34 #include "../suricata-common.h" 35 #include "../suricata.h" 36 #include "../flow-util.h" 38 #include "../app-layer-parser.h" 39 #include "../util-unittest.h" 40 #include "../util-unittest-helper.h" 41 #include "../app-layer.h" 42 #include "../app-layer-htp.h" 43 #include "../app-layer-protos.h" 44 #include "../detect-isdataat.h" 48 static int g_http_uri_buffer_id = 0;
54 static int DetectEngineHttpCookieTest01(
void)
64 "GET /index.html HTTP/1.0\r\n" 66 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
67 uint32_t http_len =
sizeof(http_buf) - 1;
71 memset(&th_v, 0,
sizeof(th_v));
72 memset(&f, 0,
sizeof(f));
73 memset(&ssn, 0,
sizeof(ssn));
79 f.
proto = IPPROTO_TCP;
96 "(msg:\"http header test\"; " 97 "content:\"CONNECT\"; http_cookie; " 109 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
117 if (http_state == NULL) {
118 printf(
"no http state: ");
127 printf(
"sid 1 didn't match but should have: ");
134 if (alp_tctx != NULL)
149 static int DetectEngineHttpCookieTest02(
void)
159 "CONNECT /index.html HTTP/1.0\r\n" 160 "Cookie: CONNECT\r\n" 161 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
162 uint32_t http_len =
sizeof(http_buf) - 1;
166 memset(&th_v, 0,
sizeof(th_v));
167 memset(&f, 0,
sizeof(f));
168 memset(&ssn, 0,
sizeof(ssn));
174 f.
proto = IPPROTO_TCP;
191 "(msg:\"http header test\"; " 192 "content:\"CO\"; depth:4; http_cookie; " 204 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
212 if (http_state == NULL) {
213 printf(
"no http state: ");
222 printf(
"sid 1 didn't match but should have: ");
229 if (alp_tctx != NULL)
244 static int DetectEngineHttpCookieTest03(
void)
254 "CONNECT /index.html HTTP/1.0\r\n" 255 "Cookie: CONNECT\r\n" 256 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
257 uint32_t http_len =
sizeof(http_buf) - 1;
261 memset(&th_v, 0,
sizeof(th_v));
262 memset(&f, 0,
sizeof(f));
263 memset(&ssn, 0,
sizeof(ssn));
269 f.
proto = IPPROTO_TCP;
286 "(msg:\"http header test\"; " 287 "content:!\"ECT\"; depth:4; http_cookie; " 299 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
307 if (http_state == NULL) {
308 printf(
"no http state: ");
317 printf(
"sid 1 didn't match but should have: ");
324 if (alp_tctx != NULL)
339 static int DetectEngineHttpCookieTest04(
void)
349 "CONNECT /index.html HTTP/1.0\r\n" 350 "Cookie: CONNECT\r\n" 351 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
352 uint32_t http_len =
sizeof(http_buf) - 1;
356 memset(&th_v, 0,
sizeof(th_v));
357 memset(&f, 0,
sizeof(f));
358 memset(&ssn, 0,
sizeof(ssn));
364 f.
proto = IPPROTO_TCP;
381 "(msg:\"http header test\"; " 382 "content:\"ECT\"; depth:4; http_cookie; " 394 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
402 if (http_state == NULL) {
403 printf(
"no http state: ");
412 printf(
"sid 1 matched but shouldn't have: ");
419 if (alp_tctx != NULL)
434 static int DetectEngineHttpCookieTest05(
void)
444 "CONNECT /index.html HTTP/1.0\r\n" 445 "Cookie: CONNECT\r\n" 446 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
447 uint32_t http_len =
sizeof(http_buf) - 1;
451 memset(&th_v, 0,
sizeof(th_v));
452 memset(&f, 0,
sizeof(f));
453 memset(&ssn, 0,
sizeof(ssn));
459 f.
