suricata
detect-http-header.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29  *
30  * Implements support for http_header keyword.
31  */
32 
33 #include "../suricata-common.h"
34 #include "../flow.h"
35 #include "../flow-var.h"
36 #include "../flow-util.h"
37 
38 #include "../app-layer.h"
39 #include "../app-layer-parser.h"
40 
41 #include "../app-layer-htp.h"
42 #include "../detect-http-header.h"
43 #include "../detect-http-header-common.h"
44 #include "../detect-engine-build.h"
45 #include "../detect-engine-alert.h"
46 
47 #include "../detect-isdataat.h"
48 
49 #include "../stream-tcp.h"
50 
51 #include "../util-unittest.h"
52 #include "../util-unittest-helper.h"
53 
54 /**
55  * \test Test parser accepting valid rules and rejecting invalid rules
56  */
57 static int DetectHttpHeaderParserTest01(void)
58 {
59  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; http_header; sid:1;)", true));
60  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; nocase; http_header; sid:1;)", true));
61  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; endswith; http_header; sid:1;)", true));
62  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; startswith; http_header; sid:1;)", true));
63  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; startswith; endswith; http_header; sid:1;)", true));
64 
65  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; rawbytes; http_header; sid:1;)", false));
66  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (http_header; sid:1;)", false));
67  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (content:\"abc\"; http_header; sid:1;)", false));
68  PASS;
69 }
70 
71 /**
72  * \test Test parser accepting valid rules and rejecting invalid rules
73  */
74 static int DetectHttpHeaderParserTest02(void)
75 {
76  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; sid:1;)", true));
77  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; nocase; sid:1;)", true));
78  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; endswith; sid:1;)", true));
79  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; sid:1;)", true));
80  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; endswith; sid:1;)", true));
81  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; bsize:10; sid:1;)", true));
82 
83  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; rawbytes; sid:1;)", false));
84  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (http.header; sid:1;)", false));
85  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (http.header; content:\"abc\"; sid:1;)", false));
86  PASS;
87 }
88 
89 /**
90  *\test Test that the http_header content matches against a http request
91  * which holds the content.
92  */
93 static int DetectHttpHeaderTest06(void)
94 {
95  TcpSession ssn;
96  Packet *p = NULL;
97  ThreadVars th_v;
98  DetectEngineCtx *de_ctx = NULL;
99  DetectEngineThreadCtx *det_ctx = NULL;
100  HtpState *http_state = NULL;
101  Flow f;
102  uint8_t http_buf[] =
103  "GET /index.html HTTP/1.0\r\n"
104  "Host: www.openinfosecfoundation.org\r\n"
105  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
106  "Content-Type: text/html\r\n"
107  "Content-Length: 26\r\n"
108  "\r\n"
109  "This is dummy message body\r\n";
110  uint32_t http_len = sizeof(http_buf) - 1;
111  int result = 0;
112  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
113 
114  memset(&th_v, 0, sizeof(th_v));
115  StatsThreadInit(&th_v.stats);
116  memset(&f, 0, sizeof(f));
117  memset(&ssn, 0, sizeof(ssn));
118 
119  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
120 
121  FLOW_INITIALIZE(&f);
122  f.protoctx = (void *)&ssn;
123  f.proto = IPPROTO_TCP;
124  f.flags |= FLOW_IPV4;
125  p->flow = &f;
126  p->flowflags |= FLOW_PKT_TOSERVER;
127  p->flowflags |= FLOW_PKT_ESTABLISHED;
128  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
129  f.alproto = ALPROTO_HTTP1;
130 
131  StreamTcpInitConfig(true);
132 
133  de_ctx = DetectEngineCtxInit();
134  if (de_ctx == NULL)
135  goto end;
136 
137  de_ctx->flags |= DE_QUIET;
138 
139  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
140  "(msg:\"http header test\"; "
141  "content:\"Content-Type: text/html\"; http_header; "
142  "sid:1;)");
143  if (de_ctx->sig_list == NULL)
144  goto end;
145 
146  SigGroupBuild(de_ctx);
147  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
148 
149  int r = AppLayerParserParse(
150  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
151  if (r != 0) {
152  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
153  result = 0;
154  goto end;
155  }
156 
157  http_state = f.alstate;
158  if (http_state == NULL) {
159  printf("no http state: ");
160  result = 0;
161  goto end;
162  }
163 
164  /* do detect */
165  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
166 
167  if (!(PacketAlertCheck(p, 1))) {
168  printf("sid 1 didn't match but should have: ");
169  goto end;
170  }
171 
172  result = 1;
173 end:
174  if (alp_tctx != NULL)
175  AppLayerParserThreadCtxFree(alp_tctx);
176  if (det_ctx != NULL) {
177  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
178  }
179  if (de_ctx != NULL)
180  DetectEngineCtxFree(de_ctx);
181 
182  StreamTcpFreeConfig(true);
183  FLOW_DESTROY(&f);
184  UTHFreePackets(&p, 1);
185  StatsThreadCleanup(&th_v.stats);
186  return result;
187 }
188 
189 /**
190  *\test Test that the http_header content matches against a http request
191  * which holds the content.
192  */
193 static int DetectHttpHeaderTest07(void)
194 {
195  TcpSession ssn;
196  Packet *p1 = NULL;
197  Packet *p2 = NULL;
198  ThreadVars th_v;
199  DetectEngineThreadCtx *det_ctx = NULL;
200  Flow f;
201  uint8_t http1_buf[] =
202  "GET /index.html HTTP/1.0\r\n"
203  "Host: www.openinfosecfoundation.org\r\n"
204  "User-Agent: Mozi";
205  uint8_t http2_buf[] =
206  "lla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\nContent-Type: text/html\r\n"
207  "Content-Length: 67\r\n"
208  "\r\n"
209  "This is dummy message body1";
210  uint32_t http1_len = sizeof(http1_buf) - 1;
211  uint32_t http2_len = sizeof(http2_buf) - 1;
212 
213  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
214  FAIL_IF_NULL(alp_tctx);
215 
216  memset(&th_v, 0, sizeof(th_v));
217  StatsThreadInit(&th_v.stats);
218  memset(&f, 0, sizeof(f));
219  memset(&ssn, 0, sizeof(ssn));
220 
221  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
222  FAIL_IF_NULL(p1);
223  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
224  FAIL_IF_NULL(p2);
225 
226  FLOW_INITIALIZE(&f);
227  f.protoctx = (void *)&ssn;
228  f.proto = IPPROTO_TCP;
229  f.flags |= FLOW_IPV4;
230  p1->flow = &f;
231  p1->flowflags |= FLOW_PKT_TOSERVER;
232  p1->flowflags |= FLOW_PKT_ESTABLISHED;
233  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
234  p2->flow = &f;
235  p2->flowflags |= FLOW_PKT_TOSERVER;
236  p2->flowflags |= FLOW_PKT_ESTABLISHED;
237  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
238  f.alproto = ALPROTO_HTTP1;
239 
240  StreamTcpInitConfig(true);
241 
242  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
243  FAIL_IF_NULL(de_ctx);
244  de_ctx->flags |= DE_QUIET;
245 
246  Signature *s = DetectEngineAppendSig(de_ctx,"alert http any any -> any any "
247  "(msg:\"http header test\"; "
248  "content:\"Mozilla\"; http_header; "
249  "sid:1;)");
250  FAIL_IF_NULL(s);
251 
252  SigGroupBuild(de_ctx);
253  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
254  FAIL_IF_NULL(det_ctx);
255 
256  int r = AppLayerParserParse(
257  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
258  FAIL_IF(r != 0);
259 
260  HtpState *http_state = f.alstate;
261  FAIL_IF_NULL(http_state);
262 
263  /* do detect */
264  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
265  FAIL_IF( (PacketAlertCheck(p1, 1)));
266 
267  r = AppLayerParserParse(
268  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
269  FAIL_IF(r != 0);
270 
271  /* do detect */
272  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
273 
274  FAIL_IF(!(PacketAlertCheck(p2, 1)));
275 
276  AppLayerParserThreadCtxFree(alp_tctx);
277  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
278  DetectEngineCtxFree(de_ctx);
279 
280  StreamTcpFreeConfig(true);
281  FLOW_DESTROY(&f);
282  UTHFreePackets(&p1, 1);
283  UTHFreePackets(&p2, 1);
284  StatsThreadCleanup(&th_v.stats);
285  PASS;
286 }
287 
288 /**
289  *\test Test that the http_header content matches against a http request
290  * which holds the content.
291  */
292 static int DetectHttpHeaderTest08(void)
293 {
294  TcpSession ssn;
295  Packet *p1 = NULL;
296  Packet *p2 = NULL;
297  ThreadVars th_v;
298  DetectEngineCtx *de_ctx = NULL;
299  DetectEngineThreadCtx *det_ctx = NULL;
300  HtpState *http_state = NULL;
301  Flow f;
302  uint8_t http1_buf[] =
303  "GET /index.html HTTP/1.0\r\n"
304  "Host: www.openinfosecfoundation.org\r\n";
305  uint8_t http2_buf[] =
306  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
307  "Content-Type: text/html\r\n"
308  "Content-Length: 67\r\n"
309  "\r\n";
310  uint32_t http1_len = sizeof(http1_buf) - 1;
311  uint32_t http2_len = sizeof(http2_buf) - 1;
312  int result = 0;
313  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
314 
315  memset(&th_v, 0, sizeof(th_v));
316  StatsThreadInit(&th_v.stats);
317  memset(&f, 0, sizeof(f));
318  memset(&ssn, 0, sizeof(ssn));
319 
320  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
321  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
322 
323  FLOW_INITIALIZE(&f);
324  f.protoctx = (void *)&ssn;
325  f.proto = IPPROTO_TCP;
326  f.flags |= FLOW_IPV4;
327  p1->flow = &f;
328  p1->flowflags |= FLOW_PKT_TOSERVER;
329  p1->flowflags |= FLOW_PKT_ESTABLISHED;
330  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
331  p2->flow = &f;
332  p2->flowflags |= FLOW_PKT_TOSERVER;
333  p2->flowflags |= FLOW_PKT_ESTABLISHED;
334  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
335  f.alproto = ALPROTO_HTTP1;
336 
337  StreamTcpInitConfig(true);
338 
339  de_ctx = DetectEngineCtxInit();
340  if (de_ctx == NULL)
341  goto end;
342 
343  de_ctx->flags |= DE_QUIET;
344 
345  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
346  "(msg:\"http header test\"; "
347  "content:\"Gecko/20091221 Firefox/3.5.7\"; http_header; "
348  "sid:1;)");
349  if (de_ctx->sig_list == NULL)
350  goto end;
351 
352  SigGroupBuild(de_ctx);
353  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
354 
355  int r = AppLayerParserParse(
356  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
357  if (r != 0) {
358  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
359  result = 0;
360  goto end;
361  }
362 
363  http_state = f.alstate;
364  if (http_state == NULL) {
365  printf("no http state: ");
366  result = 0;
367  goto end;
368  }
369 
370  /* do detect */
371  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
372 
373  if ((PacketAlertCheck(p1, 1))) {
374  printf("sid 1 didn't match but should have: ");
375  goto end;
376  }
377 
378  r = AppLayerParserParse(
379  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
380  if (r != 0) {
381  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
382  result = 0;
383  goto end;
384  }
385 
386  /* do detect */
387  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
388 
389  if (!(PacketAlertCheck(p2, 1))) {
390  printf("sid 1 didn't match but should have: ");
391  goto end;
392  }
393 
394  result = 1;
395 end:
396  if (alp_tctx != NULL)
397  AppLayerParserThreadCtxFree(alp_tctx);
398  if (det_ctx != NULL) {
399  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
400  }
401  if (de_ctx != NULL)
402  DetectEngineCtxFree(de_ctx);
403 
404  StreamTcpFreeConfig(true);
405  FLOW_DESTROY(&f);
406  UTHFreePackets(&p1, 1);
407  UTHFreePackets(&p2, 1);
408  StatsThreadCleanup(&th_v.stats);
409  return result;
410 }
411 
412 /**
413  *\test Test that the http_header content matches against a http request
414  * which holds the content, against a cross boundary present pattern.
415  */
416 static int DetectHttpHeaderTest09(void)
417 {
418  TcpSession ssn;
419  Packet *p1 = NULL;
420  Packet *p2 = NULL;
421  ThreadVars th_v;
422  DetectEngineCtx *de_ctx = NULL;
423  DetectEngineThreadCtx *det_ctx = NULL;
424  HtpState *http_state = NULL;
425  Flow f;
426  uint8_t http1_buf[] =
427  "GET /index.html HTTP/1.0\r\n"
428  "Host: www.openinfosecfoundation.org\r\n"
429  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
430  uint8_t http2_buf[] =
431  "Content-Type: text/html\r\n"
432  "Content-Length: 67\r\n"
433  "\r\n"
434  "This is dummy body\r\n";
435  uint32_t http1_len = sizeof(http1_buf) - 1;
436  uint32_t http2_len = sizeof(http2_buf) - 1;
437  int result = 0;
438  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
439 
440  memset(&th_v, 0, sizeof(th_v));
441  StatsThreadInit(&th_v.stats);
442  memset(&f, 0, sizeof(f));
443  memset(&ssn, 0, sizeof(ssn));
444 
445  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
446  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
447 
448  FLOW_INITIALIZE(&f);
449  f.protoctx = (void *)&ssn;
450  f.proto = IPPROTO_TCP;
451  f.flags |= FLOW_IPV4;
452  p1->flow = &f;
453  p1->flowflags |= FLOW_PKT_TOSERVER;
454  p1->flowflags |= FLOW_PKT_ESTABLISHED;
455  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
456  p2->flow = &f;
457  p2->flowflags |= FLOW_PKT_TOSERVER;
458  p2->flowflags |= FLOW_PKT_ESTABLISHED;
459  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
460  f.alproto = ALPROTO_HTTP1;
461 
462  StreamTcpInitConfig(true);
463 
464  de_ctx = DetectEngineCtxInit();
465  if (de_ctx == NULL)
466  goto end;
467 
468  de_ctx->flags |= DE_QUIET;
469  de_ctx->mpm_matcher = mpm_default_matcher;
470 
471  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
472  "(msg:\"http header test\"; "
473  "content:\"Firefox/3.5.7|0D 0A|Content\"; http_header; "
474  "sid:1;)");
475  if (de_ctx->sig_list == NULL)
476  goto end;
477 
478  SigGroupBuild(de_ctx);
479  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
480 
481  int r = AppLayerParserParse(
482  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
483  if (r != 0) {
484  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
485  result = 0;
486  goto end;
487  }
488 
489  http_state = f.alstate;
490  if (http_state == NULL) {
491  printf("no http state: ");
492  result = 0;
493  goto end;
494  }
495 
496  /* do detect */
497  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
498 
499  if ((PacketAlertCheck(p1, 1))) {
500  printf("sid 1 matched but shouldn't have: ");
501  goto end;
502  }
503 
504  r = AppLayerParserParse(
505  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
506  if (r != 0) {
507  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
508  result = 0;
509  goto end;
510  }
511 
512  /* do detect */
513  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
514 
515  if (!(PacketAlertCheck(p2, 1))) {
516  printf("sid 1 didn't match but should have: ");
517  goto end;
518  }
519 
520  result = 1;
521 end:
522  if (alp_tctx != NULL)
523  AppLayerParserThreadCtxFree(alp_tctx);
524  if (det_ctx != NULL) {
525  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
526  }
527  if (de_ctx != NULL)
528  DetectEngineCtxFree(de_ctx);
529 
530  StreamTcpFreeConfig(true);
531  FLOW_DESTROY(&f);
532  UTHFreePackets(&p1, 1);
533  UTHFreePackets(&p2, 1);
534  StatsThreadCleanup(&th_v.stats);
535  return result;
536 }
537 
538 /**
539  *\test Test that the http_header content matches against a http request
540  * against a case insensitive pattern.
541  */
542 static int DetectHttpHeaderTest10(void)
543 {
544  TcpSession ssn;
545  Packet *p1 = NULL;
546  Packet *p2 = NULL;
547  ThreadVars th_v;
548  DetectEngineCtx *de_ctx = NULL;
549  DetectEngineThreadCtx *det_ctx = NULL;
550  HtpState *http_state = NULL;
551  Flow f;
552  uint8_t http1_buf[] =
553  "GET /index.html HTTP/1.0\r\n"
554  "Host: www.openinfosecfoundation.org\r\n"
555  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
556  uint8_t http2_buf[] =
557  "Content-Type: text/html\r\n"
558  "Content-Length: 67\r\n"
559  "\r\n"
560  "This is dummy body";
561  uint32_t http1_len = sizeof(http1_buf) - 1;
562  uint32_t http2_len = sizeof(http2_buf) - 1;
563  int result = 0;
564  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
565 
566  memset(&th_v, 0, sizeof(th_v));
567  StatsThreadInit(&th_v.stats);
568  memset(&f, 0, sizeof(f));
569  memset(&ssn, 0, sizeof(ssn));
570 
571  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
572  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
573 
574  FLOW_INITIALIZE(&f);
575  f.protoctx = (void *)&ssn;
576  f.proto = IPPROTO_TCP;
577  f.flags |= FLOW_IPV4;
578  p1->flow = &f;
579  p1->flowflags |= FLOW_PKT_TOSERVER;
580  p1->flowflags |= FLOW_PKT_ESTABLISHED;
581  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
582  p2->flow = &f;
583  p2->flowflags |= FLOW_PKT_TOSERVER;
584  p2->flowflags |= FLOW_PKT_ESTABLISHED;
585  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
586  f.alproto = ALPROTO_HTTP1;
587 
588  StreamTcpInitConfig(true);
589 
590  de_ctx = DetectEngineCtxInit();
591  if (de_ctx == NULL)
592  goto end;
593 
594  de_ctx->flags |= DE_QUIET;
595 
596  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
597  "(msg:\"http header test\"; "
598  "content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_header;"
599  "sid:1;)");
600  if (de_ctx->sig_list == NULL)
601  goto end;
602 
603  SigGroupBuild(de_ctx);
604  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
605 
606  int r = AppLayerParserParse(
607  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
608  if (r != 0) {
609  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
610  result = 0;
611  goto end;
612  }
613 
614  http_state = f.alstate;
615  if (http_state == NULL) {
616  printf("no http state: ");
617  result = 0;
618  goto end;
619  }
620 
621  /* do detect */
622  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
623 
624  if ((PacketAlertCheck(p1, 1))) {
625  printf("sid 1 didn't match but should have: ");
626  goto end;
627  }
628 
629  r = AppLayerParserParse(
630  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
631  if (r != 0) {
632  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
633  result = 0;
634  goto end;
635  }
636 
637  /* do detect */
638  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
639 
640  if (!(PacketAlertCheck(p2, 1))) {
641  printf("sid 1 didn't match but should have: ");
642  goto end;
643  }
644 
645  result = 1;
646 end:
647  if (alp_tctx != NULL)
648  AppLayerParserThreadCtxFree(alp_tctx);
649  if (det_ctx != NULL) {
650  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
651  }
652  if (de_ctx != NULL)
653  DetectEngineCtxFree(de_ctx);
654 
655  StreamTcpFreeConfig(true);
656  FLOW_DESTROY(&f);
657  UTHFreePackets(&p1, 1);
658  UTHFreePackets(&p2, 1);
659  StatsThreadCleanup(&th_v.stats);
660  return result;
661 }
662 
663 /**
664  *\test Test that the negated http_header content matches against a
665  * http request which doesn't hold the content.
