suricata
detect-http-header.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29  *
30  * Implements support for http_header keyword.
31  */
32 
33 #include "../suricata-common.h"
34 #include "../flow.h"
35 #include "../flow-var.h"
36 #include "../flow-util.h"
37 
38 #include "../app-layer.h"
39 #include "../app-layer-parser.h"
40 
41 #include "../app-layer-htp.h"
42 #include "../detect-http-header.h"
43 #include "../detect-http-header-common.h"
44 #include "../detect-engine-build.h"
45 #include "../detect-engine-alert.h"
46 
47 #include "../detect-isdataat.h"
48 
49 #include "../stream-tcp.h"
50 
51 #include "../util-unittest.h"
52 #include "../util-unittest-helper.h"
53 
54 /**
55  * \test Test parser accepting valid rules and rejecting invalid rules
56  */
57 static int DetectHttpHeaderParserTest01(void)
58 {
59  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; http_header; sid:1;)", true));
60  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; nocase; http_header; sid:1;)", true));
61  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; endswith; http_header; sid:1;)", true));
62  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; startswith; http_header; sid:1;)", true));
63  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; startswith; endswith; http_header; sid:1;)", true));
64 
65  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; rawbytes; http_header; sid:1;)", false));
66  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (http_header; sid:1;)", false));
67  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (content:\"abc\"; http_header; sid:1;)", false));
68  PASS;
69 }
70 
71 /**
72  * \test Test parser accepting valid rules and rejecting invalid rules
73  */
74 static int DetectHttpHeaderParserTest02(void)
75 {
76  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; sid:1;)", true));
77  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; nocase; sid:1;)", true));
78  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; endswith; sid:1;)", true));
79  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; sid:1;)", true));
80  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; endswith; sid:1;)", true));
81  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; bsize:10; sid:1;)", true));
82 
83  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; rawbytes; sid:1;)", false));
84  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (http.header; sid:1;)", false));
85  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (http.header; content:\"abc\"; sid:1;)", false));
86  PASS;
87 }
88 
89 /**
90  *\test Test that the http_header content matches against a http request
91  * which holds the content.
92  */
93 static int DetectHttpHeaderTest06(void)
94 {
95  TcpSession ssn;
96  Packet *p = NULL;
97  ThreadVars th_v;
98  DetectEngineCtx *de_ctx = NULL;
99  DetectEngineThreadCtx *det_ctx = NULL;
100  HtpState *http_state = NULL;
101  Flow f;
102  uint8_t http_buf[] =
103  "GET /index.html HTTP/1.0\r\n"
104  "Host: www.openinfosecfoundation.org\r\n"
105  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
106  "Content-Type: text/html\r\n"
107  "Content-Length: 26\r\n"
108  "\r\n"
109  "This is dummy message body\r\n";
110  uint32_t http_len = sizeof(http_buf) - 1;
111  int result = 0;
113 
114  memset(&th_v, 0, sizeof(th_v));
115  memset(&f, 0, sizeof(f));
116  memset(&ssn, 0, sizeof(ssn));
117 
118  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
119 
120  FLOW_INITIALIZE(&f);
121  f.protoctx = (void *)&ssn;
122  f.proto = IPPROTO_TCP;
123  f.flags |= FLOW_IPV4;
124  p->flow = &f;
129 
130  StreamTcpInitConfig(true);
131 
133  if (de_ctx == NULL)
134  goto end;
135 
136  de_ctx->flags |= DE_QUIET;
137 
138  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
139  "(msg:\"http header test\"; "
140  "content:\"Content-Type: text/html\"; http_header; "
141  "sid:1;)");
142  if (de_ctx->sig_list == NULL)
143  goto end;
144 
146  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
147 
148  int r = AppLayerParserParse(
149  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
150  if (r != 0) {
151  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
152  result = 0;
153  goto end;
154  }
155 
156  http_state = f.alstate;
157  if (http_state == NULL) {
158  printf("no http state: ");
159  result = 0;
160  goto end;
161  }
162 
163  /* do detect */
164  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
165 
166  if (!(PacketAlertCheck(p, 1))) {
167  printf("sid 1 didn't match but should have: ");
168  goto end;
169  }
170 
171  result = 1;
172 end:
173  if (alp_tctx != NULL)
175  if (de_ctx != NULL)
177 
178  StreamTcpFreeConfig(true);
179  FLOW_DESTROY(&f);
180  UTHFreePackets(&p, 1);
181  return result;
182 }
183 
184 /**
185  *\test Test that the http_header content matches against a http request
186  * which holds the content.
187  */
188 static int DetectHttpHeaderTest07(void)
189 {
190  TcpSession ssn;
191  Packet *p1 = NULL;
192  Packet *p2 = NULL;
193  ThreadVars th_v;
194  DetectEngineThreadCtx *det_ctx = NULL;
195  Flow f;
196  uint8_t http1_buf[] =
197  "GET /index.html HTTP/1.0\r\n"
198  "Host: www.openinfosecfoundation.org\r\n"
199  "User-Agent: Mozi";
200  uint8_t http2_buf[] =
201  "lla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\nContent-Type: text/html\r\n"
202  "Content-Length: 67\r\n"
203  "\r\n"
204  "This is dummy message body1";
205  uint32_t http1_len = sizeof(http1_buf) - 1;
206  uint32_t http2_len = sizeof(http2_buf) - 1;
207 
210 
211  memset(&th_v, 0, sizeof(th_v));
212  memset(&f, 0, sizeof(f));
213  memset(&ssn, 0, sizeof(ssn));
214 
215  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
216  FAIL_IF_NULL(p1);
217  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
218  FAIL_IF_NULL(p2);
219 
220  FLOW_INITIALIZE(&f);
221  f.protoctx = (void *)&ssn;
222  f.proto = IPPROTO_TCP;
223  f.flags |= FLOW_IPV4;
224  p1->flow = &f;
228  p2->flow = &f;
233 
234  StreamTcpInitConfig(true);
235 
238  de_ctx->flags |= DE_QUIET;
239 
240  Signature *s = DetectEngineAppendSig(de_ctx,"alert http any any -> any any "
241  "(msg:\"http header test\"; "
242  "content:\"Mozilla\"; http_header; "
243  "sid:1;)");
244  FAIL_IF_NULL(s);
245 
247  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
248  FAIL_IF_NULL(det_ctx);
249 
250  int r = AppLayerParserParse(
251  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
252  FAIL_IF(r != 0);
253 
254  HtpState *http_state = f.alstate;
255  FAIL_IF_NULL(http_state);
256 
257  /* do detect */
258  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
259  FAIL_IF( (PacketAlertCheck(p1, 1)));
260 
262  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
263  FAIL_IF(r != 0);
264 
265  /* do detect */
266  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
267 
268  FAIL_IF(!(PacketAlertCheck(p2, 1)));
269 
272 
273  StreamTcpFreeConfig(true);
274  FLOW_DESTROY(&f);
275  UTHFreePackets(&p1, 1);
276  UTHFreePackets(&p2, 1);
277  PASS;
278 }
279 
280 /**
281  *\test Test that the http_header content matches against a http request
282  * which holds the content.
283  */
284 static int DetectHttpHeaderTest08(void)
285 {
286  TcpSession ssn;
287  Packet *p1 = NULL;
288  Packet *p2 = NULL;
289  ThreadVars th_v;
290  DetectEngineCtx *de_ctx = NULL;
291  DetectEngineThreadCtx *det_ctx = NULL;
292  HtpState *http_state = NULL;
293  Flow f;
294  uint8_t http1_buf[] =
295  "GET /index.html HTTP/1.0\r\n"
296  "Host: www.openinfosecfoundation.org\r\n";
297  uint8_t http2_buf[] =
298  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
299  "Content-Type: text/html\r\n"
300  "Content-Length: 67\r\n"
301  "\r\n";
302  uint32_t http1_len = sizeof(http1_buf) - 1;
303  uint32_t http2_len = sizeof(http2_buf) - 1;
304  int result = 0;
306 
307  memset(&th_v, 0, sizeof(th_v));
308  memset(&f, 0, sizeof(f));
309  memset(&ssn, 0, sizeof(ssn));
310 
311  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
312  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
313 
314  FLOW_INITIALIZE(&f);
315  f.protoctx = (void *)&ssn;
316  f.proto = IPPROTO_TCP;
317  f.flags |= FLOW_IPV4;
318  p1->flow = &f;
322  p2->flow = &f;
327 
328  StreamTcpInitConfig(true);
329 
331  if (de_ctx == NULL)
332  goto end;
333 
334  de_ctx->flags |= DE_QUIET;
335 
336  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
337  "(msg:\"http header test\"; "
338  "content:\"Gecko/20091221 Firefox/3.5.7\"; http_header; "
339  "sid:1;)");
340  if (de_ctx->sig_list == NULL)
341  goto end;
342 
344  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
345 
346  int r = AppLayerParserParse(
347  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
348  if (r != 0) {
349  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
350  result = 0;
351  goto end;
352  }
353 
354  http_state = f.alstate;
355  if (http_state == NULL) {
356  printf("no http state: ");
357  result = 0;
358  goto end;
359  }
360 
361  /* do detect */
362  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
363 
364  if ((PacketAlertCheck(p1, 1))) {
365  printf("sid 1 didn't match but should have: ");
366  goto end;
367  }
368 
370  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
371  if (r != 0) {
372  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
373  result = 0;
374  goto end;
375  }
376 
377  /* do detect */
378  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
379 
380  if (!(PacketAlertCheck(p2, 1))) {
381  printf("sid 1 didn't match but should have: ");
382  goto end;
383  }
384 
385  result = 1;
386 end:
387  if (alp_tctx != NULL)
389  if (de_ctx != NULL)
391 
392  StreamTcpFreeConfig(true);
393  FLOW_DESTROY(&f);
394  UTHFreePackets(&p1, 1);
395  UTHFreePackets(&p2, 1);
396  return result;
397 }
398 
399 /**
400  *\test Test that the http_header content matches against a http request
401  * which holds the content, against a cross boundary present pattern.
402  */
403 static int DetectHttpHeaderTest09(void)
404 {
405  TcpSession ssn;
406  Packet *p1 = NULL;
407  Packet *p2 = NULL;
408  ThreadVars th_v;
409  DetectEngineCtx *de_ctx = NULL;
410  DetectEngineThreadCtx *det_ctx = NULL;
411  HtpState *http_state = NULL;
412  Flow f;
413  uint8_t http1_buf[] =
414  "GET /index.html HTTP/1.0\r\n"
415  "Host: www.openinfosecfoundation.org\r\n"
416  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
417  uint8_t http2_buf[] =
418  "Content-Type: text/html\r\n"
419  "Content-Length: 67\r\n"
420  "\r\n"
421  "This is dummy body\r\n";
422  uint32_t http1_len = sizeof(http1_buf) - 1;
423  uint32_t http2_len = sizeof(http2_buf) - 1;
424  int result = 0;
426 
427  memset(&th_v, 0, sizeof(th_v));
428  memset(&f, 0, sizeof(f));
429  memset(&ssn, 0, sizeof(ssn));
430 
431  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
432  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
433 
434  FLOW_INITIALIZE(&f);
435  f.protoctx = (void *)&ssn;
436  f.proto = IPPROTO_TCP;
437  f.flags |= FLOW_IPV4;
438  p1->flow = &f;
442  p2->flow = &f;
447 
448  StreamTcpInitConfig(true);
449 
451  if (de_ctx == NULL)
452  goto end;
453 
454  de_ctx->flags |= DE_QUIET;
456 
457  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
458  "(msg:\"http header test\"; "
459  "content:\"Firefox/3.5.7|0D 0A|Content\"; http_header; "
460  "sid:1;)");
461  if (de_ctx->sig_list == NULL)
462  goto end;
463 
465  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
466 
467  int r = AppLayerParserParse(
468  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
469  if (r != 0) {
470  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
471  result = 0;
472  goto end;
473  }
474 
475  http_state = f.alstate;
476  if (http_state == NULL) {
477  printf("no http state: ");
478  result = 0;
479  goto end;
480  }
481 
482  /* do detect */
483  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
484 
485  if ((PacketAlertCheck(p1, 1))) {
486  printf("sid 1 matched but shouldn't have: ");
487  goto end;
488  }
489 
491  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
492  if (r != 0) {
493  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
494  result = 0;
495  goto end;
496  }
497 
498  /* do detect */
499  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
500 
501  if (!(PacketAlertCheck(p2, 1))) {
502  printf("sid 1 didn't match but should have: ");
503  goto end;
504  }
505 
506  result = 1;
507 end:
508  if (alp_tctx != NULL)
510  if (de_ctx != NULL)
512 
513  StreamTcpFreeConfig(true);
514  FLOW_DESTROY(&f);
515  UTHFreePackets(&p1, 1);
516  UTHFreePackets(&p2, 1);
517  return result;
518 }
519 
520 /**
521  *\test Test that the http_header content matches against a http request
522  * against a case insensitive pattern.
523  */
524 static int DetectHttpHeaderTest10(void)
525 {
526  TcpSession ssn;
527  Packet *p1 = NULL;
528  Packet *p2 = NULL;
529  ThreadVars th_v;
530  DetectEngineCtx *de_ctx = NULL;
531  DetectEngineThreadCtx *det_ctx = NULL;
532  HtpState *http_state = NULL;
533  Flow f;
534  uint8_t http1_buf[] =
535  "GET /index.html HTTP/1.0\r\n"
536  "Host: www.openinfosecfoundation.org\r\n"
537  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
538  uint8_t http2_buf[] =
539  "Content-Type: text/html\r\n"
540  "Content-Length: 67\r\n"
541  "\r\n"
542  "This is dummy body";
543  uint32_t http1_len = sizeof(http1_buf) - 1;
544  uint32_t http2_len = sizeof(http2_buf) - 1;
545  int result = 0;
547 
548  memset(&th_v, 0, sizeof(th_v));
549  memset(&f, 0, sizeof(f));
550  memset(&ssn, 0, sizeof(ssn));
551 
552  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
553  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
554 
555  FLOW_INITIALIZE(&f);
556  f.protoctx = (void *)&ssn;
557  f.proto = IPPROTO_TCP;
558  f.flags |= FLOW_IPV4;
559  p1->flow = &f;
563  p2->flow = &f;
568 
569  StreamTcpInitConfig(true);
570 
572  if (de_ctx == NULL)
573  goto end;
574 
575  de_ctx->flags |= DE_QUIET;
576 
577  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
578  "(msg:\"http header test\"; "
579  "content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_header;"
580  "sid:1;)");
581  if (de_ctx->sig_list == NULL)
582  goto end;
583 
585  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
586 
587  int r = AppLayerParserParse(
588  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
589  if (r != 0) {
590  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
591  result = 0;
592  goto end;
593  }
594 
595  http_state = f.alstate;
596  if (http_state == NULL) {
597  printf("no http state: ");
598  result = 0;
599  goto end;
600  }
601 
602  /* do detect */
603  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
604 
605  if ((PacketAlertCheck(p1, 1))) {
606  printf("sid 1 didn't match but should have: ");
607  goto end;
608  }
609 
611  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
612  if (r != 0) {
613  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
614  result = 0;
615  goto end;
616  }
617 
618  /* do detect */
619  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
620 
621  if (!(PacketAlertCheck(p2, 1))) {
622  printf("sid 1 didn't match but should have: ");
623  goto end;
624  }
625 
626  result = 1;
627 end:
628  if (alp_tctx != NULL)
630  if (de_ctx != NULL)
632 
633  StreamTcpFreeConfig(true);
634  FLOW_DESTROY(&f);
635  UTHFreePackets(&p1, 1);
636  UTHFreePackets(&p2, 1);
637  return result;
638 }
639 
640 /**
641  *\test Test that the negated http_header content matches against a
642  * http request which doesn't hold the content.