proto = IPPROTO_TCP;
476 "(msg:\"http header test\"; " 477 "content:!\"CON\"; depth:4; http_cookie; " 489 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
497 if (http_state == NULL) {
498 printf(
"no http state: ");
507 printf(
"sid 1 matched but shouldn't have: ");
514 if (alp_tctx != NULL)
529 static int DetectEngineHttpCookieTest06(
void)
539 "CONNECT /index.html HTTP/1.0\r\n" 540 "Cookie: CONNECT\r\n" 541 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
542 uint32_t http_len =
sizeof(http_buf) - 1;
546 memset(&th_v, 0,
sizeof(th_v));
547 memset(&f, 0,
sizeof(f));
548 memset(&ssn, 0,
sizeof(ssn));
554 f.
proto = IPPROTO_TCP;
571 "(msg:\"http header test\"; " 572 "content:\"ECT\"; offset:3; http_cookie; " 584 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
592 if (http_state == NULL) {
593 printf(
"no http state: ");
602 printf(
"sid 1 didn't match but should have: ");
609 if (alp_tctx != NULL)
624 static int DetectEngineHttpCookieTest07(
void)
634 "CONNECT /index.html HTTP/1.0\r\n" 635 "Cookie: CONNECT\r\n" 636 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
637 uint32_t http_len =
sizeof(http_buf) - 1;
641 memset(&th_v, 0,
sizeof(th_v));
642 memset(&f, 0,
sizeof(f));
643 memset(&ssn, 0,
sizeof(ssn));
649 f.
proto = IPPROTO_TCP;
666 "(msg:\"http header test\"; " 667 "content:!\"CO\"; offset:3; http_cookie; " 679 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
687 if (http_state == NULL) {
688 printf(
"no http state: ");
697 printf(
"sid 1 didn't match but should have: ");
704 if (alp_tctx != NULL)
719 static int DetectEngineHttpCookieTest08(
void)
729 "CONNECT /index.html HTTP/1.0\r\n" 730 "Cookie: CONNECT\r\n" 731 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
732 uint32_t http_len =
sizeof(http_buf) - 1;
736 memset(&th_v, 0,
sizeof(th_v));
737 memset(&f, 0,
sizeof(f));
738 memset(&ssn, 0,
sizeof(ssn));
744 f.
proto = IPPROTO_TCP;
761 "(msg:\"http header test\"; " 762 "content:!\"ECT\"; offset:3; http_cookie; " 774 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
782 if (http_state == NULL) {
783 printf(
"no http state: ");
792 printf(
"sid 1 matched but shouldn't have: ");
799 if (alp_tctx != NULL)
814 static int DetectEngineHttpCookieTest09(
void)
824 "CONNECT /index.html HTTP/1.0\r\n" 825 "Cookie: CONNECT\r\n" 826 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
827 uint32_t http_len =
sizeof(http_buf) - 1;
831 memset(&th_v, 0,
sizeof(th_v));
832 memset(&f, 0,
sizeof(f));
833 memset(&ssn, 0,
sizeof(ssn));
839 f.
proto = IPPROTO_TCP;
856 "(msg:\"http header test\"; " 857 "content:\"CON\"; offset:3; http_cookie; " 869 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
877 if (http_state == NULL) {
878 printf(
"no http state: ");
887 printf(
"sid 1 matched but shouldn't have: ");
894 if (alp_tctx != NULL)
909 static int DetectEngineHttpCookieTest10(
void)
919 "CONNECT /index.html HTTP/1.0\r\n" 920 "Cookie: CONNECT\r\n" 921 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
922 uint32_t http_len =
sizeof(http_buf) - 1;
926 memset(&th_v, 0,
sizeof(th_v));
927 memset(&f, 0,
sizeof(f));
928 memset(&ssn, 0,
sizeof(ssn));
934 f.