666  */
667 static int DetectHttpHeaderTest11(void)
668 {
669  TcpSession ssn;
670  Packet *p = NULL;
671  ThreadVars th_v;
672  DetectEngineCtx *de_ctx = NULL;
673  DetectEngineThreadCtx *det_ctx = NULL;
674  HtpState *http_state = NULL;
675  Flow f;
676  uint8_t http_buf[] =
677  "GET /index.html HTTP/1.0\r\n"
678  "Host: www.openinfosecfoundation.org\r\n"
679  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
680  "Content-Type: text/html\r\n"
681  "Content-Length: 26\r\n"
682  "\r\n"
683  "This is dummy message body\r\n";
684  uint32_t http_len = sizeof(http_buf) - 1;
685  int result = 0;
686  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
687 
688  memset(&th_v, 0, sizeof(th_v));
689  StatsThreadInit(&th_v.stats);
690  memset(&f, 0, sizeof(f));
691  memset(&ssn, 0, sizeof(ssn));
692 
693  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
694 
695  FLOW_INITIALIZE(&f);
696  f.protoctx = (void *)&ssn;
697  f.proto = IPPROTO_TCP;
698  f.flags |= FLOW_IPV4;
699  p->flow = &f;
700  p->flowflags |= FLOW_PKT_TOSERVER;
701  p->flowflags |= FLOW_PKT_ESTABLISHED;
702  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
703  f.alproto = ALPROTO_HTTP1;
704 
705  StreamTcpInitConfig(true);
706 
707  de_ctx = DetectEngineCtxInit();
708  if (de_ctx == NULL)
709  goto end;
710 
711  de_ctx->flags |= DE_QUIET;
712 
713  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
714  "(msg:\"http header test\"; "
715  "content:!\"lalalalala\"; http_header; "
716  "sid:1;)");
717  if (de_ctx->sig_list == NULL)
718  goto end;
719 
720  SigGroupBuild(de_ctx);
721  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
722 
723  int r = AppLayerParserParse(
724  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
725  if (r != 0) {
726  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
727  result = 0;
728  goto end;
729  }
730 
731  http_state = f.alstate;
732  if (http_state == NULL) {
733  printf("no http state: ");
734  result = 0;
735  goto end;
736  }
737 
738  /* do detect */
739  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
740 
741  if (!(PacketAlertCheck(p, 1))) {
742  printf("sid 1 didn't match but should have: ");
743  goto end;
744  }
745 
746  result = 1;
747 end:
748  if (alp_tctx != NULL)
749  AppLayerParserThreadCtxFree(alp_tctx);
750  if (det_ctx != NULL) {
751  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
752  }
753  if (de_ctx != NULL)
754  DetectEngineCtxFree(de_ctx);
755 
756  StreamTcpFreeConfig(true);
757  FLOW_DESTROY(&f);
758  UTHFreePackets(&p, 1);
759  StatsThreadCleanup(&th_v.stats);
760  return result;
761 }
762 
763 /**
764  *\test Negative test that the negated http_header content matches against a
765  * http request which holds hold the content.
766  */
767 static int DetectHttpHeaderTest12(void)
768 {
769  TcpSession ssn;
770  Packet *p = NULL;
771  ThreadVars th_v;
772  DetectEngineCtx *de_ctx = NULL;
773  DetectEngineThreadCtx *det_ctx = NULL;
774  HtpState *http_state = NULL;
775  Flow f;
776  uint8_t http_buf[] =
777  "GET /index.html HTTP/1.0\r\n"
778  "Host: www.openinfosecfoundation.org\r\n"
779  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
780  "Content-Type: text/html\r\n"
781  "Content-Length: 26\r\n"
782  "\r\n"
783  "This is dummy message body\r\n";
784  uint32_t http_len = sizeof(http_buf) - 1;
785  int result = 0;
786  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
787 
788  memset(&th_v, 0, sizeof(th_v));
789  StatsThreadInit(&th_v.stats);
790  memset(&f, 0, sizeof(f));
791  memset(&ssn, 0, sizeof(ssn));
792 
793  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
794 
795  FLOW_INITIALIZE(&f);
796  f.protoctx = (void *)&ssn;
797  f.proto = IPPROTO_TCP;
798  f.flags |= FLOW_IPV4;
799  p->flow = &f;
800  p->flowflags |= FLOW_PKT_TOSERVER;
801  p->flowflags |= FLOW_PKT_ESTABLISHED;
802  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
803  f.alproto = ALPROTO_HTTP1;
804 
805  StreamTcpInitConfig(true);
806 
807  de_ctx = DetectEngineCtxInit();
808  if (de_ctx == NULL)
809  goto end;
810 
811  de_ctx->flags |= DE_QUIET;
812 
813  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
814  "(msg:\"http header test\"; "
815  "content:!\"User-Agent: Mozilla/5.0 \"; http_header; "
816  "sid:1;)");
817  if (de_ctx->sig_list == NULL)
818  goto end;
819 
820  SigGroupBuild(de_ctx);
821  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
822 
823  int r = AppLayerParserParse(
824  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
825  if (r != 0) {
826  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
827  result = 0;
828  goto end;
829  }
830 
831  http_state = f.alstate;
832  if (http_state == NULL) {
833  printf("no http state: ");
834  result = 0;
835  goto end;
836  }
837 
838  /* do detect */
839  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
840 
841  if ((PacketAlertCheck(p, 1))) {
842  printf("sid 1 didn't match but should have: ");
843  goto end;
844  }
845 
846  result = 1;
847 end:
848  if (alp_tctx != NULL)
849  AppLayerParserThreadCtxFree(alp_tctx);
850  if (det_ctx != NULL) {
851  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
852  }
853  if (de_ctx != NULL)
854  DetectEngineCtxFree(de_ctx);
855 
856  StreamTcpFreeConfig(true);
857  FLOW_DESTROY(&f);
858  UTHFreePackets(&p, 1);
859  StatsThreadCleanup(&th_v.stats);
860  return result;
861 }
862 
863 /**
864  *\test Test that the http_header content matches against a http request
865  * which holds the content.
866  */
867 static int DetectHttpHeaderTest13(void)
868 {
869  TcpSession ssn;
870  Packet *p = NULL;
871  ThreadVars th_v;
872  DetectEngineCtx *de_ctx = NULL;
873  DetectEngineThreadCtx *det_ctx = NULL;
874  HtpState *http_state = NULL;
875  Flow f;
876  uint8_t http_buf[] =
877  "GET /index.html HTTP/1.0\r\n"
878  "Host: www.openinfosecfoundation.org\r\n"
879  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
880  "Content-Type: text/html\r\n"
881  "Content-Length: 100\r\n"
882  "\r\n"
883  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n";
884  uint32_t http_len = sizeof(http_buf) - 1;
885  int result = 0;
886  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
887 
888  memset(&th_v, 0, sizeof(th_v));
889  StatsThreadInit(&th_v.stats);
890  memset(&f, 0, sizeof(f));
891  memset(&ssn, 0, sizeof(ssn));
892 
893  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
894 
895  FLOW_INITIALIZE(&f);
896  f.protoctx = (void *)&ssn;
897  f.proto = IPPROTO_TCP;
898  f.flags |= FLOW_IPV4;
899 
900  p->flow = &f;
901  p->flowflags |= FLOW_PKT_TOSERVER;
902  p->flowflags |= FLOW_PKT_ESTABLISHED;
903  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
904  f.alproto = ALPROTO_HTTP1;
905 
906  StreamTcpInitConfig(true);
907 
908  de_ctx = DetectEngineCtxInit();
909  if (de_ctx == NULL)
910  goto end;
911 
912  de_ctx->flags |= DE_QUIET;
913 
914  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
915  "(msg:\"http header test\"; "
916  "content:\"Host: www.openinfosecfoundation.org\"; http_header; "
917  "sid:1;)");
918  if (de_ctx->sig_list == NULL)
919  goto end;
920 
921  SigGroupBuild(de_ctx);
922  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
923 
924  int r = AppLayerParserParse(
925  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
926  if (r != 0) {
927  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
928  result = 0;
929  goto end;
930  }
931 
932  http_state = f.alstate;
933  if (http_state == NULL) {
934  printf("no http state: ");
935  result = 0;
936  goto end;
937  }
938 
939  /* do detect */
940  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
941 
942  if (!(PacketAlertCheck(p, 1))) {
943  printf("sid 1 didn't match but should have: ");
944  goto end;
945  }
946 
947  result = 1;
948 end:
949  if (alp_tctx != NULL)
950  AppLayerParserThreadCtxFree(alp_tctx);
951  if (det_ctx != NULL) {
952  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
953  }
954  if (de_ctx != NULL)
955  DetectEngineCtxFree(de_ctx);
956 
957  StreamTcpFreeConfig(true);
958  FLOW_DESTROY(&f);
959  UTHFreePackets(&p, 1);
960  StatsThreadCleanup(&th_v.stats);
961  return result;
962 }
963 
964 /** \test app-layer-event:http.host_header_ambiguous should not be set
965  * \bug 640*/
966 static int DetectHttpHeaderTest28(void)
967 {
968  TcpSession ssn;
969  Packet *p = NULL;
970  ThreadVars th_v;
971  DetectEngineCtx *de_ctx = NULL;
972  DetectEngineThreadCtx *det_ctx = NULL;
973  Flow f;
974  uint8_t http_buf[] =
975  "POST http://xxx.intranet.local:8000/xxx HTTP/1.1\r\n"
976  "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
977  "Host: xxx.intranet.local:8000\r\n"
978  "\r\n";
979  uint32_t http_len = sizeof(http_buf) - 1;
980  int result = 0;
981  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
982 
983  memset(&th_v, 0, sizeof(th_v));
984  StatsThreadInit(&th_v.stats);
985  memset(&f, 0, sizeof(f));
986  memset(&ssn, 0, sizeof(ssn));
987 
988  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
989 
990  FLOW_INITIALIZE(&f);
991  f.protoctx = (void *)&ssn;
992  f.proto = IPPROTO_TCP;
993  f.flags |= FLOW_IPV4;
994  p->flow = &f;
995  p->flowflags |= FLOW_PKT_TOSERVER;
996  p->flowflags |= FLOW_PKT_ESTABLISHED;
997  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
998  f.alproto = ALPROTO_HTTP1;
999 
1000  StreamTcpInitConfig(true);
1001 
1002  de_ctx = DetectEngineCtxInit();
1003  if (de_ctx == NULL)
1004  goto end;
1005 
1006  de_ctx->flags |= DE_QUIET;
1007 
1008  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1009  "(app-layer-event:http.host_header_ambiguous; "
1010  "sid:1;)");
1011  if (de_ctx->sig_list == NULL)
1012  goto end;
1013 
1014  SigGroupBuild(de_ctx);
1015  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1016 
1017  int r = AppLayerParserParse(
1018  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1019  if (r != 0) {
1020  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1021  result = 0;
1022  goto end;
1023  }
1024 
1025  /* do detect */
1026  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1027 
1028  if (PacketAlertCheck(p, 1)) {
1029  printf("sid 1 matched but shouldnt have: ");
1030  goto end;
1031  }
1032 
1033  result = 1;
1034  end:
1035  if (alp_tctx != NULL)
1036  AppLayerParserThreadCtxFree(alp_tctx);
1037  if (det_ctx != NULL) {
1038  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1039  }
1040  if (de_ctx != NULL)
1041  DetectEngineCtxFree(de_ctx);
1042 
1043  StreamTcpFreeConfig(true);
1044  FLOW_DESTROY(&f);
1045  UTHFreePackets(&p, 1);
1046  StatsThreadCleanup(&th_v.stats);
1047  return result;
1048 }
1049 
1050 /** \test app-layer-event:http.host_header_ambiguous should be set
1051  * \bug 640*/
1052 static int DetectHttpHeaderTest29(void)
1053 {
1054  TcpSession ssn;
1055  Packet *p = NULL;
1056  ThreadVars th_v;
1057  DetectEngineCtx *de_ctx = NULL;
1058  DetectEngineThreadCtx *det_ctx = NULL;
1059  Flow f;
1060  uint8_t http_buf[] =
1061  "POST http://xxx.intranet.local:8001/xxx HTTP/1.1\r\n"
1062  "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
1063  "Host: xxx.intranet.local:8000\r\n"
1064  "\r\n";
1065  uint32_t http_len = sizeof(http_buf) - 1;
1066  int result = 0;
1067  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1068 
1069  memset(&th_v, 0, sizeof(th_v));
1070  StatsThreadInit(&th_v.stats);
1071  memset(&f, 0, sizeof(f));
1072  memset(&ssn, 0, sizeof(ssn));
1073 
1074  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1075 
1076  FLOW_INITIALIZE(&f);
1077  f.protoctx = (void *)&ssn;
1078  f.proto = IPPROTO_TCP;
1079  f.flags |= FLOW_IPV4;
1080  p->flow = &f;
1081  p->flowflags |= FLOW_PKT_TOSERVER;
1082  p->flowflags |= FLOW_PKT_ESTABLISHED;
1083  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1084  f.alproto = ALPROTO_HTTP1;
1085 
1086  StreamTcpInitConfig(true);
1087 
1088  de_ctx = DetectEngineCtxInit();
1089  if (de_ctx == NULL)
1090  goto end;
1091 
1092  de_ctx->flags |= DE_QUIET;
1093 
1094  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1095  "(app-layer-event:http.host_header_ambiguous; "
1096  "sid:1;)");
1097  if (de_ctx->sig_list == NULL)
1098  goto end;
1099 
1100  SigGroupBuild(de_ctx);
1101  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1102 
1103  int r = AppLayerParserParse(
1104  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1105  if (r != 0) {
1106  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1107  result = 0;
1108  goto end;
1109  }
1110 
1111  /* do detect */
1112  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1113 
1114  if (!(PacketAlertCheck(p, 1))) {
1115  printf("sid 1 didn't match but should have: ");
1116  goto end;
1117  }
1118 
1119  result = 1;
1120  end:
1121  if (alp_tctx != NULL)
1122  AppLayerParserThreadCtxFree(alp_tctx);
1123  if (det_ctx != NULL) {
1124  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1125  }
1126  if (de_ctx != NULL)
1127  DetectEngineCtxFree(de_ctx);
1128 
1129  StreamTcpFreeConfig(true);
1130  FLOW_DESTROY(&f);
1131  UTHFreePackets(&p, 1);
1132  StatsThreadCleanup(&th_v.stats);
1133  return result;
1134 }
1135 
1136 /** \test app-layer-event:http.host_header_ambiguous should be set
1137  * \bug 640*/
1138 static int DetectHttpHeaderTest30(void)
1139 {
1140  TcpSession ssn;
1141  Packet *p = NULL;
1142  ThreadVars th_v;
1143  DetectEngineCtx *de_ctx = NULL;
1144  DetectEngineThreadCtx *det_ctx = NULL;
1145  Flow f;
1146  uint8_t http_buf[] =
1147  "POST http://xxx.intranet.local:8000/xxx HTTP/1.1\r\n"
1148  "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
1149  "Host: xyz.intranet.local:8000\r\n"
1150  "\r\n";
1151  uint32_t http_len = sizeof(http_buf) - 1;
1152  int result = 0;
1153  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1154 
1155  memset(&th_v, 0, sizeof(th_v));
1156  StatsThreadInit(&th_v.stats);
1157  memset(&f, 0, sizeof(f));
1158  memset(&ssn, 0, sizeof(ssn));
1159 
1160  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1161 
1162  FLOW_INITIALIZE(&f);
1163  f.protoctx = (void *)&ssn;
1164  f.proto = IPPROTO_TCP;
1165  f.flags |= FLOW_IPV4;
1166  p->flow = &f;
1167  p->flowflags |= FLOW_PKT_TOSERVER;
1168  p->flowflags |= FLOW_PKT_ESTABLISHED;
1169  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1170  f.alproto = ALPROTO_HTTP1;
1171 
1172  StreamTcpInitConfig(true);
1173 
1174  de_ctx = DetectEngineCtxInit();
1175  if (de_ctx == NULL)
1176  goto end;
1177 
1178  de_ctx->flags |= DE_QUIET;
1179 
1180  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1181  "(app-layer-event:http.host_header_ambiguous; "
1182  "sid:1;)");
1183  if (de_ctx->sig_list == NULL)
1184  goto end;
1185 
1186  SigGroupBuild(de_ctx);
1187  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1188 
1189  int r = AppLayerParserParse(
1190  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1191  if (r != 0) {
1192  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1193  result = 0;
1194  goto end;
1195  }
1196 
1197  /* do detect */
1198  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1199 
1200  if (!(PacketAlertCheck(p, 1))) {
1201  printf("sid 1 didn't match but should have: ");
1202  goto end;
1203  }
1204 
1205  result = 1;
1206  end:
1207  if (alp_tctx != NULL)
1208  AppLayerParserThreadCtxFree(alp_tctx);
1209  if (det_ctx != NULL) {
1210  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1211  }
1212  if (de_ctx != NULL)
1213  DetectEngineCtxFree(de_ctx);
1214 
1215  StreamTcpFreeConfig(true);
1216  FLOW_DESTROY(&f);
1217  UTHFreePackets(&p, 1);
1218  StatsThreadCleanup(&th_v.stats);
1219  return result;
1220 }
1221 
1222 static int DetectHttpHeaderIsdataatParseTest(void)
1223 {
1224  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1225  FAIL_IF_NULL(de_ctx);
1226  de_ctx->flags |= DE_QUIET;
1227 
1228  Signature *s = DetectEngineAppendSig(de_ctx,
1229  "alert tcp any any -> any any ("
1230  "flow:to_server; "
1231  "content:\"one\"; http_header; "
1232  "isdataat:!4,relative; sid:1;)");
1233  FAIL_IF_NULL(s);
1234 
1235  SigMatch *sm = DetectBufferGetLastSigMatch(s, g_http_header_buffer_id);
1236  FAIL_IF_NULL(sm);
1237  FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
1238 
1239  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
1240  FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
1241  FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
1242  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
1243 
1244  DetectEngineCtxFree(de_ctx);
1245  PASS;
1246 }
1247 
1248 /**
1249  *\test Test that the http_header content matches against a http request
1250  * which holds the content.
