suricata
detect-http-cookie.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP cookie match
31  *
32  */
33 
34 #include "../suricata-common.h"
35 #include "../suricata.h"
36 #include "../flow-util.h"
37 #include "../flow.h"
38 #include "../app-layer-parser.h"
39 #include "../util-unittest.h"
40 #include "../util-unittest-helper.h"
41 #include "../app-layer.h"
42 #include "../app-layer-htp.h"
43 #include "../app-layer-protos.h"
44 #include "../detect-isdataat.h"
45 
46 /***********************************Unittests**********************************/
47 
48 static int g_http_uri_buffer_id = 0;
49 
50 /**
51  * \test Test that the http_cookie content matches against a http request
52  * which holds the content.
53  */
54 static int DetectEngineHttpCookieTest01(void)
55 {
56  TcpSession ssn;
57  Packet *p = NULL;
58  ThreadVars th_v;
59  DetectEngineCtx *de_ctx = NULL;
60  DetectEngineThreadCtx *det_ctx = NULL;
61  HtpState *http_state = NULL;
62  Flow f;
63  uint8_t http_buf[] =
64  "GET /index.html HTTP/1.0\r\n"
65  "Cookie: CONNECT\r\n"
66  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
67  uint32_t http_len = sizeof(http_buf) - 1;
68  int result = 0;
69  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
70 
71  memset(&th_v, 0, sizeof(th_v));
72  memset(&f, 0, sizeof(f));
73  memset(&ssn, 0, sizeof(ssn));
74 
75  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
76 
77  FLOW_INITIALIZE(&f);
78  f.protoctx = (void *)&ssn;
79  f.proto = IPPROTO_TCP;
80  f.flags |= FLOW_IPV4;
81  p->flow = &f;
82  p->flowflags |= FLOW_PKT_TOSERVER;
83  p->flowflags |= FLOW_PKT_ESTABLISHED;
84  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
85  f.alproto = ALPROTO_HTTP1;
86 
87  StreamTcpInitConfig(true);
88 
89  de_ctx = DetectEngineCtxInit();
90  if (de_ctx == NULL)
91  goto end;
92 
93  de_ctx->flags |= DE_QUIET;
94 
95  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
96  "(msg:\"http header test\"; "
97  "content:\"CONNECT\"; http_cookie; "
98  "sid:1;)");
99  if (de_ctx->sig_list == NULL)
100  goto end;
101 
102  SigGroupBuild(de_ctx);
103  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
104 
105  int r = AppLayerParserParse(
106  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
107  if (r != 0) {
108  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
109  result = 0;
110  goto end;
111  }
112 
113  http_state = f.alstate;
114  if (http_state == NULL) {
115  printf("no http state: ");
116  result = 0;
117  goto end;
118  }
119 
120  /* do detect */
121  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
122 
123  if (!(PacketAlertCheck(p, 1))) {
124  printf("sid 1 didn't match but should have: ");
125  goto end;
126  }
127 
128  result = 1;
129 
130 end:
131  if (alp_tctx != NULL)
132  AppLayerParserThreadCtxFree(alp_tctx);
133  if (de_ctx != NULL)
134  DetectEngineCtxFree(de_ctx);
135 
136  StreamTcpFreeConfig(true);
137  FLOW_DESTROY(&f);
138  UTHFreePackets(&p, 1);
139  return result;
140 }
141 
142 /**
143  * \test Test that the http_cookie content matches against a http request
144  * which holds the content.
145  */
146 static int DetectEngineHttpCookieTest02(void)
147 {
148  TcpSession ssn;
149  Packet *p = NULL;
150  ThreadVars th_v;
151  DetectEngineCtx *de_ctx = NULL;
152  DetectEngineThreadCtx *det_ctx = NULL;
153  HtpState *http_state = NULL;
154  Flow f;
155  uint8_t http_buf[] =
156  "CONNECT /index.html HTTP/1.0\r\n"
157  "Cookie: CONNECT\r\n"
158  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
159  uint32_t http_len = sizeof(http_buf) - 1;
160  int result = 0;
161  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
162 
163  memset(&th_v, 0, sizeof(th_v));
164  memset(&f, 0, sizeof(f));
165  memset(&ssn, 0, sizeof(ssn));
166 
167  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
168 
169  FLOW_INITIALIZE(&f);
170  f.protoctx = (void *)&ssn;
171  f.proto = IPPROTO_TCP;
172  f.flags |= FLOW_IPV4;
173  p->flow = &f;
174  p->flowflags |= FLOW_PKT_TOSERVER;
175  p->flowflags |= FLOW_PKT_ESTABLISHED;
176  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
177  f.alproto = ALPROTO_HTTP1;
178 
179  StreamTcpInitConfig(true);
180 
181  de_ctx = DetectEngineCtxInit();
182  if (de_ctx == NULL)
183  goto end;
184 
185  de_ctx->flags |= DE_QUIET;
186 
187  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
188  "(msg:\"http header test\"; "
189  "content:\"CO\"; depth:4; http_cookie; "
190  "sid:1;)");
191  if (de_ctx->sig_list == NULL)
192  goto end;
193 
194  SigGroupBuild(de_ctx);
195  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
196 
197  int r = AppLayerParserParse(
198  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
199  if (r != 0) {
200  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
201  result = 0;
202  goto end;
203  }
204 
205  http_state = f.alstate;
206  if (http_state == NULL) {
207  printf("no http state: ");
208  result = 0;
209  goto end;
210  }
211 
212  /* do detect */
213  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
214 
215  if (!(PacketAlertCheck(p, 1))) {
216  printf("sid 1 didn't match but should have: ");
217  goto end;
218  }
219 
220  result = 1;
221 
222 end:
223  if (alp_tctx != NULL)
224  AppLayerParserThreadCtxFree(alp_tctx);
225  if (de_ctx != NULL)
226  DetectEngineCtxFree(de_ctx);
227 
228  StreamTcpFreeConfig(true);
229  FLOW_DESTROY(&f);
230  UTHFreePackets(&p, 1);
231  return result;
232 }
233 
234 /**
235  * \test Test that the http_cookie content matches against a http request
236  * which holds the content.
237  */
238 static int DetectEngineHttpCookieTest03(void)
239 {
240  TcpSession ssn;
241  Packet *p = NULL;
242  ThreadVars th_v;
243  DetectEngineCtx *de_ctx = NULL;
244  DetectEngineThreadCtx *det_ctx = NULL;
245  HtpState *http_state = NULL;
246  Flow f;
247  uint8_t http_buf[] =
248  "CONNECT /index.html HTTP/1.0\r\n"
249  "Cookie: CONNECT\r\n"
250  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
251  uint32_t http_len = sizeof(http_buf) - 1;
252  int result = 0;
253  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
254 
255  memset(&th_v, 0, sizeof(th_v));
256  memset(&f, 0, sizeof(f));
257  memset(&ssn, 0, sizeof(ssn));
258 
259  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
260 
261  FLOW_INITIALIZE(&f);
262  f.protoctx = (void *)&ssn;
263  f.proto = IPPROTO_TCP;
264  f.flags |= FLOW_IPV4;
265  p->flow = &f;
266  p->flowflags |= FLOW_PKT_TOSERVER;
267  p->flowflags |= FLOW_PKT_ESTABLISHED;
268  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
269  f.alproto = ALPROTO_HTTP1;
270 
271  StreamTcpInitConfig(true);
272 
273  de_ctx = DetectEngineCtxInit();
274  if (de_ctx == NULL)
275  goto end;
276 
277  de_ctx->flags |= DE_QUIET;
278 
279  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
280  "(msg:\"http header test\"; "
281  "content:!\"ECT\"; depth:4; http_cookie; "
282  "sid:1;)");
283  if (de_ctx->sig_list == NULL)
284  goto end;
285 
286  SigGroupBuild(de_ctx);
287  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
288 
289  int r = AppLayerParserParse(
290  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
291  if (r != 0) {
292  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
293  result = 0;
294  goto end;
295  }
296 
297  http_state = f.alstate;
298  if (http_state == NULL) {
299  printf("no http state: ");
300  result = 0;
301  goto end;
302  }
303 
304  /* do detect */
305  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
306 
307  if (!(PacketAlertCheck(p, 1))) {
308  printf("sid 1 didn't match but should have: ");
309  goto end;
310  }
311 
312  result = 1;
313 
314 end:
315  if (alp_tctx != NULL)
316  AppLayerParserThreadCtxFree(alp_tctx);
317  if (de_ctx != NULL)
318  DetectEngineCtxFree(de_ctx);
319 
320  StreamTcpFreeConfig(true);
321  FLOW_DESTROY(&f);
322  UTHFreePackets(&p, 1);
323  return result;
324 }
325 
326 /**
327  * \test Test that the http_cookie content matches against a http request
328  * which holds the content.
329  */
330 static int DetectEngineHttpCookieTest04(void)
331 {
332  TcpSession ssn;
333  Packet *p = NULL;
334  ThreadVars th_v;
335  DetectEngineCtx *de_ctx = NULL;
336  DetectEngineThreadCtx *det_ctx = NULL;
337  HtpState *http_state = NULL;
338  Flow f;
339  uint8_t http_buf[] =
340  "CONNECT /index.html HTTP/1.0\r\n"
341  "Cookie: CONNECT\r\n"
342  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
343  uint32_t http_len = sizeof(http_buf) - 1;
344  int result = 0;
345  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
346 
347  memset(&th_v, 0, sizeof(th_v));
348  memset(&f, 0, sizeof(f));
349  memset(&ssn, 0, sizeof(ssn));
350 
351  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
352 
353  FLOW_INITIALIZE(&f);
354  f.protoctx = (void *)&ssn;
355  f.proto = IPPROTO_TCP;
356  f.flags |= FLOW_IPV4;
357  p->flow = &f;
358  p->flowflags |= FLOW_PKT_TOSERVER;
359  p->flowflags |= FLOW_PKT_ESTABLISHED;
360  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
361  f.alproto = ALPROTO_HTTP1;
362 
363  StreamTcpInitConfig(true);
364 
365  de_ctx = DetectEngineCtxInit();
366  if (de_ctx == NULL)
367  goto end;
368 
369  de_ctx->flags |= DE_QUIET;
370 
371  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
372  "(msg:\"http header test\"; "
373  "content:\"ECT\"; depth:4; http_cookie; "
374  "sid:1;)");
375  if (de_ctx->sig_list == NULL)
376  goto end;
377 
378  SigGroupBuild(de_ctx);
379  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
380 
381  int r = AppLayerParserParse(
382  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
383  if (r != 0) {
384  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
385  result = 0;
386  goto end;
387  }
388 
389  http_state = f.alstate;
390  if (http_state == NULL) {
391  printf("no http state: ");
392  result = 0;
393  goto end;
394  }
395 
396  /* do detect */
397  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
398 
399  if (PacketAlertCheck(p, 1)) {
400  printf("sid 1 matched but shouldn't have: ");
401  goto end;
402  }
403 
404  result = 1;
405 
406 end:
407  if (alp_tctx != NULL)
408  AppLayerParserThreadCtxFree(alp_tctx);
409  if (de_ctx != NULL)
410  DetectEngineCtxFree(de_ctx);
411 
412  StreamTcpFreeConfig(true);
413  FLOW_DESTROY(&f);
414  UTHFreePackets(&p, 1);
415  return result;
416 }
417 
418 /**
419  * \test Test that the http_cookie content matches against a http request
420  * which holds the content.
