f.protoctx = (void *)&ssn;
2251  f.proto = IPPROTO_TCP;
2252  f.flags |= FLOW_IPV4;
2253 
2254  p->flow = &f;
2258  f.alproto = ALPROTO_HTTP1;
2259 
2260  StreamTcpInitConfig(true);
2261 
2263  if (de_ctx == NULL) {
2264  goto end;
2265  }
2266 
2267  de_ctx->flags |= DE_QUIET;
2268 
2269  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2270  "\"HTTP cookie\"; content:!\"dummy\"; "
2271  "http_cookie; sid:1;)");
2272  if (s == NULL) {
2273  goto end;
2274  }
2275 
2277  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2278 
2279  int r = AppLayerParserParse(
2280  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2281  if (r != 0) {
2282  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2283  result = 0;
2284  goto end;
2285  }
2286 
2287  http_state = f.alstate;
2288  if (http_state == NULL) {
2289  printf("no http state: ");
2290  result = 0;
2291  goto end;
2292  }
2293 
2294  /* do detect */
2295  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2296 
2297  if (PacketAlertCheck(p, 1)) {
2298  goto end;
2299  }
2300 
2301  result = 1;
2302 end:
2303  if (alp_tctx != NULL)
2305  if (det_ctx != NULL) {
2306  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2307  }
2308  if (de_ctx != NULL) {
2310  }
2311 
2312  StreamTcpFreeConfig(true);
2313  UTHFreePackets(&p, 1);
2314  return result;
2315 }
2316 
2317 /**
2318  * \test Check the signature working to alert against set-cookie
2319  */
2320 static int DetectHttpCookieSigTest08(void)
2321 {
2322  int result = 0;
2323  Flow f;
2324 
2325  uint8_t httpbuf_request[] =
2326  "GET / HTTP/1.1\r\n"
2327  "User-Agent: Mozilla/1.0\r\n"
2328  "\r\n";
2329  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
2330 
2331  uint8_t httpbuf_response[] =
2332  "HTTP/1.1 200 OK\r\n"
2333  "Set-Cookie: response_user_agent\r\n"
2334  "\r\n";
2335  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
2336 
2337  TcpSession ssn;
2338  Packet *p1 = NULL, *p2 = NULL;
2339  Signature *s = NULL;
2340  ThreadVars th_v;
2341  DetectEngineThreadCtx *det_ctx = NULL;
2342  HtpState *http_state = NULL;
2344 
2345  memset(&th_v, 0, sizeof(th_v));
2346  memset(&f, 0, sizeof(f));
2347  memset(&ssn, 0, sizeof(ssn));
2348 
2349  FLOW_INITIALIZE(&f);
2350  f.protoctx = (void *)&ssn;
2351  f.proto = IPPROTO_TCP;
2352  f.flags |= FLOW_IPV4;
2353  f.alproto = ALPROTO_HTTP1;
2354 
2355  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2356  p1->flow = &f;
2360 
2361  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2362  p2->flow = &f;
2363  p2->flowflags |= FLOW_PKT_TOCLIENT;
2364  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2365  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2366 
2367  StreamTcpInitConfig(true);
2368 
2370  if (de_ctx == NULL) {
2371  goto end;
2372  }
2373 
2374  de_ctx->flags |= DE_QUIET;
2375 
2376  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2377  "(flow:to_client; content:\"response_user_agent\"; "
2378  "http_cookie; sid:1;)");
2379  if (s == NULL) {
2380  goto end;
2381  }
2382 
2384  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2385 
2386  /* request */
2387  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
2388  httpbuf_request_len);
2389  if (r != 0) {
2390  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2391  result = 0;
2392  goto end;
2393  }
2394 
2395  http_state = f.alstate;
2396  if (http_state == NULL) {
2397  printf("no http state: ");
2398  goto end;
2399  }
2400 
2401  /* do detect */
2402  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2403  if (PacketAlertCheck(p1, 1)) {
2404  goto end;
2405  }
2406 
2407  /* response */
2408  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
2409  httpbuf_response_len);
2410  if (r != 0) {
2411  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2412  result = 0;
2413  goto end;
2414  }
2415 
2416  /* do detect */