1251  */
1252 static int DetectEngineHttpHeaderTest01(void)
1253 {
1254  TcpSession ssn;
1255  Packet *p = NULL;
1256  ThreadVars th_v;
1257  DetectEngineCtx *de_ctx = NULL;
1258  DetectEngineThreadCtx *det_ctx = NULL;
1259  HtpState *http_state = NULL;
1260  Flow f;
1261  uint8_t http_buf[] =
1262  "GET /index.html HTTP/1.0\r\n"
1263  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1264  uint32_t http_len = sizeof(http_buf) - 1;
1265  int result = 0;
1266  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1267 
1268  memset(&th_v, 0, sizeof(th_v));
1269  StatsThreadInit(&th_v.stats);
1270  memset(&f, 0, sizeof(f));
1271  memset(&ssn, 0, sizeof(ssn));
1272 
1273  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1274 
1275  FLOW_INITIALIZE(&f);
1276  f.protoctx = (void *)&ssn;
1277  f.proto = IPPROTO_TCP;
1278  f.flags |= FLOW_IPV4;
1279  p->flow = &f;
1280  p->flowflags |= FLOW_PKT_TOSERVER;
1281  p->flowflags |= FLOW_PKT_ESTABLISHED;
1282  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1283  f.alproto = ALPROTO_HTTP1;
1284 
1285  StreamTcpInitConfig(true);
1286 
1287  de_ctx = DetectEngineCtxInit();
1288  if (de_ctx == NULL)
1289  goto end;
1290 
1291  de_ctx->flags |= DE_QUIET;
1292 
1293  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1294  "(msg:\"http header test\"; "
1295  "content:\"one\"; http_header; "
1296  "sid:1;)");
1297  if (de_ctx->sig_list == NULL)
1298  goto end;
1299 
1300  SigGroupBuild(de_ctx);
1301  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1302 
1303  int r = AppLayerParserParse(
1304  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1305  if (r != 0) {
1306  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1307  result = 0;
1308  goto end;
1309  }
1310 
1311  http_state = f.alstate;
1312  if (http_state == NULL) {
1313  printf("no http state: ");
1314  result = 0;
1315  goto end;
1316  }
1317 
1318  /* do detect */
1319  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1320 
1321  if (!(PacketAlertCheck(p, 1))) {
1322  printf("sid 1 didn't match but should have: ");
1323  goto end;
1324  }
1325 
1326  result = 1;
1327 end:
1328  if (alp_tctx != NULL)
1329  AppLayerParserThreadCtxFree(alp_tctx);
1330  if (det_ctx != NULL) {
1331  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1332  }
1333  if (de_ctx != NULL)
1334  DetectEngineCtxFree(de_ctx);
1335 
1336  StreamTcpFreeConfig(true);
1337  FLOW_DESTROY(&f);
1338  UTHFreePackets(&p, 1);
1339  StatsThreadCleanup(&th_v.stats);
1340  return result;
1341 }
1342 
1343 /**
1344  *\test Test that the http_header content matches against a http request
1345  * which holds the content.
1346  */
1347 static int DetectEngineHttpHeaderTest02(void)
1348 {
1349  TcpSession ssn;
1350  Packet *p = NULL;
1351  ThreadVars th_v;
1352  DetectEngineCtx *de_ctx = NULL;
1353  DetectEngineThreadCtx *det_ctx = NULL;
1354  HtpState *http_state = NULL;
1355  Flow f;
1356  uint8_t http_buf[] =
1357  "GET /index.html HTTP/1.0\r\n"
1358  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1359  uint32_t http_len = sizeof(http_buf) - 1;
1360  int result = 0;
1361  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1362 
1363  memset(&th_v, 0, sizeof(th_v));
1364  StatsThreadInit(&th_v.stats);
1365  memset(&f, 0, sizeof(f));
1366  memset(&ssn, 0, sizeof(ssn));
1367 
1368  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1369 
1370  FLOW_INITIALIZE(&f);
1371  f.protoctx = (void *)&ssn;
1372  f.proto = IPPROTO_TCP;
1373  f.flags |= FLOW_IPV4;
1374  p->flow = &f;
1375  p->flowflags |= FLOW_PKT_TOSERVER;
1376  p->flowflags |= FLOW_PKT_ESTABLISHED;
1377  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1378  f.alproto = ALPROTO_HTTP1;
1379 
1380  StreamTcpInitConfig(true);
1381 
1382  de_ctx = DetectEngineCtxInit();
1383  if (de_ctx == NULL)
1384  goto end;
1385 
1386  de_ctx->flags |= DE_QUIET;
1387 
1388  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1389  "(msg:\"http header test\"; "
1390  "content:\"one\"; depth:15; http_header; "
1391  "sid:1;)");
1392  if (de_ctx->sig_list == NULL)
1393  goto end;
1394 
1395  SigGroupBuild(de_ctx);
1396  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1397 
1398  int r = AppLayerParserParse(
1399  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1400  if (r != 0) {
1401  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1402  result = 0;
1403  goto end;
1404  }
1405 
1406  http_state = f.alstate;
1407  if (http_state == NULL) {
1408  printf("no http state: ");
1409  result = 0;
1410  goto end;
1411  }
1412 
1413  /* do detect */
1414  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1415 
1416  if (!(PacketAlertCheck(p, 1))) {
1417  printf("sid 1 didn't match but should have: ");
1418  goto end;
1419  }
1420 
1421  result = 1;
1422 end:
1423  if (alp_tctx != NULL)
1424  AppLayerParserThreadCtxFree(alp_tctx);
1425  if (det_ctx != NULL) {
1426  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1427  }
1428  if (de_ctx != NULL)
1429  DetectEngineCtxFree(de_ctx);
1430 
1431  StreamTcpFreeConfig(true);
1432  FLOW_DESTROY(&f);
1433  UTHFreePackets(&p, 1);
1434  StatsThreadCleanup(&th_v.stats);
1435  return result;
1436 }
1437 
1438 /**
1439  *\test Test that the http_header content matches against a http request
1440  * which holds the content.
1441  */
1442 static int DetectEngineHttpHeaderTest03(void)
1443 {
1444  TcpSession ssn;
1445  Packet *p = NULL;
1446  ThreadVars th_v;
1447  DetectEngineCtx *de_ctx = NULL;
1448  DetectEngineThreadCtx *det_ctx = NULL;
1449  HtpState *http_state = NULL;
1450  Flow f;
1451  uint8_t http_buf[] =
1452  "GET /index.html HTTP/1.0\r\n"
1453  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1454  uint32_t http_len = sizeof(http_buf) - 1;
1455  int result = 0;
1456  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1457 
1458  memset(&th_v, 0, sizeof(th_v));
1459  StatsThreadInit(&th_v.stats);
1460  memset(&f, 0, sizeof(f));
1461  memset(&ssn, 0, sizeof(ssn));
1462 
1463  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1464 
1465  FLOW_INITIALIZE(&f);
1466  f.protoctx = (void *)&ssn;
1467  f.proto = IPPROTO_TCP;
1468  f.flags |= FLOW_IPV4;
1469  p->flow = &f;
1470  p->flowflags |= FLOW_PKT_TOSERVER;
1471  p->flowflags |= FLOW_PKT_ESTABLISHED;
1472  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1473  f.alproto = ALPROTO_HTTP1;
1474 
1475  StreamTcpInitConfig(true);
1476 
1477  de_ctx = DetectEngineCtxInit();
1478  if (de_ctx == NULL)
1479  goto end;
1480 
1481  de_ctx->flags |= DE_QUIET;
1482 
1483  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1484  "(msg:\"http header test\"; "
1485  "content:!\"one\"; depth:5; http_header; "
1486  "sid:1;)");
1487  if (de_ctx->sig_list == NULL)
1488  goto end;
1489 
1490  SigGroupBuild(de_ctx);
1491  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1492 
1493  int r = AppLayerParserParse(
1494  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1495  if (r != 0) {
1496  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1497  result = 0;
1498  goto end;
1499  }
1500 
1501  http_state = f.alstate;
1502  if (http_state == NULL) {
1503  printf("no http state: ");
1504  result = 0;
1505  goto end;
1506  }
1507 
1508  /* do detect */
1509  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1510 
1511  if (!(PacketAlertCheck(p, 1))) {
1512  printf("sid 1 didn't match but should have: ");
1513  goto end;
1514  }
1515 
1516  result = 1;
1517 end:
1518  if (alp_tctx != NULL)
1519  AppLayerParserThreadCtxFree(alp_tctx);
1520  if (det_ctx != NULL) {
1521  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1522  }
1523  if (de_ctx != NULL)
1524  DetectEngineCtxFree(de_ctx);
1525 
1526  StreamTcpFreeConfig(true);
1527  FLOW_DESTROY(&f);
1528  UTHFreePackets(&p, 1);
1529  StatsThreadCleanup(&th_v.stats);
1530  return result;
1531 }
1532 
1533 /**
1534  *\test Test that the http_header content matches against a http request
1535  * which holds the content.
1536  */
1537 static int DetectEngineHttpHeaderTest04(void)
1538 {
1539  TcpSession ssn;
1540  Packet *p = NULL;
1541  ThreadVars th_v;
1542  DetectEngineCtx *de_ctx = NULL;
1543  DetectEngineThreadCtx *det_ctx = NULL;
1544  HtpState *http_state = NULL;
1545  Flow f;
1546  uint8_t http_buf[] =
1547  "GET /index.html HTTP/1.0\r\n"
1548  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1549  uint32_t http_len = sizeof(http_buf) - 1;
1550  int result = 0;
1551  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1552 
1553  memset(&th_v, 0, sizeof(th_v));
1554  StatsThreadInit(&th_v.stats);
1555  memset(&f, 0, sizeof(f));
1556  memset(&ssn, 0, sizeof(ssn));
1557 
1558  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1559 
1560  FLOW_INITIALIZE(&f);
1561  f.protoctx = (void *)&ssn;
1562  f.proto = IPPROTO_TCP;
1563  f.flags |= FLOW_IPV4;
1564  p->flow = &f;
1565  p->flowflags |= FLOW_PKT_TOSERVER;
1566  p->flowflags |= FLOW_PKT_ESTABLISHED;
1567  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1568  f.alproto = ALPROTO_HTTP1;
1569 
1570  StreamTcpInitConfig(true);
1571 
1572  de_ctx = DetectEngineCtxInit();
1573  if (de_ctx == NULL)
1574  goto end;
1575 
1576  de_ctx->flags |= DE_QUIET;
1577 
1578  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1579  "(msg:\"http header test\"; "
1580  "content:\"one\"; depth:5; http_header; "
1581  "sid:1;)");
1582  if (de_ctx->sig_list == NULL)
1583  goto end;
1584 
1585  SigGroupBuild(de_ctx);
1586  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1587 
1588  int r = AppLayerParserParse(
1589  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1590  if (r != 0) {
1591  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1592  result = 0;
1593  goto end;
1594  }
1595 
1596  http_state = f.alstate;
1597  if (http_state == NULL) {
1598  printf("no http state: ");
1599  result = 0;
1600  goto end;
1601  }
1602 
1603  /* do detect */
1604  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1605 
1606  if (PacketAlertCheck(p, 1)) {
1607  printf("sid 1 matched but shouldn't have: ");
1608  goto end;
1609  }
1610 
1611  result = 1;
1612 end:
1613  if (alp_tctx != NULL)
1614  AppLayerParserThreadCtxFree(alp_tctx);
1615  if (det_ctx != NULL) {
1616  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1617  }
1618  if (de_ctx != NULL)
1619  DetectEngineCtxFree(de_ctx);
1620 
1621  StreamTcpFreeConfig(true);
1622  FLOW_DESTROY(&f);
1623  UTHFreePackets(&p, 1);
1624  StatsThreadCleanup(&th_v.stats);
1625  return result;
1626 }
1627 
1628 /**
1629  *\test Test that the http_header content matches against a http request
1630  * which holds the content.
1631  */
1632 static int DetectEngineHttpHeaderTest05(void)
1633 {
1634  TcpSession ssn;
1635  Packet *p = NULL;
1636  ThreadVars th_v;
1637  DetectEngineCtx *de_ctx = NULL;
1638  DetectEngineThreadCtx *det_ctx = NULL;
1639  HtpState *http_state = NULL;
1640  Flow f;
1641  uint8_t http_buf[] =
1642  "GET /index.html HTTP/1.0\r\n"
1643  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1644  uint32_t http_len = sizeof(http_buf) - 1;
1645  int result = 0;
1646  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1647 
1648  memset(&th_v, 0, sizeof(th_v));
1649  StatsThreadInit(&th_v.stats);
1650  memset(&f, 0, sizeof(f));
1651  memset(&ssn, 0, sizeof(ssn));
1652 
1653  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1654 
1655  FLOW_INITIALIZE(&f);
1656  f.protoctx = (void *)&ssn;
1657  f.proto = IPPROTO_TCP;
1658  f.flags |= FLOW_IPV4;
1659  p->flow = &f;
1660  p->flowflags |= FLOW_PKT_TOSERVER;
1661  p->flowflags |= FLOW_PKT_ESTABLISHED;
1662  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1663  f.alproto = ALPROTO_HTTP1;
1664 
1665  StreamTcpInitConfig(true);
1666 
1667  de_ctx = DetectEngineCtxInit();
1668  if (de_ctx == NULL)
1669  goto end;
1670 
1671  de_ctx->flags |= DE_QUIET;
1672 
1673  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1674  "(msg:\"http header test\"; "
1675  "content:!\"one\"; depth:15; http_header; "
1676  "sid:1;)");
1677  if (de_ctx->sig_list == NULL)
1678  goto end;
1679 
1680  SigGroupBuild(de_ctx);
1681  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1682 
1683  int r = AppLayerParserParse(
1684  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1685  if (r != 0) {
1686  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1687  result = 0;
1688  goto end;
1689  }
1690 
1691  http_state = f.alstate;
1692  if (http_state == NULL) {
1693  printf("no http state: ");
1694  result = 0;
1695  goto end;
1696  }
1697 
1698  /* do detect */
1699  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1700 
1701  if (PacketAlertCheck(p, 1)) {
1702  printf("sid 1 matched but shouldn't have: ");
1703  goto end;
1704  }
1705 
1706  result = 1;
1707 end:
1708  if (alp_tctx != NULL)
1709  AppLayerParserThreadCtxFree(alp_tctx);
1710  if (det_ctx != NULL) {
1711  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1712  }
1713  if (de_ctx != NULL)
1714  DetectEngineCtxFree(de_ctx);
1715 
1716  StreamTcpFreeConfig(true);
1717  FLOW_DESTROY(&f);
1718  UTHFreePackets(&p, 1);
1719  StatsThreadCleanup(&th_v.stats);
1720  return result;
1721 }
1722 
1723 /**
1724  *\test Test that the http_header content matches against a http request
1725  * which holds the content.
1726  */
1727 static int DetectEngineHttpHeaderTest06(void)
1728 {
1729  TcpSession ssn;
1730  Packet *p = NULL;
1731  ThreadVars th_v;
1732  DetectEngineCtx *de_ctx = NULL;
1733  DetectEngineThreadCtx *det_ctx = NULL;
1734  HtpState *http_state = NULL;
1735  Flow f;
1736  uint8_t http_buf[] =
1737  "GET /index.html HTTP/1.0\r\n"
1738  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1739  uint32_t http_len = sizeof(http_buf) - 1;
1740  int result = 0;
1741  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1742 
1743  memset(&th_v, 0, sizeof(th_v));
1744  StatsThreadInit(&th_v.stats);
1745  memset(&f, 0, sizeof(f));
1746  memset(&ssn, 0, sizeof(ssn));
1747 
1748  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1749 
1750  FLOW_INITIALIZE(&f);
1751  f.protoctx = (void *)&ssn;
1752  f.proto = IPPROTO_TCP;
1753  f.flags |= FLOW_IPV4;
1754  p->flow = &f;
1755  p->flowflags |= FLOW_PKT_TOSERVER;
1756  p->flowflags |= FLOW_PKT_ESTABLISHED;
1757  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1758  f.alproto = ALPROTO_HTTP1;
1759 
1760  StreamTcpInitConfig(true);
1761 
1762  de_ctx = DetectEngineCtxInit();
1763  if (de_ctx == NULL)
1764  goto end;
1765 
1766  de_ctx->flags |= DE_QUIET;
1767 
1768  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1769  "(msg:\"http header test\"; "
1770  "content:\"one\"; offset:10; http_header; "
1771  "sid:1;)");
1772  if (de_ctx->sig_list == NULL)
1773  goto end;
1774 
1775  SigGroupBuild(de_ctx);
1776  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1777 
1778  int r = AppLayerParserParse(
1779  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1780  if (r != 0) {
1781  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1782  result = 0;
1783  goto end;
1784  }
1785 
1786  http_state = f.alstate;
1787  if (http_state == NULL) {
1788  printf("no http state: ");
1789  result = 0;
1790  goto end;
1791  }
1792 
1793  /* do detect */
1794  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1795 
1796  if (!(PacketAlertCheck(p, 1))) {
1797  printf("sid 1 didn't match but should have: ");
1798  goto end;
1799  }
1800 
1801  result = 1;
1802 end:
1803  if (alp_tctx != NULL)
1804  AppLayerParserThreadCtxFree(alp_tctx);
1805  if (det_ctx != NULL) {
1806  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1807  }
1808  if (de_ctx != NULL)
1809  DetectEngineCtxFree(de_ctx);
1810 
1811  StreamTcpFreeConfig(true);
1812  FLOW_DESTROY(&f);
1813  UTHFreePackets(&p, 1);
1814  StatsThreadCleanup(&th_v.stats);
1815  return result;
1816 }
1817 
1818 /**
1819  *\test Test that the http_header content matches against a http request
1820  * which holds the content.
1821  */
1822 static int DetectEngineHttpHeaderTest07(void)
1823 {
1824  TcpSession ssn;
1825  Packet *p = NULL;
1826  ThreadVars th_v;
1827  DetectEngineCtx *de_ctx = NULL;
1828  DetectEngineThreadCtx *det_ctx = NULL;
1829  HtpState *http_state = NULL;
1830  Flow f;
1831  uint8_t http_buf[] =
1832  "GET /index.html HTTP/1.0\r\n"
1833  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1834  uint32_t http_len = sizeof(http_buf) - 1;
1835  int result = 0;
1836  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1837 
1838  memset(&th_v, 0, sizeof(th_v));
1839  StatsThreadInit(&th_v.stats);
1840  memset(&f, 0, sizeof(f));
1841  memset(&ssn, 0, sizeof(ssn));
1842 
1843  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1844 
1845  FLOW_INITIALIZE(&f);
1846  f.protoctx = (void *)&ssn;
1847  f.proto = IPPROTO_TCP;
1848  f.flags |= FLOW_IPV4;
1849  p->flow = &f;
1850  p->flowflags |= FLOW_PKT_TOSERVER;
1851  p->flowflags |= FLOW_PKT_ESTABLISHED;
1852  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1853  f.alproto = ALPROTO_HTTP1;
1854 
1855  StreamTcpInitConfig(true);
1856 
1857  de_ctx = DetectEngineCtxInit();
1858  if (de_ctx == NULL)
1859  goto end;
1860 
1861  de_ctx->flags |= DE_QUIET;
1862 
1863  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1864  "(msg:\"http header test\"; "
1865  "content:!\"one\"; offset:15; http_header; "
1866  "sid:1;)");
1867  if (de_ctx->sig_list == NULL)
1868  goto end;
1869 
1870  SigGroupBuild(de_ctx);
1871  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1872 
1873  int r = AppLayerParserParse(
1874  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1875  if (r != 0) {
1876  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1877  result = 0;
1878  goto end;
1879  }
1880 
1881  http_state = f.alstate;
1882  if (http_state == NULL) {
1883  printf("no http state: ");
1884  result = 0;
1885  goto end;
1886  }
1887 
1888  /* do detect */
1889  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1890 
1891  if (!(PacketAlertCheck(p, 1))) {
1892  printf("sid 1 didn't match but should have: ");
1893  goto end;
1894  }
1895 
1896  result = 1;
1897 end:
1898  if (alp_tctx != NULL)
1899  AppLayerParserThreadCtxFree(alp_tctx);
1900  if (det_ctx != NULL) {
1901  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1902  }
1903  if (de_ctx != NULL)
1904  DetectEngineCtxFree(de_ctx);
1905 
1906  StreamTcpFreeConfig(true);
1907  FLOW_DESTROY(&f);
1908  UTHFreePackets(&p, 1);
1909  StatsThreadCleanup(&th_v.stats);
1910  return result;
1911 }
1912 
1913 /**
1914  *\test Test that the http_header content matches against a http request
1915  * which holds the content.