421  */
422 static int DetectEngineHttpCookieTest05(void)
423 {
424  TcpSession ssn;
425  Packet *p = NULL;
426  ThreadVars th_v;
427  DetectEngineCtx *de_ctx = NULL;
428  DetectEngineThreadCtx *det_ctx = NULL;
429  HtpState *http_state = NULL;
430  Flow f;
431  uint8_t http_buf[] =
432  "CONNECT /index.html HTTP/1.0\r\n"
433  "Cookie: CONNECT\r\n"
434  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
435  uint32_t http_len = sizeof(http_buf) - 1;
436  int result = 0;
437  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
438 
439  memset(&th_v, 0, sizeof(th_v));
440  memset(&f, 0, sizeof(f));
441  memset(&ssn, 0, sizeof(ssn));
442 
443  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
444 
445  FLOW_INITIALIZE(&f);
446  f.protoctx = (void *)&ssn;
447  f.proto = IPPROTO_TCP;
448  f.flags |= FLOW_IPV4;
449  p->flow = &f;
450  p->flowflags |= FLOW_PKT_TOSERVER;
451  p->flowflags |= FLOW_PKT_ESTABLISHED;
452  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
453  f.alproto = ALPROTO_HTTP1;
454 
455  StreamTcpInitConfig(true);
456 
457  de_ctx = DetectEngineCtxInit();
458  if (de_ctx == NULL)
459  goto end;
460 
461  de_ctx->flags |= DE_QUIET;
462 
463  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
464  "(msg:\"http header test\"; "
465  "content:!\"CON\"; depth:4; http_cookie; "
466  "sid:1;)");
467  if (de_ctx->sig_list == NULL)
468  goto end;
469 
470  SigGroupBuild(de_ctx);
471  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
472 
473  int r = AppLayerParserParse(
474  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
475  if (r != 0) {
476  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
477  result = 0;
478  goto end;
479  }
480 
481  http_state = f.alstate;
482  if (http_state == NULL) {
483  printf("no http state: ");
484  result = 0;
485  goto end;
486  }
487 
488  /* do detect */
489  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
490 
491  if (PacketAlertCheck(p, 1)) {
492  printf("sid 1 matched but shouldn't have: ");
493  goto end;
494  }
495 
496  result = 1;
497 
498 end:
499  if (alp_tctx != NULL)
500  AppLayerParserThreadCtxFree(alp_tctx);
501  if (de_ctx != NULL)
502  DetectEngineCtxFree(de_ctx);
503 
504  StreamTcpFreeConfig(true);
505  FLOW_DESTROY(&f);
506  UTHFreePackets(&p, 1);
507  return result;
508 }
509 
510 /**
511  * \test Test that the http_cookie content matches against a http request
512  * which holds the content.
513  */
514 static int DetectEngineHttpCookieTest06(void)
515 {
516  TcpSession ssn;
517  Packet *p = NULL;
518  ThreadVars th_v;
519  DetectEngineCtx *de_ctx = NULL;
520  DetectEngineThreadCtx *det_ctx = NULL;
521  HtpState *http_state = NULL;
522  Flow f;
523  uint8_t http_buf[] =
524  "CONNECT /index.html HTTP/1.0\r\n"
525  "Cookie: CONNECT\r\n"
526  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
527  uint32_t http_len = sizeof(http_buf) - 1;
528  int result = 0;
529  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
530 
531  memset(&th_v, 0, sizeof(th_v));
532  memset(&f, 0, sizeof(f));
533  memset(&ssn, 0, sizeof(ssn));
534 
535  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
536 
537  FLOW_INITIALIZE(&f);
538  f.protoctx = (void *)&ssn;
539  f.proto = IPPROTO_TCP;
540  f.flags |= FLOW_IPV4;
541  p->flow = &f;
542  p->flowflags |= FLOW_PKT_TOSERVER;
543  p->flowflags |= FLOW_PKT_ESTABLISHED;
544  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
545  f.alproto = ALPROTO_HTTP1;
546 
547  StreamTcpInitConfig(true);
548 
549  de_ctx = DetectEngineCtxInit();
550  if (de_ctx == NULL)
551  goto end;
552 
553  de_ctx->flags |= DE_QUIET;
554 
555  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
556  "(msg:\"http header test\"; "
557  "content:\"ECT\"; offset:3; http_cookie; "
558  "sid:1;)");
559  if (de_ctx->sig_list == NULL)
560  goto end;
561 
562  SigGroupBuild(de_ctx);
563  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
564 
565  int r = AppLayerParserParse(
566  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
567  if (r != 0) {
568  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
569  result = 0;
570  goto end;
571  }
572 
573  http_state = f.alstate;
574  if (http_state == NULL) {
575  printf("no http state: ");
576  result = 0;
577  goto end;
578  }
579 
580  /* do detect */
581  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
582 
583  if (!(PacketAlertCheck(p, 1))) {
584  printf("sid 1 didn't match but should have: ");
585  goto end;
586  }
587 
588  result = 1;
589 
590 end:
591  if (alp_tctx != NULL)
592  AppLayerParserThreadCtxFree(alp_tctx);
593  if (de_ctx != NULL)
594  DetectEngineCtxFree(de_ctx);
595 
596  StreamTcpFreeConfig(true);
597  FLOW_DESTROY(&f);
598  UTHFreePackets(&p, 1);
599  return result;
600 }
601 
602 /**
603  * \test Test that the http_cookie content matches against a http request
604  * which holds the content.
605  */
606 static int DetectEngineHttpCookieTest07(void)
607 {
608  TcpSession ssn;
609  Packet *p = NULL;
610  ThreadVars th_v;
611  DetectEngineCtx *de_ctx = NULL;
612  DetectEngineThreadCtx *det_ctx = NULL;
613  HtpState *http_state = NULL;
614  Flow f;
615  uint8_t http_buf[] =
616  "CONNECT /index.html HTTP/1.0\r\n"
617  "Cookie: CONNECT\r\n"
618  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
619  uint32_t http_len = sizeof(http_buf) - 1;
620  int result = 0;
621  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
622 
623  memset(&th_v, 0, sizeof(th_v));
624  memset(&f, 0, sizeof(f));
625  memset(&ssn, 0, sizeof(ssn));
626 
627  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
628 
629  FLOW_INITIALIZE(&f);
630  f.protoctx = (void *)&ssn;
631  f.proto = IPPROTO_TCP;
632  f.flags |= FLOW_IPV4;
633  p->flow = &f;
634  p->flowflags |= FLOW_PKT_TOSERVER;
635  p->flowflags |= FLOW_PKT_ESTABLISHED;
636  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
637  f.alproto = ALPROTO_HTTP1;
638 
639  StreamTcpInitConfig(true);
640 
641  de_ctx = DetectEngineCtxInit();
642  if (de_ctx == NULL)
643  goto end;
644 
645  de_ctx->flags |= DE_QUIET;
646 
647  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
648  "(msg:\"http header test\"; "
649  "content:!\"CO\"; offset:3; http_cookie; "
650  "sid:1;)");
651  if (de_ctx->sig_list == NULL)
652  goto end;
653 
654  SigGroupBuild(de_ctx);
655  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
656 
657  int r = AppLayerParserParse(
658  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
659  if (r != 0) {
660  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
661  result = 0;
662  goto end;
663  }
664 
665  http_state = f.alstate;
666  if (http_state == NULL) {
667  printf("no http state: ");
668  result = 0;
669  goto end;
670  }
671 
672  /* do detect */
673  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
674 
675  if (!(PacketAlertCheck(p, 1))) {
676  printf("sid 1 didn't match but should have: ");
677  goto end;
678  }
679 
680  result = 1;
681 
682 end:
683  if (alp_tctx != NULL)
684  AppLayerParserThreadCtxFree(alp_tctx);
685  if (de_ctx != NULL)
686  DetectEngineCtxFree(de_ctx);
687 
688  StreamTcpFreeConfig(true);
689  FLOW_DESTROY(&f);
690  UTHFreePackets(&p, 1);
691  return result;
692 }
693 
694 /**
695  * \test Test that the http_cookie content matches against a http request
696  * which holds the content.
697  */
698 static int DetectEngineHttpCookieTest08(void)
699 {
700  TcpSession ssn;
701  Packet *p = NULL;
702  ThreadVars th_v;
703  DetectEngineCtx *de_ctx = NULL;
704  DetectEngineThreadCtx *det_ctx = NULL;
705  HtpState *http_state = NULL;
706  Flow f;
707  uint8_t http_buf[] =
708  "CONNECT /index.html HTTP/1.0\r\n"
709  "Cookie: CONNECT\r\n"
710  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
711  uint32_t http_len = sizeof(http_buf) - 1;
712  int result = 0;
713  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
714 
715  memset(&th_v, 0, sizeof(th_v));
716  memset(&f, 0, sizeof(f));
717  memset(&ssn, 0, sizeof(ssn));
718 
719  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
720 
721  FLOW_INITIALIZE(&f);
722  f.protoctx = (void *)&ssn;
723  f.proto = IPPROTO_TCP;
724  f.flags |= FLOW_IPV4;
725  p->flow = &f;
726  p->flowflags |= FLOW_PKT_TOSERVER;
727  p->flowflags |= FLOW_PKT_ESTABLISHED;
728  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
729  f.alproto = ALPROTO_HTTP1;
730 
731  StreamTcpInitConfig(true);
732 
733  de_ctx = DetectEngineCtxInit();
734  if (de_ctx == NULL)
735  goto end;
736 
737  de_ctx->flags |= DE_QUIET;
738 
739  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
740  "(msg:\"http header test\"; "
741  "content:!\"ECT\"; offset:3; http_cookie; "
742  "sid:1;)");
743  if (de_ctx->sig_list == NULL)
744  goto end;
745 
746  SigGroupBuild(de_ctx);
747  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
748 
749  int r = AppLayerParserParse(
750  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
751  if (r != 0) {
752  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
753  result = 0;
754  goto end;
755  }
756 
757  http_state = f.alstate;
758  if (http_state == NULL) {
759  printf("no http state: ");
760  result = 0;
761  goto end;
762  }
763 
764  /* do detect */
765  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
766 
767  if (PacketAlertCheck(p, 1)) {
768  printf("sid 1 matched but shouldn't have: ");
769  goto end;
770  }
771 
772  result = 1;
773 
774 end:
775  if (alp_tctx != NULL)
776  AppLayerParserThreadCtxFree(alp_tctx);
777  if (de_ctx != NULL)
778  DetectEngineCtxFree(de_ctx);
779 
780  StreamTcpFreeConfig(true);
781  FLOW_DESTROY(&f);
782  UTHFreePackets(&p, 1);
783  return result;
784 }
785 
786 /**
787  * \test Test that the http_cookie content matches against a http request
788  * which holds the content.
