suricata
detect-http-header.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29  *
30  * Implements support for http_header keyword.
31  */
32 
33 #include "../suricata-common.h"
34 #include "../flow.h"
35 #include "../flow-var.h"
36 #include "../flow-util.h"
37 
38 #include "../app-layer.h"
39 #include "../app-layer-parser.h"
40 
41 #include "../app-layer-htp.h"
42 #include "../detect-http-header.h"
43 #include "../detect-http-header-common.h"
44 #include "../detect-engine-build.h"
45 #include "../detect-engine-alert.h"
46 
47 #include "../detect-isdataat.h"
48 
49 #include "../stream-tcp.h"
50 
51 #include "../util-unittest.h"
52 #include "../util-unittest-helper.h"
53 
54 /**
55  * \test Test parser accepting valid rules and rejecting invalid rules
56  */
57 static int DetectHttpHeaderParserTest01(void)
58 {
59  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; http_header; sid:1;)", true));
60  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; nocase; http_header; sid:1;)", true));
61  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; endswith; http_header; sid:1;)", true));
62  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; startswith; http_header; sid:1;)", true));
63  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; startswith; endswith; http_header; sid:1;)", true));
64 
65  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; rawbytes; http_header; sid:1;)", false));
66  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (http_header; sid:1;)", false));
67  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (content:\"abc\"; http_header; sid:1;)", false));
68  PASS;
69 }
70 
71 /**
72  * \test Test parser accepting valid rules and rejecting invalid rules
73  */
74 static int DetectHttpHeaderParserTest02(void)
75 {
76  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; sid:1;)", true));
77  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; nocase; sid:1;)", true));
78  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; endswith; sid:1;)", true));
79  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; sid:1;)", true));
80  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; endswith; sid:1;)", true));
81  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; bsize:10; sid:1;)", true));
82 
83  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; rawbytes; sid:1;)", false));
84  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (http.header; sid:1;)", false));
85  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (http.header; content:\"abc\"; sid:1;)", false));
86  PASS;
87 }
88 
89 /**
90  *\test Test that the http_header content matches against a http request
91  * which holds the content.
92  */
93 static int DetectHttpHeaderTest06(void)
94 {
95  TcpSession ssn;
96  Packet *p = NULL;
97  ThreadVars th_v;
98  DetectEngineCtx *de_ctx = NULL;
99  DetectEngineThreadCtx *det_ctx = NULL;
100  HtpState *http_state = NULL;
101  Flow f;
102  uint8_t http_buf[] =
103  "GET /index.html HTTP/1.0\r\n"
104  "Host: www.openinfosecfoundation.org\r\n"
105  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
106  "Content-Type: text/html\r\n"
107  "Content-Length: 26\r\n"
108  "\r\n"
109  "This is dummy message body\r\n";
110  uint32_t http_len = sizeof(http_buf) - 1;
111  int result = 0;
112  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
113 
114  memset(&th_v, 0, sizeof(th_v));
115  memset(&f, 0, sizeof(f));
116  memset(&ssn, 0, sizeof(ssn));
117 
118  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
119 
120  FLOW_INITIALIZE(&f);
121  f.protoctx = (void *)&ssn;
122  f.proto = IPPROTO_TCP;
123  f.flags |= FLOW_IPV4;
124  p->flow = &f;
125  p->flowflags |= FLOW_PKT_TOSERVER;
126  p->flowflags |= FLOW_PKT_ESTABLISHED;
127  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
128  f.alproto = ALPROTO_HTTP1;