1916  */
1917 static int DetectEngineHttpHeaderTest08(void)
1918 {
1919  TcpSession ssn;
1920  Packet *p = NULL;
1921  ThreadVars th_v;
1922  DetectEngineCtx *de_ctx = NULL;
1923  DetectEngineThreadCtx *det_ctx = NULL;
1924  HtpState *http_state = NULL;
1925  Flow f;
1926  uint8_t http_buf[] =
1927  "GET /index.html HTTP/1.0\r\n"
1928  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1929  uint32_t http_len = sizeof(http_buf) - 1;
1930  int result = 0;
1931  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1932 
1933  memset(&th_v, 0, sizeof(th_v));
1934  StatsThreadInit(&th_v.stats);
1935  memset(&f, 0, sizeof(f));
1936  memset(&ssn, 0, sizeof(ssn));
1937 
1938  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1939 
1940  FLOW_INITIALIZE(&f);
1941  f.protoctx = (void *)&ssn;
1942  f.proto = IPPROTO_TCP;
1943  f.flags |= FLOW_IPV4;
1944  p->flow = &f;
1945  p->flowflags |= FLOW_PKT_TOSERVER;
1946  p->flowflags |= FLOW_PKT_ESTABLISHED;
1947  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1948  f.alproto = ALPROTO_HTTP1;
1949 
1950  StreamTcpInitConfig(true);
1951 
1952  de_ctx = DetectEngineCtxInit();
1953  if (de_ctx == NULL)
1954  goto end;
1955 
1956  de_ctx->flags |= DE_QUIET;
1957 
1958  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1959  "(msg:\"http header test\"; "
1960  "content:\"one\"; offset:15; http_header; "
1961  "sid:1;)");
1962  if (de_ctx->sig_list == NULL)
1963  goto end;
1964 
1965  SigGroupBuild(de_ctx);
1966  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1967 
1968  int r = AppLayerParserParse(
1969  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1970  if (r != 0) {
1971  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1972  result = 0;
1973  goto end;
1974  }
1975 
1976  http_state = f.alstate;
1977  if (http_state == NULL) {
1978  printf("no http state: ");
1979  result = 0;
1980  goto end;
1981  }
1982 
1983  /* do detect */
1984  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1985 
1986  if (PacketAlertCheck(p, 1)) {
1987  printf("sid 1 matched but shouldn't have: ");
1988  goto end;
1989  }
1990 
1991  result = 1;
1992 end:
1993  if (alp_tctx != NULL)
1994  AppLayerParserThreadCtxFree(alp_tctx);
1995  if (det_ctx != NULL) {
1996  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1997  }
1998  if (de_ctx != NULL)
1999  DetectEngineCtxFree(de_ctx);
2000 
2001  StreamTcpFreeConfig(true);
2002  FLOW_DESTROY(&f);
2003  UTHFreePackets(&p, 1);
2004  StatsThreadCleanup(&th_v.stats);
2005  return result;
2006 }
2007 
2008 /**
2009  *\test Test that the http_header content matches against a http request
2010  * which holds the content.
2011  */
2012 static int DetectEngineHttpHeaderTest09(void)
2013 {
2014  TcpSession ssn;
2015  Packet *p = NULL;
2016  ThreadVars th_v;
2017  DetectEngineCtx *de_ctx = NULL;
2018  DetectEngineThreadCtx *det_ctx = NULL;
2019  HtpState *http_state = NULL;
2020  Flow f;
2021  uint8_t http_buf[] =
2022  "GET /index.html HTTP/1.0\r\n"
2023  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2024  uint32_t http_len = sizeof(http_buf) - 1;
2025  int result = 0;
2026  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2027 
2028  memset(&th_v, 0, sizeof(th_v));
2029  StatsThreadInit(&th_v.stats);
2030  memset(&f, 0, sizeof(f));
2031  memset(&ssn, 0, sizeof(ssn));
2032 
2033  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2034 
2035  FLOW_INITIALIZE(&f);
2036  f.protoctx = (void *)&ssn;
2037  f.proto = IPPROTO_TCP;
2038  f.flags |= FLOW_IPV4;
2039  p->flow = &f;
2040  p->flowflags |= FLOW_PKT_TOSERVER;
2041  p->flowflags |= FLOW_PKT_ESTABLISHED;
2042  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2043  f.alproto = ALPROTO_HTTP1;
2044 
2045  StreamTcpInitConfig(true);
2046 
2047  de_ctx = DetectEngineCtxInit();
2048  if (de_ctx == NULL)
2049  goto end;
2050 
2051  de_ctx->flags |= DE_QUIET;
2052 
2053  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2054  "(msg:\"http header test\"; "
2055  "content:!\"one\"; offset:10; http_header; "
2056  "sid:1;)");
2057  if (de_ctx->sig_list == NULL)
2058  goto end;
2059 
2060  SigGroupBuild(de_ctx);
2061  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2062 
2063  int r = AppLayerParserParse(
2064  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2065  if (r != 0) {
2066  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2067  result = 0;
2068  goto end;
2069  }
2070 
2071  http_state = f.alstate;
2072  if (http_state == NULL) {
2073  printf("no http state: ");
2074  result = 0;
2075  goto end;
2076  }
2077 
2078  /* do detect */
2079  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2080 
2081  if (PacketAlertCheck(p, 1)) {
2082  printf("sid 1 matched but shouldn't have: ");
2083  goto end;
2084  }
2085 
2086  result = 1;
2087 end:
2088  if (alp_tctx != NULL)
2089  AppLayerParserThreadCtxFree(alp_tctx);
2090  if (det_ctx != NULL) {
2091  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2092  }
2093  if (de_ctx != NULL)
2094  DetectEngineCtxFree(de_ctx);
2095 
2096  StreamTcpFreeConfig(true);
2097  FLOW_DESTROY(&f);
2098  UTHFreePackets(&p, 1);
2099  StatsThreadCleanup(&th_v.stats);
2100  return result;
2101 }
2102 
2103 /**
2104  *\test Test that the http_header content matches against a http request
2105  * which holds the content.
2106  */
2107 static int DetectEngineHttpHeaderTest10(void)
2108 {
2109  TcpSession ssn;
2110  Packet *p = NULL;
2111  ThreadVars th_v;
2112  DetectEngineCtx *de_ctx = NULL;
2113  DetectEngineThreadCtx *det_ctx = NULL;
2114  HtpState *http_state = NULL;
2115  Flow f;
2116  uint8_t http_buf[] =
2117  "GET /index.html HTTP/1.0\r\n"
2118  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2119  uint32_t http_len = sizeof(http_buf) - 1;
2120  int result = 0;
2121  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2122 
2123  memset(&th_v, 0, sizeof(th_v));
2124  StatsThreadInit(&th_v.stats);
2125  memset(&f, 0, sizeof(f));
2126  memset(&ssn, 0, sizeof(ssn));
2127 
2128  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2129 
2130  FLOW_INITIALIZE(&f);
2131  f.protoctx = (void *)&ssn;
2132  f.proto = IPPROTO_TCP;
2133  f.flags |= FLOW_IPV4;
2134  p->flow = &f;
2135  p->flowflags |= FLOW_PKT_TOSERVER;
2136  p->flowflags |= FLOW_PKT_ESTABLISHED;
2137  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2138  f.alproto = ALPROTO_HTTP1;
2139 
2140  StreamTcpInitConfig(true);
2141 
2142  de_ctx = DetectEngineCtxInit();
2143  if (de_ctx == NULL)
2144  goto end;
2145 
2146  de_ctx->flags |= DE_QUIET;
2147 
2148  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2149  "(msg:\"http header test\"; "
2150  "content:\"one\"; http_header; content:\"three\"; http_header; within:10; "
2151  "sid:1;)");
2152  if (de_ctx->sig_list == NULL)
2153  goto end;
2154 
2155  SigGroupBuild(de_ctx);
2156  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2157 
2158  int r = AppLayerParserParse(
2159  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2160  if (r != 0) {
2161  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2162  result = 0;
2163  goto end;
2164  }
2165 
2166  http_state = f.alstate;
2167  if (http_state == NULL) {
2168  printf("no http state: ");
2169  result = 0;
2170  goto end;
2171  }
2172 
2173  /* do detect */
2174  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2175 
2176  if (!(PacketAlertCheck(p, 1))) {
2177  printf("sid 1 didn't match but should have: ");
2178  goto end;
2179  }
2180 
2181  result = 1;
2182 end:
2183  if (alp_tctx != NULL)
2184  AppLayerParserThreadCtxFree(alp_tctx);
2185  if (det_ctx != NULL) {
2186  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2187  }
2188  if (de_ctx != NULL)
2189  DetectEngineCtxFree(de_ctx);
2190 
2191  StreamTcpFreeConfig(true);
2192  FLOW_DESTROY(&f);
2193  UTHFreePackets(&p, 1);
2194  StatsThreadCleanup(&th_v.stats);
2195  return result;
2196 }
2197 
2198 /**
2199  *\test Test that the http_header content matches against a http request
2200  * which holds the content.
2201  */
2202 static int DetectEngineHttpHeaderTest11(void)
2203 {
2204  TcpSession ssn;
2205  Packet *p = NULL;
2206  ThreadVars th_v;
2207  DetectEngineCtx *de_ctx = NULL;
2208  DetectEngineThreadCtx *det_ctx = NULL;
2209  HtpState *http_state = NULL;
2210  Flow f;
2211  uint8_t http_buf[] =
2212  "GET /index.html HTTP/1.0\r\n"
2213  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2214  uint32_t http_len = sizeof(http_buf) - 1;
2215  int result = 0;
2216  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2217 
2218  memset(&th_v, 0, sizeof(th_v));
2219  StatsThreadInit(&th_v.stats);
2220  memset(&f, 0, sizeof(f));
2221  memset(&ssn, 0, sizeof(ssn));
2222 
2223  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2224 
2225  FLOW_INITIALIZE(&f);
2226  f.protoctx = (void *)&ssn;
2227  f.proto = IPPROTO_TCP;
2228  f.flags |= FLOW_IPV4;
2229  p->flow = &f;
2230  p->flowflags |= FLOW_PKT_TOSERVER;
2231  p->flowflags |= FLOW_PKT_ESTABLISHED;
2232  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2233  f.alproto = ALPROTO_HTTP1;
2234 
2235  StreamTcpInitConfig(true);
2236 
2237  de_ctx = DetectEngineCtxInit();
2238  if (de_ctx == NULL)
2239  goto end;
2240 
2241  de_ctx->flags |= DE_QUIET;
2242 
2243  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2244  "(msg:\"http header test\"; "
2245  "content:\"one\"; http_header; content:!\"three\"; http_header; within:5; "
2246  "sid:1;)");
2247  if (de_ctx->sig_list == NULL)
2248  goto end;
2249 
2250  SigGroupBuild(de_ctx);
2251  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2252 
2253  int r = AppLayerParserParse(
2254  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2255  if (r != 0) {
2256  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2257  result = 0;
2258  goto end;
2259  }
2260 
2261  http_state = f.alstate;
2262  if (http_state == NULL) {
2263  printf("no http state: ");
2264  result = 0;
2265  goto end;
2266  }
2267 
2268  /* do detect */
2269  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2270 
2271  if (!(PacketAlertCheck(p, 1))) {
2272  printf("sid 1 didn't match but should have: ");
2273  goto end;
2274  }
2275 
2276  result = 1;
2277 end:
2278  if (alp_tctx != NULL)
2279  AppLayerParserThreadCtxFree(alp_tctx);
2280  if (det_ctx != NULL) {
2281  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2282  }
2283  if (de_ctx != NULL)
2284  DetectEngineCtxFree(de_ctx);
2285 
2286  StreamTcpFreeConfig(true);
2287  FLOW_DESTROY(&f);
2288  UTHFreePackets(&p, 1);
2289  StatsThreadCleanup(&th_v.stats);
2290  return result;
2291 }
2292 
2293 /**
2294  *\test Test that the http_header content matches against a http request
2295  * which holds the content.
2296  */
2297 static int DetectEngineHttpHeaderTest12(void)
2298 {
2299  TcpSession ssn;
2300  Packet *p = NULL;
2301  ThreadVars th_v;
2302  DetectEngineCtx *de_ctx = NULL;
2303  DetectEngineThreadCtx *det_ctx = NULL;
2304  HtpState *http_state = NULL;
2305  Flow f;
2306  uint8_t http_buf[] =
2307  "GET /index.html HTTP/1.0\r\n"
2308  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2309  uint32_t http_len = sizeof(http_buf) - 1;
2310  int result = 0;
2311  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2312 
2313  memset(&th_v, 0, sizeof(th_v));
2314  StatsThreadInit(&th_v.stats);
2315  memset(&f, 0, sizeof(f));
2316  memset(&ssn, 0, sizeof(ssn));
2317 
2318  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2319 
2320  FLOW_INITIALIZE(&f);
2321  f.protoctx = (void *)&ssn;
2322  f.proto = IPPROTO_TCP;
2323  f.flags |= FLOW_IPV4;
2324  p->flow = &f;
2325  p->flowflags |= FLOW_PKT_TOSERVER;
2326  p->flowflags |= FLOW_PKT_ESTABLISHED;
2327  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2328  f.alproto = ALPROTO_HTTP1;
2329 
2330  StreamTcpInitConfig(true);
2331 
2332  de_ctx = DetectEngineCtxInit();
2333  if (de_ctx == NULL)
2334  goto end;
2335 
2336  de_ctx->flags |= DE_QUIET;
2337 
2338  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2339  "(msg:\"http header test\"; "
2340  "content:\"one\"; http_header; content:!\"three\"; http_header; within:10; "
2341  "sid:1;)");
2342  if (de_ctx->sig_list == NULL)
2343  goto end;
2344 
2345  SigGroupBuild(de_ctx);
2346  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2347 
2348  int r = AppLayerParserParse(
2349  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2350  if (r != 0) {
2351  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2352  result = 0;
2353  goto end;
2354  }
2355 
2356  http_state = f.alstate;
2357  if (http_state == NULL) {
2358  printf("no http state: ");
2359  result = 0;
2360  goto end;
2361  }
2362 
2363  /* do detect */
2364  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2365 
2366  if (PacketAlertCheck(p, 1)) {
2367  printf("sid 1 matched but shouldn't have: ");
2368  goto end;
2369  }
2370 
2371  result = 1;
2372 end:
2373  if (alp_tctx != NULL)
2374  AppLayerParserThreadCtxFree(alp_tctx);
2375  if (det_ctx != NULL) {
2376  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2377  }
2378  if (de_ctx != NULL)
2379  DetectEngineCtxFree(de_ctx);
2380 
2381  StreamTcpFreeConfig(true);
2382  FLOW_DESTROY(&f);
2383  UTHFreePackets(&p, 1);
2384  StatsThreadCleanup(&th_v.stats);
2385  return result;
2386 }
2387 
2388 /**
2389  *\test Test that the http_header content matches against a http request
2390  * which holds the content.
2391  */
2392 static int DetectEngineHttpHeaderTest13(void)
2393 {
2394  TcpSession ssn;
2395  Packet *p = NULL;
2396  ThreadVars th_v;
2397  DetectEngineCtx *de_ctx = NULL;
2398  DetectEngineThreadCtx *det_ctx = NULL;
2399  HtpState *http_state = NULL;
2400  Flow f;
2401  uint8_t http_buf[] =
2402  "GET /index.html HTTP/1.0\r\n"
2403  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2404  uint32_t http_len = sizeof(http_buf) - 1;
2405  int result = 0;
2406  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2407 
2408  memset(&th_v, 0, sizeof(th_v));
2409  StatsThreadInit(&th_v.stats);
2410  memset(&f, 0, sizeof(f));
2411  memset(&ssn, 0, sizeof(ssn));
2412 
2413  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2414 
2415  FLOW_INITIALIZE(&f);
2416  f.protoctx = (void *)&ssn;
2417  f.proto = IPPROTO_TCP;
2418  f.flags |= FLOW_IPV4;
2419  p->flow = &f;
2420  p->flowflags |= FLOW_PKT_TOSERVER;
2421  p->flowflags |= FLOW_PKT_ESTABLISHED;
2422  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2423  f.alproto = ALPROTO_HTTP1;
2424 
2425  StreamTcpInitConfig(true);
2426 
2427  de_ctx = DetectEngineCtxInit();
2428  if (de_ctx == NULL)
2429  goto end;
2430 
2431  de_ctx->flags |= DE_QUIET;
2432 
2433  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2434  "(msg:\"http header test\"; "
2435  "content:\"one\"; http_header; content:\"three\"; http_header; within:5; "
2436  "sid:1;)");
2437  if (de_ctx->sig_list == NULL)
2438  goto end;
2439 
2440  SigGroupBuild(de_ctx);
2441  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2442 
2443  int r = AppLayerParserParse(
2444  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2445  if (r != 0) {
2446  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2447  result = 0;
2448  goto end;
2449  }
2450 
2451  http_state = f.alstate;
2452  if (http_state == NULL) {
2453  printf("no http state: ");
2454  result = 0;
2455  goto end;
2456  }
2457 
2458  /* do detect */
2459  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2460 
2461  if (PacketAlertCheck(p, 1)) {
2462  printf("sid 1 matched but shouldn't have: ");
2463  goto end;
2464  }
2465 
2466  result = 1;
2467 end:
2468  if (alp_tctx != NULL)
2469  AppLayerParserThreadCtxFree(alp_tctx);
2470  if (det_ctx != NULL) {
2471  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2472  }
2473  if (de_ctx != NULL)
2474  DetectEngineCtxFree(de_ctx);
2475 
2476  StreamTcpFreeConfig(true);
2477  FLOW_DESTROY(&f);
2478  UTHFreePackets(&p, 1);
2479  StatsThreadCleanup(&th_v.stats);
2480  return result;
2481 }
2482 
2483 /**
2484  *\test Test that the http_header content matches against a http request
2485  * which holds the content.