789  */
790 static int DetectEngineHttpCookieTest09(void)
791 {
792  TcpSession ssn;
793  Packet *p = NULL;
794  ThreadVars th_v;
795  DetectEngineCtx *de_ctx = NULL;
796  DetectEngineThreadCtx *det_ctx = NULL;
797  HtpState *http_state = NULL;
798  Flow f;
799  uint8_t http_buf[] =
800  "CONNECT /index.html HTTP/1.0\r\n"
801  "Cookie: CONNECT\r\n"
802  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
803  uint32_t http_len = sizeof(http_buf) - 1;
804  int result = 0;
805  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
806 
807  memset(&th_v, 0, sizeof(th_v));
808  memset(&f, 0, sizeof(f));
809  memset(&ssn, 0, sizeof(ssn));
810 
811  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
812 
813  FLOW_INITIALIZE(&f);
814  f.protoctx = (void *)&ssn;
815  f.proto = IPPROTO_TCP;
816  f.flags |= FLOW_IPV4;
817  p->flow = &f;
818  p->flowflags |= FLOW_PKT_TOSERVER;
819  p->flowflags |= FLOW_PKT_ESTABLISHED;
820  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
821  f.alproto = ALPROTO_HTTP1;
822 
823  StreamTcpInitConfig(true);
824 
825  de_ctx = DetectEngineCtxInit();
826  if (de_ctx == NULL)
827  goto end;
828 
829  de_ctx->flags |= DE_QUIET;
830 
831  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
832  "(msg:\"http header test\"; "
833  "content:\"CON\"; offset:3; http_cookie; "
834  "sid:1;)");
835  if (de_ctx->sig_list == NULL)
836  goto end;
837 
838  SigGroupBuild(de_ctx);
839  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
840 
841  int r = AppLayerParserParse(
842  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
843  if (r != 0) {
844  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
845  result = 0;
846  goto end;
847  }
848 
849  http_state = f.alstate;
850  if (http_state == NULL) {
851  printf("no http state: ");
852  result = 0;
853  goto end;
854  }
855 
856  /* do detect */
857  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
858 
859  if (PacketAlertCheck(p, 1)) {
860  printf("sid 1 matched but shouldn't have: ");
861  goto end;
862  }
863 
864  result = 1;
865 
866 end:
867  if (alp_tctx != NULL)
868  AppLayerParserThreadCtxFree(alp_tctx);
869  if (de_ctx != NULL)
870  DetectEngineCtxFree(de_ctx);
871 
872  StreamTcpFreeConfig(true);
873  FLOW_DESTROY(&f);
874  UTHFreePackets(&p, 1);
875  return result;
876 }
877 
878 /**
879  * \test Test that the http_cookie content matches against a http request
880  * which holds the content.
881  */
882 static int DetectEngineHttpCookieTest10(void)
883 {
884  TcpSession ssn;
885  Packet *p = NULL;
886  ThreadVars th_v;
887  DetectEngineCtx *de_ctx = NULL;
888  DetectEngineThreadCtx *det_ctx = NULL;
889  HtpState *http_state = NULL;
890  Flow f;
891  uint8_t http_buf[] =
892  "CONNECT /index.html HTTP/1.0\r\n"
893  "Cookie: CONNECT\r\n"
894  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
895  uint32_t http_len = sizeof(http_buf) - 1;
896  int result = 0;
897  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
898 
899  memset(&th_v, 0, sizeof(th_v));
900  memset(&f, 0, sizeof(f));
901  memset(&ssn, 0, sizeof(ssn));
902 
903  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
904 
905  FLOW_INITIALIZE(&f);
906  f.protoctx = (void *)&ssn;
907  f.proto = IPPROTO_TCP;
908  f.flags |= FLOW_IPV4;
909  p->flow = &f;
910  p->flowflags |= FLOW_PKT_TOSERVER;
911  p->flowflags |= FLOW_PKT_ESTABLISHED;
912  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
913  f.alproto = ALPROTO_HTTP1;
914 
915  StreamTcpInitConfig(true);
916 
917  de_ctx = DetectEngineCtxInit();
918  if (de_ctx == NULL)
919  goto end;
920 
921  de_ctx->flags |= DE_QUIET;
922 
923  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
924  "(msg:\"http header test\"; "
925  "content:\"CO\"; http_cookie; "
926  "content:\"EC\"; within:4; http_cookie; "
927  "sid:1;)");
928  if (de_ctx->sig_list == NULL)
929  goto end;
930 
931  SigGroupBuild(de_ctx);
932  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
933 
934  int r = AppLayerParserParse(
935  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
936  if (r != 0) {
937  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
938  result = 0;
939  goto end;
940  }
941 
942  http_state = f.alstate;
943  if (http_state == NULL) {
944  printf("no http state: ");
945  result = 0;
946  goto end;
947  }
948 
949  /* do detect */
950  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
951 
952  if (!PacketAlertCheck(p, 1)) {
953  printf("sid 1 didn't match but should have: ");
954  goto end;
955  }
956 
957  result = 1;
958 
959 end:
960  if (alp_tctx != NULL)
961  AppLayerParserThreadCtxFree(alp_tctx);
962  if (de_ctx != NULL)
963  DetectEngineCtxFree(de_ctx);
964 
965  StreamTcpFreeConfig(true);
966  FLOW_DESTROY(&f);
967  UTHFreePackets(&p, 1);
968  return result;
969 }
970 
971 /**
972  * \test Test that the http_cookie content matches against a http request
973  * which holds the content.
974  */
975 static int DetectEngineHttpCookieTest11(void)
976 {
977  TcpSession ssn;
978  Packet *p = NULL;
979  ThreadVars th_v;
980  DetectEngineCtx *de_ctx = NULL;
981  DetectEngineThreadCtx *det_ctx = NULL;
982  HtpState *http_state = NULL;
983  Flow f;
984  uint8_t http_buf[] =
985  "CONNECT /index.html HTTP/1.0\r\n"
986  "Cookie: CONNECT\r\n"
987  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
988  uint32_t http_len = sizeof(http_buf) - 1;
989  int result = 0;
990  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
991 
992  memset(&th_v, 0, sizeof(th_v));
993  memset(&f, 0, sizeof(f));
994  memset(&ssn, 0, sizeof(ssn));
995 
996  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
997 
998  FLOW_INITIALIZE(&f);
999  f.protoctx = (void *)&ssn;
1000  f.proto = IPPROTO_TCP;
1001  f.flags |= FLOW_IPV4;
1002  p->flow = &f;
1003  p->flowflags |= FLOW_PKT_TOSERVER;
1004  p->flowflags |= FLOW_PKT_ESTABLISHED;
1005  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1006  f.alproto = ALPROTO_HTTP1;
1007 
1008  StreamTcpInitConfig(true);
1009 
1010  de_ctx = DetectEngineCtxInit();
1011  if (de_ctx == NULL)
1012  goto end;
1013 
1014  de_ctx->flags |= DE_QUIET;
1015 
1016  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1017  "(msg:\"http header test\"; "
1018  "content:\"CO\"; http_cookie; "
1019  "content:!\"EC\"; within:3; http_cookie; "
1020  "sid:1;)");
1021  if (de_ctx->sig_list == NULL)
1022  goto end;
1023 
1024  SigGroupBuild(de_ctx);
1025  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1026 
1027  int r = AppLayerParserParse(
1028  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1029  if (r != 0) {
1030  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1031  result = 0;
1032  goto end;
1033  }
1034 
1035  http_state = f.alstate;
1036  if (http_state == NULL) {
1037  printf("no http state: ");
1038  result = 0;
1039  goto end;
1040  }
1041 
1042  /* do detect */
1043  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1044 
1045  if (!PacketAlertCheck(p, 1)) {
1046  printf("sid 1 didn't match but should have: ");
1047  goto end;
1048  }
1049 
1050  result = 1;
1051 
1052 end:
1053  if (alp_tctx != NULL)
1054  AppLayerParserThreadCtxFree(alp_tctx);
1055  if (de_ctx != NULL)
1056  DetectEngineCtxFree(de_ctx);
1057 
1058  StreamTcpFreeConfig(true);
1059  FLOW_DESTROY(&f);
1060  UTHFreePackets(&p, 1);
1061  return result;
1062 }
1063 
1064 /**
1065  * \test Test that the http_cookie content matches against a http request
1066  * which holds the content.