proto = IPPROTO_TCP;
951 "(msg:\"http header test\"; " 952 "content:\"CO\"; http_cookie; " 953 "content:\"EC\"; within:4; http_cookie; " 965 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
973 if (http_state == NULL) {
974 printf(
"no http state: ");
983 printf(
"sid 1 didn't match but should have: ");
990 if (alp_tctx != NULL)
1005 static int DetectEngineHttpCookieTest11(
void)
1014 uint8_t http_buf[] =
1015 "CONNECT /index.html HTTP/1.0\r\n" 1016 "Cookie: CONNECT\r\n" 1017 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1018 uint32_t http_len =
sizeof(http_buf) - 1;
1022 memset(&th_v, 0,
sizeof(th_v));
1023 memset(&f, 0,
sizeof(f));
1024 memset(&ssn, 0,
sizeof(ssn));
1030 f.
proto = IPPROTO_TCP;
1047 "(msg:\"http header test\"; " 1048 "content:\"CO\"; http_cookie; " 1049 "content:!\"EC\"; within:3; http_cookie; " 1061 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1069 if (http_state == NULL) {
1070 printf(
"no http state: ");
1079 printf(
"sid 1 didn't match but should have: ");
1086 if (alp_tctx != NULL)
1101 static int DetectEngineHttpCookieTest12(
void)
1110 uint8_t http_buf[] =
1111 "CONNECT /index.html HTTP/1.0\r\n" 1112 "Cookie: CONNECT\r\n" 1113 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1114 uint32_t http_len =
sizeof(http_buf) - 1;
1118 memset(&th_v, 0,
sizeof(th_v));
1119 memset(&f, 0,
sizeof(f));
1120 memset(&ssn, 0,
sizeof(ssn));
1126 f.
proto = IPPROTO_TCP;
1143 "(msg:\"http header test\"; " 1144 "content:\"CO\"; http_cookie; " 1145 "content:\"EC\"; within:3; http_cookie; " 1157 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1165 if (http_state == NULL) {
1166 printf(
"no http state: ");
1175 printf(
"sid 1 matched but shouldn't have: ");
1182 if (alp_tctx != NULL)
1197 static int DetectEngineHttpCookieTest13(
void)
1206 uint8_t http_buf[] =
1207 "CONNECT /index.html HTTP/1.0\r\n" 1208 "Cookie: CONNECT\r\n" 1209 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1210 uint32_t http_len =
sizeof(http_buf) - 1;
1214 memset(&th_v, 0,
sizeof(th_v));
1215 memset(&f, 0,
sizeof(f));
1216 memset(&ssn, 0,
sizeof(ssn));
1222 f.
proto = IPPROTO_TCP;
1239 "(msg:\"http header test\"; " 1240 "content:\"CO\"; http_cookie; " 1241 "content:!\"EC\"; within:4; http_cookie; " 1253 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1261 if (http_state == NULL) {
1262 printf(
"no http state: ");
1271 printf(
"sid 1 matched but shouldn't have: ");
1278 if (alp_tctx != NULL)
1293 static int DetectEngineHttpCookieTest14(
void)
1302 uint8_t http_buf[] =
1303 "CONNECT /index.html HTTP/1.0\r\n" 1304 "Cookie: CONNECT\r\n" 1305 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1306 uint32_t http_len =
sizeof(http_buf) - 1;
1310 memset(&th_v, 0,
sizeof(th_v));
1311 memset(&f, 0,
sizeof(f));
1312 memset(&ssn, 0,
sizeof(ssn));
1318 f.
proto = IPPROTO_TCP;
1335 "(msg:\"http header test\"; " 1336 "content:\"CO\"; http_cookie; " 1337 "content:\"EC\"; distance:2; http_cookie; " 1349 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1357 if (http_state == NULL) {
1358 printf(
"no http state: ");
1367 printf(
"sid 1 didn't match but should have: ");
1374 if (alp_tctx != NULL)
1389 static int DetectEngineHttpCookieTest15(
void)
1398 uint8_t http_buf[] =
1399 "CONNECT /index.html HTTP/1.0\r\n" 1400 "Cookie: CONNECT\r\n" 1401 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1402 uint32_t http_len =
sizeof(http_buf) - 1;
1406 memset(&th_v, 0,
sizeof(th_v));
1407 memset(&f, 0,
sizeof(f));
1408 memset(&ssn, 0,
sizeof(ssn));
1414 f.