643  */
644 static int DetectHttpHeaderTest11(void)
645 {
646  TcpSession ssn;
647  Packet *p = NULL;
648  ThreadVars th_v;
649  DetectEngineCtx *de_ctx = NULL;
650  DetectEngineThreadCtx *det_ctx = NULL;
651  HtpState *http_state = NULL;
652  Flow f;
653  uint8_t http_buf[] =
654  "GET /index.html HTTP/1.0\r\n"
655  "Host: www.openinfosecfoundation.org\r\n"
656  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
657  "Content-Type: text/html\r\n"
658  "Content-Length: 26\r\n"
659  "\r\n"
660  "This is dummy message body\r\n";
661  uint32_t http_len = sizeof(http_buf) - 1;
662  int result = 0;
664 
665  memset(&th_v, 0, sizeof(th_v));
666  memset(&f, 0, sizeof(f));
667  memset(&ssn, 0, sizeof(ssn));
668 
669  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
670 
671  FLOW_INITIALIZE(&f);
672  f.protoctx = (void *)&ssn;
673  f.proto = IPPROTO_TCP;
674  f.flags |= FLOW_IPV4;
675  p->flow = &f;
680 
681  StreamTcpInitConfig(true);
682 
684  if (de_ctx == NULL)
685  goto end;
686 
687  de_ctx->flags |= DE_QUIET;
688 
689  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
690  "(msg:\"http header test\"; "
691  "content:!\"lalalalala\"; http_header; "
692  "sid:1;)");
693  if (de_ctx->sig_list == NULL)
694  goto end;
695 
697  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
698 
699  int r = AppLayerParserParse(
700  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
701  if (r != 0) {
702  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
703  result = 0;
704  goto end;
705  }
706 
707  http_state = f.alstate;
708  if (http_state == NULL) {
709  printf("no http state: ");
710  result = 0;
711  goto end;
712  }
713 
714  /* do detect */
715  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
716 
717  if (!(PacketAlertCheck(p, 1))) {
718  printf("sid 1 didn't match but should have: ");
719  goto end;
720  }
721 
722  result = 1;
723 end:
724  if (alp_tctx != NULL)
726  if (de_ctx != NULL)
728 
729  StreamTcpFreeConfig(true);
730  FLOW_DESTROY(&f);
731  UTHFreePackets(&p, 1);
732  return result;
733 }
734 
735 /**
736  *\test Negative test that the negated http_header content matches against a
737  * http request which holds hold the content.
738  */
739 static int DetectHttpHeaderTest12(void)
740 {
741  TcpSession ssn;
742  Packet *p = NULL;
743  ThreadVars th_v;
744  DetectEngineCtx *de_ctx = NULL;
745  DetectEngineThreadCtx *det_ctx = NULL;
746  HtpState *http_state = NULL;
747  Flow f;
748  uint8_t http_buf[] =
749  "GET /index.html HTTP/1.0\r\n"
750  "Host: www.openinfosecfoundation.org\r\n"
751  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
752  "Content-Type: text/html\r\n"
753  "Content-Length: 26\r\n"
754  "\r\n"
755  "This is dummy message body\r\n";
756  uint32_t http_len = sizeof(http_buf) - 1;
757  int result = 0;
759 
760  memset(&th_v, 0, sizeof(th_v));
761  memset(&f, 0, sizeof(f));
762  memset(&ssn, 0, sizeof(ssn));
763 
764  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
765 
766  FLOW_INITIALIZE(&f);
767  f.protoctx = (void *)&ssn;
768  f.proto = IPPROTO_TCP;
769  f.flags |= FLOW_IPV4;
770  p->flow = &f;
775 
776  StreamTcpInitConfig(true);
777 
779  if (de_ctx == NULL)
780  goto end;
781 
782  de_ctx->flags |= DE_QUIET;
783 
784  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
785  "(msg:\"http header test\"; "
786  "content:!\"User-Agent: Mozilla/5.0 \"; http_header; "
787  "sid:1;)");
788  if (de_ctx->sig_list == NULL)
789  goto end;
790 
792  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
793 
794  int r = AppLayerParserParse(
795  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
796  if (r != 0) {
797  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
798  result = 0;
799  goto end;
800  }
801 
802  http_state = f.alstate;
803  if (http_state == NULL) {
804  printf("no http state: ");
805  result = 0;
806  goto end;
807  }
808 
809  /* do detect */
810  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
811 
812  if ((PacketAlertCheck(p, 1))) {
813  printf("sid 1 didn't match but should have: ");
814  goto end;
815  }
816 
817  result = 1;
818 end:
819  if (alp_tctx != NULL)
821  if (de_ctx != NULL)
823 
824  StreamTcpFreeConfig(true);
825  FLOW_DESTROY(&f);
826  UTHFreePackets(&p, 1);
827  return result;
828 }
829 
830 /**
831  *\test Test that the http_header content matches against a http request
832  * which holds the content.
833  */
834 static int DetectHttpHeaderTest13(void)
835 {
836  TcpSession ssn;
837  Packet *p = NULL;
838  ThreadVars th_v;
839  DetectEngineCtx *de_ctx = NULL;
840  DetectEngineThreadCtx *det_ctx = NULL;
841  HtpState *http_state = NULL;
842  Flow f;
843  uint8_t http_buf[] =
844  "GET /index.html HTTP/1.0\r\n"
845  "Host: www.openinfosecfoundation.org\r\n"
846  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
847  "Content-Type: text/html\r\n"
848  "Content-Length: 100\r\n"
849  "\r\n"
850  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n";
851  uint32_t http_len = sizeof(http_buf) - 1;
852  int result = 0;
854 
855  memset(&th_v, 0, sizeof(th_v));
856  memset(&f, 0, sizeof(f));
857  memset(&ssn, 0, sizeof(ssn));
858 
859  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
860 
861  FLOW_INITIALIZE(&f);
862  f.protoctx = (void *)&ssn;
863  f.proto = IPPROTO_TCP;
864  f.flags |= FLOW_IPV4;
865 
866  p->flow = &f;
871 
872  StreamTcpInitConfig(true);
873 
875  if (de_ctx == NULL)
876  goto end;
877 
878  de_ctx->flags |= DE_QUIET;
879 
880  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
881  "(msg:\"http header test\"; "
882  "content:\"Host: www.openinfosecfoundation.org\"; http_header; "
883  "sid:1;)");
884  if (de_ctx->sig_list == NULL)
885  goto end;
886 
888  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
889 
890  int r = AppLayerParserParse(
891  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
892  if (r != 0) {
893  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
894  result = 0;
895  goto end;
896  }
897 
898  http_state = f.alstate;
899  if (http_state == NULL) {
900  printf("no http state: ");
901  result = 0;
902  goto end;
903  }
904 
905  /* do detect */
906  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
907 
908  if (!(PacketAlertCheck(p, 1))) {
909  printf("sid 1 didn't match but should have: ");
910  goto end;
911  }
912 
913  result = 1;
914 end:
915  if (alp_tctx != NULL)
917  if (de_ctx != NULL)
919 
920  StreamTcpFreeConfig(true);
921  FLOW_DESTROY(&f);
922  UTHFreePackets(&p, 1);
923  return result;
924 }
925 
926 /** \test app-layer-event:http.host_header_ambiguous should not be set
927  * \bug 640*/
928 static int DetectHttpHeaderTest28(void)
929 {
930  TcpSession ssn;
931  Packet *p = NULL;
932  ThreadVars th_v;
933  DetectEngineCtx *de_ctx = NULL;
934  DetectEngineThreadCtx *det_ctx = NULL;
935  Flow f;
936  uint8_t http_buf[] =
937  "POST http://xxx.intranet.local:8000/xxx HTTP/1.1\r\n"
938  "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
939  "Host: xxx.intranet.local:8000\r\n"
940  "\r\n";
941  uint32_t http_len = sizeof(http_buf) - 1;
942  int result = 0;
944 
945  memset(&th_v, 0, sizeof(th_v));
946  memset(&f, 0, sizeof(f));
947  memset(&ssn, 0, sizeof(ssn));
948 
949  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
950 
951  FLOW_INITIALIZE(&f);
952  f.protoctx = (void *)&ssn;
953  f.proto = IPPROTO_TCP;
954  f.flags |= FLOW_IPV4;
955  p->flow = &f;
960 
961  StreamTcpInitConfig(true);
962 
964  if (de_ctx == NULL)
965  goto end;
966 
967  de_ctx->flags |= DE_QUIET;
968 
969  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
970  "(app-layer-event:http.host_header_ambiguous; "
971  "sid:1;)");
972  if (de_ctx->sig_list == NULL)
973  goto end;
974 
976  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
977 
978  int r = AppLayerParserParse(
979  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
980  if (r != 0) {
981  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
982  result = 0;
983  goto end;
984  }
985 
986  /* do detect */
987  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
988 
989  if (PacketAlertCheck(p, 1)) {
990  printf("sid 1 matched but shouldnt have: ");
991  goto end;
992  }
993 
994  result = 1;
995  end:
996  if (alp_tctx != NULL)
998  if (de_ctx != NULL)
1000 
1001  StreamTcpFreeConfig(true);
1002  FLOW_DESTROY(&f);
1003  UTHFreePackets(&p, 1);
1004  return result;
1005 }
1006 
1007 /** \test app-layer-event:http.host_header_ambiguous should be set
1008  * \bug 640*/
1009 static int DetectHttpHeaderTest29(void)
1010 {
1011  TcpSession ssn;
1012  Packet *p = NULL;
1013  ThreadVars th_v;
1014  DetectEngineCtx *de_ctx = NULL;
1015  DetectEngineThreadCtx *det_ctx = NULL;
1016  Flow f;
1017  uint8_t http_buf[] =
1018  "POST http://xxx.intranet.local:8001/xxx HTTP/1.1\r\n"
1019  "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
1020  "Host: xxx.intranet.local:8000\r\n"
1021  "\r\n";
1022  uint32_t http_len = sizeof(http_buf) - 1;
1023  int result = 0;
1025 
1026  memset(&th_v, 0, sizeof(th_v));
1027  memset(&f, 0, sizeof(f));
1028  memset(&ssn, 0, sizeof(ssn));
1029 
1030  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1031 
1032  FLOW_INITIALIZE(&f);
1033  f.protoctx = (void *)&ssn;
1034  f.proto = IPPROTO_TCP;
1035  f.flags |= FLOW_IPV4;
1036  p->flow = &f;
1040  f.alproto = ALPROTO_HTTP1;
1041 
1042  StreamTcpInitConfig(true);
1043 
1045  if (de_ctx == NULL)
1046  goto end;
1047 
1048  de_ctx->flags |= DE_QUIET;
1049 
1050  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1051  "(app-layer-event:http.host_header_ambiguous; "
1052  "sid:1;)");
1053  if (de_ctx->sig_list == NULL)
1054  goto end;
1055 
1057  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1058 
1059  int r = AppLayerParserParse(
1060  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1061  if (r != 0) {
1062  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1063  result = 0;
1064  goto end;
1065  }
1066 
1067  /* do detect */
1068  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1069 
1070  if (!(PacketAlertCheck(p, 1))) {
1071  printf("sid 1 didn't match but should have: ");
1072  goto end;
1073  }
1074 
1075  result = 1;
1076  end:
1077  if (alp_tctx != NULL)
1079  if (de_ctx != NULL)
1081 
1082  StreamTcpFreeConfig(true);
1083  FLOW_DESTROY(&f);
1084  UTHFreePackets(&p, 1);
1085  return result;
1086 }
1087 
1088 /** \test app-layer-event:http.host_header_ambiguous should be set
1089  * \bug 640*/
1090 static int DetectHttpHeaderTest30(void)
1091 {
1092  TcpSession ssn;
1093  Packet *p = NULL;
1094  ThreadVars th_v;
1095  DetectEngineCtx *de_ctx = NULL;
1096  DetectEngineThreadCtx *det_ctx = NULL;
1097  Flow f;
1098  uint8_t http_buf[] =
1099  "POST http://xxx.intranet.local:8000/xxx HTTP/1.1\r\n"
1100  "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
1101  "Host: xyz.intranet.local:8000\r\n"
1102  "\r\n";
1103  uint32_t http_len = sizeof(http_buf) - 1;
1104  int result = 0;
1106 
1107  memset(&th_v, 0, sizeof(th_v));
1108  memset(&f, 0, sizeof(f));
1109  memset(&ssn, 0, sizeof(ssn));
1110 
1111  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1112 
1113  FLOW_INITIALIZE(&f);
1114  f.protoctx = (void *)&ssn;
1115  f.proto = IPPROTO_TCP;
1116  f.flags |= FLOW_IPV4;
1117  p->flow = &f;
1121  f.alproto = ALPROTO_HTTP1;
1122 
1123  StreamTcpInitConfig(true);
1124 
1126  if (de_ctx == NULL)
1127  goto end;
1128 
1129  de_ctx->flags |= DE_QUIET;
1130 
1131  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1132  "(app-layer-event:http.host_header_ambiguous; "
1133  "sid:1;)");
1134  if (de_ctx->sig_list == NULL)
1135  goto end;
1136 
1138  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1139 
1140  int r = AppLayerParserParse(
1141  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1142  if (r != 0) {
1143  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1144  result = 0;
1145  goto end;
1146  }
1147 
1148  /* do detect */
1149  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1150 
1151  if (!(PacketAlertCheck(p, 1))) {
1152  printf("sid 1 didn't match but should have: ");
1153  goto end;
1154  }
1155 
1156  result = 1;
1157  end:
1158  if (alp_tctx != NULL)
1160  if (de_ctx != NULL)
1162 
1163  StreamTcpFreeConfig(true);
1164  FLOW_DESTROY(&f);
1165  UTHFreePackets(&p, 1);
1166  return result;
1167 }
1168 
1169 static int DetectHttpHeaderIsdataatParseTest(void)
1170 {
1173  de_ctx->flags |= DE_QUIET;
1174 
1176  "alert tcp any any -> any any ("
1177  "flow:to_server; "
1178  "content:\"one\"; http_header; "
1179  "isdataat:!4,relative; sid:1;)");
1180  FAIL_IF_NULL(s);
1181 
1182  SigMatch *sm = DetectBufferGetLastSigMatch(s, g_http_header_buffer_id);
1183  FAIL_IF_NULL(sm);
1185 
1186  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
1189  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
1190 
1192  PASS;
1193 }
1194 
1195 /**
1196  *\test Test that the http_header content matches against a http request
1197  * which holds the content.
1198  */
1199 static int DetectEngineHttpHeaderTest01(void)
1200 {
1201  TcpSession ssn;
1202  Packet *p = NULL;
1203  ThreadVars th_v;
1204  DetectEngineCtx *de_ctx = NULL;
1205  DetectEngineThreadCtx *det_ctx = NULL;
1206  HtpState *http_state = NULL;
1207  Flow f;
1208  uint8_t http_buf[] =
1209  "GET /index.html HTTP/1.0\r\n"
1210  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1211  uint32_t http_len = sizeof(http_buf) - 1;
1212  int result = 0;
1214 
1215  memset(&th_v, 0, sizeof(th_v));
1216  memset(&f, 0, sizeof(f));
1217  memset(&ssn, 0, sizeof(ssn));
1218 
1219  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1220 
1221  FLOW_INITIALIZE(&f);
1222  f.protoctx = (void *)&ssn;
1223  f.proto = IPPROTO_TCP;
1224  f.flags |= FLOW_IPV4;
1225  p->flow = &f;
1229  f.alproto = ALPROTO_HTTP1;
1230 
1231  StreamTcpInitConfig(true);
1232 
1234  if (de_ctx == NULL)
1235  goto end;
1236 
1237  de_ctx->flags |= DE_QUIET;
1238 
1239  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1240  "(msg:\"http header test\"; "
1241  "content:\"one\"; http_header; "
1242  "sid:1;)");
1243  if (de_ctx->sig_list == NULL)
1244  goto end;
1245 
1247  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1248 
1249  int r = AppLayerParserParse(
1250  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1251  if (r != 0) {
1252  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1253  result = 0;
1254  goto end;
1255  }
1256 
1257  http_state = f.alstate;
1258  if (http_state == NULL) {
1259  printf("no http state: ");
1260  result = 0;
1261  goto end;
1262  }
1263 
1264  /* do detect */
1265  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1266 
1267  if (!(PacketAlertCheck(p, 1))) {
1268  printf("sid 1 didn't match but should have: ");
1269  goto end;
1270  }
1271 
1272  result = 1;
1273 end:
1274  if (alp_tctx != NULL)
1276  if (de_ctx != NULL)
1278 
1279  StreamTcpFreeConfig(true);
1280  FLOW_DESTROY(&f);
1281  UTHFreePackets(&p, 1);
1282  return result;
1283 }
1284 
1285 /**
1286  *\test Test that the http_header content matches against a http request
1287  * which holds the content.