1067  */
1068 static int DetectEngineHttpCookieTest12(void)
1069 {
1070  TcpSession ssn;
1071  Packet *p = NULL;
1072  ThreadVars th_v;
1073  DetectEngineCtx *de_ctx = NULL;
1074  DetectEngineThreadCtx *det_ctx = NULL;
1075  HtpState *http_state = NULL;
1076  Flow f;
1077  uint8_t http_buf[] =
1078  "CONNECT /index.html HTTP/1.0\r\n"
1079  "Cookie: CONNECT\r\n"
1080  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1081  uint32_t http_len = sizeof(http_buf) - 1;
1082  int result = 0;
1083  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1084 
1085  memset(&th_v, 0, sizeof(th_v));
1086  memset(&f, 0, sizeof(f));
1087  memset(&ssn, 0, sizeof(ssn));
1088 
1089  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1090 
1091  FLOW_INITIALIZE(&f);
1092  f.protoctx = (void *)&ssn;
1093  f.proto = IPPROTO_TCP;
1094  f.flags |= FLOW_IPV4;
1095  p->flow = &f;
1096  p->flowflags |= FLOW_PKT_TOSERVER;
1097  p->flowflags |= FLOW_PKT_ESTABLISHED;
1098  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1099  f.alproto = ALPROTO_HTTP1;
1100 
1101  StreamTcpInitConfig(true);
1102 
1103  de_ctx = DetectEngineCtxInit();
1104  if (de_ctx == NULL)
1105  goto end;
1106 
1107  de_ctx->flags |= DE_QUIET;
1108 
1109  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1110  "(msg:\"http header test\"; "
1111  "content:\"CO\"; http_cookie; "
1112  "content:\"EC\"; within:3; http_cookie; "
1113  "sid:1;)");
1114  if (de_ctx->sig_list == NULL)
1115  goto end;
1116 
1117  SigGroupBuild(de_ctx);
1118  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1119 
1120  int r = AppLayerParserParse(
1121  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1122  if (r != 0) {
1123  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1124  result = 0;
1125  goto end;
1126  }
1127 
1128  http_state = f.alstate;
1129  if (http_state == NULL) {
1130  printf("no http state: ");
1131  result = 0;
1132  goto end;
1133  }
1134 
1135  /* do detect */
1136  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1137 
1138  if (PacketAlertCheck(p, 1)) {
1139  printf("sid 1 matched but shouldn't have: ");
1140  goto end;
1141  }
1142 
1143  result = 1;
1144 
1145 end:
1146  if (alp_tctx != NULL)
1147  AppLayerParserThreadCtxFree(alp_tctx);
1148  if (de_ctx != NULL)
1149  DetectEngineCtxFree(de_ctx);
1150 
1151  StreamTcpFreeConfig(true);
1152  FLOW_DESTROY(&f);
1153  UTHFreePackets(&p, 1);
1154  return result;
1155 }
1156 
1157 /**
1158  * \test Test that the http_cookie content matches against a http request
1159  * which holds the content.
1160  */
1161 static int DetectEngineHttpCookieTest13(void)
1162 {
1163  TcpSession ssn;
1164  Packet *p = NULL;
1165  ThreadVars th_v;
1166  DetectEngineCtx *de_ctx = NULL;
1167  DetectEngineThreadCtx *det_ctx = NULL;
1168  HtpState *http_state = NULL;
1169  Flow f;
1170  uint8_t http_buf[] =
1171  "CONNECT /index.html HTTP/1.0\r\n"
1172  "Cookie: CONNECT\r\n"
1173  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1174  uint32_t http_len = sizeof(http_buf) - 1;
1175  int result = 0;
1176  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1177 
1178  memset(&th_v, 0, sizeof(th_v));
1179  memset(&f, 0, sizeof(f));
1180  memset(&ssn, 0, sizeof(ssn));
1181 
1182  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1183 
1184  FLOW_INITIALIZE(&f);
1185  f.protoctx = (void *)&ssn;
1186  f.proto = IPPROTO_TCP;
1187  f.flags |= FLOW_IPV4;
1188  p->flow = &f;
1189  p->flowflags |= FLOW_PKT_TOSERVER;
1190  p->flowflags |= FLOW_PKT_ESTABLISHED;
1191  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1192  f.alproto = ALPROTO_HTTP1;
1193 
1194  StreamTcpInitConfig(true);
1195 
1196  de_ctx = DetectEngineCtxInit();
1197  if (de_ctx == NULL)
1198  goto end;
1199 
1200  de_ctx->flags |= DE_QUIET;
1201 
1202  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1203  "(msg:\"http header test\"; "
1204  "content:\"CO\"; http_cookie; "
1205  "content:!\"EC\"; within:4; http_cookie; "
1206  "sid:1;)");
1207  if (de_ctx->sig_list == NULL)
1208  goto end;
1209 
1210  SigGroupBuild(de_ctx);
1211  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1212 
1213  int r = AppLayerParserParse(
1214  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1215  if (r != 0) {
1216  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1217  result = 0;
1218  goto end;
1219  }
1220 
1221  http_state = f.alstate;
1222  if (http_state == NULL) {
1223  printf("no http state: ");
1224  result = 0;
1225  goto end;
1226  }
1227 
1228  /* do detect */
1229  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1230 
1231  if (PacketAlertCheck(p, 1)) {
1232  printf("sid 1 matched but shouldn't have: ");
1233  goto end;
1234  }
1235 
1236  result = 1;
1237 
1238 end:
1239  if (alp_tctx != NULL)
1240  AppLayerParserThreadCtxFree(alp_tctx);
1241  if (de_ctx != NULL)
1242  DetectEngineCtxFree(de_ctx);
1243 
1244  StreamTcpFreeConfig(true);
1245  FLOW_DESTROY(&f);
1246  UTHFreePackets(&p, 1);
1247  return result;
1248 }
1249 
1250 /**
1251  * \test Test that the http_cookie content matches against a http request
1252  * which holds the content.
1253  */
1254 static int DetectEngineHttpCookieTest14(void)
1255 {
1256  TcpSession ssn;
1257  Packet *p = NULL;
1258  ThreadVars th_v;
1259  DetectEngineCtx *de_ctx = NULL;
1260  DetectEngineThreadCtx *det_ctx = NULL;
1261  HtpState *http_state = NULL;
1262  Flow f;
1263  uint8_t http_buf[] =
1264  "CONNECT /index.html HTTP/1.0\r\n"
1265  "Cookie: CONNECT\r\n"
1266  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1267  uint32_t http_len = sizeof(http_buf) - 1;
1268  int result = 0;
1269  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1270 
1271  memset(&th_v, 0, sizeof(th_v));
1272  memset(&f, 0, sizeof(f));
1273  memset(&ssn, 0, sizeof(ssn));
1274 
1275  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1276 
1277  FLOW_INITIALIZE(&f);
1278  f.protoctx = (void *)&ssn;
1279  f.proto = IPPROTO_TCP;
1280  f.flags |= FLOW_IPV4;
1281  p->flow = &f;
1282  p->flowflags |= FLOW_PKT_TOSERVER;
1283  p->flowflags |= FLOW_PKT_ESTABLISHED;
1284  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1285  f.alproto = ALPROTO_HTTP1;
1286 
1287  StreamTcpInitConfig(true);
1288 
1289  de_ctx = DetectEngineCtxInit();
1290  if (de_ctx == NULL)
1291  goto end;
1292 
1293  de_ctx->flags |= DE_QUIET;
1294 
1295  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1296  "(msg:\"http header test\"; "
1297  "content:\"CO\"; http_cookie; "
1298  "content:\"EC\"; distance:2; http_cookie; "
1299  "sid:1;)");
1300  if (de_ctx->sig_list == NULL)
1301  goto end;
1302 
1303  SigGroupBuild(de_ctx);
1304  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1305 
1306  int r = AppLayerParserParse(
1307  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1308  if (r != 0) {
1309  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1310  result = 0;
1311  goto end;
1312  }
1313 
1314  http_state = f.alstate;
1315  if (http_state == NULL) {
1316  printf("no http state: ");
1317  result = 0;
1318  goto end;
1319  }
1320 
1321  /* do detect */
1322  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1323 
1324  if (!PacketAlertCheck(p, 1)) {
1325  printf("sid 1 didn't match but should have: ");
1326  goto end;
1327  }
1328 
1329  result = 1;
1330 
1331 end:
1332  if (alp_tctx != NULL)
1333  AppLayerParserThreadCtxFree(alp_tctx);
1334  if (de_ctx != NULL)
1335  DetectEngineCtxFree(de_ctx);
1336 
1337  StreamTcpFreeConfig(true);
1338  FLOW_DESTROY(&f);
1339  UTHFreePackets(&p, 1);
1340  return result;
1341 }
1342 
1343 /**
1344  * \test Test that the http_cookie content matches against a http request
1345  * which holds the content.
1346  */
1347 static int DetectEngineHttpCookieTest15(void)
1348 {
1349  TcpSession ssn;
1350  Packet *p = NULL;
1351  ThreadVars th_v;
1352  DetectEngineCtx *de_ctx = NULL;
1353  DetectEngineThreadCtx *det_ctx = NULL;
1354  HtpState *http_state = NULL;
1355  Flow f;
1356  uint8_t http_buf[] =
1357  "CONNECT /index.html HTTP/1.0\r\n"
1358  "Cookie: CONNECT\r\n"
1359  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1360  uint32_t http_len = sizeof(http_buf) - 1;
1361  int result = 0;
1362  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1363 
1364  memset(&th_v, 0, sizeof(th_v));
1365  memset(&f, 0, sizeof(f));
1366  memset(&ssn, 0, sizeof(ssn));
1367 
1368  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1369 
1370  FLOW_INITIALIZE(&f);
1371  f.protoctx = (void *)&ssn;
1372  f.proto = IPPROTO_TCP;
1373  f.flags |= FLOW_IPV4;
1374  p->flow = &f;
1375  p->flowflags |= FLOW_PKT_TOSERVER;
1376  p->flowflags |= FLOW_PKT_ESTABLISHED;
1377  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1378  f.alproto = ALPROTO_HTTP1;
1379 
1380  StreamTcpInitConfig(true);
1381 
1382  de_ctx = DetectEngineCtxInit();
1383  if (de_ctx == NULL)
1384  goto end;
1385 
1386  de_ctx->flags |= DE_QUIET;
1387 
1388  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1389  "(msg:\"http header test\"; "
1390  "content:\"CO\"; http_cookie; "
1391  "content:!\"EC\"; distance:3; http_cookie; "
1392  "sid:1;)");
1393  if (de_ctx->sig_list == NULL)
1394  goto end;
1395 
1396  SigGroupBuild(de_ctx);
1397  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1398 
1399  int r = AppLayerParserParse(
1400  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1401  if (r != 0) {
1402  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1403  result = 0;
1404  goto end;
1405  }
1406 
1407  http_state = f.alstate;
1408  if (http_state == NULL) {
1409  printf("no http state: ");
1410  result = 0;
1411  goto end;
1412  }
1413 
1414  /* do detect */
1415  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1416 
1417  if (!PacketAlertCheck(p, 1)) {
1418  printf("sid 1 didn't match but should have: ");
1419  goto end;
1420  }
1421 
1422  result = 1;
1423 
1424 end:
1425  if (alp_tctx != NULL)
1426  AppLayerParserThreadCtxFree(alp_tctx);
1427  if (de_ctx != NULL)
1428  DetectEngineCtxFree(de_ctx);
1429 
1430  StreamTcpFreeConfig(true);
1431  FLOW_DESTROY(&f);
1432  UTHFreePackets(&p, 1);
1433  return result;
1434 }
1435 
1436 /**
1437  * \test Test that the http_cookie content matches against a http request
1438  * which holds the content.