2486  */
2487 static int DetectEngineHttpHeaderTest14(void)
2488 {
2489  TcpSession ssn;
2490  Packet *p = NULL;
2491  ThreadVars th_v;
2492  DetectEngineCtx *de_ctx = NULL;
2493  DetectEngineThreadCtx *det_ctx = NULL;
2494  HtpState *http_state = NULL;
2495  Flow f;
2496  uint8_t http_buf[] =
2497  "GET /index.html HTTP/1.0\r\n"
2498  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2499  uint32_t http_len = sizeof(http_buf) - 1;
2500  int result = 0;
2501  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2502 
2503  memset(&th_v, 0, sizeof(th_v));
2504  StatsThreadInit(&th_v.stats);
2505  memset(&f, 0, sizeof(f));
2506  memset(&ssn, 0, sizeof(ssn));
2507 
2508  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2509 
2510  FLOW_INITIALIZE(&f);
2511  f.protoctx = (void *)&ssn;
2512  f.proto = IPPROTO_TCP;
2513  f.flags |= FLOW_IPV4;
2514  p->flow = &f;
2515  p->flowflags |= FLOW_PKT_TOSERVER;
2516  p->flowflags |= FLOW_PKT_ESTABLISHED;
2517  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2518  f.alproto = ALPROTO_HTTP1;
2519 
2520  StreamTcpInitConfig(true);
2521 
2522  de_ctx = DetectEngineCtxInit();
2523  if (de_ctx == NULL)
2524  goto end;
2525 
2526  de_ctx->flags |= DE_QUIET;
2527 
2528  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2529  "(msg:\"http header test\"; "
2530  "content:\"one\"; http_header; content:\"five\"; http_header; distance:7; "
2531  "sid:1;)");
2532  if (de_ctx->sig_list == NULL)
2533  goto end;
2534 
2535  SigGroupBuild(de_ctx);
2536  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2537 
2538  int r = AppLayerParserParse(
2539  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2540  if (r != 0) {
2541  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2542  result = 0;
2543  goto end;
2544  }
2545 
2546  http_state = f.alstate;
2547  if (http_state == NULL) {
2548  printf("no http state: ");
2549  result = 0;
2550  goto end;
2551  }
2552 
2553  /* do detect */
2554  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2555 
2556  if (!(PacketAlertCheck(p, 1))) {
2557  printf("sid 1 didn't match but should have: ");
2558  goto end;
2559  }
2560 
2561  result = 1;
2562 end:
2563  if (alp_tctx != NULL)
2564  AppLayerParserThreadCtxFree(alp_tctx);
2565  if (det_ctx != NULL) {
2566  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2567  }
2568  if (de_ctx != NULL)
2569  DetectEngineCtxFree(de_ctx);
2570 
2571  StreamTcpFreeConfig(true);
2572  FLOW_DESTROY(&f);
2573  UTHFreePackets(&p, 1);
2574  StatsThreadCleanup(&th_v.stats);
2575  return result;
2576 }
2577 
2578 /**
2579  *\test Test that the http_header content matches against a http request
2580  * which holds the content.
2581  */
2582 static int DetectEngineHttpHeaderTest15(void)
2583 {
2584  TcpSession ssn;
2585  Packet *p = NULL;
2586  ThreadVars th_v;
2587  DetectEngineCtx *de_ctx = NULL;
2588  DetectEngineThreadCtx *det_ctx = NULL;
2589  HtpState *http_state = NULL;
2590  Flow f;
2591  uint8_t http_buf[] =
2592  "GET /index.html HTTP/1.0\r\n"
2593  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2594  uint32_t http_len = sizeof(http_buf) - 1;
2595  int result = 0;
2596  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2597 
2598  memset(&th_v, 0, sizeof(th_v));
2599  StatsThreadInit(&th_v.stats);
2600  memset(&f, 0, sizeof(f));
2601  memset(&ssn, 0, sizeof(ssn));
2602 
2603  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2604 
2605  FLOW_INITIALIZE(&f);
2606  f.protoctx = (void *)&ssn;
2607  f.proto = IPPROTO_TCP;
2608  f.flags |= FLOW_IPV4;
2609  p->flow = &f;
2610  p->flowflags |= FLOW_PKT_TOSERVER;
2611  p->flowflags |= FLOW_PKT_ESTABLISHED;
2612  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2613  f.alproto = ALPROTO_HTTP1;
2614 
2615  StreamTcpInitConfig(true);
2616 
2617  de_ctx = DetectEngineCtxInit();
2618  if (de_ctx == NULL)
2619  goto end;
2620 
2621  de_ctx->flags |= DE_QUIET;
2622 
2623  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2624  "(msg:\"http header test\"; "
2625  "content:\"one\"; http_header; content:!\"five\"; http_header; distance:15; "
2626  "sid:1;)");
2627  if (de_ctx->sig_list == NULL)
2628  goto end;
2629 
2630  SigGroupBuild(de_ctx);
2631  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2632 
2633  int r = AppLayerParserParse(
2634  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2635  if (r != 0) {
2636  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2637  result = 0;
2638  goto end;
2639  }
2640 
2641  http_state = f.alstate;
2642  if (http_state == NULL) {
2643  printf("no http state: ");
2644  result = 0;
2645  goto end;
2646  }
2647 
2648  /* do detect */
2649  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2650 
2651  if (!(PacketAlertCheck(p, 1))) {
2652  printf("sid 1 didn't match but should have: ");
2653  goto end;
2654  }
2655 
2656  result = 1;
2657 end:
2658  if (alp_tctx != NULL)
2659  AppLayerParserThreadCtxFree(alp_tctx);
2660  if (det_ctx != NULL) {
2661  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2662  }
2663  if (de_ctx != NULL)
2664  DetectEngineCtxFree(de_ctx);
2665 
2666  StreamTcpFreeConfig(true);
2667  FLOW_DESTROY(&f);
2668  UTHFreePackets(&p, 1);
2669  StatsThreadCleanup(&th_v.stats);
2670  return result;
2671 }
2672 
2673 /**
2674  *\test Test that the http_header content matches against a http request
2675  * which holds the content.
2676  */
2677 static int DetectEngineHttpHeaderTest16(void)
2678 {
2679  TcpSession ssn;
2680  Packet *p = NULL;
2681  ThreadVars th_v;
2682  DetectEngineCtx *de_ctx = NULL;
2683  DetectEngineThreadCtx *det_ctx = NULL;
2684  HtpState *http_state = NULL;
2685  Flow f;
2686  uint8_t http_buf[] =
2687  "GET /index.html HTTP/1.0\r\n"
2688  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2689  uint32_t http_len = sizeof(http_buf) - 1;
2690  int result = 0;
2691  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2692 
2693  memset(&th_v, 0, sizeof(th_v));
2694  StatsThreadInit(&th_v.stats);
2695  memset(&f, 0, sizeof(f));
2696  memset(&ssn, 0, sizeof(ssn));
2697 
2698  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2699 
2700  FLOW_INITIALIZE(&f);
2701  f.protoctx = (void *)&ssn;
2702  f.proto = IPPROTO_TCP;
2703  f.flags |= FLOW_IPV4;
2704  p->flow = &f;
2705  p->flowflags |= FLOW_PKT_TOSERVER;
2706  p->flowflags |= FLOW_PKT_ESTABLISHED;
2707  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2708  f.alproto = ALPROTO_HTTP1;
2709 
2710  StreamTcpInitConfig(true);
2711 
2712  de_ctx = DetectEngineCtxInit();
2713  if (de_ctx == NULL)
2714  goto end;
2715 
2716  de_ctx->flags |= DE_QUIET;
2717 
2718  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2719  "(msg:\"http header test\"; "
2720  "content:\"one\"; http_header; content:!\"five\"; http_header; distance:7; "
2721  "sid:1;)");
2722  if (de_ctx->sig_list == NULL)
2723  goto end;
2724 
2725  SigGroupBuild(de_ctx);
2726  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2727 
2728  int r = AppLayerParserParse(
2729  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2730  if (r != 0) {
2731  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2732  result = 0;
2733  goto end;
2734  }
2735 
2736  http_state = f.alstate;
2737  if (http_state == NULL) {
2738  printf("no http state: ");
2739  result = 0;
2740  goto end;
2741  }
2742 
2743  /* do detect */
2744  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2745 
2746  if (PacketAlertCheck(p, 1)) {
2747  printf("sid 1 matched but shouldn't have: ");
2748  goto end;
2749  }
2750 
2751  result = 1;
2752 end:
2753  if (alp_tctx != NULL)
2754  AppLayerParserThreadCtxFree(alp_tctx);
2755  if (det_ctx != NULL) {
2756  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2757  }
2758  if (de_ctx != NULL)
2759  DetectEngineCtxFree(de_ctx);
2760 
2761  StreamTcpFreeConfig(true);
2762  FLOW_DESTROY(&f);
2763  UTHFreePackets(&p, 1);
2764  StatsThreadCleanup(&th_v.stats);
2765  return result;
2766 }
2767 
2768 /**
2769  *\test Test that the http_header content matches against a http request
2770  * which holds the content.
2771  */
2772 static int DetectEngineHttpHeaderTest17(void)
2773 {
2774  TcpSession ssn;
2775  Packet *p = NULL;
2776  ThreadVars th_v;
2777  DetectEngineCtx *de_ctx = NULL;
2778  DetectEngineThreadCtx *det_ctx = NULL;
2779  HtpState *http_state = NULL;
2780  Flow f;
2781  uint8_t http_buf[] =
2782  "GET /index.html HTTP/1.0\r\n"
2783  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2784  uint32_t http_len = sizeof(http_buf) - 1;
2785  int result = 0;
2786  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2787 
2788  memset(&th_v, 0, sizeof(th_v));
2789  StatsThreadInit(&th_v.stats);
2790  memset(&f, 0, sizeof(f));
2791  memset(&ssn, 0, sizeof(ssn));
2792 
2793  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2794 
2795  FLOW_INITIALIZE(&f);
2796  f.protoctx = (void *)&ssn;
2797  f.proto = IPPROTO_TCP;
2798  f.flags |= FLOW_IPV4;
2799  p->flow = &f;
2800  p->flowflags |= FLOW_PKT_TOSERVER;
2801  p->flowflags |= FLOW_PKT_ESTABLISHED;
2802  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2803  f.alproto = ALPROTO_HTTP1;
2804 
2805  StreamTcpInitConfig(true);
2806 
2807  de_ctx = DetectEngineCtxInit();
2808  if (de_ctx == NULL)
2809  goto end;
2810 
2811  de_ctx->flags |= DE_QUIET;
2812 
2813  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2814  "(msg:\"http header test\"; "
2815  "content:\"one\"; http_header; content:\"five\"; http_header; distance:15; "
2816  "sid:1;)");
2817  if (de_ctx->sig_list == NULL)
2818  goto end;
2819 
2820  SigGroupBuild(de_ctx);
2821  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2822 
2823  int r = AppLayerParserParse(
2824  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2825  if (r != 0) {
2826  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2827  result = 0;
2828  goto end;
2829  }
2830 
2831  http_state = f.alstate;
2832  if (http_state == NULL) {
2833  printf("no http state: ");
2834  result = 0;
2835  goto end;
2836  }
2837 
2838  /* do detect */
2839  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2840 
2841  if (PacketAlertCheck(p, 1)) {
2842  printf("sid 1 matched but shouldn't have: ");
2843  goto end;
2844  }
2845 
2846  result = 1;
2847 end:
2848  if (alp_tctx != NULL)
2849  AppLayerParserThreadCtxFree(alp_tctx);
2850  if (det_ctx != NULL) {
2851  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2852  }
2853  if (de_ctx != NULL)
2854  DetectEngineCtxFree(de_ctx);
2855 
2856  StreamTcpFreeConfig(true);
2857  FLOW_DESTROY(&f);
2858  UTHFreePackets(&p, 1);
2859  StatsThreadCleanup(&th_v.stats);
2860  return result;
2861 }
2862 
2863 static int DetectEngineHttpHeaderTest20(void)
2864 {
2865  TcpSession ssn;
2866  Packet *p1 = NULL;
2867  Packet *p2 = NULL;
2868  ThreadVars th_v;
2869  DetectEngineCtx *de_ctx = NULL;
2870  DetectEngineThreadCtx *det_ctx = NULL;
2871  HtpState *http_state = NULL;
2872  Flow f;
2873  uint8_t http1_buf[] =
2874  "GET /index.html HTTP/1.0\r\n"
2875  "Host: This_is_dummy_body1";
2876  uint8_t http2_buf[] =
2877  "This_is_dummy_message_body2\r\n"
2878  "\r\n";
2879  uint32_t http1_len = sizeof(http1_buf) - 1;
2880  uint32_t http2_len = sizeof(http2_buf) - 1;
2881  int result = 0;
2882  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2883 
2884  memset(&th_v, 0, sizeof(th_v));
2885  StatsThreadInit(&th_v.stats);
2886  memset(&f, 0, sizeof(f));
2887  memset(&ssn, 0, sizeof(ssn));
2888 
2889  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2890  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2891 
2892  FLOW_INITIALIZE(&f);
2893  f.protoctx = (void *)&ssn;
2894  f.proto = IPPROTO_TCP;
2895  f.flags |= FLOW_IPV4;
2896 
2897  p1->flow = &f;
2898  p1->flowflags |= FLOW_PKT_TOSERVER;
2899  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2900  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2901  p2->flow = &f;
2902  p2->flowflags |= FLOW_PKT_TOSERVER;
2903  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2904  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2905  f.alproto = ALPROTO_HTTP1;
2906 
2907  StreamTcpInitConfig(true);
2908 
2909  de_ctx = DetectEngineCtxInit();
2910  if (de_ctx == NULL)
2911  goto end;
2912 
2913  de_ctx->flags |= DE_QUIET;
2914 
2915  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2916  "(msg:\"http client body test\"; "
2917  "pcre:/body1/H; "
2918  "content:!\"dummy\"; http_header; within:7; "
2919  "sid:1;)");
2920  if (de_ctx->sig_list == NULL)
2921  goto end;
2922 
2923  SigGroupBuild(de_ctx);
2924  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2925 
2926  int r = AppLayerParserParse(
2927  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2928  if (r != 0) {
2929  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2930  result = 0;
2931  goto end;
2932  }
2933 
2934  http_state = f.alstate;
2935  if (http_state == NULL) {
2936  printf("no http state: \n");
2937  result = 0;
2938  goto end;
2939  }
2940 
2941  /* do detect */
2942  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2943 
2944  if (PacketAlertCheck(p1, 1)) {
2945  printf("sid 1 matched but shouldn't have\n");
2946  goto end;
2947  }
2948 
2949  r = AppLayerParserParse(
2950  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2951  if (r != 0) {
2952  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2953  result = 0;
2954  goto end;
2955  }
2956 
2957  /* do detect */
2958  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2959 
2960  if (!PacketAlertCheck(p2, 1)) {
2961  printf("sid 1 didn't match but shouldn't have");
2962  goto end;
2963  }
2964 
2965  result = 1;
2966 
2967 end:
2968  if (alp_tctx != NULL)
2969  AppLayerParserThreadCtxFree(alp_tctx);
2970  if (det_ctx != NULL) {
2971  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2972  }
2973  if (de_ctx != NULL)
2974  DetectEngineCtxFree(de_ctx);
2975 
2976  StreamTcpFreeConfig(true);
2977  FLOW_DESTROY(&f);
2978  UTHFreePackets(&p1, 1);
2979  UTHFreePackets(&p2, 1);
2980  StatsThreadCleanup(&th_v.stats);
2981  return result;
2982 }
2983 
2984 static int DetectEngineHttpHeaderTest21(void)
2985 {
2986  TcpSession ssn;
2987  Packet *p1 = NULL;
2988  Packet *p2 = NULL;
2989  ThreadVars th_v;
2990  DetectEngineCtx *de_ctx = NULL;
2991  DetectEngineThreadCtx *det_ctx = NULL;
2992  HtpState *http_state = NULL;
2993  Flow f;
2994  uint8_t http1_buf[] =
2995  "GET /index.html HTTP/1.0\r\n"
2996  "Host: This_is_dummy_body1";
2997  uint8_t http2_buf[] =
2998  "This_is_dummy_message_body2\r\n"
2999  "\r\n";
3000  uint32_t http1_len = sizeof(http1_buf) - 1;
3001  uint32_t http2_len = sizeof(http2_buf) - 1;
3002  int result = 0;
3003  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3004 
3005  memset(&th_v, 0, sizeof(th_v));
3006  StatsThreadInit(&th_v.stats);
3007  memset(&f, 0, sizeof(f));
3008  memset(&ssn, 0, sizeof(ssn));
3009 
3010  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3011  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3012 
3013  FLOW_INITIALIZE(&f);
3014  f.protoctx = (void *)&ssn;
3015  f.proto = IPPROTO_TCP;
3016  f.flags |= FLOW_IPV4;
3017 
3018  p1->flow = &f;
3019  p1->flowflags |= FLOW_PKT_TOSERVER;
3020  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3021  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3022  p2->flow = &f;
3023  p2->flowflags |= FLOW_PKT_TOSERVER;
3024  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3025  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3026  f.alproto = ALPROTO_HTTP1;
3027 
3028  StreamTcpInitConfig(true);
3029 
3030  de_ctx = DetectEngineCtxInit();
3031  if (de_ctx == NULL)
3032  goto end;
3033 
3034  de_ctx->flags |= DE_QUIET;
3035 
3036  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3037  "(msg:\"http client body test\"; "
3038  "pcre:/body1/H; "
3039  "content:!\"dummy\"; within:7; http_header; "
3040  "sid:1;)");
3041  if (de_ctx->sig_list == NULL)
3042  goto end;
3043 
3044  SigGroupBuild(de_ctx);
3045  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3046 
3047  int r = AppLayerParserParse(
3048  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3049  if (r != 0) {
3050  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3051  result = 0;
3052  goto end;
3053  }
3054 
3055  http_state = f.alstate;
3056  if (http_state == NULL) {
3057  printf("no http state: \n");
3058  result = 0;
3059  goto end;
3060  }
3061 
3062  /* do detect */
3063  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3064 
3065  if (PacketAlertCheck(p1, 1)) {
3066  printf("sid 1 matched but shouldn't have\n");
3067  goto end;
3068  }
3069 
3070  r = AppLayerParserParse(
3071  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3072  if (r != 0) {
3073  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3074  result = 0;
3075  goto end;
3076  }
3077 
3078  /* do detect */
3079  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3080 
3081  if (!PacketAlertCheck(p2, 1)) {
3082  printf("sid 1 didn't match but shouldn't have");
3083  goto end;
3084  }
3085 
3086  result = 1;
3087 
3088 end:
3089  if (alp_tctx != NULL)
3090  AppLayerParserThreadCtxFree(alp_tctx);
3091  if (det_ctx != NULL) {
3092  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3093  }
3094  if (de_ctx != NULL)
3095  DetectEngineCtxFree(de_ctx);
3096 
3097  StreamTcpFreeConfig(true);
3098  FLOW_DESTROY(&f);
3099  UTHFreePackets(&p1, 1);
3100  UTHFreePackets(&p2, 1);
3101  StatsThreadCleanup(&th_v.stats);
3102  return result;
3103 }
3104 
3105 static int DetectEngineHttpHeaderTest22(void)
3106 {
3107  TcpSession ssn;
3108  Packet *p1 = NULL;
3109  Packet *p2 = NULL;
3110  ThreadVars th_v;
3111  DetectEngineCtx *de_ctx = NULL;
3112  DetectEngineThreadCtx *det_ctx = NULL;
3113  HtpState *http_state = NULL;
3114  Flow f;
3115  uint8_t http1_buf[] =
3116  "GET /index.html HTTP/1.0\r\n"
3117  "Host: This_is_dummy_body1";
3118  uint8_t http2_buf[] =
3119  "This_is_dummy_message_body2\r\n"
3120  "\r\n";
3121  uint32_t http1_len = sizeof(http1_buf) - 1;
3122  uint32_t http2_len = sizeof(http2_buf) - 1;
3123  int result = 0;
3124  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3125 
3126  memset(&th_v, 0, sizeof(th_v));
3127  StatsThreadInit(&th_v.stats);
3128  memset(&f, 0, sizeof(f));
3129  memset(&ssn, 0, sizeof(ssn));
3130 