proto = IPPROTO_TCP;
1431 "(msg:\"http header test\"; " 1432 "content:\"CO\"; http_cookie; " 1433 "content:!\"EC\"; distance:3; http_cookie; " 1445 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1453 if (http_state == NULL) {
1454 printf(
"no http state: ");
1463 printf(
"sid 1 didn't match but should have: ");
1470 if (alp_tctx != NULL)
1485 static int DetectEngineHttpCookieTest16(
void)
1494 uint8_t http_buf[] =
1495 "CONNECT /index.html HTTP/1.0\r\n" 1496 "Cookie: CONNECT\r\n" 1497 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1498 uint32_t http_len =
sizeof(http_buf) - 1;
1502 memset(&th_v, 0,
sizeof(th_v));
1503 memset(&f, 0,
sizeof(f));
1504 memset(&ssn, 0,
sizeof(ssn));
1510 f.
proto = IPPROTO_TCP;
1527 "(msg:\"http header test\"; " 1528 "content:\"CO\"; http_cookie; " 1529 "content:\"EC\"; distance:3; http_cookie; " 1541 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1549 if (http_state == NULL) {
1550 printf(
"no http state: ");
1559 printf(
"sid 1 matched but shouldn't have: ");
1566 if (alp_tctx != NULL)
1581 static int DetectEngineHttpCookieTest17(
void)
1590 uint8_t http_buf[] =
1591 "CONNECT /index.html HTTP/1.0\r\n" 1592 "Cookie: CONNECT\r\n" 1593 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1594 uint32_t http_len =
sizeof(http_buf) - 1;
1598 memset(&th_v, 0,
sizeof(th_v));
1599 memset(&f, 0,
sizeof(f));
1600 memset(&ssn, 0,
sizeof(ssn));
1606 f.
proto = IPPROTO_TCP;
1623 "(msg:\"http header test\"; " 1624 "content:\"CO\"; http_cookie; " 1625 "content:!\"EC\"; distance:2; http_cookie; " 1637 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1645 if (http_state == NULL) {
1646 printf(
"no http state: ");
1655 printf(
"sid 1 matched but shouldn't have: ");
1662 if (alp_tctx != NULL)
1677 static int DetectHttpCookieTest01(
void)
1687 "(msg:\"Testing http_cookie\"; http_cookie;sid:1;)");
1701 static int DetectHttpCookieTest02(
void)
1711 "(msg:\"Testing http_cookie\"; content:\"me\"; " 1712 "http_cookie:woo; sid:1;)");
1725 static int DetectHttpCookieTest03(
void)
1736 "(msg:\"Testing http_cookie\"; content:\"one\"; " 1737 "http_cookie; content:\"two\"; http_cookie; " 1738 "content:\"two\"; http_cookie; " 1741 printf(
"sig parse failed: ");
1746 sm = de_ctx->
sig_list->sm_lists[g_http_cookie_buffer_id];
1748 printf(
"no sigmatch(es): ");
1752 while (sm != NULL) {
1756 printf(
"expected DETECT_CONTENT for http_cookie, got %d: ", sm->
type);
1772 static int DetectHttpCookieTest04(
void)
1782 "(msg:\"Testing http_cookie\"; content:\"one\"; " 1783 "fast_pattern; http_cookie; sid:1;)");
1796 static int DetectHttpCookieTest05(
void)
1806 "(msg:\"Testing http_cookie\"; content:\"one\"; " 1807 "rawbytes; http_cookie; sid:1;)");
1820 static int DetectHttpCookieTest06(
void)
1830 "(msg:\"Testing http_cookie\"; content:\"one\"; " 1831 "http_cookie; uricontent:\"abc\"; sid:1;)");
1837 BUG_ON(s->sm_lists[g_http_cookie_buffer_id] == NULL);
1839 if (s->sm_lists[g_http_cookie_buffer_id]->type !=
DETECT_CONTENT)
1842 if (s->sm_lists[g_http_uri_buffer_id] == NULL) {
1843 printf(
"expected another SigMatch, got NULL: ");
1853 if (de_ctx != NULL) {
1860 static int DetectHttpCookieSigTest01(
void)
1864 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:" 1865 " hellocatchme\r\n\r\n";
1866 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1875 memset(&th_v, 0,
sizeof(th_v));
1876 memset(&f, 0,
sizeof(f));
1877 memset(&ssn, 0,
sizeof(ssn));
1883 f.