2417  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2418  if (!PacketAlertCheck(p2, 1)) {
2419  goto end;
2420  }
2421 
2422  result = 1;
2423 
2424 end:
2425  if (alp_tctx != NULL)
2427  if (det_ctx != NULL) {
2428  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2429  }
2430  if (de_ctx != NULL) {
2432  }
2433 
2434  StreamTcpFreeConfig(true);
2435  UTHFreePackets(&p1, 1);
2436  UTHFreePackets(&p2, 1);
2437  return result;
2438 }
2439 
2440 /**
2441  * \test Check the signature working to alert against cookie/set-cookie
2442  */
2443 static int DetectHttpCookieSigTest09(void)
2444 {
2445  int result = 0;
2446  Flow f;
2447 
2448  uint8_t httpbuf_request[] =
2449  "GET / HTTP/1.1\r\n"
2450  "Cookie: request_user_agent\r\n"
2451  "User-Agent: Mozilla/1.0\r\n"
2452  "\r\n";
2453  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
2454 
2455  uint8_t httpbuf_response[] =
2456  "HTTP/1.1 200 OK\r\n"
2457  "Set-Cookie: response_user_agent\r\n"
2458  "\r\n";
2459  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
2460 
2461  TcpSession ssn;
2462  Packet *p1 = NULL, *p2 = NULL;
2463  Signature *s = NULL;
2464  ThreadVars th_v;
2465  DetectEngineThreadCtx *det_ctx = NULL;
2466  HtpState *http_state = NULL;
2468 
2469  memset(&th_v, 0, sizeof(th_v));
2470  memset(&f, 0, sizeof(f));
2471  memset(&ssn, 0, sizeof(ssn));
2472 
2473  FLOW_INITIALIZE(&f);
2474  f.protoctx = (void *)&ssn;
2475  f.proto = IPPROTO_TCP;
2476  f.flags |= FLOW_IPV4;
2477  f.alproto = ALPROTO_HTTP1;
2478 
2479  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2480  p1->flow = &f;
2484 
2485  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2486  p2->flow = &f;
2487  p2->flowflags |= FLOW_PKT_TOCLIENT;
2488  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2489  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2490 
2491  StreamTcpInitConfig(true);
2492 
2494  if (de_ctx == NULL) {
2495  goto end;
2496  }
2497 
2498  de_ctx->flags |= DE_QUIET;
2499 
2500  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2501  "(flow:to_server; content:\"request_user_agent\"; "
2502  "http_cookie; sid:1;)");
2503  if (s == NULL) {
2504  goto end;
2505  }
2506  s = de_ctx->sig_list->next = SigInit(de_ctx,"alert http any any -> any any "
2507  "(flow:to_client; content:\"response_user_agent\"; "
2508  "http_cookie; sid:2;)");
2509  if (s == NULL) {
2510  goto end;
2511  }
2512 
2514  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2515 
2516  /* request */
2517  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
2518  httpbuf_request_len);
2519  if (r != 0) {
2520  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2521  result = 0;
2522  goto end;
2523  }
2524 
2525  http_state = f.alstate;
2526  if (http_state == NULL) {
2527  printf("no http state: ");
2528  goto end;
2529  }
2530 
2531  /* do detect */
2532  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2533  if (!PacketAlertCheck(p1, 1) || PacketAlertCheck(p1, 2)) {
2534  goto end;
2535  }
2536 
2537  /* response */
2538  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
2539  httpbuf_response_len);
2540  if (r != 0) {
2541  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2542  result = 0;
2543  goto end;
2544  }
2545 
2546  /* do detect */
2547  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2548  if (PacketAlertCheck(p2, 1) || !PacketAlertCheck(p2, 2)) {
2549  goto end;
2550  }
2551 
2552  result = 1;
2553 
2554 end:
2555  if (alp_tctx != NULL)
2557  if (det_ctx != NULL) {
2558  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2559  }
2560  if (de_ctx != NULL) {
2562  }
2563 
2564  StreamTcpFreeConfig(true);
2565  UTHFreePackets(&p1, 1);
2566  UTHFreePackets(&p2, 1);
2567  return result;
2568 }
2569 
2570 /**
2571  * \brief Register the UNITTESTS for the http_cookie keyword
2572  */
2574 {
2575  UtRegisterTest("DetectHttpCookieTest01", DetectHttpCookieTest01);