1288  */
1289 static int DetectEngineHttpHeaderTest02(void)
1290 {
1291  TcpSession ssn;
1292  Packet *p = NULL;
1293  ThreadVars th_v;
1294  DetectEngineCtx *de_ctx = NULL;
1295  DetectEngineThreadCtx *det_ctx = NULL;
1296  HtpState *http_state = NULL;
1297  Flow f;
1298  uint8_t http_buf[] =
1299  "GET /index.html HTTP/1.0\r\n"
1300  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1301  uint32_t http_len = sizeof(http_buf) - 1;
1302  int result = 0;
1304 
1305  memset(&th_v, 0, sizeof(th_v));
1306  memset(&f, 0, sizeof(f));
1307  memset(&ssn, 0, sizeof(ssn));
1308 
1309  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1310 
1311  FLOW_INITIALIZE(&f);
1312  f.protoctx = (void *)&ssn;
1313  f.proto = IPPROTO_TCP;
1314  f.flags |= FLOW_IPV4;
1315  p->flow = &f;
1319  f.alproto = ALPROTO_HTTP1;
1320 
1321  StreamTcpInitConfig(true);
1322 
1324  if (de_ctx == NULL)
1325  goto end;
1326 
1327  de_ctx->flags |= DE_QUIET;
1328 
1329  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1330  "(msg:\"http header test\"; "
1331  "content:\"one\"; depth:15; http_header; "
1332  "sid:1;)");
1333  if (de_ctx->sig_list == NULL)
1334  goto end;
1335 
1337  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1338 
1339  int r = AppLayerParserParse(
1340  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1341  if (r != 0) {
1342  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1343  result = 0;
1344  goto end;
1345  }
1346 
1347  http_state = f.alstate;
1348  if (http_state == NULL) {
1349  printf("no http state: ");
1350  result = 0;
1351  goto end;
1352  }
1353 
1354  /* do detect */
1355  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1356 
1357  if (!(PacketAlertCheck(p, 1))) {
1358  printf("sid 1 didn't match but should have: ");
1359  goto end;
1360  }
1361 
1362  result = 1;
1363 end:
1364  if (alp_tctx != NULL)
1366  if (de_ctx != NULL)
1368 
1369  StreamTcpFreeConfig(true);
1370  FLOW_DESTROY(&f);
1371  UTHFreePackets(&p, 1);
1372  return result;
1373 }
1374 
1375 /**
1376  *\test Test that the http_header content matches against a http request
1377  * which holds the content.
1378  */
1379 static int DetectEngineHttpHeaderTest03(void)
1380 {
1381  TcpSession ssn;
1382  Packet *p = NULL;
1383  ThreadVars th_v;
1384  DetectEngineCtx *de_ctx = NULL;
1385  DetectEngineThreadCtx *det_ctx = NULL;
1386  HtpState *http_state = NULL;
1387  Flow f;
1388  uint8_t http_buf[] =
1389  "GET /index.html HTTP/1.0\r\n"
1390  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1391  uint32_t http_len = sizeof(http_buf) - 1;
1392  int result = 0;
1394 
1395  memset(&th_v, 0, sizeof(th_v));
1396  memset(&f, 0, sizeof(f));
1397  memset(&ssn, 0, sizeof(ssn));
1398 
1399  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1400 
1401  FLOW_INITIALIZE(&f);
1402  f.protoctx = (void *)&ssn;
1403  f.proto = IPPROTO_TCP;
1404  f.flags |= FLOW_IPV4;
1405  p->flow = &f;
1409  f.alproto = ALPROTO_HTTP1;
1410 
1411  StreamTcpInitConfig(true);
1412 
1414  if (de_ctx == NULL)
1415  goto end;
1416 
1417  de_ctx->flags |= DE_QUIET;
1418 
1419  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1420  "(msg:\"http header test\"; "
1421  "content:!\"one\"; depth:5; http_header; "
1422  "sid:1;)");
1423  if (de_ctx->sig_list == NULL)
1424  goto end;
1425 
1427  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1428 
1429  int r = AppLayerParserParse(
1430  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1431  if (r != 0) {
1432  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1433  result = 0;
1434  goto end;
1435  }
1436 
1437  http_state = f.alstate;
1438  if (http_state == NULL) {
1439  printf("no http state: ");
1440  result = 0;
1441  goto end;
1442  }
1443 
1444  /* do detect */
1445  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1446 
1447  if (!(PacketAlertCheck(p, 1))) {
1448  printf("sid 1 didn't match but should have: ");
1449  goto end;
1450  }
1451 
1452  result = 1;
1453 end:
1454  if (alp_tctx != NULL)
1456  if (de_ctx != NULL)
1458 
1459  StreamTcpFreeConfig(true);
1460  FLOW_DESTROY(&f);
1461  UTHFreePackets(&p, 1);
1462  return result;
1463 }
1464 
1465 /**
1466  *\test Test that the http_header content matches against a http request
1467  * which holds the content.
1468  */
1469 static int DetectEngineHttpHeaderTest04(void)
1470 {
1471  TcpSession ssn;
1472  Packet *p = NULL;
1473  ThreadVars th_v;
1474  DetectEngineCtx *de_ctx = NULL;
1475  DetectEngineThreadCtx *det_ctx = NULL;
1476  HtpState *http_state = NULL;
1477  Flow f;
1478  uint8_t http_buf[] =
1479  "GET /index.html HTTP/1.0\r\n"
1480  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1481  uint32_t http_len = sizeof(http_buf) - 1;
1482  int result = 0;
1484 
1485  memset(&th_v, 0, sizeof(th_v));
1486  memset(&f, 0, sizeof(f));
1487  memset(&ssn, 0, sizeof(ssn));
1488 
1489  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1490 
1491  FLOW_INITIALIZE(&f);
1492  f.protoctx = (void *)&ssn;
1493  f.proto = IPPROTO_TCP;
1494  f.flags |= FLOW_IPV4;
1495  p->flow = &f;
1499  f.alproto = ALPROTO_HTTP1;
1500 
1501  StreamTcpInitConfig(true);
1502 
1504  if (de_ctx == NULL)
1505  goto end;
1506 
1507  de_ctx->flags |= DE_QUIET;
1508 
1509  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1510  "(msg:\"http header test\"; "
1511  "content:\"one\"; depth:5; http_header; "
1512  "sid:1;)");
1513  if (de_ctx->sig_list == NULL)
1514  goto end;
1515 
1517  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1518 
1519  int r = AppLayerParserParse(
1520  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1521  if (r != 0) {
1522  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1523  result = 0;
1524  goto end;
1525  }
1526 
1527  http_state = f.alstate;
1528  if (http_state == NULL) {
1529  printf("no http state: ");
1530  result = 0;
1531  goto end;
1532  }
1533 
1534  /* do detect */
1535  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1536 
1537  if (PacketAlertCheck(p, 1)) {
1538  printf("sid 1 matched but shouldn't have: ");
1539  goto end;
1540  }
1541 
1542  result = 1;
1543 end:
1544  if (alp_tctx != NULL)
1546  if (de_ctx != NULL)
1548 
1549  StreamTcpFreeConfig(true);
1550  FLOW_DESTROY(&f);
1551  UTHFreePackets(&p, 1);
1552  return result;
1553 }
1554 
1555 /**
1556  *\test Test that the http_header content matches against a http request
1557  * which holds the content.
1558  */
1559 static int DetectEngineHttpHeaderTest05(void)
1560 {
1561  TcpSession ssn;
1562  Packet *p = NULL;
1563  ThreadVars th_v;
1564  DetectEngineCtx *de_ctx = NULL;
1565  DetectEngineThreadCtx *det_ctx = NULL;
1566  HtpState *http_state = NULL;
1567  Flow f;
1568  uint8_t http_buf[] =
1569  "GET /index.html HTTP/1.0\r\n"
1570  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1571  uint32_t http_len = sizeof(http_buf) - 1;
1572  int result = 0;
1574 
1575  memset(&th_v, 0, sizeof(th_v));
1576  memset(&f, 0, sizeof(f));
1577  memset(&ssn, 0, sizeof(ssn));
1578 
1579  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1580 
1581  FLOW_INITIALIZE(&f);
1582  f.protoctx = (void *)&ssn;
1583  f.proto = IPPROTO_TCP;
1584  f.flags |= FLOW_IPV4;
1585  p->flow = &f;
1589  f.alproto = ALPROTO_HTTP1;
1590 
1591  StreamTcpInitConfig(true);
1592 
1594  if (de_ctx == NULL)
1595  goto end;
1596 
1597  de_ctx->flags |= DE_QUIET;
1598 
1599  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1600  "(msg:\"http header test\"; "
1601  "content:!\"one\"; depth:15; http_header; "
1602  "sid:1;)");
1603  if (de_ctx->sig_list == NULL)
1604  goto end;
1605 
1607  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1608 
1609  int r = AppLayerParserParse(
1610  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1611  if (r != 0) {
1612  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1613  result = 0;
1614  goto end;
1615  }
1616 
1617  http_state = f.alstate;
1618  if (http_state == NULL) {
1619  printf("no http state: ");
1620  result = 0;
1621  goto end;
1622  }
1623 
1624  /* do detect */
1625  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1626 
1627  if (PacketAlertCheck(p, 1)) {
1628  printf("sid 1 matched but shouldn't have: ");
1629  goto end;
1630  }
1631 
1632  result = 1;
1633 end:
1634  if (alp_tctx != NULL)
1636  if (de_ctx != NULL)
1638 
1639  StreamTcpFreeConfig(true);
1640  FLOW_DESTROY(&f);
1641  UTHFreePackets(&p, 1);
1642  return result;
1643 }
1644 
1645 /**
1646  *\test Test that the http_header content matches against a http request
1647  * which holds the content.
1648  */
1649 static int DetectEngineHttpHeaderTest06(void)
1650 {
1651  TcpSession ssn;
1652  Packet *p = NULL;
1653  ThreadVars th_v;
1654  DetectEngineCtx *de_ctx = NULL;
1655  DetectEngineThreadCtx *det_ctx = NULL;
1656  HtpState *http_state = NULL;
1657  Flow f;
1658  uint8_t http_buf[] =
1659  "GET /index.html HTTP/1.0\r\n"
1660  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1661  uint32_t http_len = sizeof(http_buf) - 1;
1662  int result = 0;
1664 
1665  memset(&th_v, 0, sizeof(th_v));
1666  memset(&f, 0, sizeof(f));
1667  memset(&ssn, 0, sizeof(ssn));
1668 
1669  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1670 
1671  FLOW_INITIALIZE(&f);
1672  f.protoctx = (void *)&ssn;
1673  f.proto = IPPROTO_TCP;
1674  f.flags |= FLOW_IPV4;
1675  p->flow = &f;
1679  f.alproto = ALPROTO_HTTP1;
1680 
1681  StreamTcpInitConfig(true);
1682 
1684  if (de_ctx == NULL)
1685  goto end;
1686 
1687  de_ctx->flags |= DE_QUIET;
1688 
1689  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1690  "(msg:\"http header test\"; "
1691  "content:\"one\"; offset:10; http_header; "
1692  "sid:1;)");
1693  if (de_ctx->sig_list == NULL)
1694  goto end;
1695 
1697  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1698 
1699  int r = AppLayerParserParse(
1700  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1701  if (r != 0) {
1702  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1703  result = 0;
1704  goto end;
1705  }
1706 
1707  http_state = f.alstate;
1708  if (http_state == NULL) {
1709  printf("no http state: ");
1710  result = 0;
1711  goto end;
1712  }
1713 
1714  /* do detect */
1715  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1716 
1717  if (!(PacketAlertCheck(p, 1))) {
1718  printf("sid 1 didn't match but should have: ");
1719  goto end;
1720  }
1721 
1722  result = 1;
1723 end:
1724  if (alp_tctx != NULL)
1726  if (de_ctx != NULL)
1728 
1729  StreamTcpFreeConfig(true);
1730  FLOW_DESTROY(&f);
1731  UTHFreePackets(&p, 1);
1732  return result;
1733 }
1734 
1735 /**
1736  *\test Test that the http_header content matches against a http request
1737  * which holds the content.
1738  */
1739 static int DetectEngineHttpHeaderTest07(void)
1740 {
1741  TcpSession ssn;
1742  Packet *p = NULL;
1743  ThreadVars th_v;
1744  DetectEngineCtx *de_ctx = NULL;
1745  DetectEngineThreadCtx *det_ctx = NULL;
1746  HtpState *http_state = NULL;
1747  Flow f;
1748  uint8_t http_buf[] =
1749  "GET /index.html HTTP/1.0\r\n"
1750  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1751  uint32_t http_len = sizeof(http_buf) - 1;
1752  int result = 0;
1754 
1755  memset(&th_v, 0, sizeof(th_v));
1756  memset(&f, 0, sizeof(f));
1757  memset(&ssn, 0, sizeof(ssn));
1758 
1759  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1760 
1761  FLOW_INITIALIZE(&f);
1762  f.protoctx = (void *)&ssn;
1763  f.proto = IPPROTO_TCP;
1764  f.flags |= FLOW_IPV4;
1765  p->flow = &f;
1769  f.alproto = ALPROTO_HTTP1;
1770 
1771  StreamTcpInitConfig(true);
1772 
1774  if (de_ctx == NULL)
1775  goto end;
1776 
1777  de_ctx->flags |= DE_QUIET;
1778 
1779  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1780  "(msg:\"http header test\"; "
1781  "content:!\"one\"; offset:15; http_header; "
1782  "sid:1;)");
1783  if (de_ctx->sig_list == NULL)
1784  goto end;
1785 
1787  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1788 
1789  int r = AppLayerParserParse(
1790  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1791  if (r != 0) {
1792  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1793  result = 0;
1794  goto end;
1795  }
1796 
1797  http_state = f.alstate;
1798  if (http_state == NULL) {
1799  printf("no http state: ");
1800  result = 0;
1801  goto end;
1802  }
1803 
1804  /* do detect */
1805  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1806 
1807  if (!(PacketAlertCheck(p, 1))) {
1808  printf("sid 1 didn't match but should have: ");
1809  goto end;
1810  }
1811 
1812  result = 1;
1813 end:
1814  if (alp_tctx != NULL)
1816  if (de_ctx != NULL)
1818 
1819  StreamTcpFreeConfig(true);
1820  FLOW_DESTROY(&f);
1821  UTHFreePackets(&p, 1);
1822  return result;
1823 }
1824 
1825 /**
1826  *\test Test that the http_header content matches against a http request
1827  * which holds the content.