1439  */
1440 static int DetectEngineHttpCookieTest16(void)
1441 {
1442  TcpSession ssn;
1443  Packet *p = NULL;
1444  ThreadVars th_v;
1445  DetectEngineCtx *de_ctx = NULL;
1446  DetectEngineThreadCtx *det_ctx = NULL;
1447  HtpState *http_state = NULL;
1448  Flow f;
1449  uint8_t http_buf[] =
1450  "CONNECT /index.html HTTP/1.0\r\n"
1451  "Cookie: CONNECT\r\n"
1452  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1453  uint32_t http_len = sizeof(http_buf) - 1;
1454  int result = 0;
1455  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1456 
1457  memset(&th_v, 0, sizeof(th_v));
1458  memset(&f, 0, sizeof(f));
1459  memset(&ssn, 0, sizeof(ssn));
1460 
1461  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1462 
1463  FLOW_INITIALIZE(&f);
1464  f.protoctx = (void *)&ssn;
1465  f.proto = IPPROTO_TCP;
1466  f.flags |= FLOW_IPV4;
1467  p->flow = &f;
1468  p->flowflags |= FLOW_PKT_TOSERVER;
1469  p->flowflags |= FLOW_PKT_ESTABLISHED;
1470  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1471  f.alproto = ALPROTO_HTTP1;
1472 
1473  StreamTcpInitConfig(true);
1474 
1475  de_ctx = DetectEngineCtxInit();
1476  if (de_ctx == NULL)
1477  goto end;
1478 
1479  de_ctx->flags |= DE_QUIET;
1480 
1481  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1482  "(msg:\"http header test\"; "
1483  "content:\"CO\"; http_cookie; "
1484  "content:\"EC\"; distance:3; http_cookie; "
1485  "sid:1;)");
1486  if (de_ctx->sig_list == NULL)
1487  goto end;
1488 
1489  SigGroupBuild(de_ctx);
1490  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1491 
1492  int r = AppLayerParserParse(
1493  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1494  if (r != 0) {
1495  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1496  result = 0;
1497  goto end;
1498  }
1499 
1500  http_state = f.alstate;
1501  if (http_state == NULL) {
1502  printf("no http state: ");
1503  result = 0;
1504  goto end;
1505  }
1506 
1507  /* do detect */
1508  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1509 
1510  if (PacketAlertCheck(p, 1)) {
1511  printf("sid 1 matched but shouldn't have: ");
1512  goto end;
1513  }
1514 
1515  result = 1;
1516 
1517 end:
1518  if (alp_tctx != NULL)
1519  AppLayerParserThreadCtxFree(alp_tctx);
1520  if (de_ctx != NULL)
1521  DetectEngineCtxFree(de_ctx);
1522 
1523  StreamTcpFreeConfig(true);
1524  FLOW_DESTROY(&f);
1525  UTHFreePackets(&p, 1);
1526  return result;
1527 }
1528 
1529 /**
1530  * \test Test that the http_cookie content matches against a http request
1531  * which holds the content.
1532  */
1533 static int DetectEngineHttpCookieTest17(void)
1534 {
1535  TcpSession ssn;
1536  Packet *p = NULL;
1537  ThreadVars th_v;
1538  DetectEngineCtx *de_ctx = NULL;
1539  DetectEngineThreadCtx *det_ctx = NULL;
1540  HtpState *http_state = NULL;
1541  Flow f;
1542  uint8_t http_buf[] =
1543  "CONNECT /index.html HTTP/1.0\r\n"
1544  "Cookie: CONNECT\r\n"
1545  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1546  uint32_t http_len = sizeof(http_buf) - 1;
1547  int result = 0;
1548  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1549 
1550  memset(&th_v, 0, sizeof(th_v));
1551  memset(&f, 0, sizeof(f));
1552  memset(&ssn, 0, sizeof(ssn));
1553 
1554  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1555 
1556  FLOW_INITIALIZE(&f);
1557  f.protoctx = (void *)&ssn;
1558  f.proto = IPPROTO_TCP;
1559  f.flags |= FLOW_IPV4;
1560  p->flow = &f;
1561  p->flowflags |= FLOW_PKT_TOSERVER;
1562  p->flowflags |= FLOW_PKT_ESTABLISHED;
1563  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1564  f.alproto = ALPROTO_HTTP1;
1565 
1566  StreamTcpInitConfig(true);
1567 
1568  de_ctx = DetectEngineCtxInit();
1569  if (de_ctx == NULL)
1570  goto end;
1571 
1572  de_ctx->flags |= DE_QUIET;
1573 
1574  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1575  "(msg:\"http header test\"; "
1576  "content:\"CO\"; http_cookie; "
1577  "content:!\"EC\"; distance:2; http_cookie; "
1578  "sid:1;)");
1579  if (de_ctx->sig_list == NULL)
1580  goto end;
1581 
1582  SigGroupBuild(de_ctx);
1583  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1584 
1585  int r = AppLayerParserParse(
1586  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1587  if (r != 0) {
1588  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1589  result = 0;
1590  goto end;
1591  }
1592 
1593  http_state = f.alstate;
1594  if (http_state == NULL) {
1595  printf("no http state: ");
1596  result = 0;
1597  goto end;
1598  }
1599 
1600  /* do detect */
1601  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1602 
1603  if (PacketAlertCheck(p, 1)) {
1604  printf("sid 1 matched but shouldn't have: ");
1605  goto end;
1606  }
1607 
1608  result = 1;
1609 
1610 end:
1611  if (alp_tctx != NULL)
1612  AppLayerParserThreadCtxFree(alp_tctx);
1613  if (de_ctx != NULL)
1614  DetectEngineCtxFree(de_ctx);
1615 
1616  StreamTcpFreeConfig(true);
1617  FLOW_DESTROY(&f);
1618  UTHFreePackets(&p, 1);
1619  return result;
1620 }
1621 
1622 /**
1623  * \test Checks if a http_cookie is registered in a Signature, if content is not
1624  * specified in the signature
1625  */
1626 static int DetectHttpCookieTest01(void)
1627 {
1628  DetectEngineCtx *de_ctx = NULL;
1629  int result = 0;
1630 
1631  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1632  goto end;
1633 
1634  de_ctx->flags |= DE_QUIET;
1635  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1636  "(msg:\"Testing http_cookie\"; http_cookie;sid:1;)");
1637  if (de_ctx->sig_list == NULL)
1638  result = 1;
1639 
1640 end:
1641  if (de_ctx != NULL)
1642  DetectEngineCtxFree(de_ctx);
1643  return result;
1644 }
1645 
1646 /**
1647  * \test Checks if a http_cookie is registered in a Signature, if some parameter
1648  * is specified with http_cookie in the signature
1649  */
1650 static int DetectHttpCookieTest02(void)
1651 {
1652  DetectEngineCtx *de_ctx = NULL;
1653  int result = 0;
1654 
1655  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1656  goto end;
1657 
1658  de_ctx->flags |= DE_QUIET;
1659  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1660  "(msg:\"Testing http_cookie\"; content:\"me\"; "
1661  "http_cookie:woo; sid:1;)");
1662  if (de_ctx->sig_list == NULL)
1663  result = 1;
1664 
1665 end:
1666  if (de_ctx != NULL)
1667  DetectEngineCtxFree(de_ctx);
1668  return result;
1669 }
1670 
1671 /**
1672  * \test Checks if a http_cookie is registered in a Signature
1673  */
1674 static int DetectHttpCookieTest03(void)
1675 {
1676  SigMatch *sm = NULL;
1677  DetectEngineCtx *de_ctx = NULL;
1678  int result = 0;
1679 
1680  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1681  goto end;
1682 
1683  de_ctx->flags |= DE_QUIET;
1684  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1685  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1686  "http_cookie; content:\"two\"; http_cookie; "
1687  "content:\"two\"; http_cookie; "
1688  "sid:1;)");
1689  if (de_ctx->sig_list == NULL) {
1690  printf("sig parse failed: ");
1691  goto end;
1692  }
1693 
1694  result = 0;
1695  sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
1696  if (sm == NULL) {
1697  printf("no sigmatch(es): ");
1698  goto end;
1699  }
1700 
1701  while (sm != NULL) {
1702  if (sm->type == DETECT_CONTENT) {
1703  result = 1;
1704  } else {
1705  printf("expected DETECT_CONTENT for http_cookie, got %d: ", sm->type);
1706  goto end;
1707  }
1708  sm = sm->next;
1709  }
1710 
1711 end:
1712  if (de_ctx != NULL)
1713  DetectEngineCtxFree(de_ctx);
1714  return result;
1715 }
1716 
1717 /**
1718  * \test Checks if a http_cookie is registered in a Signature, when fast_pattern
1719  * is also specified in the signature (now it should)
1720  */
1721 static int DetectHttpCookieTest04(void)
1722 {
1723  DetectEngineCtx *de_ctx = NULL;
1724  int result = 0;
1725 
1726  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1727  goto end;
1728 
1729  de_ctx->flags |= DE_QUIET;
1730  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1731  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1732  "fast_pattern; http_cookie; sid:1;)");
1733  if (de_ctx->sig_list != NULL)
1734  result = 1;
1735 
1736 end:
1737  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
1738  return result;
1739 }
1740 
1741 /**
1742  * \test Checks if a http_cookie is registered in a Signature, when rawbytes is
1743  * also specified in the signature
1744  */
1745 static int DetectHttpCookieTest05(void)
1746 {
1747  DetectEngineCtx *de_ctx = NULL;
1748  int result = 0;
1749 
1750  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1751  goto end;
1752 
1753  de_ctx->flags |= DE_QUIET;
1754  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1755  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1756  "rawbytes; http_cookie; sid:1;)");
1757  if (de_ctx->sig_list == NULL)
1758  result = 1;
1759 
1760  end:
1761  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
1762  return result;
1763 }
1764 
1765 /**
1766  * \test Checks if a http_cookie is registered in a Signature, when rawbytes is
1767  * also specified in the signature
1768  */
1769 static int DetectHttpCookieTest06(void)
1770 {
1771  DetectEngineCtx *de_ctx = NULL;
1772  int result = 0;
1773 
1774  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1775  goto end;
1776 
1777  de_ctx->flags |= DE_QUIET;
1778  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1779  "(msg:\"Testing http_cookie\"; content:\"one\"; "
1780  "http_cookie; uricontent:\"abc\"; sid:1;)");
1781  if (de_ctx->sig_list == NULL)
1782  goto end;
1783 
1784  Signature *s = de_ctx->sig_list;
1785 
1786  BUG_ON(s->sm_lists[g_http_cookie_buffer_id] == NULL);
1787 
1788  if (s->sm_lists[g_http_cookie_buffer_id]->type != DETECT_CONTENT)
1789  goto end;
1790 
1791  if (s->sm_lists[g_http_uri_buffer_id] == NULL) {
1792  printf("expected another SigMatch, got NULL: ");
1793  goto end;
1794  }
1795 
1796  if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) {
1797  goto end;
1798  }
1799 
1800  result = 1;
1801 end:
1802  if (de_ctx != NULL) {
1803  DetectEngineCtxFree(de_ctx);
1804  }
1805  return result;
1806 }
1807 
1808 /** \test Check the signature working to alert when http_cookie is matched . */
1809 static int DetectHttpCookieSigTest01(void)
1810 {
1811  int result = 0;
1812  Flow f;
1813  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
1814  " hellocatchme\r\n\r\n";