3131  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3132  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3133 
3134  FLOW_INITIALIZE(&f);
3135  f.protoctx = (void *)&ssn;
3136  f.proto = IPPROTO_TCP;
3137  f.flags |= FLOW_IPV4;
3138 
3139  p1->flow = &f;
3140  p1->flowflags |= FLOW_PKT_TOSERVER;
3141  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3142  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3143  p2->flow = &f;
3144  p2->flowflags |= FLOW_PKT_TOSERVER;
3145  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3146  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3147  f.alproto = ALPROTO_HTTP1;
3148 
3149  StreamTcpInitConfig(true);
3150 
3151  de_ctx = DetectEngineCtxInit();
3152  if (de_ctx == NULL)
3153  goto end;
3154 
3155  de_ctx->flags |= DE_QUIET;
3156 
3157  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3158  "(msg:\"http client body test\"; "
3159  "pcre:/body1/H; "
3160  "content:!\"dummy\"; distance:3; http_header; "
3161  "sid:1;)");
3162  if (de_ctx->sig_list == NULL)
3163  goto end;
3164 
3165  SigGroupBuild(de_ctx);
3166  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3167 
3168  int r = AppLayerParserParse(
3169  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3170  if (r != 0) {
3171  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3172  result = 0;
3173  goto end;
3174  }
3175 
3176  http_state = f.alstate;
3177  if (http_state == NULL) {
3178  printf("no http state: \n");
3179  result = 0;
3180  goto end;
3181  }
3182 
3183  /* do detect */
3184  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3185 
3186  if (PacketAlertCheck(p1, 1)) {
3187  printf("sid 1 matched but shouldn't have\n");
3188  goto end;
3189  }
3190 
3191  r = AppLayerParserParse(
3192  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3193  if (r != 0) {
3194  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3195  result = 0;
3196  goto end;
3197  }
3198 
3199  /* do detect */
3200  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3201 
3202  if (PacketAlertCheck(p2, 1)) {
3203  printf("sid 1 matched but shouldn't have");
3204  goto end;
3205  }
3206 
3207  result = 1;
3208 
3209 end:
3210  if (alp_tctx != NULL)
3211  AppLayerParserThreadCtxFree(alp_tctx);
3212  if (det_ctx != NULL) {
3213  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3214  }
3215  if (de_ctx != NULL)
3216  DetectEngineCtxFree(de_ctx);
3217 
3218  StreamTcpFreeConfig(true);
3219  FLOW_DESTROY(&f);
3220  UTHFreePackets(&p1, 1);
3221  UTHFreePackets(&p2, 1);
3222  StatsThreadCleanup(&th_v.stats);
3223  return result;
3224 }
3225 
3226 static int DetectEngineHttpHeaderTest23(void)
3227 {
3228  TcpSession ssn;
3229  Packet *p1 = NULL;
3230  Packet *p2 = NULL;
3231  ThreadVars th_v;
3232  DetectEngineCtx *de_ctx = NULL;
3233  DetectEngineThreadCtx *det_ctx = NULL;
3234  HtpState *http_state = NULL;
3235  Flow f;
3236  uint8_t http1_buf[] =
3237  "GET /index.html HTTP/1.0\r\n"
3238  "Host: This_is_dummy_body1";
3239  uint8_t http2_buf[] =
3240  "This_is_dummy_message_body2\r\n"
3241  "\r\n";
3242  uint32_t http1_len = sizeof(http1_buf) - 1;
3243  uint32_t http2_len = sizeof(http2_buf) - 1;
3244  int result = 0;
3245  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3246 
3247  memset(&th_v, 0, sizeof(th_v));
3248  StatsThreadInit(&th_v.stats);
3249  memset(&f, 0, sizeof(f));
3250  memset(&ssn, 0, sizeof(ssn));
3251 
3252  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3253  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3254 
3255  FLOW_INITIALIZE(&f);
3256  f.protoctx = (void *)&ssn;
3257  f.proto = IPPROTO_TCP;
3258  f.flags |= FLOW_IPV4;
3259 
3260  p1->flow = &f;
3261  p1->flowflags |= FLOW_PKT_TOSERVER;
3262  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3263  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3264  p2->flow = &f;
3265  p2->flowflags |= FLOW_PKT_TOSERVER;
3266  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3267  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3268  f.alproto = ALPROTO_HTTP1;
3269 
3270  StreamTcpInitConfig(true);
3271 
3272  de_ctx = DetectEngineCtxInit();
3273  if (de_ctx == NULL)
3274  goto end;
3275 
3276  de_ctx->flags |= DE_QUIET;
3277 
3278  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3279  "(msg:\"http client body test\"; "
3280  "pcre:/body1/H; "
3281  "content:!\"dummy\"; distance:13; http_header; "
3282  "sid:1;)");
3283  if (de_ctx->sig_list == NULL)
3284  goto end;
3285 
3286  SigGroupBuild(de_ctx);
3287  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3288 
3289  int r = AppLayerParserParse(
3290  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3291  if (r != 0) {
3292  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3293  result = 0;
3294  goto end;
3295  }
3296 
3297  http_state = f.alstate;
3298  if (http_state == NULL) {
3299  printf("no http state: \n");
3300  result = 0;
3301  goto end;
3302  }
3303 
3304  /* do detect */
3305  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3306 
3307  if (PacketAlertCheck(p1, 1)) {
3308  printf("sid 1 matched but shouldn't have\n");
3309  goto end;
3310  }
3311 
3312  r = AppLayerParserParse(
3313  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3314  if (r != 0) {
3315  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3316  result = 0;
3317  goto end;
3318  }
3319 
3320  /* do detect */
3321  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3322 
3323  if (!PacketAlertCheck(p2, 1)) {
3324  printf("sid 1 didn't match but should have");
3325  goto end;
3326  }
3327 
3328  result = 1;
3329 
3330 end:
3331  if (alp_tctx != NULL)
3332  AppLayerParserThreadCtxFree(alp_tctx);
3333  if (det_ctx != NULL) {
3334  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3335  }
3336  if (de_ctx != NULL)
3337  DetectEngineCtxFree(de_ctx);
3338 
3339  StreamTcpFreeConfig(true);
3340  FLOW_DESTROY(&f);
3341  UTHFreePackets(&p1, 1);
3342  UTHFreePackets(&p2, 1);
3343  StatsThreadCleanup(&th_v.stats);
3344  return result;
3345 }
3346 
3347 static int DetectEngineHttpHeaderTest24(void)
3348 {
3349  TcpSession ssn;
3350  Packet *p1 = NULL;
3351  Packet *p2 = NULL;
3352  ThreadVars th_v;
3353  DetectEngineCtx *de_ctx = NULL;
3354  DetectEngineThreadCtx *det_ctx = NULL;
3355  HtpState *http_state = NULL;
3356  Flow f;
3357  uint8_t http1_buf[] =
3358  "GET /index.html HTTP/1.0\r\n"
3359  "Host: This_is_dummy_body1";
3360  uint8_t http2_buf[] =
3361  "This_is_dummy_message_body2\r\n"
3362  "\r\n";
3363  uint32_t http1_len = sizeof(http1_buf) - 1;
3364  uint32_t http2_len = sizeof(http2_buf) - 1;
3365  int result = 0;
3366  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3367 
3368  memset(&th_v, 0, sizeof(th_v));
3369  StatsThreadInit(&th_v.stats);
3370  memset(&f, 0, sizeof(f));
3371  memset(&ssn, 0, sizeof(ssn));
3372 
3373  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3374  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3375 
3376  FLOW_INITIALIZE(&f);
3377  f.protoctx = (void *)&ssn;
3378  f.proto = IPPROTO_TCP;
3379  f.flags |= FLOW_IPV4;
3380 
3381  p1->flow = &f;
3382  p1->flowflags |= FLOW_PKT_TOSERVER;
3383  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3384  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3385  p2->flow = &f;
3386  p2->flowflags |= FLOW_PKT_TOSERVER;
3387  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3388  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3389  f.alproto = ALPROTO_HTTP1;
3390 
3391  StreamTcpInitConfig(true);
3392 
3393  de_ctx = DetectEngineCtxInit();
3394  if (de_ctx == NULL)
3395  goto end;
3396 
3397  de_ctx->flags |= DE_QUIET;
3398 
3399  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3400  "(msg:\"http client body test\"; "
3401  "pcre:/body1/H; "
3402  "content:\"dummy\"; within:15; http_header; "
3403  "sid:1;)");
3404  if (de_ctx->sig_list == NULL)
3405  goto end;
3406 
3407  SigGroupBuild(de_ctx);
3408  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3409 
3410  int r = AppLayerParserParse(
3411  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3412  if (r != 0) {
3413  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3414  result = 0;
3415  goto end;
3416  }
3417 
3418  http_state = f.alstate;
3419  if (http_state == NULL) {
3420  printf("no http state: \n");
3421  result = 0;
3422  goto end;
3423  }
3424 
3425  /* do detect */
3426  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3427 
3428  if (PacketAlertCheck(p1, 1)) {
3429  printf("sid 1 matched but shouldn't have\n");
3430  goto end;
3431  }
3432 
3433  r = AppLayerParserParse(
3434  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3435  if (r != 0) {
3436  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3437  result = 0;
3438  goto end;
3439  }
3440 
3441  /* do detect */
3442  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3443 
3444  if (!PacketAlertCheck(p2, 1)) {
3445  printf("sid 1 didn't match but should have");
3446  goto end;
3447  }
3448 
3449  result = 1;
3450 
3451 end:
3452  if (alp_tctx != NULL)
3453  AppLayerParserThreadCtxFree(alp_tctx);
3454  if (det_ctx != NULL) {
3455  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3456  }
3457  if (de_ctx != NULL)
3458  DetectEngineCtxFree(de_ctx);
3459 
3460  StreamTcpFreeConfig(true);
3461  FLOW_DESTROY(&f);
3462  UTHFreePackets(&p1, 1);
3463  UTHFreePackets(&p2, 1);
3464  StatsThreadCleanup(&th_v.stats);
3465  return result;
3466 }
3467 
3468 static int DetectEngineHttpHeaderTest25(void)
3469 {
3470  TcpSession ssn;
3471  Packet *p1 = NULL;
3472  Packet *p2 = NULL;
3473  ThreadVars th_v;
3474  DetectEngineCtx *de_ctx = NULL;
3475  DetectEngineThreadCtx *det_ctx = NULL;
3476  HtpState *http_state = NULL;
3477  Flow f;
3478  uint8_t http1_buf[] =
3479  "GET /index.html HTTP/1.0\r\n"
3480  "Host: This_is_dummy_body1";
3481  uint8_t http2_buf[] =
3482  "This_is_dummy_message_body2\r\n"
3483  "\r\n";
3484  uint32_t http1_len = sizeof(http1_buf) - 1;
3485  uint32_t http2_len = sizeof(http2_buf) - 1;
3486  int result = 0;
3487  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3488 
3489  memset(&th_v, 0, sizeof(th_v));
3490  StatsThreadInit(&th_v.stats);
3491  memset(&f, 0, sizeof(f));
3492  memset(&ssn, 0, sizeof(ssn));
3493 
3494  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3495  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3496 
3497  FLOW_INITIALIZE(&f);
3498  f.protoctx = (void *)&ssn;
3499  f.proto = IPPROTO_TCP;
3500  f.flags |= FLOW_IPV4;
3501 
3502  p1->flow = &f;
3503  p1->flowflags |= FLOW_PKT_TOSERVER;
3504  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3505  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3506  p2->flow = &f;
3507  p2->flowflags |= FLOW_PKT_TOSERVER;
3508  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3509  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3510  f.alproto = ALPROTO_HTTP1;
3511 
3512  StreamTcpInitConfig(true);
3513 
3514  de_ctx = DetectEngineCtxInit();
3515  if (de_ctx == NULL)
3516  goto end;
3517 
3518  de_ctx->flags |= DE_QUIET;
3519 
3520  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3521  "(msg:\"http client body test\"; "
3522  "pcre:/body1/H; "
3523  "content:\"dummy\"; within:10; http_header; "
3524  "sid:1;)");
3525  if (de_ctx->sig_list == NULL)
3526  goto end;
3527 
3528  SigGroupBuild(de_ctx);
3529  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3530 
3531  int r = AppLayerParserParse(
3532  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3533  if (r != 0) {
3534  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3535  result = 0;
3536  goto end;
3537  }
3538 
3539  http_state = f.alstate;
3540  if (http_state == NULL) {
3541  printf("no http state: \n");
3542  result = 0;
3543  goto end;
3544  }
3545 
3546  /* do detect */
3547  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3548 
3549  if (PacketAlertCheck(p1, 1)) {
3550  printf("sid 1 matched but shouldn't have\n");
3551  goto end;
3552  }
3553 
3554  r = AppLayerParserParse(
3555  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3556  if (r != 0) {
3557  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3558  result = 0;
3559  goto end;
3560  }
3561 
3562  /* do detect */
3563  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3564 
3565  if (PacketAlertCheck(p2, 1)) {
3566  printf("sid 1 matched but shouldn't have");
3567  goto end;
3568  }
3569 
3570  result = 1;
3571 
3572 end:
3573  if (alp_tctx != NULL)
3574  AppLayerParserThreadCtxFree(alp_tctx);
3575  if (det_ctx != NULL) {
3576  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3577  }
3578  if (de_ctx != NULL)
3579  DetectEngineCtxFree(de_ctx);
3580 
3581  StreamTcpFreeConfig(true);
3582  FLOW_DESTROY(&f);
3583  UTHFreePackets(&p1, 1);
3584  UTHFreePackets(&p2, 1);
3585  StatsThreadCleanup(&th_v.stats);
3586  return result;
3587 }
3588 
3589 static int DetectEngineHttpHeaderTest26(void)
3590 {
3591  TcpSession ssn;
3592  Packet *p1 = NULL;
3593  Packet *p2 = NULL;
3594  ThreadVars th_v;
3595  DetectEngineCtx *de_ctx = NULL;
3596  DetectEngineThreadCtx *det_ctx = NULL;
3597  HtpState *http_state = NULL;
3598  Flow f;
3599  uint8_t http1_buf[] =
3600  "GET /index.html HTTP/1.0\r\n"
3601  "Host: This_is_dummy_body1";
3602  uint8_t http2_buf[] =
3603  "This_is_dummy_message_body2\r\n"
3604  "\r\n";
3605  uint32_t http1_len = sizeof(http1_buf) - 1;
3606  uint32_t http2_len = sizeof(http2_buf) - 1;
3607  int result = 0;
3608  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3609 
3610  memset(&th_v, 0, sizeof(th_v));
3611  StatsThreadInit(&th_v.stats);
3612  memset(&f, 0, sizeof(f));
3613  memset(&ssn, 0, sizeof(ssn));
3614 
3615  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3616  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3617 
3618  FLOW_INITIALIZE(&f);
3619  f.protoctx = (void *)&ssn;
3620  f.proto = IPPROTO_TCP;
3621  f.flags |= FLOW_IPV4;
3622 
3623  p1->flow = &f;
3624  p1->flowflags |= FLOW_PKT_TOSERVER;
3625  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3626  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3627  p2->flow = &f;
3628  p2->flowflags |= FLOW_PKT_TOSERVER;
3629  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3630  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3631  f.alproto = ALPROTO_HTTP1;
3632 
3633  StreamTcpInitConfig(true);
3634 
3635  de_ctx = DetectEngineCtxInit();
3636  if (de_ctx == NULL)
3637  goto end;
3638 
3639  de_ctx->flags |= DE_QUIET;
3640 
3641  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3642  "(msg:\"http client body test\"; "
3643  "pcre:/body1/H; "
3644  "content:\"dummy\"; distance:8; http_header; "
3645  "sid:1;)");
3646  if (de_ctx->sig_list == NULL)
3647  goto end;
3648 
3649  SigGroupBuild(de_ctx);
3650  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3651 
3652  int r = AppLayerParserParse(
3653  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3654  if (r != 0) {
3655  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3656  result = 0;
3657  goto end;
3658  }
3659 
3660  http_state = f.alstate;
3661  if (http_state == NULL) {
3662  printf("no http state: \n");
3663  result = 0;
3664  goto end;
3665  }
3666 
3667  /* do detect */
3668  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3669 
3670  if (PacketAlertCheck(p1, 1)) {
3671  printf("sid 1 matched but shouldn't have\n");
3672  goto end;
3673  }
3674 
3675  r = AppLayerParserParse(
3676  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3677  if (r != 0) {
3678  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3679  result = 0;
3680  goto end;
3681  }
3682 
3683  /* do detect */
3684  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3685 
3686  if (!PacketAlertCheck(p2, 1)) {
3687  printf("sid 1 didn't match but should have");
3688  goto end;
3689  }
3690 
3691  result = 1;
3692 
3693 end:
3694  if (alp_tctx != NULL)
3695  AppLayerParserThreadCtxFree(alp_tctx);
3696  if (det_ctx != NULL) {
3697  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3698  }
3699  if (de_ctx != NULL)
3700  DetectEngineCtxFree(de_ctx);
3701 
3702  StreamTcpFreeConfig(true);
3703  FLOW_DESTROY(&f);
3704  UTHFreePackets(&p1, 1);
3705  UTHFreePackets(&p2, 1);
3706  StatsThreadCleanup(&th_v.stats);
3707  return result;
3708 }
3709 
3710 static int DetectEngineHttpHeaderTest27(void)
3711 {
3712  TcpSession ssn;
3713  Packet *p1 = NULL;
3714  Packet *p2 = NULL;
3715  ThreadVars th_v;
3716  DetectEngineCtx *de_ctx = NULL;
3717  DetectEngineThreadCtx *det_ctx = NULL;
3718  HtpState *http_state = NULL;
3719  Flow f;
3720  uint8_t http1_buf[] =
3721  "GET /index.html HTTP/1.0\r\n"
3722  "Host: This_is_dummy_body1";
3723  uint8_t http2_buf[] =
3724  "This_is_dummy_message_body2\r\n"
3725  "\r\n";
3726  uint32_t http1_len = sizeof(http1_buf) - 1;
3727  uint32_t http2_len = sizeof(http2_buf) - 1;
3728  int result = 0;
3729  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3730 
3731  memset(&th_v, 0, sizeof(th_v));
3732  StatsThreadInit(&th_v.stats);
3733  memset(&f, 0, sizeof(f));
3734  memset(&ssn, 0, sizeof(ssn));
3735 
3736  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3737  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3738 
3739  FLOW_INITIALIZE(&f);
3740  f.protoctx = (void *)&ssn;
3741  f.proto = IPPROTO_TCP;
3742  f.flags |= FLOW_IPV4;
3743 
3744  p1->flow = &f;
3745  p1->flowflags |= FLOW_PKT_TOSERVER;
3746  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3747  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3748  p2->flow = &f;
3749  p2->flowflags |= FLOW_PKT_TOSERVER;
3750  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3751  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3752  f.alproto = ALPROTO_HTTP1;
3753 
3754  StreamTcpInitConfig(true);
3755 
3756  de_ctx = DetectEngineCtxInit();
3757  if (de_ctx == NULL)
3758  goto end;
3759 
3760  de_ctx->flags |= DE_QUIET;
3761 
3762  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3763  "(msg:\"http client body test\"; "
3764  "pcre:/body1/H; "
3765  "content:\"dummy\"; distance:14; http_header; "
3766  "sid:1;)");
3767  if (de_ctx->sig_list == NULL)
3768  goto end;
3769 
3770  SigGroupBuild(de_ctx);
3771  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3772 
3773  int r = AppLayerParserParse(