1828  */
1829 static int DetectEngineHttpHeaderTest08(void)
1830 {
1831  TcpSession ssn;
1832  Packet *p = NULL;
1833  ThreadVars th_v;
1834  DetectEngineCtx *de_ctx = NULL;
1835  DetectEngineThreadCtx *det_ctx = NULL;
1836  HtpState *http_state = NULL;
1837  Flow f;
1838  uint8_t http_buf[] =
1839  "GET /index.html HTTP/1.0\r\n"
1840  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1841  uint32_t http_len = sizeof(http_buf) - 1;
1842  int result = 0;
1844 
1845  memset(&th_v, 0, sizeof(th_v));
1846  memset(&f, 0, sizeof(f));
1847  memset(&ssn, 0, sizeof(ssn));
1848 
1849  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1850 
1851  FLOW_INITIALIZE(&f);
1852  f.protoctx = (void *)&ssn;
1853  f.proto = IPPROTO_TCP;
1854  f.flags |= FLOW_IPV4;
1855  p->flow = &f;
1859  f.alproto = ALPROTO_HTTP1;
1860 
1861  StreamTcpInitConfig(true);
1862 
1864  if (de_ctx == NULL)
1865  goto end;
1866 
1867  de_ctx->flags |= DE_QUIET;
1868 
1869  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1870  "(msg:\"http header test\"; "
1871  "content:\"one\"; offset:15; http_header; "
1872  "sid:1;)");
1873  if (de_ctx->sig_list == NULL)
1874  goto end;
1875 
1877  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1878 
1879  int r = AppLayerParserParse(
1880  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1881  if (r != 0) {
1882  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1883  result = 0;
1884  goto end;
1885  }
1886 
1887  http_state = f.alstate;
1888  if (http_state == NULL) {
1889  printf("no http state: ");
1890  result = 0;
1891  goto end;
1892  }
1893 
1894  /* do detect */
1895  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1896 
1897  if (PacketAlertCheck(p, 1)) {
1898  printf("sid 1 matched but shouldn't have: ");
1899  goto end;
1900  }
1901 
1902  result = 1;
1903 end:
1904  if (alp_tctx != NULL)
1906  if (de_ctx != NULL)
1908 
1909  StreamTcpFreeConfig(true);
1910  FLOW_DESTROY(&f);
1911  UTHFreePackets(&p, 1);
1912  return result;
1913 }
1914 
1915 /**
1916  *\test Test that the http_header content matches against a http request
1917  * which holds the content.
1918  */
1919 static int DetectEngineHttpHeaderTest09(void)
1920 {
1921  TcpSession ssn;
1922  Packet *p = NULL;
1923  ThreadVars th_v;
1924  DetectEngineCtx *de_ctx = NULL;
1925  DetectEngineThreadCtx *det_ctx = NULL;
1926  HtpState *http_state = NULL;
1927  Flow f;
1928  uint8_t http_buf[] =
1929  "GET /index.html HTTP/1.0\r\n"
1930  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1931  uint32_t http_len = sizeof(http_buf) - 1;
1932  int result = 0;
1934 
1935  memset(&th_v, 0, sizeof(th_v));
1936  memset(&f, 0, sizeof(f));
1937  memset(&ssn, 0, sizeof(ssn));
1938 
1939  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1940 
1941  FLOW_INITIALIZE(&f);
1942  f.protoctx = (void *)&ssn;
1943  f.proto = IPPROTO_TCP;
1944  f.flags |= FLOW_IPV4;
1945  p->flow = &f;
1949  f.alproto = ALPROTO_HTTP1;
1950 
1951  StreamTcpInitConfig(true);
1952 
1954  if (de_ctx == NULL)
1955  goto end;
1956 
1957  de_ctx->flags |= DE_QUIET;
1958 
1959  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1960  "(msg:\"http header test\"; "
1961  "content:!\"one\"; offset:10; http_header; "
1962  "sid:1;)");
1963  if (de_ctx->sig_list == NULL)
1964  goto end;
1965 
1967  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1968 
1969  int r = AppLayerParserParse(
1970  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1971  if (r != 0) {
1972  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1973  result = 0;
1974  goto end;
1975  }
1976 
1977  http_state = f.alstate;
1978  if (http_state == NULL) {
1979  printf("no http state: ");
1980  result = 0;
1981  goto end;
1982  }
1983 
1984  /* do detect */
1985  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1986 
1987  if (PacketAlertCheck(p, 1)) {
1988  printf("sid 1 matched but shouldn't have: ");
1989  goto end;
1990  }
1991 
1992  result = 1;
1993 end:
1994  if (alp_tctx != NULL)
1996  if (de_ctx != NULL)
1998 
1999  StreamTcpFreeConfig(true);
2000  FLOW_DESTROY(&f);
2001  UTHFreePackets(&p, 1);
2002  return result;
2003 }
2004 
2005 /**
2006  *\test Test that the http_header content matches against a http request
2007  * which holds the content.
2008  */
2009 static int DetectEngineHttpHeaderTest10(void)
2010 {
2011  TcpSession ssn;
2012  Packet *p = NULL;
2013  ThreadVars th_v;
2014  DetectEngineCtx *de_ctx = NULL;
2015  DetectEngineThreadCtx *det_ctx = NULL;
2016  HtpState *http_state = NULL;
2017  Flow f;
2018  uint8_t http_buf[] =
2019  "GET /index.html HTTP/1.0\r\n"
2020  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2021  uint32_t http_len = sizeof(http_buf) - 1;
2022  int result = 0;
2024 
2025  memset(&th_v, 0, sizeof(th_v));
2026  memset(&f, 0, sizeof(f));
2027  memset(&ssn, 0, sizeof(ssn));
2028 
2029  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2030 
2031  FLOW_INITIALIZE(&f);
2032  f.protoctx = (void *)&ssn;
2033  f.proto = IPPROTO_TCP;
2034  f.flags |= FLOW_IPV4;
2035  p->flow = &f;
2039  f.alproto = ALPROTO_HTTP1;
2040 
2041  StreamTcpInitConfig(true);
2042 
2044  if (de_ctx == NULL)
2045  goto end;
2046 
2047  de_ctx->flags |= DE_QUIET;
2048 
2049  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2050  "(msg:\"http header test\"; "
2051  "content:\"one\"; http_header; content:\"three\"; http_header; within:10; "
2052  "sid:1;)");
2053  if (de_ctx->sig_list == NULL)
2054  goto end;
2055 
2057  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2058 
2059  int r = AppLayerParserParse(
2060  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2061  if (r != 0) {
2062  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2063  result = 0;
2064  goto end;
2065  }
2066 
2067  http_state = f.alstate;
2068  if (http_state == NULL) {
2069  printf("no http state: ");
2070  result = 0;
2071  goto end;
2072  }
2073 
2074  /* do detect */
2075  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2076 
2077  if (!(PacketAlertCheck(p, 1))) {
2078  printf("sid 1 didn't match but should have: ");
2079  goto end;
2080  }
2081 
2082  result = 1;
2083 end:
2084  if (alp_tctx != NULL)
2086  if (de_ctx != NULL)
2088 
2089  StreamTcpFreeConfig(true);
2090  FLOW_DESTROY(&f);
2091  UTHFreePackets(&p, 1);
2092  return result;
2093 }
2094 
2095 /**
2096  *\test Test that the http_header content matches against a http request
2097  * which holds the content.
2098  */
2099 static int DetectEngineHttpHeaderTest11(void)
2100 {
2101  TcpSession ssn;
2102  Packet *p = NULL;
2103  ThreadVars th_v;
2104  DetectEngineCtx *de_ctx = NULL;
2105  DetectEngineThreadCtx *det_ctx = NULL;
2106  HtpState *http_state = NULL;
2107  Flow f;
2108  uint8_t http_buf[] =
2109  "GET /index.html HTTP/1.0\r\n"
2110  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2111  uint32_t http_len = sizeof(http_buf) - 1;
2112  int result = 0;
2114 
2115  memset(&th_v, 0, sizeof(th_v));
2116  memset(&f, 0, sizeof(f));
2117  memset(&ssn, 0, sizeof(ssn));
2118 
2119  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2120 
2121  FLOW_INITIALIZE(&f);
2122  f.protoctx = (void *)&ssn;
2123  f.proto = IPPROTO_TCP;
2124  f.flags |= FLOW_IPV4;
2125  p->flow = &f;
2129  f.alproto = ALPROTO_HTTP1;
2130 
2131  StreamTcpInitConfig(true);
2132 
2134  if (de_ctx == NULL)
2135  goto end;
2136 
2137  de_ctx->flags |= DE_QUIET;
2138 
2139  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2140  "(msg:\"http header test\"; "
2141  "content:\"one\"; http_header; content:!\"three\"; http_header; within:5; "
2142  "sid:1;)");
2143  if (de_ctx->sig_list == NULL)
2144  goto end;
2145 
2147  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2148 
2149  int r = AppLayerParserParse(
2150  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2151  if (r != 0) {
2152  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2153  result = 0;
2154  goto end;
2155  }
2156 
2157  http_state = f.alstate;
2158  if (http_state == NULL) {
2159  printf("no http state: ");
2160  result = 0;
2161  goto end;
2162  }
2163 
2164  /* do detect */
2165  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2166 
2167  if (!(PacketAlertCheck(p, 1))) {
2168  printf("sid 1 didn't match but should have: ");
2169  goto end;
2170  }
2171 
2172  result = 1;
2173 end:
2174  if (alp_tctx != NULL)
2176  if (de_ctx != NULL)
2178 
2179  StreamTcpFreeConfig(true);
2180  FLOW_DESTROY(&f);
2181  UTHFreePackets(&p, 1);
2182  return result;
2183 }
2184 
2185 /**
2186  *\test Test that the http_header content matches against a http request
2187  * which holds the content.
2188  */
2189 static int DetectEngineHttpHeaderTest12(void)
2190 {
2191  TcpSession ssn;
2192  Packet *p = NULL;
2193  ThreadVars th_v;
2194  DetectEngineCtx *de_ctx = NULL;
2195  DetectEngineThreadCtx *det_ctx = NULL;
2196  HtpState *http_state = NULL;
2197  Flow f;
2198  uint8_t http_buf[] =
2199  "GET /index.html HTTP/1.0\r\n"
2200  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2201  uint32_t http_len = sizeof(http_buf) - 1;
2202  int result = 0;
2204 
2205  memset(&th_v, 0, sizeof(th_v));
2206  memset(&f, 0, sizeof(f));
2207  memset(&ssn, 0, sizeof(ssn));
2208 
2209  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2210 
2211  FLOW_INITIALIZE(&f);
2212  f.protoctx = (void *)&ssn;
2213  f.proto = IPPROTO_TCP;
2214  f.flags |= FLOW_IPV4;
2215  p->flow = &f;
2219  f.alproto = ALPROTO_HTTP1;
2220 
2221  StreamTcpInitConfig(true);
2222 
2224  if (de_ctx == NULL)
2225  goto end;
2226 
2227  de_ctx->flags |= DE_QUIET;
2228 
2229  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2230  "(msg:\"http header test\"; "
2231  "content:\"one\"; http_header; content:!\"three\"; http_header; within:10; "
2232  "sid:1;)");
2233  if (de_ctx->sig_list == NULL)
2234  goto end;
2235 
2237  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2238 
2239  int r = AppLayerParserParse(
2240  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2241  if (r != 0) {
2242  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2243  result = 0;
2244  goto end;
2245  }
2246 
2247  http_state = f.alstate;
2248  if (http_state == NULL) {
2249  printf("no http state: ");
2250  result = 0;
2251  goto end;
2252  }
2253 
2254  /* do detect */
2255  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2256 
2257  if (PacketAlertCheck(p, 1)) {
2258  printf("sid 1 matched but shouldn't have: ");
2259  goto end;
2260  }
2261 
2262  result = 1;
2263 end:
2264  if (alp_tctx != NULL)
2266  if (de_ctx != NULL)
2268 
2269  StreamTcpFreeConfig(true);
2270  FLOW_DESTROY(&f);
2271  UTHFreePackets(&p, 1);
2272  return result;
2273 }
2274 
2275 /**
2276  *\test Test that the http_header content matches against a http request
2277  * which holds the content.
2278  */
2279 static int DetectEngineHttpHeaderTest13(void)
2280 {
2281  TcpSession ssn;
2282  Packet *p = NULL;
2283  ThreadVars th_v;
2284  DetectEngineCtx *de_ctx = NULL;
2285  DetectEngineThreadCtx *det_ctx = NULL;
2286  HtpState *http_state = NULL;
2287  Flow f;
2288  uint8_t http_buf[] =
2289  "GET /index.html HTTP/1.0\r\n"
2290  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2291  uint32_t http_len = sizeof(http_buf) - 1;
2292  int result = 0;
2294 
2295  memset(&th_v, 0, sizeof(th_v));
2296  memset(&f, 0, sizeof(f));
2297  memset(&ssn, 0, sizeof(ssn));
2298 
2299  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2300 
2301  FLOW_INITIALIZE(&f);
2302  f.protoctx = (void *)&ssn;
2303  f.proto = IPPROTO_TCP;
2304  f.flags |= FLOW_IPV4;
2305  p->flow = &f;
2309  f.alproto = ALPROTO_HTTP1;
2310 
2311  StreamTcpInitConfig(true);
2312 
2314  if (de_ctx == NULL)
2315  goto end;
2316 
2317  de_ctx->flags |= DE_QUIET;
2318 
2319  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2320  "(msg:\"http header test\"; "
2321  "content:\"one\"; http_header; content:\"three\"; http_header; within:5; "
2322  "sid:1;)");
2323  if (de_ctx->sig_list == NULL)
2324  goto end;
2325 
2327  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2328 
2329  int r = AppLayerParserParse(
2330  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2331  if (r != 0) {
2332  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2333  result = 0;
2334  goto end;
2335  }
2336 
2337  http_state = f.alstate;
2338  if (http_state == NULL) {
2339  printf("no http state: ");
2340  result = 0;
2341  goto end;
2342  }
2343 
2344  /* do detect */
2345  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2346 
2347  if (PacketAlertCheck(p, 1)) {
2348  printf("sid 1 matched but shouldn't have: ");
2349  goto end;
2350  }
2351 
2352  result = 1;
2353 end:
2354  if (alp_tctx != NULL)
2356  if (de_ctx != NULL)
2358 
2359  StreamTcpFreeConfig(true);
2360  FLOW_DESTROY(&f);
2361  UTHFreePackets(&p, 1);
2362  return result;
2363 }
2364 
2365 /**
2366  *\test Test that the http_header content matches against a http request
2367  * which holds the content.
2368  */
2369 static int DetectEngineHttpHeaderTest14(void)
2370 {
2371  TcpSession ssn;
2372  Packet *p = NULL;
2373  ThreadVars th_v;
2374  DetectEngineCtx *de_ctx = NULL;
2375  DetectEngineThreadCtx *det_ctx = NULL;
2376  HtpState *http_state = NULL;
2377  Flow f;
2378  uint8_t http_buf[] =
2379  "GET /index.html HTTP/1.0\r\n"
2380  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2381  uint32_t http_len = sizeof(http_buf) - 1;
2382  int result = 0;
2384 
2385  memset(&th_v, 0, sizeof(th_v));
2386  memset(&f, 0, sizeof(f));
2387  memset(&ssn, 0, sizeof(ssn));
2388 
2389  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2390 
2391  FLOW_INITIALIZE(&f);
2392  f.protoctx = (void *)&ssn;
2393  f.proto = IPPROTO_TCP;
2394  f.flags |= FLOW_IPV4;
2395  p->flow = &f;
2399  f.alproto = ALPROTO_HTTP1;
2400 
2401  StreamTcpInitConfig(true);
2402 
2404  if (de_ctx == NULL)
2405  goto end;
2406 
2407  de_ctx->flags |= DE_QUIET;
2408 
2409  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2410  "(msg:\"http header test\"; "
2411  "content:\"one\"; http_header; content:\"five\"; http_header; distance:7; "
2412  "sid:1;)");
2413  if (de_ctx->sig_list == NULL)
2414  goto end;
2415 
2417  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2418 
2419  int r = AppLayerParserParse(
2420  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2421  if (r != 0) {
2422  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2423  result = 0;
2424  goto end;
2425  }
2426 
2427  http_state = f.alstate;
2428  if (http_state == NULL) {
2429  printf("no http state: ");
2430  result = 0;
2431  goto end;
2432  }
2433 
2434  /* do detect */
2435  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2436 
2437  if (!(PacketAlertCheck(p, 1))) {
2438  printf("sid 1 didn't match but should have: ");
2439  goto end;
2440  }
2441 
2442  result = 1;
2443 end:
2444  if (alp_tctx != NULL)
2446  if (de_ctx != NULL)
2448 
2449  StreamTcpFreeConfig(true);
2450  FLOW_DESTROY(&f);
2451  UTHFreePackets(&p, 1);
2452  return result;
2453 }
2454 
2455 /**
2456  *\test Test that the http_header content matches against a http request
2457  * which holds the content.