proto = IPPROTO_TCP;
1895 if (de_ctx == NULL) {
1901 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 1902 "\"HTTP cookie\"; content:\"me\"; " 1903 "http_cookie; sid:1;)");
1908 s->
next =
SigInit(de_ctx,
"alert http any any -> any any (msg:\"HTTP " 1909 "cookie\"; content:\"go\"; http_cookie; sid:2;)");
1910 if (s->
next == NULL) {
1922 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1930 if (http_state == NULL) {
1931 printf(
"no http state: ");
1940 printf(
"sid 1 didn't match but should have: ");
1944 printf(
"sid 2 matched but shouldn't: ");
1950 if (alp_tctx != NULL)
1952 if (det_ctx != NULL) {
1955 if (de_ctx != NULL) {
1966 static int DetectHttpCookieSigTest02(
void)
1970 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1971 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1980 memset(&th_v, 0,
sizeof(th_v));
1981 memset(&p, 0,
sizeof(p));
1982 memset(&f, 0,
sizeof(f));
1983 memset(&ssn, 0,
sizeof(ssn));
1989 f.
proto = IPPROTO_TCP;
2001 if (de_ctx == NULL) {
2007 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2008 "\"HTTP cookie\"; content:\"me\"; " 2009 "http_cookie; sid:1;)");
2021 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2029 if (http_state == NULL) {
2030 printf(
"no http state: ");
2045 if (alp_tctx != NULL)
2047 if (det_ctx != NULL) {
2050 if (de_ctx != NULL) {
2059 static int DetectHttpCookieSigTest03(
void)
2063 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2064 "Cookie: dummy\r\n\r\n";
2065 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2074 memset(&th_v, 0,
sizeof(th_v));
2075 memset(&f, 0,
sizeof(f));
2076 memset(&ssn, 0,
sizeof(ssn));
2082 f.
proto = IPPROTO_TCP;
2094 if (de_ctx == NULL) {
2100 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2101 "\"HTTP cookie\"; content:\"boo\"; " 2102 "http_cookie; sid:1;)");
2114 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2122 if (http_state == NULL) {
2123 printf(
"no http state: ");
2137 if (alp_tctx != NULL)
2139 if (det_ctx != NULL) {
2142 if (de_ctx != NULL) {
2152 static int DetectHttpCookieSigTest04(
void)
2156 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2157 "Cookie: dummy\r\n\r\n";
2158 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2167 memset(&th_v, 0,
sizeof(th_v));
2168 memset(&p, 0,
sizeof(p));
2169 memset(&f, 0,
sizeof(f));
2170 memset(&ssn, 0,
sizeof(ssn));
2176 f.
proto = IPPROTO_TCP;
2188 if (de_ctx == NULL) {
2194 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2195 "\"HTTP cookie\"; content:!\"boo\"; " 2196 "http_cookie; sid:1;)");
2208 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2216 if (http_state == NULL) {
2217 printf(
"no http state: ");
2231 if (alp_tctx != NULL)
2233 if (det_ctx != NULL) {
2236 if (de_ctx != NULL) {
2246 static int DetectHttpCookieSigTest05(
void)
2250 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2251 "Cookie: DuMmY\r\n\r\n";
2252 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2261 memset(&th_v, 0,
sizeof(th_v));
2262 memset(&p, 0,
sizeof(p));
2263 memset(&f, 0,
sizeof(f));
2264 memset(&ssn, 0,
sizeof(ssn));
2270 f.