1815  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1816  TcpSession ssn;
1817  Packet *p = NULL;
1818  Signature *s = NULL;
1819  ThreadVars th_v;
1820  DetectEngineThreadCtx *det_ctx = NULL;
1821  HtpState *http_state = NULL;
1822  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1823 
1824  memset(&th_v, 0, sizeof(th_v));
1825  memset(&f, 0, sizeof(f));
1826  memset(&ssn, 0, sizeof(ssn));
1827 
1828  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1829 
1830  FLOW_INITIALIZE(&f);
1831  f.protoctx = (void *)&ssn;
1832  f.proto = IPPROTO_TCP;
1833  f.flags |= FLOW_IPV4;
1834 
1835  p->flow = &f;
1836  p->flowflags |= FLOW_PKT_TOSERVER;
1837  p->flowflags |= FLOW_PKT_ESTABLISHED;
1838  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1839  f.alproto = ALPROTO_HTTP1;
1840 
1841  StreamTcpInitConfig(true);
1842 
1843  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1844  if (de_ctx == NULL) {
1845  goto end;
1846  }
1847 
1848  de_ctx->flags |= DE_QUIET;
1849 
1850  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1851  "\"HTTP cookie\"; content:\"me\"; "
1852  "http_cookie; sid:1;)");
1853  if (s == NULL) {
1854  goto end;
1855  }
1856 
1857  s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
1858  "cookie\"; content:\"go\"; http_cookie; sid:2;)");
1859  if (s->next == NULL) {
1860  goto end;
1861  }
1862 
1863 
1864  SigGroupBuild(de_ctx);
1865  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1866 
1867  int r = AppLayerParserParse(
1868  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1869  if (r != 0) {
1870  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1871  result = 0;
1872  goto end;
1873  }
1874 
1875  http_state = f.alstate;
1876  if (http_state == NULL) {
1877  printf("no http state: ");
1878  result = 0;
1879  goto end;
1880  }
1881 
1882  /* do detect */
1883  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1884 
1885  if (!(PacketAlertCheck(p, 1))) {
1886  printf("sid 1 didn't match but should have: ");
1887  goto end;
1888  }
1889  if (PacketAlertCheck(p, 2)) {
1890  printf("sid 2 matched but shouldn't: ");
1891  goto end;
1892  }
1893 
1894  result = 1;
1895 end:
1896  if (alp_tctx != NULL)
1897  AppLayerParserThreadCtxFree(alp_tctx);
1898  if (det_ctx != NULL) {
1899  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1900  }
1901  if (de_ctx != NULL) {
1902  DetectEngineCtxFree(de_ctx);
1903  }
1904 
1905  StreamTcpFreeConfig(true);
1906 
1907  UTHFreePackets(&p, 1);
1908  return result;
1909 }
1910 
1911 /** \test Check the signature working to alert when http_cookie is not present */
1912 static int DetectHttpCookieSigTest02(void)
1913 {
1914  int result = 0;
1915  Flow f;
1916  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1917  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1918  TcpSession ssn;
1919  Packet *p = NULL;
1920  Signature *s = NULL;
1921  ThreadVars th_v;
1922  DetectEngineThreadCtx *det_ctx = NULL;
1923  HtpState *http_state = NULL;
1924  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1925 
1926  memset(&th_v, 0, sizeof(th_v));
1927  memset(&p, 0, sizeof(p));
1928  memset(&f, 0, sizeof(f));
1929  memset(&ssn, 0, sizeof(ssn));
1930 
1931  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1932 
1933  FLOW_INITIALIZE(&f);
1934  f.protoctx = (void *)&ssn;
1935  f.proto = IPPROTO_TCP;
1936  f.flags |= FLOW_IPV4;
1937 
1938  p->flow = &f;
1939  p->flowflags |= FLOW_PKT_TOSERVER;
1940  p->flowflags |= FLOW_PKT_ESTABLISHED;
1941  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1942  f.alproto = ALPROTO_HTTP1;
1943 
1944  StreamTcpInitConfig(true);
1945 
1946  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1947  if (de_ctx == NULL) {
1948  goto end;
1949  }
1950 
1951  de_ctx->flags |= DE_QUIET;
1952 
1953  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1954  "\"HTTP cookie\"; content:\"me\"; "
1955  "http_cookie; sid:1;)");
1956  if (s == NULL) {
1957  goto end;
1958  }
1959 
1960  SigGroupBuild(de_ctx);
1961  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1962 
1963  int r = AppLayerParserParse(
1964  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1965  if (r != 0) {
1966  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1967  result = 0;
1968  goto end;
1969  }
1970 
1971  http_state = f.alstate;
1972  if (http_state == NULL) {
1973  printf("no http state: ");
1974  result = 0;
1975  goto end;
1976  }
1977 
1978  /* do detect */
1979  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1980 
1981  if ((PacketAlertCheck(p, 1))) {
1982  goto end;
1983  }
1984 
1985  result = 1;
1986 
1987 end:
1988  if (alp_tctx != NULL)
1989  AppLayerParserThreadCtxFree(alp_tctx);
1990  if (det_ctx != NULL) {
1991  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1992  }
1993  if (de_ctx != NULL) {
1994  DetectEngineCtxFree(de_ctx);
1995  }
1996  StreamTcpFreeConfig(true);
1997  UTHFreePackets(&p, 1);
1998  return result;
1999 }
2000 
2001 /** \test Check the signature working to alert when http_cookie is not present */
2002 static int DetectHttpCookieSigTest03(void)
2003 {
2004  int result = 0;
2005  Flow f;
2006  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2007  "Cookie: dummy\r\n\r\n";
2008  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2009  TcpSession ssn;
2010  Packet *p = NULL;
2011  Signature *s = NULL;
2012  ThreadVars th_v;
2013  DetectEngineThreadCtx *det_ctx = NULL;
2014  HtpState *http_state = NULL;
2015  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2016 
2017  memset(&th_v, 0, sizeof(th_v));
2018  memset(&f, 0, sizeof(f));
2019  memset(&ssn, 0, sizeof(ssn));
2020 
2021  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2022 
2023  FLOW_INITIALIZE(&f);
2024  f.protoctx = (void *)&ssn;
2025  f.proto = IPPROTO_TCP;
2026  f.flags |= FLOW_IPV4;
2027 
2028  p->flow = &f;
2029  p->flowflags |= FLOW_PKT_TOSERVER;
2030  p->flowflags |= FLOW_PKT_ESTABLISHED;
2031  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2032  f.alproto = ALPROTO_HTTP1;
2033 
2034  StreamTcpInitConfig(true);
2035 
2036  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2037  if (de_ctx == NULL) {
2038  goto end;
2039  }
2040 
2041  de_ctx->flags |= DE_QUIET;
2042 
2043  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2044  "\"HTTP cookie\"; content:\"boo\"; "
2045  "http_cookie; sid:1;)");
2046  if (s == NULL) {
2047  goto end;
2048  }
2049 
2050  SigGroupBuild(de_ctx);
2051  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2052 
2053  int r = AppLayerParserParse(
2054  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2055  if (r != 0) {
2056  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2057  result = 0;
2058  goto end;
2059  }
2060 
2061  http_state = f.alstate;
2062  if (http_state == NULL) {
2063  printf("no http state: ");
2064  result = 0;
2065  goto end;
2066  }
2067 
2068  /* do detect */
2069  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2070 
2071  if ((PacketAlertCheck(p, 1))) {
2072  goto end;
2073  }
2074 
2075  result = 1;
2076 end:
2077  if (alp_tctx != NULL)
2078  AppLayerParserThreadCtxFree(alp_tctx);
2079  if (det_ctx != NULL) {
2080  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2081  }
2082  if (de_ctx != NULL) {
2083  DetectEngineCtxFree(de_ctx);
2084  }
2085 
2086  StreamTcpFreeConfig(true);
2087  UTHFreePackets(&p, 1);
2088  return result;
2089 }
2090 
2091 /** \test Check the signature working to alert when http_cookie is not present */
2092 static int DetectHttpCookieSigTest04(void)
2093 {
2094  int result = 0;
2095  Flow f;
2096  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2097  "Cookie: dummy\r\n\r\n";
2098  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2099  TcpSession ssn;
2100  Packet *p = NULL;
2101  Signature *s = NULL;
2102  ThreadVars th_v;
2103  DetectEngineThreadCtx *det_ctx = NULL;
2104  HtpState *http_state = NULL;
2105  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2106 
2107  memset(&th_v, 0, sizeof(th_v));
2108  memset(&p, 0, sizeof(p));
2109  memset(&f, 0, sizeof(f));
2110  memset(&ssn, 0, sizeof(ssn));
2111 
2112  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2113 
2114  FLOW_INITIALIZE(&f);
2115  f.protoctx = (void *)&ssn;
2116  f.proto = IPPROTO_TCP;
2117  f.flags |= FLOW_IPV4;
2118 
2119  p->flow = &f;
2120  p->flowflags |= FLOW_PKT_TOSERVER;
2121  p->flowflags |= FLOW_PKT_ESTABLISHED;
2122  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2123  f.alproto = ALPROTO_HTTP1;
2124 
2125  StreamTcpInitConfig(true);
2126 
2127  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2128  if (de_ctx == NULL) {
2129  goto end;
2130  }
2131 
2132  de_ctx->flags |= DE_QUIET;
2133 
2134  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2135  "\"HTTP cookie\"; content:!\"boo\"; "
2136  "http_cookie; sid:1;)");
2137  if (s == NULL) {
2138  goto end;
2139  }
2140 
2141  SigGroupBuild(de_ctx);
2142  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2143 
2144  int r = AppLayerParserParse(
2145  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2146  if (r != 0) {
2147  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2148  result = 0;
2149  goto end;
2150  }
2151 
2152  http_state = f.alstate;
2153  if (http_state == NULL) {
2154  printf("no http state: ");
2155  result = 0;
2156  goto end;
2157  }
2158 
2159  /* do detect */
2160  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2161 
2162  if (!PacketAlertCheck(p, 1)) {
2163  goto end;
2164  }
2165 
2166  result = 1;
2167 end:
2168  if (alp_tctx != NULL)
2169  AppLayerParserThreadCtxFree(alp_tctx);
2170  if (det_ctx != NULL) {
2171  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2172  }
2173  if (de_ctx != NULL) {
2174  DetectEngineCtxFree(de_ctx);
2175  }
2176 
2177  StreamTcpFreeConfig(true);
2178  UTHFreePackets(&p, 1);
2179  return result;
2180 }
2181 
2182 /** \test Check the signature working to alert when http_cookie is not present */
2183 static int DetectHttpCookieSigTest05(void)
2184 {
2185  int result = 0;
2186  Flow f;
2187  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2188  "Cookie: DuMmY\r\n\r\n";
2189  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2190  TcpSession ssn;
2191  Packet *p = NULL;
2192  Signature *s = NULL;
2193  ThreadVars th_v;
2194  DetectEngineThreadCtx *det_ctx = NULL;
2195  HtpState *http_state = NULL;
2196  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2197 