2458  */
2459 static int DetectEngineHttpHeaderTest15(void)
2460 {
2461  TcpSession ssn;
2462  Packet *p = NULL;
2463  ThreadVars th_v;
2464  DetectEngineCtx *de_ctx = NULL;
2465  DetectEngineThreadCtx *det_ctx = NULL;
2466  HtpState *http_state = NULL;
2467  Flow f;
2468  uint8_t http_buf[] =
2469  "GET /index.html HTTP/1.0\r\n"
2470  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2471  uint32_t http_len = sizeof(http_buf) - 1;
2472  int result = 0;
2474 
2475  memset(&th_v, 0, sizeof(th_v));
2476  memset(&f, 0, sizeof(f));
2477  memset(&ssn, 0, sizeof(ssn));
2478 
2479  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2480 
2481  FLOW_INITIALIZE(&f);
2482  f.protoctx = (void *)&ssn;
2483  f.proto = IPPROTO_TCP;
2484  f.flags |= FLOW_IPV4;
2485  p->flow = &f;
2489  f.alproto = ALPROTO_HTTP1;
2490 
2491  StreamTcpInitConfig(true);
2492 
2494  if (de_ctx == NULL)
2495  goto end;
2496 
2497  de_ctx->flags |= DE_QUIET;
2498 
2499  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2500  "(msg:\"http header test\"; "
2501  "content:\"one\"; http_header; content:!\"five\"; http_header; distance:15; "
2502  "sid:1;)");
2503  if (de_ctx->sig_list == NULL)
2504  goto end;
2505 
2507  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2508 
2509  int r = AppLayerParserParse(
2510  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2511  if (r != 0) {
2512  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2513  result = 0;
2514  goto end;
2515  }
2516 
2517  http_state = f.alstate;
2518  if (http_state == NULL) {
2519  printf("no http state: ");
2520  result = 0;
2521  goto end;
2522  }
2523 
2524  /* do detect */
2525  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2526 
2527  if (!(PacketAlertCheck(p, 1))) {
2528  printf("sid 1 didn't match but should have: ");
2529  goto end;
2530  }
2531 
2532  result = 1;
2533 end:
2534  if (alp_tctx != NULL)
2536  if (de_ctx != NULL)
2538 
2539  StreamTcpFreeConfig(true);
2540  FLOW_DESTROY(&f);
2541  UTHFreePackets(&p, 1);
2542  return result;
2543 }
2544 
2545 /**
2546  *\test Test that the http_header content matches against a http request
2547  * which holds the content.
2548  */
2549 static int DetectEngineHttpHeaderTest16(void)
2550 {
2551  TcpSession ssn;
2552  Packet *p = NULL;
2553  ThreadVars th_v;
2554  DetectEngineCtx *de_ctx = NULL;
2555  DetectEngineThreadCtx *det_ctx = NULL;
2556  HtpState *http_state = NULL;
2557  Flow f;
2558  uint8_t http_buf[] =
2559  "GET /index.html HTTP/1.0\r\n"
2560  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2561  uint32_t http_len = sizeof(http_buf) - 1;
2562  int result = 0;
2564 
2565  memset(&th_v, 0, sizeof(th_v));
2566  memset(&f, 0, sizeof(f));
2567  memset(&ssn, 0, sizeof(ssn));
2568 
2569  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2570 
2571  FLOW_INITIALIZE(&f);
2572  f.protoctx = (void *)&ssn;
2573  f.proto = IPPROTO_TCP;
2574  f.flags |= FLOW_IPV4;
2575  p->flow = &f;
2579  f.alproto = ALPROTO_HTTP1;
2580 
2581  StreamTcpInitConfig(true);
2582 
2584  if (de_ctx == NULL)
2585  goto end;
2586 
2587  de_ctx->flags |= DE_QUIET;
2588 
2589  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2590  "(msg:\"http header test\"; "
2591  "content:\"one\"; http_header; content:!\"five\"; http_header; distance:7; "
2592  "sid:1;)");
2593  if (de_ctx->sig_list == NULL)
2594  goto end;
2595 
2597  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2598 
2599  int r = AppLayerParserParse(
2600  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2601  if (r != 0) {
2602  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2603  result = 0;
2604  goto end;
2605  }
2606 
2607  http_state = f.alstate;
2608  if (http_state == NULL) {
2609  printf("no http state: ");
2610  result = 0;
2611  goto end;
2612  }
2613 
2614  /* do detect */
2615  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2616 
2617  if (PacketAlertCheck(p, 1)) {
2618  printf("sid 1 matched but shouldn't have: ");
2619  goto end;
2620  }
2621 
2622  result = 1;
2623 end:
2624  if (alp_tctx != NULL)
2626  if (de_ctx != NULL)
2628 
2629  StreamTcpFreeConfig(true);
2630  FLOW_DESTROY(&f);
2631  UTHFreePackets(&p, 1);
2632  return result;
2633 }
2634 
2635 /**
2636  *\test Test that the http_header content matches against a http request
2637  * which holds the content.
2638  */
2639 static int DetectEngineHttpHeaderTest17(void)
2640 {
2641  TcpSession ssn;
2642  Packet *p = NULL;
2643  ThreadVars th_v;
2644  DetectEngineCtx *de_ctx = NULL;
2645  DetectEngineThreadCtx *det_ctx = NULL;
2646  HtpState *http_state = NULL;
2647  Flow f;
2648  uint8_t http_buf[] =
2649  "GET /index.html HTTP/1.0\r\n"
2650  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2651  uint32_t http_len = sizeof(http_buf) - 1;
2652  int result = 0;
2654 
2655  memset(&th_v, 0, sizeof(th_v));
2656  memset(&f, 0, sizeof(f));
2657  memset(&ssn, 0, sizeof(ssn));
2658 
2659  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2660 
2661  FLOW_INITIALIZE(&f);
2662  f.protoctx = (void *)&ssn;
2663  f.proto = IPPROTO_TCP;
2664  f.flags |= FLOW_IPV4;
2665  p->flow = &f;
2669  f.alproto = ALPROTO_HTTP1;
2670 
2671  StreamTcpInitConfig(true);
2672 
2674  if (de_ctx == NULL)
2675  goto end;
2676 
2677  de_ctx->flags |= DE_QUIET;
2678 
2679  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2680  "(msg:\"http header test\"; "
2681  "content:\"one\"; http_header; content:\"five\"; http_header; distance:15; "
2682  "sid:1;)");
2683  if (de_ctx->sig_list == NULL)
2684  goto end;
2685 
2687  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2688 
2689  int r = AppLayerParserParse(
2690  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2691  if (r != 0) {
2692  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2693  result = 0;
2694  goto end;
2695  }
2696 
2697  http_state = f.alstate;
2698  if (http_state == NULL) {
2699  printf("no http state: ");
2700  result = 0;
2701  goto end;
2702  }
2703 
2704  /* do detect */
2705  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2706 
2707  if (PacketAlertCheck(p, 1)) {
2708  printf("sid 1 matched but shouldn't have: ");
2709  goto end;
2710  }
2711 
2712  result = 1;
2713 end:
2714  if (alp_tctx != NULL)
2716  if (de_ctx != NULL)
2718 
2719  StreamTcpFreeConfig(true);
2720  FLOW_DESTROY(&f);
2721  UTHFreePackets(&p, 1);
2722  return result;
2723 }
2724 
2725 static int DetectEngineHttpHeaderTest20(void)
2726 {
2727  TcpSession ssn;
2728  Packet *p1 = NULL;
2729  Packet *p2 = NULL;
2730  ThreadVars th_v;
2731  DetectEngineCtx *de_ctx = NULL;
2732  DetectEngineThreadCtx *det_ctx = NULL;
2733  HtpState *http_state = NULL;
2734  Flow f;
2735  uint8_t http1_buf[] =
2736  "GET /index.html HTTP/1.0\r\n"
2737  "Host: This_is_dummy_body1";
2738  uint8_t http2_buf[] =
2739  "This_is_dummy_message_body2\r\n"
2740  "\r\n";
2741  uint32_t http1_len = sizeof(http1_buf) - 1;
2742  uint32_t http2_len = sizeof(http2_buf) - 1;
2743  int result = 0;
2745 
2746  memset(&th_v, 0, sizeof(th_v));
2747  memset(&f, 0, sizeof(f));
2748  memset(&ssn, 0, sizeof(ssn));
2749 
2750  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2751  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2752 
2753  FLOW_INITIALIZE(&f);
2754  f.protoctx = (void *)&ssn;
2755  f.proto = IPPROTO_TCP;
2756  f.flags |= FLOW_IPV4;
2757 
2758  p1->flow = &f;
2762  p2->flow = &f;
2766  f.alproto = ALPROTO_HTTP1;
2767 
2768  StreamTcpInitConfig(true);
2769 
2771  if (de_ctx == NULL)
2772  goto end;
2773 
2774  de_ctx->flags |= DE_QUIET;
2775 
2776  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2777  "(msg:\"http client body test\"; "
2778  "pcre:/body1/H; "
2779  "content:!\"dummy\"; http_header; within:7; "
2780  "sid:1;)");
2781  if (de_ctx->sig_list == NULL)
2782  goto end;
2783 
2785  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2786 
2787  int r = AppLayerParserParse(
2788  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2789  if (r != 0) {
2790  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2791  result = 0;
2792  goto end;
2793  }
2794 
2795  http_state = f.alstate;
2796  if (http_state == NULL) {
2797  printf("no http state: \n");
2798  result = 0;
2799  goto end;
2800  }
2801 
2802  /* do detect */
2803  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2804 
2805  if (PacketAlertCheck(p1, 1)) {
2806  printf("sid 1 matched but shouldn't have\n");
2807  goto end;
2808  }
2809 
2810  r = AppLayerParserParse(
2811  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2812  if (r != 0) {
2813  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2814  result = 0;
2815  goto end;
2816  }
2817 
2818  /* do detect */
2819  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2820 
2821  if (!PacketAlertCheck(p2, 1)) {
2822  printf("sid 1 didn't match but shouldn't have");
2823  goto end;
2824  }
2825 
2826  result = 1;
2827 
2828 end:
2829  if (alp_tctx != NULL)
2831  if (de_ctx != NULL)
2833 
2834  StreamTcpFreeConfig(true);
2835  FLOW_DESTROY(&f);
2836  UTHFreePackets(&p1, 1);
2837  UTHFreePackets(&p2, 1);
2838  return result;
2839 }
2840 
2841 static int DetectEngineHttpHeaderTest21(void)
2842 {
2843  TcpSession ssn;
2844  Packet *p1 = NULL;
2845  Packet *p2 = NULL;
2846  ThreadVars th_v;
2847  DetectEngineCtx *de_ctx = NULL;
2848  DetectEngineThreadCtx *det_ctx = NULL;
2849  HtpState *http_state = NULL;
2850  Flow f;
2851  uint8_t http1_buf[] =
2852  "GET /index.html HTTP/1.0\r\n"
2853  "Host: This_is_dummy_body1";
2854  uint8_t http2_buf[] =
2855  "This_is_dummy_message_body2\r\n"
2856  "\r\n";
2857  uint32_t http1_len = sizeof(http1_buf) - 1;
2858  uint32_t http2_len = sizeof(http2_buf) - 1;
2859  int result = 0;
2861 
2862  memset(&th_v, 0, sizeof(th_v));
2863  memset(&f, 0, sizeof(f));
2864  memset(&ssn, 0, sizeof(ssn));
2865 
2866  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2867  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2868 
2869  FLOW_INITIALIZE(&f);
2870  f.protoctx = (void *)&ssn;
2871  f.proto = IPPROTO_TCP;
2872  f.flags |= FLOW_IPV4;
2873 
2874  p1->flow = &f;
2878  p2->flow = &f;
2882  f.alproto = ALPROTO_HTTP1;
2883 
2884  StreamTcpInitConfig(true);
2885 
2887  if (de_ctx == NULL)
2888  goto end;
2889 
2890  de_ctx->flags |= DE_QUIET;
2891 
2892  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2893  "(msg:\"http client body test\"; "
2894  "pcre:/body1/H; "
2895  "content:!\"dummy\"; within:7; http_header; "
2896  "sid:1;)");
2897  if (de_ctx->sig_list == NULL)
2898  goto end;
2899 
2901  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2902 
2903  int r = AppLayerParserParse(
2904  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2905  if (r != 0) {
2906  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2907  result = 0;
2908  goto end;
2909  }
2910 
2911  http_state = f.alstate;
2912  if (http_state == NULL) {
2913  printf("no http state: \n");
2914  result = 0;
2915  goto end;
2916  }
2917 
2918  /* do detect */
2919  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2920 
2921  if (PacketAlertCheck(p1, 1)) {
2922  printf("sid 1 matched but shouldn't have\n");
2923  goto end;
2924  }
2925 
2926  r = AppLayerParserParse(
2927  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2928  if (r != 0) {
2929  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2930  result = 0;
2931  goto end;
2932  }
2933 
2934  /* do detect */
2935  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2936 
2937  if (!PacketAlertCheck(p2, 1)) {
2938  printf("sid 1 didn't match but shouldn't have");
2939  goto end;
2940  }
2941 
2942  result = 1;
2943 
2944 end:
2945  if (alp_tctx != NULL)
2947  if (de_ctx != NULL)
2949 
2950  StreamTcpFreeConfig(true);
2951  FLOW_DESTROY(&f);
2952  UTHFreePackets(&p1, 1);
2953  UTHFreePackets(&p2, 1);
2954  return result;
2955 }
2956 
2957 static int DetectEngineHttpHeaderTest22(void)
2958 {
2959  TcpSession ssn;
2960  Packet *p1 = NULL;
2961  Packet *p2 = NULL;
2962  ThreadVars th_v;
2963  DetectEngineCtx *de_ctx = NULL;
2964  DetectEngineThreadCtx *det_ctx = NULL;
2965  HtpState *http_state = NULL;
2966  Flow f;
2967  uint8_t http1_buf[] =
2968  "GET /index.html HTTP/1.0\r\n"
2969  "Host: This_is_dummy_body1";
2970  uint8_t http2_buf[] =
2971  "This_is_dummy_message_body2\r\n"
2972  "\r\n";
2973  uint32_t http1_len = sizeof(http1_buf) - 1;
2974  uint32_t http2_len = sizeof(http2_buf) - 1;
2975  int result = 0;
2977 
2978  memset(&th_v, 0, sizeof(th_v));
2979  memset(&f, 0, sizeof(f));
2980  memset(&ssn, 0, sizeof(ssn));
2981 
2982  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2983  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2984 
2985  FLOW_INITIALIZE(&f);
2986  f.protoctx = (void *)&ssn;
2987  f.proto = IPPROTO_TCP;
2988  f.flags |= FLOW_IPV4;
2989 
2990  p1->flow = &f;
2994  p2->flow = &f;
2998  f.alproto = ALPROTO_HTTP1;
2999 
3000  StreamTcpInitConfig(true);
3001 
3003  if (de_ctx == NULL)
3004  goto end;
3005 
3006  de_ctx->flags |= DE_QUIET;
3007 
3008  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3009  "(msg:\"http client body test\"; "
3010  "pcre:/body1/H; "
3011  "content:!\"dummy\"; distance:3; http_header; "
3012  "sid:1;)");
3013  if (de_ctx->sig_list == NULL)
3014  goto end;
3015 
3017  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3018 
3019  int r = AppLayerParserParse(
3020  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3021  if (r != 0) {
3022  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3023  result = 0;
3024  goto end;
3025  }
3026 
3027  http_state = f.alstate;
3028  if (http_state == NULL) {
3029  printf("no http state: \n");
3030  result = 0;
3031  goto end;
3032  }
3033 
3034  /* do detect */
3035  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3036 
3037  if (PacketAlertCheck(p1, 1)) {
3038  printf("sid 1 matched but shouldn't have\n");
3039  goto end;
3040  }
3041 
3042  r = AppLayerParserParse(