proto = IPPROTO_TCP;
2282 if (de_ctx == NULL) {
2288 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2289 "\"HTTP cookie\"; content:\"dummy\"; nocase; " 2290 "http_cookie; sid:1;)");
2302 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2310 if (http_state == NULL) {
2311 printf(
"no http state: ");
2325 if (alp_tctx != NULL)
2327 if (det_ctx != NULL) {
2330 if (de_ctx != NULL) {
2340 static int DetectHttpCookieSigTest06(
void)
2344 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2345 "Cookie: DuMmY\r\n\r\n";
2346 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2355 memset(&th_v, 0,
sizeof(th_v));
2356 memset(&p, 0,
sizeof(p));
2357 memset(&f, 0,
sizeof(f));
2358 memset(&ssn, 0,
sizeof(ssn));
2364 f.
proto = IPPROTO_TCP;
2376 if (de_ctx == NULL) {
2382 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2383 "\"HTTP cookie\"; content:\"dummy\"; " 2384 "http_cookie; nocase; sid:1;)");
2386 printf(
"sig parse failed: ");
2397 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2404 if (http_state == NULL) {
2405 printf(
"no http state: ");
2413 printf(
"sig 1 failed to match: ");
2419 if (alp_tctx != NULL)
2421 if (det_ctx != NULL) {
2424 if (de_ctx != NULL) {
2434 static int DetectHttpCookieSigTest07(
void)
2438 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2439 "Cookie: dummy\r\n\r\n";
2440 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2449 memset(&th_v, 0,
sizeof(th_v));
2450 memset(&f, 0,
sizeof(f));
2451 memset(&ssn, 0,
sizeof(ssn));
2457 f.
proto = IPPROTO_TCP;
2469 if (de_ctx == NULL) {
2475 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2476 "\"HTTP cookie\"; content:!\"dummy\"; " 2477 "http_cookie; sid:1;)");
2489 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2497 if (http_state == NULL) {
2498 printf(
"no http state: ");
2512 if (alp_tctx != NULL)
2514 if (det_ctx != NULL) {
2517 if (de_ctx != NULL) {
2529 static int DetectHttpCookieSigTest08(
void)
2534 uint8_t httpbuf_request[] =
2535 "GET / HTTP/1.1\r\n" 2536 "User-Agent: Mozilla/1.0\r\n" 2538 uint32_t httpbuf_request_len =
sizeof(httpbuf_request) - 1;
2540 uint8_t httpbuf_response[] =
2541 "HTTP/1.1 200 OK\r\n" 2542 "Set-Cookie: response_user_agent\r\n" 2544 uint32_t httpbuf_response_len =
sizeof(httpbuf_response) - 1;
2547 Packet *p1 = NULL, *p2 = NULL;
2554 memset(&th_v, 0,
sizeof(th_v));
2555 memset(&f, 0,
sizeof(f));
2556 memset(&ssn, 0,
sizeof(ssn));
2560 f.
proto = IPPROTO_TCP;
2579 if (de_ctx == NULL) {
2585 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any " 2586 "(flow:to_client; content:\"response_user_agent\"; " 2587 "http_cookie; sid:1;)");
2599 httpbuf_request_len);
2601 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2609 if (http_state == NULL) {
2610 printf(
"no http state: ");
2624 httpbuf_response_len);
2626 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2642 if (alp_tctx != NULL)
2644 if (det_ctx != NULL) {
2647 if (de_ctx != NULL) {
2660 static int DetectHttpCookieSigTest09(
void)
2665 uint8_t httpbuf_request[] =
2666 "GET / HTTP/1.1\r\n" 2667 "Cookie: request_user_agent\r\n" 2668 "User-Agent: Mozilla/1.0\r\n" 2670 uint32_t httpbuf_request_len =
sizeof(httpbuf_request) - 1;
2672 uint8_t httpbuf_response[] =
2673 "HTTP/1.1 200 OK\r\n" 2674 "Set-Cookie: response_user_agent\r\n" 2676 uint32_t httpbuf_response_len =
sizeof(httpbuf_response) - 1;
2679 Packet *p1 = NULL, *p2 = NULL;
2686 memset(&th_v, 0,
sizeof(th_v));
2687 memset(&f, 0,
sizeof(f));
2688 memset(&ssn, 0,
sizeof(ssn));
2692 f.