2198  memset(&th_v, 0, sizeof(th_v));
2199  memset(&p, 0, sizeof(p));
2200  memset(&f, 0, sizeof(f));
2201  memset(&ssn, 0, sizeof(ssn));
2202 
2203  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2204 
2205  FLOW_INITIALIZE(&f);
2206  f.protoctx = (void *)&ssn;
2207  f.proto = IPPROTO_TCP;
2208  f.flags |= FLOW_IPV4;
2209 
2210  p->flow = &f;
2211  p->flowflags |= FLOW_PKT_TOSERVER;
2212  p->flowflags |= FLOW_PKT_ESTABLISHED;
2213  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2214  f.alproto = ALPROTO_HTTP1;
2215 
2216  StreamTcpInitConfig(true);
2217 
2218  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2219  if (de_ctx == NULL) {
2220  goto end;
2221  }
2222 
2223  de_ctx->flags |= DE_QUIET;
2224 
2225  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2226  "\"HTTP cookie\"; content:\"dummy\"; nocase; "
2227  "http_cookie; sid:1;)");
2228  if (s == NULL) {
2229  goto end;
2230  }
2231 
2232  SigGroupBuild(de_ctx);
2233  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2234 
2235  int r = AppLayerParserParse(
2236  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2237  if (r != 0) {
2238  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2239  result = 0;
2240  goto end;
2241  }
2242 
2243  http_state = f.alstate;
2244  if (http_state == NULL) {
2245  printf("no http state: ");
2246  result = 0;
2247  goto end;
2248  }
2249 
2250  /* do detect */
2251  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2252 
2253  if (!PacketAlertCheck(p, 1)) {
2254  goto end;
2255  }
2256 
2257  result = 1;
2258 end:
2259  if (alp_tctx != NULL)
2260  AppLayerParserThreadCtxFree(alp_tctx);
2261  if (det_ctx != NULL) {
2262  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2263  }
2264  if (de_ctx != NULL) {
2265  DetectEngineCtxFree(de_ctx);
2266  }
2267 
2268  StreamTcpFreeConfig(true);
2269  UTHFreePackets(&p, 1);
2270  return result;
2271 }
2272 
2273 /** \test Check the signature working to alert when http_cookie is not present */
2274 static int DetectHttpCookieSigTest06(void)
2275 {
2276  int result = 0;
2277  Flow f;
2278  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2279  "Cookie: DuMmY\r\n\r\n";
2280  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2281  TcpSession ssn;
2282  Packet *p = NULL;
2283  Signature *s = NULL;
2284  ThreadVars th_v;
2285  DetectEngineThreadCtx *det_ctx = NULL;
2286  HtpState *http_state = NULL;
2287  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2288 
2289  memset(&th_v, 0, sizeof(th_v));
2290  memset(&p, 0, sizeof(p));
2291  memset(&f, 0, sizeof(f));
2292  memset(&ssn, 0, sizeof(ssn));
2293 
2294  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2295 
2296  FLOW_INITIALIZE(&f);
2297  f.protoctx = (void *)&ssn;
2298  f.proto = IPPROTO_TCP;
2299  f.flags |= FLOW_IPV4;
2300 
2301  p->flow = &f;
2302  p->flowflags |= FLOW_PKT_TOSERVER;
2303  p->flowflags |= FLOW_PKT_ESTABLISHED;
2304  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2305  f.alproto = ALPROTO_HTTP1;
2306 
2307  StreamTcpInitConfig(true);
2308 
2309  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2310  if (de_ctx == NULL) {
2311  goto end;
2312  }
2313 
2314  de_ctx->flags |= DE_QUIET;
2315 
2316  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2317  "\"HTTP cookie\"; content:\"dummy\"; "
2318  "http_cookie; nocase; sid:1;)");
2319  if (s == NULL) {
2320  printf("sig parse failed: ");
2321  goto end;
2322  }
2323 
2324  SigGroupBuild(de_ctx);
2325  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2326 
2327  int r = AppLayerParserParse(
2328  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2329  if (r != 0) {
2330  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2331  goto end;
2332  }
2333 
2334  http_state = f.alstate;
2335  if (http_state == NULL) {
2336  printf("no http state: ");
2337  goto end;
2338  }
2339 
2340  /* do detect */
2341  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2342 
2343  if (!PacketAlertCheck(p, 1)) {
2344  printf("sig 1 failed to match: ");
2345  goto end;
2346  }
2347 
2348  result = 1;
2349 end:
2350  if (alp_tctx != NULL)
2351  AppLayerParserThreadCtxFree(alp_tctx);
2352  if (det_ctx != NULL) {
2353  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2354  }
2355  if (de_ctx != NULL) {
2356  DetectEngineCtxFree(de_ctx);
2357  }
2358 
2359  StreamTcpFreeConfig(true);
2360  UTHFreePackets(&p, 1);
2361  return result;
2362 }
2363 
2364 /** \test Check the signature working to alert when http_cookie is not present */
2365 static int DetectHttpCookieSigTest07(void)
2366 {
2367  int result = 0;
2368  Flow f;
2369  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2370  "Cookie: dummy\r\n\r\n";
2371  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2372  TcpSession ssn;
2373  Packet *p = NULL;
2374  Signature *s = NULL;
2375  ThreadVars th_v;
2376  DetectEngineThreadCtx *det_ctx = NULL;
2377  HtpState *http_state = NULL;
2378  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2379 
2380  memset(&th_v, 0, sizeof(th_v));
2381  memset(&f, 0, sizeof(f));
2382  memset(&ssn, 0, sizeof(ssn));
2383 
2384  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2385 
2386  FLOW_INITIALIZE(&f);
2387  f.protoctx = (void *)&ssn;
2388  f.proto = IPPROTO_TCP;
2389  f.flags |= FLOW_IPV4;
2390 
2391  p->flow = &f;
2392  p->flowflags |= FLOW_PKT_TOSERVER;
2393  p->flowflags |= FLOW_PKT_ESTABLISHED;
2394  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2395  f.alproto = ALPROTO_HTTP1;
2396 
2397  StreamTcpInitConfig(true);
2398 
2399  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2400  if (de_ctx == NULL) {
2401  goto end;
2402  }
2403 
2404  de_ctx->flags |= DE_QUIET;
2405 
2406  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2407  "\"HTTP cookie\"; content:!\"dummy\"; "
2408  "http_cookie; sid:1;)");
2409  if (s == NULL) {
2410  goto end;
2411  }
2412 
2413  SigGroupBuild(de_ctx);
2414  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2415 
2416  int r = AppLayerParserParse(
2417  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2418  if (r != 0) {
2419  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2420  result = 0;
2421  goto end;
2422  }
2423 
2424  http_state = f.alstate;
2425  if (http_state == NULL) {
2426  printf("no http state: ");
2427  result = 0;
2428  goto end;
2429  }
2430 
2431  /* do detect */
2432  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2433 
2434  if (PacketAlertCheck(p, 1)) {
2435  goto end;
2436  }
2437 
2438  result = 1;
2439 end:
2440  if (alp_tctx != NULL)
2441  AppLayerParserThreadCtxFree(alp_tctx);
2442  if (det_ctx != NULL) {
2443  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2444  }
2445  if (de_ctx != NULL) {
2446  DetectEngineCtxFree(de_ctx);
2447  }
2448 
2449  StreamTcpFreeConfig(true);
2450  UTHFreePackets(&p, 1);
2451  return result;
2452 }
2453 
2454 /**
2455  * \test Check the signature working to alert against set-cookie
2456  */
2457 static int DetectHttpCookieSigTest08(void)
2458 {
2459  int result = 0;
2460  Flow f;
2461 
2462  uint8_t httpbuf_request[] =
2463  "GET / HTTP/1.1\r\n"
2464  "User-Agent: Mozilla/1.0\r\n"
2465  "\r\n";
2466  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
2467 
2468  uint8_t httpbuf_response[] =
2469  "HTTP/1.1 200 OK\r\n"
2470  "Set-Cookie: response_user_agent\r\n"
2471  "\r\n";
2472  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
2473 
2474  TcpSession ssn;
2475  Packet *p1 = NULL, *p2 = NULL;
2476  Signature *s = NULL;
2477  ThreadVars th_v;
2478  DetectEngineThreadCtx *det_ctx = NULL;
2479  HtpState *http_state = NULL;
2480  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2481 
2482  memset(&th_v, 0, sizeof(th_v));
2483  memset(&f, 0, sizeof(f));
2484  memset(&ssn, 0, sizeof(ssn));
2485 
2486  FLOW_INITIALIZE(&f);
2487  f.protoctx = (void *)&ssn;
2488  f.proto = IPPROTO_TCP;
2489  f.flags |= FLOW_IPV4;
2490  f.alproto = ALPROTO_HTTP1;
2491 
2492  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2493  p1->flow = &f;
2494  p1->flowflags |= FLOW_PKT_TOSERVER;
2495  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2496  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2497 
2498  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2499  p2->flow = &f;
2500  p2->flowflags |= FLOW_PKT_TOCLIENT;
2501  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2502  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2503 
2504  StreamTcpInitConfig(true);
2505 
2506  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2507  if (de_ctx == NULL) {
2508  goto end;
2509  }
2510 
2511  de_ctx->flags |= DE_QUIET;
2512 
2513  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2514  "(flow:to_client; content:\"response_user_agent\"; "
2515  "http_cookie; sid:1;)");
2516  if (s == NULL) {
2517  goto end;
2518  }
2519 
2520  SigGroupBuild(de_ctx);
2521  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2522 
2523  /* request */
2524  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
2525  httpbuf_request_len);
2526  if (r != 0) {
2527  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2528  result = 0;
2529  goto end;
2530  }
2531 
2532  http_state = f.alstate;
2533  if (http_state == NULL) {
2534  printf("no http state: ");
2535  goto end;
2536  }
2537 
2538  /* do detect */
2539  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2540  if (PacketAlertCheck(p1, 1)) {
2541  goto end;
2542  }
2543 
2544  /* response */
2545  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
2546  httpbuf_response_len);
2547  if (r != 0) {
2548  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2549  result = 0;
2550  goto end;
2551  }
2552 
2553  /* do detect */
2554  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2555  if (!PacketAlertCheck(p2, 1)) {
2556  goto end;
2557  }
2558 
2559  result = 1;
2560 
2561 end:
2562  if (alp_tctx != NULL)
2563  AppLayerParserThreadCtxFree(alp_tctx);
2564  if (det_ctx != NULL) {
2565  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2566  }
2567  if (de_ctx != NULL) {
2568  DetectEngineCtxFree(de_ctx);
2569  }
2570 
2571  StreamTcpFreeConfig(true);
2572  UTHFreePackets(&p1, 1);
2573  UTHFreePackets(&p2, 1);
2574  return result;
2575 }
2576 
2577 /**
2578  * \test Check the signature working to alert against cookie/set-cookie
2579  */
2580 static int DetectHttpCookieSigTest09(void)
2581 {
2582  int result = 0;
2583  Flow f;