3043  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3044  if (r != 0) {
3045  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3046  result = 0;
3047  goto end;
3048  }
3049 
3050  /* do detect */
3051  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3052 
3053  if (PacketAlertCheck(p2, 1)) {
3054  printf("sid 1 matched but shouldn't have");
3055  goto end;
3056  }
3057 
3058  result = 1;
3059 
3060 end:
3061  if (alp_tctx != NULL)
3063  if (de_ctx != NULL)
3065 
3066  StreamTcpFreeConfig(true);
3067  FLOW_DESTROY(&f);
3068  UTHFreePackets(&p1, 1);
3069  UTHFreePackets(&p2, 1);
3070  return result;
3071 }
3072 
3073 static int DetectEngineHttpHeaderTest23(void)
3074 {
3075  TcpSession ssn;
3076  Packet *p1 = NULL;
3077  Packet *p2 = NULL;
3078  ThreadVars th_v;
3079  DetectEngineCtx *de_ctx = NULL;
3080  DetectEngineThreadCtx *det_ctx = NULL;
3081  HtpState *http_state = NULL;
3082  Flow f;
3083  uint8_t http1_buf[] =
3084  "GET /index.html HTTP/1.0\r\n"
3085  "Host: This_is_dummy_body1";
3086  uint8_t http2_buf[] =
3087  "This_is_dummy_message_body2\r\n"
3088  "\r\n";
3089  uint32_t http1_len = sizeof(http1_buf) - 1;
3090  uint32_t http2_len = sizeof(http2_buf) - 1;
3091  int result = 0;
3093 
3094  memset(&th_v, 0, sizeof(th_v));
3095  memset(&f, 0, sizeof(f));
3096  memset(&ssn, 0, sizeof(ssn));
3097 
3098  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3099  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3100 
3101  FLOW_INITIALIZE(&f);
3102  f.protoctx = (void *)&ssn;
3103  f.proto = IPPROTO_TCP;
3104  f.flags |= FLOW_IPV4;
3105 
3106  p1->flow = &f;
3110  p2->flow = &f;
3114  f.alproto = ALPROTO_HTTP1;
3115 
3116  StreamTcpInitConfig(true);
3117 
3119  if (de_ctx == NULL)
3120  goto end;
3121 
3122  de_ctx->flags |= DE_QUIET;
3123 
3124  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3125  "(msg:\"http client body test\"; "
3126  "pcre:/body1/H; "
3127  "content:!\"dummy\"; distance:13; http_header; "
3128  "sid:1;)");
3129  if (de_ctx->sig_list == NULL)
3130  goto end;
3131 
3133  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3134 
3135  int r = AppLayerParserParse(
3136  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3137  if (r != 0) {
3138  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3139  result = 0;
3140  goto end;
3141  }
3142 
3143  http_state = f.alstate;
3144  if (http_state == NULL) {
3145  printf("no http state: \n");
3146  result = 0;
3147  goto end;
3148  }
3149 
3150  /* do detect */
3151  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3152 
3153  if (PacketAlertCheck(p1, 1)) {
3154  printf("sid 1 matched but shouldn't have\n");
3155  goto end;
3156  }
3157 
3158  r = AppLayerParserParse(
3159  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3160  if (r != 0) {
3161  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3162  result = 0;
3163  goto end;
3164  }
3165 
3166  /* do detect */
3167  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3168 
3169  if (!PacketAlertCheck(p2, 1)) {
3170  printf("sid 1 didn't match but should have");
3171  goto end;
3172  }
3173 
3174  result = 1;
3175 
3176 end:
3177  if (alp_tctx != NULL)
3179  if (de_ctx != NULL)
3181 
3182  StreamTcpFreeConfig(true);
3183  FLOW_DESTROY(&f);
3184  UTHFreePackets(&p1, 1);
3185  UTHFreePackets(&p2, 1);
3186  return result;
3187 }
3188 
3189 static int DetectEngineHttpHeaderTest24(void)
3190 {
3191  TcpSession ssn;
3192  Packet *p1 = NULL;
3193  Packet *p2 = NULL;
3194  ThreadVars th_v;
3195  DetectEngineCtx *de_ctx = NULL;
3196  DetectEngineThreadCtx *det_ctx = NULL;
3197  HtpState *http_state = NULL;
3198  Flow f;
3199  uint8_t http1_buf[] =
3200  "GET /index.html HTTP/1.0\r\n"
3201  "Host: This_is_dummy_body1";
3202  uint8_t http2_buf[] =
3203  "This_is_dummy_message_body2\r\n"
3204  "\r\n";
3205  uint32_t http1_len = sizeof(http1_buf) - 1;
3206  uint32_t http2_len = sizeof(http2_buf) - 1;
3207  int result = 0;
3209 
3210  memset(&th_v, 0, sizeof(th_v));
3211  memset(&f, 0, sizeof(f));
3212  memset(&ssn, 0, sizeof(ssn));
3213 
3214  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3215  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3216 
3217  FLOW_INITIALIZE(&f);
3218  f.protoctx = (void *)&ssn;
3219  f.proto = IPPROTO_TCP;
3220  f.flags |= FLOW_IPV4;
3221 
3222  p1->flow = &f;
3226  p2->flow = &f;
3230  f.alproto = ALPROTO_HTTP1;
3231 
3232  StreamTcpInitConfig(true);
3233 
3235  if (de_ctx == NULL)
3236  goto end;
3237 
3238  de_ctx->flags |= DE_QUIET;
3239 
3240  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3241  "(msg:\"http client body test\"; "
3242  "pcre:/body1/H; "
3243  "content:\"dummy\"; within:15; http_header; "
3244  "sid:1;)");
3245  if (de_ctx->sig_list == NULL)
3246  goto end;
3247 
3249  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3250 
3251  int r = AppLayerParserParse(
3252  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3253  if (r != 0) {
3254  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3255  result = 0;
3256  goto end;
3257  }
3258 
3259  http_state = f.alstate;
3260  if (http_state == NULL) {
3261  printf("no http state: \n");
3262  result = 0;
3263  goto end;
3264  }
3265 
3266  /* do detect */
3267  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3268 
3269  if (PacketAlertCheck(p1, 1)) {
3270  printf("sid 1 matched but shouldn't have\n");
3271  goto end;
3272  }
3273 
3274  r = AppLayerParserParse(
3275  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3276  if (r != 0) {
3277  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3278  result = 0;
3279  goto end;
3280  }
3281 
3282  /* do detect */
3283  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3284 
3285  if (!PacketAlertCheck(p2, 1)) {
3286  printf("sid 1 didn't match but should have");
3287  goto end;
3288  }
3289 
3290  result = 1;
3291 
3292 end:
3293  if (alp_tctx != NULL)
3295  if (de_ctx != NULL)
3297 
3298  StreamTcpFreeConfig(true);
3299  FLOW_DESTROY(&f);
3300  UTHFreePackets(&p1, 1);
3301  UTHFreePackets(&p2, 1);
3302  return result;
3303 }
3304 
3305 static int DetectEngineHttpHeaderTest25(void)
3306 {
3307  TcpSession ssn;
3308  Packet *p1 = NULL;
3309  Packet *p2 = NULL;
3310  ThreadVars th_v;
3311  DetectEngineCtx *de_ctx = NULL;
3312  DetectEngineThreadCtx *det_ctx = NULL;
3313  HtpState *http_state = NULL;
3314  Flow f;
3315  uint8_t http1_buf[] =
3316  "GET /index.html HTTP/1.0\r\n"
3317  "Host: This_is_dummy_body1";
3318  uint8_t http2_buf[] =
3319  "This_is_dummy_message_body2\r\n"
3320  "\r\n";
3321  uint32_t http1_len = sizeof(http1_buf) - 1;
3322  uint32_t http2_len = sizeof(http2_buf) - 1;
3323  int result = 0;
3325 
3326  memset(&th_v, 0, sizeof(th_v));
3327  memset(&f, 0, sizeof(f));
3328  memset(&ssn, 0, sizeof(ssn));
3329 
3330  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3331  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3332 
3333  FLOW_INITIALIZE(&f);
3334  f.protoctx = (void *)&ssn;
3335  f.proto = IPPROTO_TCP;
3336  f.flags |= FLOW_IPV4;
3337 
3338  p1->flow = &f;
3342  p2->flow = &f;
3346  f.alproto = ALPROTO_HTTP1;
3347 
3348  StreamTcpInitConfig(true);
3349 
3351  if (de_ctx == NULL)
3352  goto end;
3353 
3354  de_ctx->flags |= DE_QUIET;
3355 
3356  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3357  "(msg:\"http client body test\"; "
3358  "pcre:/body1/H; "
3359  "content:\"dummy\"; within:10; http_header; "
3360  "sid:1;)");
3361  if (de_ctx->sig_list == NULL)
3362  goto end;
3363 
3365  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3366 
3367  int r = AppLayerParserParse(
3368  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3369  if (r != 0) {
3370  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3371  result = 0;
3372  goto end;
3373  }
3374 
3375  http_state = f.alstate;
3376  if (http_state == NULL) {
3377  printf("no http state: \n");
3378  result = 0;
3379  goto end;
3380  }
3381 
3382  /* do detect */
3383  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3384 
3385  if (PacketAlertCheck(p1, 1)) {
3386  printf("sid 1 matched but shouldn't have\n");
3387  goto end;
3388  }
3389 
3390  r = AppLayerParserParse(
3391  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3392  if (r != 0) {
3393  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3394  result = 0;
3395  goto end;
3396  }
3397 
3398  /* do detect */
3399  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3400 
3401  if (PacketAlertCheck(p2, 1)) {
3402  printf("sid 1 matched but shouldn't have");
3403  goto end;
3404  }
3405 
3406  result = 1;
3407 
3408 end:
3409  if (alp_tctx != NULL)
3411  if (de_ctx != NULL)
3413 
3414  StreamTcpFreeConfig(true);
3415  FLOW_DESTROY(&f);
3416  UTHFreePackets(&p1, 1);
3417  UTHFreePackets(&p2, 1);
3418  return result;
3419 }
3420 
3421 static int DetectEngineHttpHeaderTest26(void)
3422 {
3423  TcpSession ssn;
3424  Packet *p1 = NULL;
3425  Packet *p2 = NULL;
3426  ThreadVars th_v;
3427  DetectEngineCtx *de_ctx = NULL;
3428  DetectEngineThreadCtx *det_ctx = NULL;
3429  HtpState *http_state = NULL;
3430  Flow f;
3431  uint8_t http1_buf[] =
3432  "GET /index.html HTTP/1.0\r\n"
3433  "Host: This_is_dummy_body1";
3434  uint8_t http2_buf[] =
3435  "This_is_dummy_message_body2\r\n"
3436  "\r\n";
3437  uint32_t http1_len = sizeof(http1_buf) - 1;
3438  uint32_t http2_len = sizeof(http2_buf) - 1;
3439  int result = 0;
3441 
3442  memset(&th_v, 0, sizeof(th_v));
3443  memset(&f, 0, sizeof(f));
3444  memset(&ssn, 0, sizeof(ssn));
3445 
3446  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3447  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3448 
3449  FLOW_INITIALIZE(&f);
3450  f.protoctx = (void *)&ssn;
3451  f.proto = IPPROTO_TCP;
3452  f.flags |= FLOW_IPV4;
3453 
3454  p1->flow = &f;
3458  p2->flow = &f;
3462  f.alproto = ALPROTO_HTTP1;
3463 
3464  StreamTcpInitConfig(true);
3465 
3467  if (de_ctx == NULL)
3468  goto end;
3469 
3470  de_ctx->flags |= DE_QUIET;
3471 
3472  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3473  "(msg:\"http client body test\"; "
3474  "pcre:/body1/H; "
3475  "content:\"dummy\"; distance:8; http_header; "
3476  "sid:1;)");
3477  if (de_ctx->sig_list == NULL)
3478  goto end;
3479 
3481  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3482 
3483  int r = AppLayerParserParse(
3484  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3485  if (r != 0) {
3486  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3487  result = 0;
3488  goto end;
3489  }
3490 
3491  http_state = f.alstate;
3492  if (http_state == NULL) {
3493  printf("no http state: \n");
3494  result = 0;
3495  goto end;
3496  }
3497 
3498  /* do detect */
3499  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3500 
3501  if (PacketAlertCheck(p1, 1)) {
3502  printf("sid 1 matched but shouldn't have\n");
3503  goto end;
3504  }
3505 
3506  r = AppLayerParserParse(
3507  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3508  if (r != 0) {
3509  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3510  result = 0;
3511  goto end;
3512  }
3513 
3514  /* do detect */
3515  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3516 
3517  if (!PacketAlertCheck(p2, 1)) {
3518  printf("sid 1 didn't match but should have");
3519  goto end;
3520  }
3521 
3522  result = 1;
3523 
3524 end:
3525  if (alp_tctx != NULL)
3527  if (de_ctx != NULL)
3529 
3530  StreamTcpFreeConfig(true);
3531  FLOW_DESTROY(&f);
3532  UTHFreePackets(&p1, 1);
3533  UTHFreePackets(&p2, 1);
3534  return result;
3535 }
3536 
3537 static int DetectEngineHttpHeaderTest27(void)
3538 {
3539  TcpSession ssn;
3540  Packet *p1 = NULL;
3541  Packet *p2 = NULL;
3542  ThreadVars th_v;
3543  DetectEngineCtx *de_ctx = NULL;
3544  DetectEngineThreadCtx *det_ctx = NULL;
3545  HtpState *http_state = NULL;
3546  Flow f;
3547  uint8_t http1_buf[] =
3548  "GET /index.html HTTP/1.0\r\n"
3549  "Host: This_is_dummy_body1";
3550  uint8_t http2_buf[] =
3551  "This_is_dummy_message_body2\r\n"
3552  "\r\n";
3553  uint32_t http1_len = sizeof(http1_buf) - 1;
3554  uint32_t http2_len = sizeof(http2_buf) - 1;
3555  int result = 0;
3557 
3558  memset(&th_v, 0, sizeof(th_v));
3559  memset(&f, 0, sizeof(f));
3560  memset(&ssn, 0, sizeof(ssn));
3561 
3562  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3563  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3564 
3565  FLOW_INITIALIZE(&f);
3566  f.protoctx = (void *)&ssn;
3567  f.proto = IPPROTO_TCP;
3568  f.flags |= FLOW_IPV4;
3569 
3570  p1->flow = &f;
3574  p2->flow = &f;
3578  f.alproto = ALPROTO_HTTP1;
3579 
3580  StreamTcpInitConfig(true);
3581 
3583  if (de_ctx == NULL)
3584  goto end;
3585 
3586  de_ctx->flags |= DE_QUIET;
3587 
3588  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3589  "(msg:\"http client body test\"; "
3590  "pcre:/body1/H; "
3591  "content:\"dummy\"; distance:14; http_header; "
3592  "sid:1;)");
3593  if (de_ctx->sig_list == NULL)
3594  goto end;
3595 
3597  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3598 
3599  int r = AppLayerParserParse(
3600  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3601  if (r != 0) {
3602  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3603  result = 0;
3604  goto end;
3605  }
3606 
3607  http_state = f.alstate;
3608  if (http_state == NULL) {
3609  printf("no http state: \n");
3610  result = 0;
3611  goto end;
3612  }
3613 
3614  /* do detect */
3615  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3616 
3617  if (PacketAlertCheck(p1, 1)) {
3618  printf("sid 1 matched but shouldn't have\n");
3619  goto end;
3620  }
3621 
3622  r = AppLayerParserParse(
3623  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3624  if (r != 0) {
3625  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3626  result = 0;
3627  goto end;
3628  }
3629 
3630  /* do detect */
3631  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3632 
3633  if (PacketAlertCheck(p2, 1)) {