proto = IPPROTO_TCP;
2711 if (de_ctx == NULL) {
2717 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any " 2718 "(flow:to_server; content:\"request_user_agent\"; " 2719 "http_cookie; sid:1;)");
2724 "(flow:to_client; content:\"response_user_agent\"; " 2725 "http_cookie; sid:2;)");
2737 httpbuf_request_len);
2739 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2747 if (http_state == NULL) {
2748 printf(
"no http state: ");
2762 httpbuf_response_len);
2764 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2780 if (alp_tctx != NULL)
2782 if (det_ctx != NULL) {
2785 if (de_ctx != NULL) {
2795 static int DetectHttpCookieIsdataatParseTest(
void)
2802 "alert tcp any any -> any any (" 2803 "content:\"one\"; http_cookie; " 2804 "isdataat:!4,relative; sid:1;)");
2827 UtRegisterTest(
"DetectHttpCookieTest01", DetectHttpCookieTest01);
2828 UtRegisterTest(
"DetectHttpCookieTest02", DetectHttpCookieTest02);
2829 UtRegisterTest(
"DetectHttpCookieTest03", DetectHttpCookieTest03);
2830 UtRegisterTest(
"DetectHttpCookieTest04", DetectHttpCookieTest04);
2831 UtRegisterTest(
"DetectHttpCookieTest05", DetectHttpCookieTest05);
2832 UtRegisterTest(
"DetectHttpCookieTest06", DetectHttpCookieTest06);
2833 UtRegisterTest(
"DetectHttpCookieSigTest01", DetectHttpCookieSigTest01);
2834 UtRegisterTest(
"DetectHttpCookieSigTest02", DetectHttpCookieSigTest02);
2835 UtRegisterTest(
"DetectHttpCookieSigTest03", DetectHttpCookieSigTest03);
2836 UtRegisterTest(
"DetectHttpCookieSigTest04", DetectHttpCookieSigTest04);
2837 UtRegisterTest(
"DetectHttpCookieSigTest05", DetectHttpCookieSigTest05);
2838 UtRegisterTest(
"DetectHttpCookieSigTest06", DetectHttpCookieSigTest06);
2839 UtRegisterTest(
"DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
2840 UtRegisterTest(
"DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
2841 UtRegisterTest(
"DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
2843 DetectHttpCookieIsdataatParseTest);
2845 DetectEngineHttpCookieTest01);
2847 DetectEngineHttpCookieTest02);
2849 DetectEngineHttpCookieTest03);
2851 DetectEngineHttpCookieTest04);
2853 DetectEngineHttpCookieTest05);
2855 DetectEngineHttpCookieTest06);
2857 DetectEngineHttpCookieTest07);
2859 DetectEngineHttpCookieTest08);
2861 DetectEngineHttpCookieTest09);
2863 DetectEngineHttpCookieTest10);
2865 DetectEngineHttpCookieTest11);
2867 DetectEngineHttpCookieTest12);
2869 DetectEngineHttpCookieTest13);
2871 DetectEngineHttpCookieTest14);
2873 DetectEngineHttpCookieTest15);
2875 DetectEngineHttpCookieTest16);
2877 DetectEngineHttpCookieTest17);
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
SignatureInitData * init_data
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
#define FLOWLOCK_UNLOCK(fb)
#define PASS
Pass the test.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
#define ISDATAAT_RELATIVE
void StreamTcpFreeConfig(char quiet)
#define FLOWLOCK_WRLOCK(fb)
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define ISDATAAT_RAWBYTES
main detection engine ctx
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int DetectBufferTypeGetByName(const char *name)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define FLOW_PKT_TOSERVER
struct SigMatch_ ** smlists_tail
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
#define FLOW_INITIALIZE(f)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Per thread variable structure.
#define FLOW_PKT_TOCLIENT
AppProto alproto
application level protocol
void DetectHttpCookieRegisterTests(void)
Register the UNITTESTS for the http_cookie keyword.
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
a single match condition for a signature
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
DetectEngineCtx * DetectEngineCtxInit(void)
1.8.11 