3774  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3775  if (r != 0) {
3776  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3777  result = 0;
3778  goto end;
3779  }
3780 
3781  http_state = f.alstate;
3782  if (http_state == NULL) {
3783  printf("no http state: \n");
3784  result = 0;
3785  goto end;
3786  }
3787 
3788  /* do detect */
3789  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3790 
3791  if (PacketAlertCheck(p1, 1)) {
3792  printf("sid 1 matched but shouldn't have\n");
3793  goto end;
3794  }
3795 
3796  r = AppLayerParserParse(
3797  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3798  if (r != 0) {
3799  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3800  result = 0;
3801  goto end;
3802  }
3803 
3804  /* do detect */
3805  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3806 
3807  if (PacketAlertCheck(p2, 1)) {
3808  printf("sid 1 matched but shouldn't have");
3809  goto end;
3810  }
3811 
3812  result = 1;
3813 
3814 end:
3815  if (alp_tctx != NULL)
3816  AppLayerParserThreadCtxFree(alp_tctx);
3817  if (det_ctx != NULL) {
3818  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3819  }
3820  if (de_ctx != NULL)
3821  DetectEngineCtxFree(de_ctx);
3822 
3823  StreamTcpFreeConfig(true);
3824  FLOW_DESTROY(&f);
3825  UTHFreePackets(&p1, 1);
3826  UTHFreePackets(&p2, 1);
3827  StatsThreadCleanup(&th_v.stats);
3828  return result;
3829 }
3830 
3831 static int DetectEngineHttpHeaderTest28(void)
3832 {
3833  TcpSession ssn;
3834  Packet *p1 = NULL;
3835  Packet *p2 = NULL;
3836  ThreadVars th_v;
3837  DetectEngineCtx *de_ctx = NULL;
3838  DetectEngineThreadCtx *det_ctx = NULL;
3839  HtpState *http_state = NULL;
3840  Flow f;
3841  uint8_t http_buf1[] =
3842  "GET /index.html HTTP/1.0\r\n"
3843  "Host: www.openinfosecfoundation.org\r\n"
3844  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3845  "\r\n";
3846  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
3847  uint8_t http_buf2[] =
3848  "HTTP/1.0 200 ok\r\n"
3849  "Content-Type: text/html\r\n"
3850  "Content-Length: 6\r\n"
3851  "\r\n"
3852  "abcdef";
3853  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
3854  int result = 0;
3855  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3856 
3857  memset(&th_v, 0, sizeof(th_v));
3858  StatsThreadInit(&th_v.stats);
3859  memset(&f, 0, sizeof(f));
3860  memset(&ssn, 0, sizeof(ssn));
3861 
3862  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3863  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3864 
3865  FLOW_INITIALIZE(&f);
3866  f.protoctx = (void *)&ssn;
3867  f.proto = IPPROTO_TCP;
3868  f.flags |= FLOW_IPV4;
3869 
3870  p1->flow = &f;
3871  p1->flowflags |= FLOW_PKT_TOSERVER;
3872  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3873  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3874  p2->flow = &f;
3875  p2->flowflags |= FLOW_PKT_TOCLIENT;
3876  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3877  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3878  f.alproto = ALPROTO_HTTP1;
3879 
3880  StreamTcpInitConfig(true);
3881 
3882  de_ctx = DetectEngineCtxInit();
3883  if (de_ctx == NULL)
3884  goto end;
3885 
3886  de_ctx->flags |= DE_QUIET;
3887 
3888  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3889  "(msg:\"http header test\"; "
3890  "content:\"Content-Length: 6\"; http_header; "
3891  "sid:1;)");
3892  if (de_ctx->sig_list == NULL)
3893  goto end;
3894 
3895  SigGroupBuild(de_ctx);
3896  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3897 
3898  int r = AppLayerParserParse(
3899  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
3900  if (r != 0) {
3901  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3902  result = 0;
3903  goto end;
3904  }
3905 
3906  http_state = f.alstate;
3907  if (http_state == NULL) {
3908  printf("no http state: \n");
3909  result = 0;
3910  goto end;
3911  }
3912 
3913  /* do detect */
3914  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3915 
3916  if (PacketAlertCheck(p1, 1)) {
3917  printf("sid 1 matched but shouldn't have\n");
3918  goto end;
3919  }
3920 
3921  r = AppLayerParserParse(
3922  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
3923  if (r != 0) {
3924  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3925  result = 0;
3926  goto end;
3927  }
3928 
3929  /* do detect */
3930  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3931 
3932  FAIL_IF(!PacketAlertCheck(p2, 1));
3933 
3934  result = 1;
3935 
3936 end:
3937  if (alp_tctx != NULL)
3938  AppLayerParserThreadCtxFree(alp_tctx);
3939  if (det_ctx != NULL) {
3940  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3941  }
3942  if (de_ctx != NULL)
3943  DetectEngineCtxFree(de_ctx);
3944 
3945  StreamTcpFreeConfig(true);
3946  FLOW_DESTROY(&f);
3947  UTHFreePackets(&p1, 1);
3948  UTHFreePackets(&p2, 1);
3949  StatsThreadCleanup(&th_v.stats);
3950  return result;
3951 }
3952 
3953 static int DetectEngineHttpHeaderTest29(void)
3954 {
3955  TcpSession ssn;
3956  Packet *p1 = NULL;
3957  Packet *p2 = NULL;
3958  ThreadVars th_v;
3959  DetectEngineCtx *de_ctx = NULL;
3960  DetectEngineThreadCtx *det_ctx = NULL;
3961  HtpState *http_state = NULL;
3962  Flow f;
3963  uint8_t http_buf1[] =
3964  "GET /index.html HTTP/1.0\r\n"
3965  "Host: www.openinfosecfoundation.org\r\n"
3966  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3967  "\r\n";
3968  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
3969  uint8_t http_buf2[] =
3970  "HTTP/1.0 200 ok\r\n"
3971  "Content-Type: text/html\r\n"
3972  "Content-Length: 6\r\n"
3973  "\r\n"
3974  "abcdef";
3975  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
3976  int result = 0;
3977  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3978 
3979  memset(&th_v, 0, sizeof(th_v));
3980  StatsThreadInit(&th_v.stats);
3981  memset(&f, 0, sizeof(f));
3982  memset(&ssn, 0, sizeof(ssn));
3983 
3984  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3985  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3986 
3987  FLOW_INITIALIZE(&f);
3988  f.protoctx = (void *)&ssn;
3989  f.proto = IPPROTO_TCP;
3990  f.flags |= FLOW_IPV4;
3991 
3992  p1->flow = &f;
3993  p1->flowflags |= FLOW_PKT_TOSERVER;
3994  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3995  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3996  p2->flow = &f;
3997  p2->flowflags |= FLOW_PKT_TOCLIENT;
3998  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3999  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4000  f.alproto = ALPROTO_HTTP1;
4001 
4002  StreamTcpInitConfig(true);
4003 
4004  de_ctx = DetectEngineCtxInit();
4005  if (de_ctx == NULL)
4006  goto end;
4007 
4008  de_ctx->flags |= DE_QUIET;
4009 
4010  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4011  "(msg:\"http header test\"; "
4012  "content:\"Content-Length: 7\"; http_header; "
4013  "sid:1;)");
4014  if (de_ctx->sig_list == NULL)
4015  goto end;
4016 
4017  SigGroupBuild(de_ctx);
4018  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4019 
4020  int r = AppLayerParserParse(
4021  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4022  if (r != 0) {
4023  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4024  result = 0;
4025  goto end;
4026  }
4027 
4028  http_state = f.alstate;
4029  if (http_state == NULL) {
4030  printf("no http state: \n");
4031  result = 0;
4032  goto end;
4033  }
4034 
4035  /* do detect */
4036  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4037 
4038  if (PacketAlertCheck(p1, 1)) {
4039  printf("sid 1 matched but shouldn't have\n");
4040  goto end;
4041  }
4042 
4043  r = AppLayerParserParse(
4044  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
4045  if (r != 0) {
4046  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4047  result = 0;
4048  goto end;
4049  }
4050 
4051  /* do detect */
4052  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4053 
4054  if (PacketAlertCheck(p2, 1)) {
4055  printf("sid 1 matched but shouldn't have");
4056  goto end;
4057  }
4058 
4059  result = 1;
4060 
4061 end:
4062  if (alp_tctx != NULL)
4063  AppLayerParserThreadCtxFree(alp_tctx);
4064  if (det_ctx != NULL) {
4065  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4066  }
4067  if (de_ctx != NULL)
4068  DetectEngineCtxFree(de_ctx);
4069 
4070  StreamTcpFreeConfig(true);
4071  FLOW_DESTROY(&f);
4072  UTHFreePackets(&p1, 1);
4073  UTHFreePackets(&p2, 1);
4074  StatsThreadCleanup(&th_v.stats);
4075  return result;
4076 }
4077 
4078 #if 0
4079 
4080 static int DetectEngineHttpHeaderTest30(void)
4081 {
4082  int result = 0;
4083  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4084 
4085  if (de_ctx == NULL) {
4086  goto end;
4087  }
4088 
4089  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4090  "(msg:\"http header test\"; "
4091  "content:\"Content-Length: 6\"; http_header; "
4092  "content:\"User-Agent: Mozilla\"; http_header; "
4093  "sid:1;)");
4094  if (de_ctx->sig_list != NULL) {
4095  goto end;
4096  }
4097 
4098  result = 1;
4099 
4100  end:
4101  if (de_ctx != NULL)
4102  DetectEngineCtxFree(de_ctx);
4103  return result;
4104 }
4105 
4106 #endif /* #if 0 */
4107 
4108 static int DetectEngineHttpHeaderTest30(void)
4109 {
4110  TcpSession ssn;
4111  Packet *p1 = NULL;
4112  Packet *p2 = NULL;
4113  ThreadVars th_v;
4114  DetectEngineCtx *de_ctx = NULL;
4115  DetectEngineThreadCtx *det_ctx = NULL;
4116  HtpState *http_state = NULL;
4117  Flow f;
4118  uint8_t http_buf1[] =
4119  "GET /index.html HTTP/1.0\r\n"
4120  "Host: www.openinfosecfoundation.org\r\n"
4121  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4122  "\r\n";
4123  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4124  uint8_t http_buf2[] =
4125  "HTTP/1.0 200 ok\r\n"
4126  "Set-Cookie: dummycookieset\r\n"
4127  "Content-Type: text/html\r\n"
4128  "Content-Length: 6\r\n"
4129  "\r\n"
4130  "abcdef";
4131  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
4132  int result = 0;
4133  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4134 
4135  memset(&th_v, 0, sizeof(th_v));
4136  StatsThreadInit(&th_v.stats);
4137  memset(&f, 0, sizeof(f));
4138  memset(&ssn, 0, sizeof(ssn));
4139 
4140  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4141  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4142 
4143  FLOW_INITIALIZE(&f);
4144  f.protoctx = (void *)&ssn;
4145  f.proto = IPPROTO_TCP;
4146  f.flags |= FLOW_IPV4;
4147 
4148  p1->flow = &f;
4149  p1->flowflags |= FLOW_PKT_TOSERVER;
4150  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4151  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4152  p2->flow = &f;
4153  p2->flowflags |= FLOW_PKT_TOCLIENT;
4154  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4155  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4156  f.alproto = ALPROTO_HTTP1;
4157 
4158  StreamTcpInitConfig(true);
4159 
4160  de_ctx = DetectEngineCtxInit();
4161  if (de_ctx == NULL)
4162  goto end;
4163 
4164  de_ctx->flags |= DE_QUIET;
4165 
4166  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4167  "(msg:\"http header test\"; "
4168  "content:\"dummycookieset\"; http_header; "
4169  "sid:1;)");
4170  if (de_ctx->sig_list == NULL)
4171  goto end;
4172 
4173  SigGroupBuild(de_ctx);
4174  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4175 
4176  int r = AppLayerParserParse(
4177  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4178  if (r != 0) {
4179  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4180  result = 0;
4181  goto end;
4182  }
4183 
4184  http_state = f.alstate;
4185  if (http_state == NULL) {
4186  printf("no http state: \n");
4187  result = 0;
4188  goto end;
4189  }
4190 
4191  /* do detect */
4192  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4193 
4194  if (PacketAlertCheck(p1, 1)) {
4195  printf("sid 1 matched but shouldn't have\n");
4196  goto end;
4197  }
4198 
4199  r = AppLayerParserParse(
4200  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
4201  if (r != 0) {
4202  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4203  result = 0;
4204  goto end;
4205  }
4206 
4207  /* do detect */
4208  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4209 
4210  if (PacketAlertCheck(p2, 1)) {
4211  printf("sid 1 matched but shouldn't have\n");
4212  goto end;
4213  }
4214 
4215  result = 1;
4216 
4217 end:
4218  if (alp_tctx != NULL)
4219  AppLayerParserThreadCtxFree(alp_tctx);
4220  if (det_ctx != NULL) {
4221  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4222  }
4223  if (de_ctx != NULL)
4224  DetectEngineCtxFree(de_ctx);
4225 
4226  StreamTcpFreeConfig(true);
4227  FLOW_DESTROY(&f);
4228  UTHFreePackets(&p1, 1);
4229  UTHFreePackets(&p2, 1);
4230  StatsThreadCleanup(&th_v.stats);
4231  return result;
4232 }
4233 
4234 /** \test reassembly bug where headers with names of length 6 were
4235  * skipped
4236  */
4237 static int DetectEngineHttpHeaderTest31(void)
4238 {
4239  TcpSession ssn;
4240  Packet *p1 = NULL;
4241  ThreadVars th_v;
4242  DetectEngineCtx *de_ctx = NULL;
4243  DetectEngineThreadCtx *det_ctx = NULL;
4244  HtpState *http_state = NULL;
4245  Flow f;
4246  uint8_t http1_buf[] =
4247  "GET /index.html HTTP/1.0\r\n"
4248  "Accept: blah\r\n"
4249  "Cookie: blah\r\n"
4250  "Crazy6: blah\r\n"
4251  "SixZix: blah\r\n\r\n";
4252  uint32_t http1_len = sizeof(http1_buf) - 1;
4253  int result = 0;
4254  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4255 
4256  memset(&th_v, 0, sizeof(th_v));
4257  StatsThreadInit(&th_v.stats);
4258  memset(&f, 0, sizeof(f));
4259  memset(&ssn, 0, sizeof(ssn));
4260 
4261  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4262 
4263  FLOW_INITIALIZE(&f);
4264  f.protoctx = (void *)&ssn;
4265  f.proto = IPPROTO_TCP;
4266  f.flags |= FLOW_IPV4;
4267 
4268  p1->flow = &f;
4269  p1->flowflags |= FLOW_PKT_TOSERVER;
4270  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4271  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4272  f.alproto = ALPROTO_HTTP1;
4273 
4274  StreamTcpInitConfig(true);
4275 
4276  de_ctx = DetectEngineCtxInit();
4277  if (de_ctx == NULL)
4278  goto end;
4279 
4280  de_ctx->flags |= DE_QUIET;
4281 
4282  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4283  "(content:\"Accept|3a|\"; http_header; "
4284  "content:!\"Cookie|3a|\"; http_header; "
4285  "content:\"Crazy6|3a|\"; http_header; "
4286  "content:\"SixZix|3a|\"; http_header; "
4287  "sid:1;)");
4288  if (de_ctx->sig_list == NULL)
4289  goto end;
4290 
4291  SigGroupBuild(de_ctx);
4292  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4293 
4294  int r = AppLayerParserParse(
4295  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4296  if (r != 0) {
4297  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4298  result = 0;
4299  goto end;
4300  }
4301 
4302  http_state = f.alstate;
4303  if (http_state == NULL) {
4304  printf("no http state: \n");
4305  result = 0;
4306  goto end;
4307  }
4308 
4309  /* do detect */
4310  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4311 
4312  if (!(PacketAlertCheck(p1, 1))) {
4313  printf("sid 1 didn't match but should have: ");
4314  goto end;
4315  }
4316 
4317  result = 1;
4318 
4319 end:
4320  if (alp_tctx != NULL)
4321  AppLayerParserThreadCtxFree(alp_tctx);
4322  if (det_ctx != NULL) {
4323  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4324  }
4325  if (de_ctx != NULL)
4326  DetectEngineCtxFree(de_ctx);
4327 
4328  StreamTcpFreeConfig(true);
4329  FLOW_DESTROY(&f);
4330  UTHFreePackets(&p1, 1);
4331  StatsThreadCleanup(&th_v.stats);
4332  return result;
4333 }
4334 
4335 /**
4336  * \test Trailing headers.
4337  */
4338 static int DetectEngineHttpHeaderTest32(void)
4339 {
4340  TcpSession ssn;
4341  Packet *p1 = NULL;
4342  ThreadVars th_v;
4343  DetectEngineCtx *de_ctx = NULL;
4344  DetectEngineThreadCtx *det_ctx = NULL;
4345  HtpState *http_state = NULL;
4346  Flow f;
4347  uint8_t http1_buf[] =
4348  "GET /index.html HTTP/1.0\r\n"
4349  "host: boom\r\n"
4350  "Transfer-Encoding: chunked\r\n"
4351  "\r\n"
4352  "13\r\n"
4353  "This is dummy body1\r\n"
4354  "0\r\n"
4355  "Dummy-Header: kaboom\r\n"
4356  "\r\n";
4357  uint32_t http1_len = sizeof(http1_buf) - 1;
4358  int result = 0;
4359  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4360 
4361  memset(&th_v, 0, sizeof(th_v));
4362  StatsThreadInit(&th_v.stats);
4363  memset(&f, 0, sizeof(f));
4364  memset(&ssn, 0, sizeof(ssn));
4365 
4366  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4367 
4368  FLOW_INITIALIZE(&f);
4369  f.protoctx = (void *)&ssn;
4370  f.proto = IPPROTO_TCP;
4371  f.flags |= FLOW_IPV4;
4372 
4373  p1->flow = &f;
4374  p1->flowflags |= FLOW_PKT_TOSERVER;
4375  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4376  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4377  f.alproto = ALPROTO_HTTP1;
4378 
4379  StreamTcpInitConfig(true);
4380 
4381  de_ctx = DetectEngineCtxInit();
4382  if (de_ctx == NULL)
4383  goto end;
4384 
4385  de_ctx->flags |= DE_QUIET;
4386 
4387  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4388  "(content:\"Dummy\"; http_header; "
4389  "sid:1;)");
4390  if (de_ctx->sig_list == NULL)
4391  goto end;
4392 
4393  SigGroupBuild(de_ctx);
4394  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4395 
4396  int r = AppLayerParserParse(
4397  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4398  if (r != 0) {
4399  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4400  result = 0;
4401  goto end;
4402  }
4403 
4404  http_state = f.alstate;
4405  if (http_state == NULL) {
4406  printf("no http state: \n");
4407  result = 0;
4408  goto end;
4409  }
4410 
4411  /* do detect */
4412  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4413 
4414  if (!(PacketAlertCheck(p1, 1))) {
4415  printf("sid 1 didn't match but should have: ");
4416  goto end;
4417  }
4418 
4419  result = 1;
4420 
4421 end:
4422  if (alp_tctx != NULL)
4423  AppLayerParserThreadCtxFree(alp_tctx);
4424  if (det_ctx != NULL) {
4425  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4426  }
4427  if (de_ctx != NULL)
4428  DetectEngineCtxFree(de_ctx);
4429 
4430  StreamTcpFreeConfig(true);
4431  FLOW_DESTROY(&f);
4432  UTHFreePackets(&p1, 1);
4433  StatsThreadCleanup(&th_v.stats);
4434  return result;
4435 }
4436 
4437 /**
4438  * \test Trailing headers.