3634  printf("sid 1 matched but shouldn't have");
3635  goto end;
3636  }
3637 
3638  result = 1;
3639 
3640 end:
3641  if (alp_tctx != NULL)
3643  if (de_ctx != NULL)
3645 
3646  StreamTcpFreeConfig(true);
3647  FLOW_DESTROY(&f);
3648  UTHFreePackets(&p1, 1);
3649  UTHFreePackets(&p2, 1);
3650  return result;
3651 }
3652 
3653 static int DetectEngineHttpHeaderTest28(void)
3654 {
3655  TcpSession ssn;
3656  Packet *p1 = NULL;
3657  Packet *p2 = NULL;
3658  ThreadVars th_v;
3659  DetectEngineCtx *de_ctx = NULL;
3660  DetectEngineThreadCtx *det_ctx = NULL;
3661  HtpState *http_state = NULL;
3662  Flow f;
3663  uint8_t http_buf1[] =
3664  "GET /index.html HTTP/1.0\r\n"
3665  "Host: www.openinfosecfoundation.org\r\n"
3666  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3667  "\r\n";
3668  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
3669  uint8_t http_buf2[] =
3670  "HTTP/1.0 200 ok\r\n"
3671  "Content-Type: text/html\r\n"
3672  "Content-Length: 6\r\n"
3673  "\r\n"
3674  "abcdef";
3675  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
3676  int result = 0;
3678 
3679  memset(&th_v, 0, sizeof(th_v));
3680  memset(&f, 0, sizeof(f));
3681  memset(&ssn, 0, sizeof(ssn));
3682 
3683  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3684  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3685 
3686  FLOW_INITIALIZE(&f);
3687  f.protoctx = (void *)&ssn;
3688  f.proto = IPPROTO_TCP;
3689  f.flags |= FLOW_IPV4;
3690 
3691  p1->flow = &f;
3695  p2->flow = &f;
3699  f.alproto = ALPROTO_HTTP1;
3700 
3701  StreamTcpInitConfig(true);
3702 
3704  if (de_ctx == NULL)
3705  goto end;
3706 
3707  de_ctx->flags |= DE_QUIET;
3708 
3709  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3710  "(msg:\"http header test\"; "
3711  "content:\"Content-Length: 6\"; http_header; "
3712  "sid:1;)");
3713  if (de_ctx->sig_list == NULL)
3714  goto end;
3715 
3717  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3718 
3719  int r = AppLayerParserParse(
3720  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
3721  if (r != 0) {
3722  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3723  result = 0;
3724  goto end;
3725  }
3726 
3727  http_state = f.alstate;
3728  if (http_state == NULL) {
3729  printf("no http state: \n");
3730  result = 0;
3731  goto end;
3732  }
3733 
3734  /* do detect */
3735  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3736 
3737  if (PacketAlertCheck(p1, 1)) {
3738  printf("sid 1 matched but shouldn't have\n");
3739  goto end;
3740  }
3741 
3742  r = AppLayerParserParse(
3743  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
3744  if (r != 0) {
3745  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3746  result = 0;
3747  goto end;
3748  }
3749 
3750  /* do detect */
3751  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3752 
3753  FAIL_IF(!PacketAlertCheck(p2, 1));
3754 
3755  result = 1;
3756 
3757 end:
3758  if (alp_tctx != NULL)
3760  if (de_ctx != NULL)
3762 
3763  StreamTcpFreeConfig(true);
3764  FLOW_DESTROY(&f);
3765  UTHFreePackets(&p1, 1);
3766  UTHFreePackets(&p2, 1);
3767  return result;
3768 }
3769 
3770 static int DetectEngineHttpHeaderTest29(void)
3771 {
3772  TcpSession ssn;
3773  Packet *p1 = NULL;
3774  Packet *p2 = NULL;
3775  ThreadVars th_v;
3776  DetectEngineCtx *de_ctx = NULL;
3777  DetectEngineThreadCtx *det_ctx = NULL;
3778  HtpState *http_state = NULL;
3779  Flow f;
3780  uint8_t http_buf1[] =
3781  "GET /index.html HTTP/1.0\r\n"
3782  "Host: www.openinfosecfoundation.org\r\n"
3783  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3784  "\r\n";
3785  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
3786  uint8_t http_buf2[] =
3787  "HTTP/1.0 200 ok\r\n"
3788  "Content-Type: text/html\r\n"
3789  "Content-Length: 6\r\n"
3790  "\r\n"
3791  "abcdef";
3792  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
3793  int result = 0;
3795 
3796  memset(&th_v, 0, sizeof(th_v));
3797  memset(&f, 0, sizeof(f));
3798  memset(&ssn, 0, sizeof(ssn));
3799 
3800  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3801  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3802 
3803  FLOW_INITIALIZE(&f);
3804  f.protoctx = (void *)&ssn;
3805  f.proto = IPPROTO_TCP;
3806  f.flags |= FLOW_IPV4;
3807 
3808  p1->flow = &f;
3812  p2->flow = &f;
3816  f.alproto = ALPROTO_HTTP1;
3817 
3818  StreamTcpInitConfig(true);
3819 
3821  if (de_ctx == NULL)
3822  goto end;
3823 
3824  de_ctx->flags |= DE_QUIET;
3825 
3826  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3827  "(msg:\"http header test\"; "
3828  "content:\"Content-Length: 7\"; http_header; "
3829  "sid:1;)");
3830  if (de_ctx->sig_list == NULL)
3831  goto end;
3832 
3834  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3835 
3836  int r = AppLayerParserParse(
3837  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
3838  if (r != 0) {
3839  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3840  result = 0;
3841  goto end;
3842  }
3843 
3844  http_state = f.alstate;
3845  if (http_state == NULL) {
3846  printf("no http state: \n");
3847  result = 0;
3848  goto end;
3849  }
3850 
3851  /* do detect */
3852  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3853 
3854  if (PacketAlertCheck(p1, 1)) {
3855  printf("sid 1 matched but shouldn't have\n");
3856  goto end;
3857  }
3858 
3859  r = AppLayerParserParse(
3860  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
3861  if (r != 0) {
3862  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3863  result = 0;
3864  goto end;
3865  }
3866 
3867  /* do detect */
3868  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3869 
3870  if (PacketAlertCheck(p2, 1)) {
3871  printf("sid 1 matched but shouldn't have");
3872  goto end;
3873  }
3874 
3875  result = 1;
3876 
3877 end:
3878  if (alp_tctx != NULL)
3880  if (de_ctx != NULL)
3882 
3883  StreamTcpFreeConfig(true);
3884  FLOW_DESTROY(&f);
3885  UTHFreePackets(&p1, 1);
3886  UTHFreePackets(&p2, 1);
3887  return result;
3888 }
3889 
3890 #if 0
3891 
3892 static int DetectEngineHttpHeaderTest30(void)
3893 {
3894  int result = 0;
3896 
3897  if (de_ctx == NULL) {
3898  goto end;
3899  }
3900 
3901  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
3902  "(msg:\"http header test\"; "
3903  "content:\"Content-Length: 6\"; http_header; "
3904  "content:\"User-Agent: Mozilla\"; http_header; "
3905  "sid:1;)");
3906  if (de_ctx->sig_list != NULL) {
3907  goto end;
3908  }
3909 
3910  result = 1;
3911 
3912  end:
3913  if (de_ctx != NULL)
3915  return result;
3916 }
3917 
3918 #endif /* #if 0 */
3919 
3920 static int DetectEngineHttpHeaderTest30(void)
3921 {
3922  TcpSession ssn;
3923  Packet *p1 = NULL;
3924  Packet *p2 = NULL;
3925  ThreadVars th_v;
3926  DetectEngineCtx *de_ctx = NULL;
3927  DetectEngineThreadCtx *det_ctx = NULL;
3928  HtpState *http_state = NULL;
3929  Flow f;
3930  uint8_t http_buf1[] =
3931  "GET /index.html HTTP/1.0\r\n"
3932  "Host: www.openinfosecfoundation.org\r\n"
3933  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3934  "\r\n";
3935  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
3936  uint8_t http_buf2[] =
3937  "HTTP/1.0 200 ok\r\n"
3938  "Set-Cookie: dummycookieset\r\n"
3939  "Content-Type: text/html\r\n"
3940  "Content-Length: 6\r\n"
3941  "\r\n"
3942  "abcdef";
3943  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
3944  int result = 0;
3946 
3947  memset(&th_v, 0, sizeof(th_v));
3948  memset(&f, 0, sizeof(f));
3949  memset(&ssn, 0, sizeof(ssn));
3950 
3951  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3952  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3953 
3954  FLOW_INITIALIZE(&f);
3955  f.protoctx = (void *)&ssn;
3956  f.proto = IPPROTO_TCP;
3957  f.flags |= FLOW_IPV4;
3958 
3959  p1->flow = &f;
3963  p2->flow = &f;
3967  f.alproto = ALPROTO_HTTP1;
3968 
3969  StreamTcpInitConfig(true);
3970 
3972  if (de_ctx == NULL)
3973  goto end;
3974 
3975  de_ctx->flags |= DE_QUIET;
3976 
3977  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3978  "(msg:\"http header test\"; "
3979  "content:\"dummycookieset\"; http_header; "
3980  "sid:1;)");
3981  if (de_ctx->sig_list == NULL)
3982  goto end;
3983 
3985  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3986 
3987  int r = AppLayerParserParse(
3988  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
3989  if (r != 0) {
3990  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3991  result = 0;
3992  goto end;
3993  }
3994 
3995  http_state = f.alstate;
3996  if (http_state == NULL) {
3997  printf("no http state: \n");
3998  result = 0;
3999  goto end;
4000  }
4001 
4002  /* do detect */
4003  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4004 
4005  if (PacketAlertCheck(p1, 1)) {
4006  printf("sid 1 matched but shouldn't have\n");
4007  goto end;
4008  }
4009 
4010  r = AppLayerParserParse(
4011  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
4012  if (r != 0) {
4013  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4014  result = 0;
4015  goto end;
4016  }
4017 
4018  /* do detect */
4019  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4020 
4021  if (PacketAlertCheck(p2, 1)) {
4022  printf("sid 1 matched but shouldn't have\n");
4023  goto end;
4024  }
4025 
4026  result = 1;
4027 
4028 end:
4029  if (alp_tctx != NULL)
4031  if (de_ctx != NULL)
4033 
4034  StreamTcpFreeConfig(true);
4035  FLOW_DESTROY(&f);
4036  UTHFreePackets(&p1, 1);
4037  UTHFreePackets(&p2, 1);
4038  return result;
4039 }
4040 
4041 /** \test reassembly bug where headers with names of length 6 were
4042  * skipped
4043  */
4044 static int DetectEngineHttpHeaderTest31(void)
4045 {
4046  TcpSession ssn;
4047  Packet *p1 = NULL;
4048  ThreadVars th_v;
4049  DetectEngineCtx *de_ctx = NULL;
4050  DetectEngineThreadCtx *det_ctx = NULL;
4051  HtpState *http_state = NULL;
4052  Flow f;
4053  uint8_t http1_buf[] =
4054  "GET /index.html HTTP/1.0\r\n"
4055  "Accept: blah\r\n"
4056  "Cookie: blah\r\n"
4057  "Crazy6: blah\r\n"
4058  "SixZix: blah\r\n\r\n";
4059  uint32_t http1_len = sizeof(http1_buf) - 1;
4060  int result = 0;
4062 
4063  memset(&th_v, 0, sizeof(th_v));
4064  memset(&f, 0, sizeof(f));
4065  memset(&ssn, 0, sizeof(ssn));
4066 
4067  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4068 
4069  FLOW_INITIALIZE(&f);
4070  f.protoctx = (void *)&ssn;
4071  f.proto = IPPROTO_TCP;
4072  f.flags |= FLOW_IPV4;
4073 
4074  p1->flow = &f;
4078  f.alproto = ALPROTO_HTTP1;
4079 
4080  StreamTcpInitConfig(true);
4081 
4083  if (de_ctx == NULL)
4084  goto end;
4085 
4086  de_ctx->flags |= DE_QUIET;
4087 
4088  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4089  "(content:\"Accept|3a|\"; http_header; "
4090  "content:!\"Cookie|3a|\"; http_header; "
4091  "content:\"Crazy6|3a|\"; http_header; "
4092  "content:\"SixZix|3a|\"; http_header; "
4093  "sid:1;)");
4094  if (de_ctx->sig_list == NULL)
4095  goto end;
4096 
4098  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4099 
4100  int r = AppLayerParserParse(
4101  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4102  if (r != 0) {
4103  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4104  result = 0;
4105  goto end;
4106  }
4107 
4108  http_state = f.alstate;
4109  if (http_state == NULL) {
4110  printf("no http state: \n");
4111  result = 0;
4112  goto end;
4113  }
4114 
4115  /* do detect */
4116  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4117 
4118  if (!(PacketAlertCheck(p1, 1))) {
4119  printf("sid 1 didn't match but should have: ");
4120  goto end;
4121  }
4122 
4123  result = 1;
4124 
4125 end:
4126  if (alp_tctx != NULL)
4128  if (de_ctx != NULL)
4130 
4131  StreamTcpFreeConfig(true);
4132  FLOW_DESTROY(&f);
4133  UTHFreePackets(&p1, 1);
4134  return result;
4135 }
4136 
4137 /**
4138  * \test Trailing headers.
4139  */
4140 static int DetectEngineHttpHeaderTest32(void)
4141 {
4142  TcpSession ssn;
4143  Packet *p1 = NULL;
4144  ThreadVars th_v;
4145  DetectEngineCtx *de_ctx = NULL;
4146  DetectEngineThreadCtx *det_ctx = NULL;
4147  HtpState *http_state = NULL;
4148  Flow f;
4149  uint8_t http1_buf[] =
4150  "GET /index.html HTTP/1.0\r\n"
4151  "host: boom\r\n"
4152  "Transfer-Encoding: chunked\r\n"
4153  "\r\n"
4154  "13\r\n"
4155  "This is dummy body1\r\n"
4156  "0\r\n"
4157  "Dummy-Header: kaboom\r\n"
4158  "\r\n";
4159  uint32_t http1_len = sizeof(http1_buf) - 1;
4160  int result = 0;
4162 
4163  memset(&th_v, 0, sizeof(th_v));
4164  memset(&f, 0, sizeof(f));
4165  memset(&ssn, 0, sizeof(ssn));
4166 
4167  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4168 
4169  FLOW_INITIALIZE(&f);
4170  f.protoctx = (void *)&ssn;
4171  f.proto = IPPROTO_TCP;
4172  f.flags |= FLOW_IPV4;
4173 
4174  p1->flow = &f;
4178  f.alproto = ALPROTO_HTTP1;
4179 
4180  StreamTcpInitConfig(true);
4181 
4183  if (de_ctx == NULL)
4184  goto end;
4185 
4186  de_ctx->flags |= DE_QUIET;
4187 
4188  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4189  "(content:\"Dummy\"; http_header; "
4190  "sid:1;)");
4191  if (de_ctx->sig_list == NULL)
4192  goto end;
4193 
4195  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4196 
4197  int r = AppLayerParserParse(
4198  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4199  if (r != 0) {
4200  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4201  result = 0;
4202  goto end;
4203  }
4204 
4205  http_state = f.alstate;
4206  if (http_state == NULL) {
4207  printf("no http state: \n");
4208  result = 0;
4209  goto end;
4210  }
4211 
4212  /* do detect */
4213  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4214 
4215  if (!(PacketAlertCheck(p1, 1))) {
4216  printf("sid 1 didn't match but should have: ");
4217  goto end;
4218  }
4219 
4220  result = 1;
4221 
4222 end:
4223  if (alp_tctx != NULL)
4225  if (de_ctx != NULL)
4227 
4228  StreamTcpFreeConfig(true);
4229  FLOW_DESTROY(&f);
4230  UTHFreePackets(&p1, 1);
4231  return result;
4232 }
4233 
4234 /**
4235  * \test Trailing headers.