2576  UtRegisterTest("DetectHttpCookieTest02", DetectHttpCookieTest02);
2577  UtRegisterTest("DetectHttpCookieSigTest01", DetectHttpCookieSigTest01);
2578  UtRegisterTest("DetectHttpCookieSigTest02", DetectHttpCookieSigTest02);
2579  UtRegisterTest("DetectHttpCookieSigTest03", DetectHttpCookieSigTest03);
2580  UtRegisterTest("DetectHttpCookieSigTest04", DetectHttpCookieSigTest04);
2581  UtRegisterTest("DetectHttpCookieSigTest05", DetectHttpCookieSigTest05);
2582  UtRegisterTest("DetectHttpCookieSigTest06", DetectHttpCookieSigTest06);
2583  UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
2584  UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
2585  UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
2586  UtRegisterTest("DetectEngineHttpCookieTest01",
2587  DetectEngineHttpCookieTest01);
2588  UtRegisterTest("DetectEngineHttpCookieTest02",
2589  DetectEngineHttpCookieTest02);
2590  UtRegisterTest("DetectEngineHttpCookieTest03",
2591  DetectEngineHttpCookieTest03);
2592  UtRegisterTest("DetectEngineHttpCookieTest04",
2593  DetectEngineHttpCookieTest04);
2594  UtRegisterTest("DetectEngineHttpCookieTest05",
2595  DetectEngineHttpCookieTest05);
2596  UtRegisterTest("DetectEngineHttpCookieTest06",
2597  DetectEngineHttpCookieTest06);
2598  UtRegisterTest("DetectEngineHttpCookieTest07",
2599  DetectEngineHttpCookieTest07);
2600  UtRegisterTest("DetectEngineHttpCookieTest08",
2601  DetectEngineHttpCookieTest08);
2602  UtRegisterTest("DetectEngineHttpCookieTest09",
2603  DetectEngineHttpCookieTest09);
2604  UtRegisterTest("DetectEngineHttpCookieTest10",
2605  DetectEngineHttpCookieTest10);
2606  UtRegisterTest("DetectEngineHttpCookieTest11",
2607  DetectEngineHttpCookieTest11);
2608  UtRegisterTest("DetectEngineHttpCookieTest12",
2609  DetectEngineHttpCookieTest12);
2610  UtRegisterTest("DetectEngineHttpCookieTest13",
2611  DetectEngineHttpCookieTest13);
2612  UtRegisterTest("DetectEngineHttpCookieTest14",
2613  DetectEngineHttpCookieTest14);
2614  UtRegisterTest("DetectEngineHttpCookieTest15",
2615  DetectEngineHttpCookieTest15);
2616  UtRegisterTest("DetectEngineHttpCookieTest16",
2617  DetectEngineHttpCookieTest16);
2618  UtRegisterTest("DetectEngineHttpCookieTest17",
2619  DetectEngineHttpCookieTest17);
2620 }
2621 /**
2622  * @}
2623  */
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:513
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2623
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:300
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1950
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:507
Flow_::protoctx
void * protoctx
Definition: flow.h:446
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
HtpState_
Definition: app-layer-htp.h:238
Signature_::next
struct Signature_ * next
Definition: detect.h:675
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1098
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3365
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2289
Packet_
Definition: decode.h:476
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:233
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2145
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:279
Packet_::flow
struct Flow_ * flow
Definition: decode.h:515
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1272
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3592
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:851
Flow_::alstate
void * alstate
Definition: flow.h:481
Flow_::flags
uint32_t flags
Definition: flow.h:426
Signature_
Signature container.
Definition: detect.h:603
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:234
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2584
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:845
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1265
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:450