4439  */
4440 static int DetectEngineHttpHeaderTest33(void)
4441 {
4442  TcpSession ssn;
4443  Packet *p1 = NULL;
4444  Packet *p2 = NULL;
4445  ThreadVars th_v;
4446  DetectEngineCtx *de_ctx = NULL;
4447  DetectEngineThreadCtx *det_ctx = NULL;
4448  HtpState *http_state = NULL;
4449  Flow f;
4450  uint8_t http1_buf[] =
4451  "GET /index.html HTTP/1.0\r\n"
4452  "host: boom\r\n"
4453  "Transfer-Encoding: chunked\r\n"
4454  "\r\n"
4455  "13\r\n"
4456  "This is dummy body1\r\n"
4457  "0\r\n";
4458  uint8_t http2_buf[] =
4459  "Dummy-Header: kaboom\r\n"
4460  "\r\n";
4461  uint32_t http1_len = sizeof(http1_buf) - 1;
4462  uint32_t http2_len = sizeof(http2_buf) - 1;
4463 
4464  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4465  FAIL_IF_NULL(alp_tctx);
4466 
4467  memset(&th_v, 0, sizeof(th_v));
4468  StatsThreadInit(&th_v.stats);
4469  memset(&f, 0, sizeof(f));
4470  memset(&ssn, 0, sizeof(ssn));
4471 
4472  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4473  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4474 
4475  FLOW_INITIALIZE(&f);
4476  f.protoctx = (void *)&ssn;
4477  f.proto = IPPROTO_TCP;
4478  f.flags |= FLOW_IPV4;
4479 
4480  p1->flow = &f;
4481  p1->flowflags |= FLOW_PKT_TOSERVER;
4482  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4483  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4484  p2->flow = &f;
4485  p2->flowflags |= FLOW_PKT_TOSERVER;
4486  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4487  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4488  f.alproto = ALPROTO_HTTP1;
4489 
4490  StreamTcpInitConfig(true);
4491 
4492  de_ctx = DetectEngineCtxInit();
4493  FAIL_IF(de_ctx == NULL);
4494  de_ctx->flags |= DE_QUIET;
4495 
4496  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4497  "(content:\"Dummy\"; http_header; "
4498  "sid:1;)");
4499  FAIL_IF(de_ctx->sig_list == NULL);
4500 
4501  SigGroupBuild(de_ctx);
4502  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4503 
4504  int r = AppLayerParserParse(
4505  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4506  FAIL_IF_NOT(r == 0);
4507 
4508  http_state = f.alstate;
4509  FAIL_IF(http_state == NULL);
4510 
4511  /* do detect */
4512  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4513 
4514  FAIL_IF(PacketAlertCheck(p1, 1));
4515 
4516  r = AppLayerParserParse(
4517  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4518  FAIL_IF_NOT(r == 0);
4519 
4520  /* do detect */
4521  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4522 
4523  FAIL_IF(!PacketAlertCheck(p2, 1));
4524 
4525  AppLayerParserThreadCtxFree(alp_tctx);
4526  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4527  DetectEngineCtxFree(de_ctx);
4528 
4529  StreamTcpFreeConfig(true);
4530  FLOW_DESTROY(&f);
4531  UTHFreePackets(&p1, 1);
4532  UTHFreePackets(&p2, 1);
4533  StatsThreadCleanup(&th_v.stats);
4534  PASS;
4535 }
4536 
4537 /**
4538  * \test Trailing headers.
4539  */
4540 static int DetectEngineHttpHeaderTest34(void)
4541 {
4542  TcpSession ssn;
4543  ThreadVars th_v;
4544  DetectEngineCtx *de_ctx = NULL;
4545  DetectEngineThreadCtx *det_ctx = NULL;
4546  HtpState *http_state = NULL;
4547  Flow f;
4548  uint8_t http1_buf[] =
4549  "GET /index.html HTTP/1.0\r\n"
4550  "host: boom\r\n"
4551  "Dummy-Header1: blah\r\n"
4552  "Transfer-Encoding: chunked\r\n"
4553  "\r\n";
4554  uint8_t http2_buf[] =
4555  "13\r\n"
4556  "This is dummy body1\r\n"
4557  "0\r\n";
4558  uint8_t http3_buf[] =
4559  "Dummy-Header2: kaboom\r\n"
4560  "\r\n";
4561  uint32_t http1_len = sizeof(http1_buf) - 1;
4562  uint32_t http2_len = sizeof(http2_buf) - 1;
4563  uint32_t http3_len = sizeof(http3_buf) - 1;
4564 
4565  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4566  FAIL_IF_NULL(alp_tctx);
4567 
4568  memset(&th_v, 0, sizeof(th_v));
4569  StatsThreadInit(&th_v.stats);
4570  memset(&f, 0, sizeof(f));
4571  memset(&ssn, 0, sizeof(ssn));
4572 
4573  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4574  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4575  Packet *p3 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4576 
4577  FLOW_INITIALIZE(&f);
4578  f.protoctx = (void *)&ssn;
4579  f.proto = IPPROTO_TCP;
4580  f.flags |= FLOW_IPV4;
4581 
4582  p1->flow = &f;
4583  p1->flowflags |= FLOW_PKT_TOSERVER;
4584  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4585  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4586  p1->pcap_cnt = 1;
4587  p2->flow = &f;
4588  p2->flowflags |= FLOW_PKT_TOSERVER;
4589  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4590  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4591  p2->pcap_cnt = 2;
4592  p3->flow = &f;
4593  p3->flowflags |= FLOW_PKT_TOSERVER;
4594  p3->flowflags |= FLOW_PKT_ESTABLISHED;
4595  p3->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4596  p3->pcap_cnt = 3;
4597  f.alproto = ALPROTO_HTTP1;
4598 
4599  StreamTcpInitConfig(true);
4600 
4601  de_ctx = DetectEngineCtxInit();
4602  FAIL_IF(de_ctx == NULL);
4603  de_ctx->flags |= DE_QUIET;
4604 
4605  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4606  "(content:\"Dummy\"; http_header; content:\"Header2\"; http_header; within:8; "
4607  "sid:1;)");
4608  FAIL_IF(de_ctx->sig_list == NULL);
4609 
4610  SigGroupBuild(de_ctx);
4611  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4612 
4613  int r = AppLayerParserParse(
4614  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4615  FAIL_IF_NOT(r == 0);
4616 
4617  http_state = f.alstate;
4618  FAIL_IF(http_state == NULL);
4619 
4620  /* do detect */
4621  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4622  FAIL_IF(PacketAlertCheck(p1, 1));
4623 
4624  r = AppLayerParserParse(
4625  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4626  FAIL_IF_NOT(r == 0);
4627 
4628  /* do detect */
4629  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4630  FAIL_IF(PacketAlertCheck(p2, 1));
4631 
4632  r = AppLayerParserParse(
4633  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http3_buf, http3_len);
4634  FAIL_IF_NOT(r == 0);
4635 
4636  /* do detect */
4637  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4638  FAIL_IF(!PacketAlertCheck(p3, 1)); /* should match in trailer */
4639 
4640  AppLayerParserThreadCtxFree(alp_tctx);
4641  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4642  DetectEngineCtxFree(de_ctx);
4643 
4644  StreamTcpFreeConfig(true);
4645  FLOW_DESTROY(&f);
4646  UTHFreePackets(&p1, 1);
4647  UTHFreePackets(&p2, 1);
4648  UTHFreePackets(&p3, 1);
4649  StatsThreadCleanup(&th_v.stats);
4650  PASS;
4651 }
4652 
4653 /**
4654  * \test Trailing headers.
4655  */
4656 static int DetectEngineHttpHeaderTest35(void)
4657 {
4658  TcpSession ssn;
4659  ThreadVars th_v;
4660  DetectEngineCtx *de_ctx = NULL;
4661  DetectEngineThreadCtx *det_ctx = NULL;
4662  HtpState *http_state = NULL;
4663  Flow f;
4664  uint8_t http1_buf[] =
4665  "GET /index.html HTTP/1.0\r\n"
4666  "host: boom\r\n"
4667  "Dummy-Header1: blah\r\n"
4668  "Transfer-Encoding: chunked\r\n"
4669  "\r\n";
4670  uint8_t http2_buf[] =
4671  "13\r\n"
4672  "This is dummy body1\r\n"
4673  "0\r\n";
4674  uint8_t http3_buf[] =
4675  "Dummy-Header2: kaboom\r\n"
4676  "\r\n";
4677  uint32_t http1_len = sizeof(http1_buf) - 1;
4678  uint32_t http2_len = sizeof(http2_buf) - 1;
4679  uint32_t http3_len = sizeof(http3_buf) - 1;
4680 
4681  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4682  FAIL_IF_NULL(alp_tctx);
4683 
4684  memset(&th_v, 0, sizeof(th_v));
4685  StatsThreadInit(&th_v.stats);
4686  memset(&f, 0, sizeof(f));
4687  memset(&ssn, 0, sizeof(ssn));
4688 
4689  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4690  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4691  Packet *p3 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4692 
4693  FLOW_INITIALIZE(&f);
4694  f.protoctx = (void *)&ssn;
4695  f.proto = IPPROTO_TCP;
4696  f.flags |= FLOW_IPV4;
4697 
4698  p1->flow = &f;
4699  p1->flowflags |= FLOW_PKT_TOSERVER;
4700  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4701  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4702  p1->pcap_cnt = 1;
4703  p2->flow = &f;
4704  p2->flowflags |= FLOW_PKT_TOSERVER;
4705  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4706  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4707  p2->pcap_cnt = 2;
4708  p3->flow = &f;
4709  p3->flowflags |= FLOW_PKT_TOSERVER;
4710  p3->flowflags |= FLOW_PKT_ESTABLISHED;
4711  p3->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4712  p3->pcap_cnt = 3;
4713  f.alproto = ALPROTO_HTTP1;
4714 
4715  StreamTcpInitConfig(true);
4716 
4717  de_ctx = DetectEngineCtxInit();
4718  FAIL_IF(de_ctx == NULL);
4719  de_ctx->flags |= DE_QUIET;
4720 
4721  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4722  "(content:\"Dummy\"; http_header; fast_pattern; content:\"Header2\"; http_header; within:8; "
4723  "sid:1;)");
4724  FAIL_IF(de_ctx->sig_list == NULL);
4725 
4726  SigGroupBuild(de_ctx);
4727  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4728 
4729  int r = AppLayerParserParse(
4730  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4731  FAIL_IF_NOT(r == 0);
4732 
4733  http_state = f.alstate;
4734  FAIL_IF(http_state == NULL);
4735 
4736  /* do detect */
4737  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4738  FAIL_IF(PacketAlertCheck(p1, 1));
4739 
4740  r = AppLayerParserParse(
4741  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4742  FAIL_IF_NOT(r == 0);
4743 
4744  /* do detect */
4745  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4746  FAIL_IF(PacketAlertCheck(p2, 1));
4747 
4748  r = AppLayerParserParse(
4749  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http3_buf, http3_len);
4750  FAIL_IF_NOT(r == 0);
4751 
4752  /* do detect */
4753  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4754  FAIL_IF(!PacketAlertCheck(p3, 1)); /* should match in trailer */
4755 
4756  AppLayerParserThreadCtxFree(alp_tctx);
4757  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4758  DetectEngineCtxFree(de_ctx);
4759 
4760  StreamTcpFreeConfig(true);
4761  FLOW_DESTROY(&f);
4762  UTHFreePackets(&p1, 1);
4763  UTHFreePackets(&p2, 1);
4764  UTHFreePackets(&p3, 1);
4765  StatsThreadCleanup(&th_v.stats);
4766  PASS;
4767 }
4768 
4769 void DetectHttpHeaderRegisterTests(void)
4770 {
4771  UtRegisterTest("DetectHttpHeaderParserTest01", DetectHttpHeaderParserTest01);
4772  UtRegisterTest("DetectHttpHeaderParserTest02", DetectHttpHeaderParserTest02);
4773 
4774  UtRegisterTest("DetectHttpHeaderTest06", DetectHttpHeaderTest06);
4775  UtRegisterTest("DetectHttpHeaderTest07", DetectHttpHeaderTest07);
4776  UtRegisterTest("DetectHttpHeaderTest08", DetectHttpHeaderTest08);
4777  UtRegisterTest("DetectHttpHeaderTest09", DetectHttpHeaderTest09);
4778  UtRegisterTest("DetectHttpHeaderTest10", DetectHttpHeaderTest10);
4779  UtRegisterTest("DetectHttpHeaderTest11", DetectHttpHeaderTest11);
4780  UtRegisterTest("DetectHttpHeaderTest12", DetectHttpHeaderTest12);
4781  UtRegisterTest("DetectHttpHeaderTest13", DetectHttpHeaderTest13);
4782  UtRegisterTest("DetectHttpHeaderTest28", DetectHttpHeaderTest28);
4783  UtRegisterTest("DetectHttpHeaderTest29", DetectHttpHeaderTest29);
4784  UtRegisterTest("DetectHttpHeaderTest30", DetectHttpHeaderTest30);
4785 
4786  UtRegisterTest("DetectHttpHeaderIsdataatParseTest",
4787  DetectHttpHeaderIsdataatParseTest);
4788 
4789  UtRegisterTest("DetectEngineHttpHeaderTest01",
4790  DetectEngineHttpHeaderTest01);
4791  UtRegisterTest("DetectEngineHttpHeaderTest02",
4792  DetectEngineHttpHeaderTest02);
4793  UtRegisterTest("DetectEngineHttpHeaderTest03",
4794  DetectEngineHttpHeaderTest03);
4795  UtRegisterTest("DetectEngineHttpHeaderTest04",
4796  DetectEngineHttpHeaderTest04);
4797  UtRegisterTest("DetectEngineHttpHeaderTest05",
4798  DetectEngineHttpHeaderTest05);
4799  UtRegisterTest("DetectEngineHttpHeaderTest06",
4800  DetectEngineHttpHeaderTest06);
4801  UtRegisterTest("DetectEngineHttpHeaderTest07",
4802  DetectEngineHttpHeaderTest07);
4803  UtRegisterTest("DetectEngineHttpHeaderTest08",
4804  DetectEngineHttpHeaderTest08);
4805  UtRegisterTest("DetectEngineHttpHeaderTest09",
4806  DetectEngineHttpHeaderTest09);
4807  UtRegisterTest("DetectEngineHttpHeaderTest10",
4808  DetectEngineHttpHeaderTest10);
4809  UtRegisterTest("DetectEngineHttpHeaderTest11",
4810  DetectEngineHttpHeaderTest11);
4811  UtRegisterTest("DetectEngineHttpHeaderTest12",
4812  DetectEngineHttpHeaderTest12);
4813  UtRegisterTest("DetectEngineHttpHeaderTest13",
4814  DetectEngineHttpHeaderTest13);
4815  UtRegisterTest("DetectEngineHttpHeaderTest14",
4816  DetectEngineHttpHeaderTest14);
4817  UtRegisterTest("DetectEngineHttpHeaderTest15",
4818  DetectEngineHttpHeaderTest15);
4819  UtRegisterTest("DetectEngineHttpHeaderTest16",
4820  DetectEngineHttpHeaderTest16);
4821  UtRegisterTest("DetectEngineHttpHeaderTest17",
4822  DetectEngineHttpHeaderTest17);
4823  UtRegisterTest("DetectEngineHttpHeaderTest20",
4824  DetectEngineHttpHeaderTest20);
4825  UtRegisterTest("DetectEngineHttpHeaderTest21",
4826  DetectEngineHttpHeaderTest21);
4827  UtRegisterTest("DetectEngineHttpHeaderTest22",
4828  DetectEngineHttpHeaderTest22);
4829  UtRegisterTest("DetectEngineHttpHeaderTest23",
4830  DetectEngineHttpHeaderTest23);
4831  UtRegisterTest("DetectEngineHttpHeaderTest24",
4832  DetectEngineHttpHeaderTest24);
4833  UtRegisterTest("DetectEngineHttpHeaderTest25",
4834  DetectEngineHttpHeaderTest25);
4835  UtRegisterTest("DetectEngineHttpHeaderTest26",
4836  DetectEngineHttpHeaderTest26);
4837  UtRegisterTest("DetectEngineHttpHeaderTest27",
4838  DetectEngineHttpHeaderTest27);
4839  UtRegisterTest("DetectEngineHttpHeaderTest28",
4840  DetectEngineHttpHeaderTest28);
4841  UtRegisterTest("DetectEngineHttpHeaderTest29",
4842  DetectEngineHttpHeaderTest29);
4843  UtRegisterTest("DetectEngineHttpHeaderTest30",
4844  DetectEngineHttpHeaderTest30);
4845  UtRegisterTest("DetectEngineHttpHeaderTest31",
4846  DetectEngineHttpHeaderTest31);
4847 #if 0
4848  UtRegisterTest("DetectEngineHttpHeaderTest30",
4849  DetectEngineHttpHeaderTest30, 1);
4850 #endif
4851  UtRegisterTest("DetectEngineHttpHeaderTest32",
4852  DetectEngineHttpHeaderTest32);
4853  UtRegisterTest("DetectEngineHttpHeaderTest33 -- Trailer",
4854  DetectEngineHttpHeaderTest33);
4855  UtRegisterTest("DetectEngineHttpHeaderTest34 -- Trailer",
4856  DetectEngineHttpHeaderTest34);
4857  UtRegisterTest("DetectEngineHttpHeaderTest35 -- Trailer",
4858  DetectEngineHttpHeaderTest35);
4859 }
4860 
4861 /**
4862  * @}
4863  */
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition: util-unittest-helper.c:917
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:626
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2418
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3447
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
HtpState_
Definition: app-layer-htp.h:181
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:496
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectBufferGetLastSigMatch
SigMatch * DetectBufferGetLastSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine-buffer.c:167
DetectEngineThreadCtx_
Definition: detect.h:1245
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:936
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3105
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
Packet_
Definition: decode.h:501
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1258
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:867
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1277
SigMatch_::type
uint16_t type
Definition: detect.h:357
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3601
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:942
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:93
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:935
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1354
DetectHttpHeaderRegisterTests
void DetectHttpHeaderRegisterTests(void)
Definition: detect-http-header.c:4769
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456