2584 
2585  uint8_t httpbuf_request[] =
2586  "GET / HTTP/1.1\r\n"
2587  "Cookie: request_user_agent\r\n"
2588  "User-Agent: Mozilla/1.0\r\n"
2589  "\r\n";
2590  uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
2591 
2592  uint8_t httpbuf_response[] =
2593  "HTTP/1.1 200 OK\r\n"
2594  "Set-Cookie: response_user_agent\r\n"
2595  "\r\n";
2596  uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
2597 
2598  TcpSession ssn;
2599  Packet *p1 = NULL, *p2 = NULL;
2600  Signature *s = NULL;
2601  ThreadVars th_v;
2602  DetectEngineThreadCtx *det_ctx = NULL;
2603  HtpState *http_state = NULL;
2604  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2605 
2606  memset(&th_v, 0, sizeof(th_v));
2607  memset(&f, 0, sizeof(f));
2608  memset(&ssn, 0, sizeof(ssn));
2609 
2610  FLOW_INITIALIZE(&f);
2611  f.protoctx = (void *)&ssn;
2612  f.proto = IPPROTO_TCP;
2613  f.flags |= FLOW_IPV4;
2614  f.alproto = ALPROTO_HTTP1;
2615 
2616  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2617  p1->flow = &f;
2618  p1->flowflags |= FLOW_PKT_TOSERVER;
2619  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2620  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2621 
2622  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2623  p2->flow = &f;
2624  p2->flowflags |= FLOW_PKT_TOCLIENT;
2625  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2626  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2627 
2628  StreamTcpInitConfig(true);
2629 
2630  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2631  if (de_ctx == NULL) {
2632  goto end;
2633  }
2634 
2635  de_ctx->flags |= DE_QUIET;
2636 
2637  s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2638  "(flow:to_server; content:\"request_user_agent\"; "
2639  "http_cookie; sid:1;)");
2640  if (s == NULL) {
2641  goto end;
2642  }
2643  s = de_ctx->sig_list->next = SigInit(de_ctx,"alert http any any -> any any "
2644  "(flow:to_client; content:\"response_user_agent\"; "
2645  "http_cookie; sid:2;)");
2646  if (s == NULL) {
2647  goto end;
2648  }
2649 
2650  SigGroupBuild(de_ctx);
2651  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2652 
2653  /* request */
2654  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
2655  httpbuf_request_len);
2656  if (r != 0) {
2657  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2658  result = 0;
2659  goto end;
2660  }
2661 
2662  http_state = f.alstate;
2663  if (http_state == NULL) {
2664  printf("no http state: ");
2665  goto end;
2666  }
2667 
2668  /* do detect */
2669  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2670  if (!PacketAlertCheck(p1, 1) || PacketAlertCheck(p1, 2)) {
2671  goto end;
2672  }
2673 
2674  /* response */
2675  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
2676  httpbuf_response_len);
2677  if (r != 0) {
2678  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2679  result = 0;
2680  goto end;
2681  }
2682 
2683  /* do detect */
2684  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2685  if (PacketAlertCheck(p2, 1) || !PacketAlertCheck(p2, 2)) {
2686  goto end;
2687  }
2688 
2689  result = 1;
2690 
2691 end:
2692  if (alp_tctx != NULL)
2693  AppLayerParserThreadCtxFree(alp_tctx);
2694  if (det_ctx != NULL) {
2695  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2696  }
2697  if (de_ctx != NULL) {
2698  DetectEngineCtxFree(de_ctx);
2699  }
2700 
2701  StreamTcpFreeConfig(true);
2702  UTHFreePackets(&p1, 1);
2703  UTHFreePackets(&p2, 1);
2704  return result;
2705 }
2706 
2707 static int DetectHttpCookieIsdataatParseTest(void)
2708 {
2709  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2710  FAIL_IF_NULL(de_ctx);
2711  de_ctx->flags |= DE_QUIET;
2712 
2713  Signature *s = DetectEngineAppendSig(de_ctx,
2714  "alert tcp any any -> any any ("
2715  "content:\"one\"; http_cookie; "
2716  "isdataat:!4,relative; sid:1;)");
2717  FAIL_IF_NULL(s);
2718 
2719  SigMatch *sm = s->init_data->smlists_tail[g_http_cookie_buffer_id];
2720  FAIL_IF_NULL(sm);
2721  FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
2722 
2723  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
2724  FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
2725  FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
2726  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
2727 
2728  DetectEngineCtxFree(de_ctx);
2729  PASS;
2730 }
2731 
2732 /**
2733  * \brief Register the UNITTESTS for the http_cookie keyword
2734  */
2735 void DetectHttpCookieRegisterTests (void)
2736 {
2737  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
2738 
2739  UtRegisterTest("DetectHttpCookieTest01", DetectHttpCookieTest01);
2740  UtRegisterTest("DetectHttpCookieTest02", DetectHttpCookieTest02);
2741  UtRegisterTest("DetectHttpCookieTest03", DetectHttpCookieTest03);
2742  UtRegisterTest("DetectHttpCookieTest04", DetectHttpCookieTest04);
2743  UtRegisterTest("DetectHttpCookieTest05", DetectHttpCookieTest05);
2744  UtRegisterTest("DetectHttpCookieTest06", DetectHttpCookieTest06);
2745  UtRegisterTest("DetectHttpCookieSigTest01", DetectHttpCookieSigTest01);
2746  UtRegisterTest("DetectHttpCookieSigTest02", DetectHttpCookieSigTest02);
2747  UtRegisterTest("DetectHttpCookieSigTest03", DetectHttpCookieSigTest03);
2748  UtRegisterTest("DetectHttpCookieSigTest04", DetectHttpCookieSigTest04);
2749  UtRegisterTest("DetectHttpCookieSigTest05", DetectHttpCookieSigTest05);
2750  UtRegisterTest("DetectHttpCookieSigTest06", DetectHttpCookieSigTest06);
2751  UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
2752  UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
2753  UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
2754  UtRegisterTest("DetectHttpCookieIsdataatParseTest",
2755  DetectHttpCookieIsdataatParseTest);
2756  UtRegisterTest("DetectEngineHttpCookieTest01",
2757  DetectEngineHttpCookieTest01);
2758  UtRegisterTest("DetectEngineHttpCookieTest02",
2759  DetectEngineHttpCookieTest02);
2760  UtRegisterTest("DetectEngineHttpCookieTest03",
2761  DetectEngineHttpCookieTest03);
2762  UtRegisterTest("DetectEngineHttpCookieTest04",
2763  DetectEngineHttpCookieTest04);
2764  UtRegisterTest("DetectEngineHttpCookieTest05",
2765  DetectEngineHttpCookieTest05);
2766  UtRegisterTest("DetectEngineHttpCookieTest06",
2767  DetectEngineHttpCookieTest06);
2768  UtRegisterTest("DetectEngineHttpCookieTest07",
2769  DetectEngineHttpCookieTest07);
2770  UtRegisterTest("DetectEngineHttpCookieTest08",
2771  DetectEngineHttpCookieTest08);
2772  UtRegisterTest("DetectEngineHttpCookieTest09",
2773  DetectEngineHttpCookieTest09);
2774  UtRegisterTest("DetectEngineHttpCookieTest10",
2775  DetectEngineHttpCookieTest10);
2776  UtRegisterTest("DetectEngineHttpCookieTest11",
2777  DetectEngineHttpCookieTest11);
2778  UtRegisterTest("DetectEngineHttpCookieTest12",
2779  DetectEngineHttpCookieTest12);
2780  UtRegisterTest("DetectEngineHttpCookieTest13",
2781  DetectEngineHttpCookieTest13);
2782  UtRegisterTest("DetectEngineHttpCookieTest14",
2783  DetectEngineHttpCookieTest14);
2784  UtRegisterTest("DetectEngineHttpCookieTest15",
2785  DetectEngineHttpCookieTest15);
2786  UtRegisterTest("DetectEngineHttpCookieTest16",
2787  DetectEngineHttpCookieTest16);
2788  UtRegisterTest("DetectEngineHttpCookieTest17",
2789  DetectEngineHttpCookieTest17);
2790 }
2791 /**
2792  * @}
2793  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1185
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:60
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
Packet_::flags
uint32_t flags
Definition: decode.h:477
Flow_
Flow data structure.
Definition: flow.h:356
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2116
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:794
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2439
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:327
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:226
DE_QUIET
#define DE_QUIET
Definition: detect.h:297
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1782
DetectIsdataatData_
Definition: detect-isdataat.h:35
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:473
Flow_::protoctx
void * protoctx
Definition: flow.h:454
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
HtpState_
Definition: app-layer-htp.h:247
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1084
Signature_::next
struct Signature_ * next
Definition: detect.h:623
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:545
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:359
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:40
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1043
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:20
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:327
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:326
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:281
Packet_
Definition: decode.h:442
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:620
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:227
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1954
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:306
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2421
Packet_::flow
struct Flow_ * flow
Definition: decode.h:479
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3146
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:666
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1244
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3358
SigMatch_::type
uint16_t type
Definition: detect.h:324
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:800
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
Flow_::alstate
void * alstate
Definition: flow.h:489
Flow_::flags
uint32_t flags
Definition: flow.h:434
Signature_
Signature container.
Definition: detect.h:549
SigMatch_
a single match condition for a signature
Definition: detect.h:323
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:80
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:228
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2400
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:795
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:86
TcpSession_
Definition: stream-tcp-private.h:274
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:463
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:131
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1182
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468