4236  */
4237 static int DetectEngineHttpHeaderTest33(void)
4238 {
4239  TcpSession ssn;
4240  Packet *p1 = NULL;
4241  Packet *p2 = NULL;
4242  ThreadVars th_v;
4243  DetectEngineCtx *de_ctx = NULL;
4244  DetectEngineThreadCtx *det_ctx = NULL;
4245  HtpState *http_state = NULL;
4246  Flow f;
4247  uint8_t http1_buf[] =
4248  "GET /index.html HTTP/1.0\r\n"
4249  "host: boom\r\n"
4250  "Transfer-Encoding: chunked\r\n"
4251  "\r\n"
4252  "13\r\n"
4253  "This is dummy body1\r\n"
4254  "0\r\n";
4255  uint8_t http2_buf[] =
4256  "Dummy-Header: kaboom\r\n"
4257  "\r\n";
4258  uint32_t http1_len = sizeof(http1_buf) - 1;
4259  uint32_t http2_len = sizeof(http2_buf) - 1;
4260 
4263 
4264  memset(&th_v, 0, sizeof(th_v));
4265  memset(&f, 0, sizeof(f));
4266  memset(&ssn, 0, sizeof(ssn));
4267 
4268  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4269  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4270 
4271  FLOW_INITIALIZE(&f);
4272  f.protoctx = (void *)&ssn;
4273  f.proto = IPPROTO_TCP;
4274  f.flags |= FLOW_IPV4;
4275 
4276  p1->flow = &f;
4280  p2->flow = &f;
4284  f.alproto = ALPROTO_HTTP1;
4285 
4286  StreamTcpInitConfig(true);
4287 
4289  FAIL_IF(de_ctx == NULL);
4290  de_ctx->flags |= DE_QUIET;
4291 
4292  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4293  "(content:\"Dummy\"; http_header; "
4294  "sid:1;)");
4295  FAIL_IF(de_ctx->sig_list == NULL);
4296 
4298  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4299 
4300  int r = AppLayerParserParse(
4301  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4302  FAIL_IF_NOT(r == 0);
4303 
4304  http_state = f.alstate;
4305  FAIL_IF(http_state == NULL);
4306 
4307  /* do detect */
4308  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4309 
4310  FAIL_IF(PacketAlertCheck(p1, 1));
4311 
4312  r = AppLayerParserParse(
4313  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4314  FAIL_IF_NOT(r == 0);
4315 
4316  /* do detect */
4317  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4318 
4319  FAIL_IF(!PacketAlertCheck(p2, 1));
4320 
4323 
4324  StreamTcpFreeConfig(true);
4325  FLOW_DESTROY(&f);
4326  UTHFreePackets(&p1, 1);
4327  UTHFreePackets(&p2, 1);
4328  PASS;
4329 }
4330 
4331 /**
4332  * \test Trailing headers.
4333  */
4334 static int DetectEngineHttpHeaderTest34(void)
4335 {
4336  TcpSession ssn;
4337  ThreadVars th_v;
4338  DetectEngineCtx *de_ctx = NULL;
4339  DetectEngineThreadCtx *det_ctx = NULL;
4340  HtpState *http_state = NULL;
4341  Flow f;
4342  uint8_t http1_buf[] =
4343  "GET /index.html HTTP/1.0\r\n"
4344  "host: boom\r\n"
4345  "Dummy-Header1: blah\r\n"
4346  "Transfer-Encoding: chunked\r\n"
4347  "\r\n";
4348  uint8_t http2_buf[] =
4349  "13\r\n"
4350  "This is dummy body1\r\n"
4351  "0\r\n";
4352  uint8_t http3_buf[] =
4353  "Dummy-Header2: kaboom\r\n"
4354  "\r\n";
4355  uint32_t http1_len = sizeof(http1_buf) - 1;
4356  uint32_t http2_len = sizeof(http2_buf) - 1;
4357  uint32_t http3_len = sizeof(http3_buf) - 1;
4358 
4361 
4362  memset(&th_v, 0, sizeof(th_v));
4363  memset(&f, 0, sizeof(f));
4364  memset(&ssn, 0, sizeof(ssn));
4365 
4366  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4367  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4368  Packet *p3 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4369 
4370  FLOW_INITIALIZE(&f);
4371  f.protoctx = (void *)&ssn;
4372  f.proto = IPPROTO_TCP;
4373  f.flags |= FLOW_IPV4;
4374 
4375  p1->flow = &f;
4379  p1->pcap_cnt = 1;
4380  p2->flow = &f;
4384  p2->pcap_cnt = 2;
4385  p3->flow = &f;
4389  p3->pcap_cnt = 3;
4390  f.alproto = ALPROTO_HTTP1;
4391 
4392  StreamTcpInitConfig(true);
4393 
4395  FAIL_IF(de_ctx == NULL);
4396  de_ctx->flags |= DE_QUIET;
4397 
4398  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4399  "(content:\"Dummy\"; http_header; content:\"Header2\"; http_header; within:8; "
4400  "sid:1;)");
4401  FAIL_IF(de_ctx->sig_list == NULL);
4402 
4404  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4405 
4406  int r = AppLayerParserParse(
4407  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4408  FAIL_IF_NOT(r == 0);
4409 
4410  http_state = f.alstate;
4411  FAIL_IF(http_state == NULL);
4412 
4413  /* do detect */
4414  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4415  FAIL_IF(PacketAlertCheck(p1, 1));
4416 
4417  r = AppLayerParserParse(
4418  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4419  FAIL_IF_NOT(r == 0);
4420 
4421  /* do detect */
4422  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4423  FAIL_IF(PacketAlertCheck(p2, 1));
4424 
4425  r = AppLayerParserParse(
4426  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http3_buf, http3_len);
4427  FAIL_IF_NOT(r == 0);
4428 
4429  /* do detect */
4430  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4431  FAIL_IF(!PacketAlertCheck(p3, 1)); /* should match in trailer */
4432 
4435 
4436  StreamTcpFreeConfig(true);
4437  FLOW_DESTROY(&f);
4438  UTHFreePackets(&p1, 1);
4439  UTHFreePackets(&p2, 1);
4440  UTHFreePackets(&p3, 1);
4441  PASS;
4442 }
4443 
4444 /**
4445  * \test Trailing headers.
4446  */
4447 static int DetectEngineHttpHeaderTest35(void)
4448 {
4449  TcpSession ssn;
4450  ThreadVars th_v;
4451  DetectEngineCtx *de_ctx = NULL;
4452  DetectEngineThreadCtx *det_ctx = NULL;
4453  HtpState *http_state = NULL;
4454  Flow f;
4455  uint8_t http1_buf[] =
4456  "GET /index.html HTTP/1.0\r\n"
4457  "host: boom\r\n"
4458  "Dummy-Header1: blah\r\n"
4459  "Transfer-Encoding: chunked\r\n"
4460  "\r\n";
4461  uint8_t http2_buf[] =
4462  "13\r\n"
4463  "This is dummy body1\r\n"
4464  "0\r\n";
4465  uint8_t http3_buf[] =
4466  "Dummy-Header2: kaboom\r\n"
4467  "\r\n";
4468  uint32_t http1_len = sizeof(http1_buf) - 1;
4469  uint32_t http2_len = sizeof(http2_buf) - 1;
4470  uint32_t http3_len = sizeof(http3_buf) - 1;
4471 
4474 
4475  memset(&th_v, 0, sizeof(th_v));
4476  memset(&f, 0, sizeof(f));
4477  memset(&ssn, 0, sizeof(ssn));
4478 
4479  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4480  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4481  Packet *p3 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4482 
4483  FLOW_INITIALIZE(&f);
4484  f.protoctx = (void *)&ssn;
4485  f.proto = IPPROTO_TCP;
4486  f.flags |= FLOW_IPV4;
4487 
4488  p1->flow = &f;
4492  p1->pcap_cnt = 1;
4493  p2->flow = &f;
4497  p2->pcap_cnt = 2;
4498  p3->flow = &f;
4502  p3->pcap_cnt = 3;
4503  f.alproto = ALPROTO_HTTP1;
4504 
4505  StreamTcpInitConfig(true);
4506 
4508  FAIL_IF(de_ctx == NULL);
4509  de_ctx->flags |= DE_QUIET;
4510 
4511  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4512  "(content:\"Dummy\"; http_header; fast_pattern; content:\"Header2\"; http_header; within:8; "
4513  "sid:1;)");
4514  FAIL_IF(de_ctx->sig_list == NULL);
4515 
4517  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4518 
4519  int r = AppLayerParserParse(
4520  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4521  FAIL_IF_NOT(r == 0);
4522 
4523  http_state = f.alstate;
4524  FAIL_IF(http_state == NULL);
4525 
4526  /* do detect */
4527  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4528  FAIL_IF(PacketAlertCheck(p1, 1));
4529 
4530  r = AppLayerParserParse(
4531  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4532  FAIL_IF_NOT(r == 0);
4533 
4534  /* do detect */
4535  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4536  FAIL_IF(PacketAlertCheck(p2, 1));
4537 
4538  r = AppLayerParserParse(
4539  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http3_buf, http3_len);
4540  FAIL_IF_NOT(r == 0);
4541 
4542  /* do detect */
4543  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4544  FAIL_IF(!PacketAlertCheck(p3, 1)); /* should match in trailer */
4545 
4548 
4549  StreamTcpFreeConfig(true);
4550  FLOW_DESTROY(&f);
4551  UTHFreePackets(&p1, 1);
4552  UTHFreePackets(&p2, 1);
4553  UTHFreePackets(&p3, 1);
4554  PASS;
4555 }
4556 
4558 {
4559  UtRegisterTest("DetectHttpHeaderParserTest01", DetectHttpHeaderParserTest01);
4560  UtRegisterTest("DetectHttpHeaderParserTest02", DetectHttpHeaderParserTest02);
4561 
4562  UtRegisterTest("DetectHttpHeaderTest06", DetectHttpHeaderTest06);
4563  UtRegisterTest("DetectHttpHeaderTest07", DetectHttpHeaderTest07);
4564  UtRegisterTest("DetectHttpHeaderTest08", DetectHttpHeaderTest08);
4565  UtRegisterTest("DetectHttpHeaderTest09", DetectHttpHeaderTest09);
4566  UtRegisterTest("DetectHttpHeaderTest10", DetectHttpHeaderTest10);
4567  UtRegisterTest("DetectHttpHeaderTest11", DetectHttpHeaderTest11);
4568  UtRegisterTest("DetectHttpHeaderTest12", DetectHttpHeaderTest12);
4569  UtRegisterTest("DetectHttpHeaderTest13", DetectHttpHeaderTest13);
4570  UtRegisterTest("DetectHttpHeaderTest28", DetectHttpHeaderTest28);
4571  UtRegisterTest("DetectHttpHeaderTest29", DetectHttpHeaderTest29);
4572  UtRegisterTest("DetectHttpHeaderTest30", DetectHttpHeaderTest30);
4573 
4574  UtRegisterTest("DetectHttpHeaderIsdataatParseTest",
4575  DetectHttpHeaderIsdataatParseTest);
4576 
4577  UtRegisterTest("DetectEngineHttpHeaderTest01",
4578  DetectEngineHttpHeaderTest01);
4579  UtRegisterTest("DetectEngineHttpHeaderTest02",
4580  DetectEngineHttpHeaderTest02);
4581  UtRegisterTest("DetectEngineHttpHeaderTest03",
4582  DetectEngineHttpHeaderTest03);
4583  UtRegisterTest("DetectEngineHttpHeaderTest04",
4584  DetectEngineHttpHeaderTest04);
4585  UtRegisterTest("DetectEngineHttpHeaderTest05",
4586  DetectEngineHttpHeaderTest05);
4587  UtRegisterTest("DetectEngineHttpHeaderTest06",
4588  DetectEngineHttpHeaderTest06);
4589  UtRegisterTest("DetectEngineHttpHeaderTest07",
4590  DetectEngineHttpHeaderTest07);
4591  UtRegisterTest("DetectEngineHttpHeaderTest08",
4592  DetectEngineHttpHeaderTest08);
4593  UtRegisterTest("DetectEngineHttpHeaderTest09",
4594  DetectEngineHttpHeaderTest09);
4595  UtRegisterTest("DetectEngineHttpHeaderTest10",
4596  DetectEngineHttpHeaderTest10);
4597  UtRegisterTest("DetectEngineHttpHeaderTest11",
4598  DetectEngineHttpHeaderTest11);
4599  UtRegisterTest("DetectEngineHttpHeaderTest12",
4600  DetectEngineHttpHeaderTest12);
4601  UtRegisterTest("DetectEngineHttpHeaderTest13",
4602  DetectEngineHttpHeaderTest13);
4603  UtRegisterTest("DetectEngineHttpHeaderTest14",
4604  DetectEngineHttpHeaderTest14);
4605  UtRegisterTest("DetectEngineHttpHeaderTest15",
4606  DetectEngineHttpHeaderTest15);
4607  UtRegisterTest("DetectEngineHttpHeaderTest16",
4608  DetectEngineHttpHeaderTest16);
4609  UtRegisterTest("DetectEngineHttpHeaderTest17",
4610  DetectEngineHttpHeaderTest17);
4611  UtRegisterTest("DetectEngineHttpHeaderTest20",
4612  DetectEngineHttpHeaderTest20);
4613  UtRegisterTest("DetectEngineHttpHeaderTest21",
4614  DetectEngineHttpHeaderTest21);
4615  UtRegisterTest("DetectEngineHttpHeaderTest22",
4616  DetectEngineHttpHeaderTest22);
4617  UtRegisterTest("DetectEngineHttpHeaderTest23",
4618  DetectEngineHttpHeaderTest23);
4619  UtRegisterTest("DetectEngineHttpHeaderTest24",
4620  DetectEngineHttpHeaderTest24);
4621  UtRegisterTest("DetectEngineHttpHeaderTest25",
4622  DetectEngineHttpHeaderTest25);
4623  UtRegisterTest("DetectEngineHttpHeaderTest26",
4624  DetectEngineHttpHeaderTest26);
4625  UtRegisterTest("DetectEngineHttpHeaderTest27",
4626  DetectEngineHttpHeaderTest27);
4627  UtRegisterTest("DetectEngineHttpHeaderTest28",
4628  DetectEngineHttpHeaderTest28);
4629  UtRegisterTest("DetectEngineHttpHeaderTest29",
4630  DetectEngineHttpHeaderTest29);
4631  UtRegisterTest("DetectEngineHttpHeaderTest30",
4632  DetectEngineHttpHeaderTest30);
4633  UtRegisterTest("DetectEngineHttpHeaderTest31",
4634  DetectEngineHttpHeaderTest31);
4635 #if 0
4636  UtRegisterTest("DetectEngineHttpHeaderTest30",
4637  DetectEngineHttpHeaderTest30, 1);
4638 #endif
4639  UtRegisterTest("DetectEngineHttpHeaderTest32",
4640  DetectEngineHttpHeaderTest32);
4641  UtRegisterTest("DetectEngineHttpHeaderTest33 -- Trailer",
4642  DetectEngineHttpHeaderTest33);
4643  UtRegisterTest("DetectEngineHttpHeaderTest34 -- Trailer",
4644  DetectEngineHttpHeaderTest34);
4645  UtRegisterTest("DetectEngineHttpHeaderTest35 -- Trailer",
4646  DetectEngineHttpHeaderTest35);
4647 }
4648 
4649 /**
4650  * @}
4651  */
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition: util-unittest-helper.c:911
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1021
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:608
Flow_::proto
uint8_t proto
Definition: flow.h:373
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2580
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:321
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1884
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
Flow_::protoctx
void * protoctx
Definition: flow.h:441
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
HtpState_
Definition: app-layer-htp.h:244
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:839
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:350
Packet_
Definition: decode.h:437
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:224
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3291
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1303
SigMatch_::type
uint16_t type
Definition: detect.h:348
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:844
DetectBufferGetLastSigMatch
SigMatch * DetectBufferGetLastSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1361
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
Flow_::alstate
void * alstate
Definition: flow.h:476
Flow_::flags
uint32_t flags
Definition: flow.h:421
Signature_
Signature container.
Definition: detect.h:593
SigMatch_
a single match condition for a signature
Definition: detect.h:347
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2541
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:838
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
DetectHttpHeaderRegisterTests
void DetectHttpHeaderRegisterTests(void)
Definition: detect-http-header.c:4557
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1018
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:471