129 
130  StreamTcpInitConfig(true);
131 
132  de_ctx = DetectEngineCtxInit();
133  if (de_ctx == NULL)
134  goto end;
135 
136  de_ctx->flags |= DE_QUIET;
137 
138  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
139  "(msg:\"http header test\"; "
140  "content:\"Content-Type: text/html\"; http_header; "
141  "sid:1;)");
142  if (de_ctx->sig_list == NULL)
143  goto end;
144 
145  SigGroupBuild(de_ctx);
146  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
147 
148  int r = AppLayerParserParse(
149  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
150  if (r != 0) {
151  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
152  result = 0;
153  goto end;
154  }
155 
156  http_state = f.alstate;
157  if (http_state == NULL) {
158  printf("no http state: ");
159  result = 0;
160  goto end;
161  }
162 
163  /* do detect */
164  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
165 
166  if (!(PacketAlertCheck(p, 1))) {
167  printf("sid 1 didn't match but should have: ");
168  goto end;
169  }
170 
171  result = 1;
172 end:
173  if (alp_tctx != NULL)
174  AppLayerParserThreadCtxFree(alp_tctx);
175  if (det_ctx != NULL) {
176  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
177  }
178  if (de_ctx != NULL)
179  DetectEngineCtxFree(de_ctx);
180 
181  StreamTcpFreeConfig(true);
182  FLOW_DESTROY(&f);
183  UTHFreePackets(&p, 1);
184  StatsThreadCleanup(&th_v);
185  return result;
186 }
187 
188 /**
189  *\test Test that the http_header content matches against a http request
190  * which holds the content.
191  */
192 static int DetectHttpHeaderTest07(void)
193 {
194  TcpSession ssn;
195  Packet *p1 = NULL;
196  Packet *p2 = NULL;
197  ThreadVars th_v;
198  DetectEngineThreadCtx *det_ctx = NULL;
199  Flow f;
200  uint8_t http1_buf[] =
201  "GET /index.html HTTP/1.0\r\n"
202  "Host: www.openinfosecfoundation.org\r\n"
203  "User-Agent: Mozi";
204  uint8_t http2_buf[] =
205  "lla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\nContent-Type: text/html\r\n"
206  "Content-Length: 67\r\n"
207  "\r\n"
208  "This is dummy message body1";
209  uint32_t http1_len = sizeof(http1_buf) - 1;
210  uint32_t http2_len = sizeof(http2_buf) - 1;
211 
212  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
213  FAIL_IF_NULL(alp_tctx);
214 
215  memset(&th_v, 0, sizeof(th_v));
216  memset(&f, 0, sizeof(f));
217  memset(&ssn, 0, sizeof(ssn));
218 
219  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
220  FAIL_IF_NULL(p1);
221  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
222  FAIL_IF_NULL(p2);
223 
224  FLOW_INITIALIZE(&f);
225  f.protoctx = (void *)&ssn;
226  f.proto = IPPROTO_TCP;
227  f.flags |= FLOW_IPV4;
228  p1->flow = &f;
229  p1->flowflags |= FLOW_PKT_TOSERVER;
230  p1->flowflags |= FLOW_PKT_ESTABLISHED;
231  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
232  p2->flow = &f;
233  p2->flowflags |= FLOW_PKT_TOSERVER;
234  p2->flowflags |= FLOW_PKT_ESTABLISHED;
235  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
236  f.alproto = ALPROTO_HTTP1;
237 
238  StreamTcpInitConfig(true);
239 
240  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
241  FAIL_IF_NULL(de_ctx);
242  de_ctx->flags |= DE_QUIET;
243 
244  Signature *s = DetectEngineAppendSig(de_ctx,"alert http any any -> any any "
245  "(msg:\"http header test\"; "
246  "content:\"Mozilla\"; http_header; "
247  "sid:1;)");
248  FAIL_IF_NULL(s);
249 
250  SigGroupBuild(de_ctx);
251  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
252  FAIL_IF_NULL(det_ctx);
253 
254  int r = AppLayerParserParse(
255  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
256  FAIL_IF(r != 0);
257 
258  HtpState *http_state = f.alstate;
259  FAIL_IF_NULL(http_state);
260 
261  /* do detect */
262  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
263  FAIL_IF( (PacketAlertCheck(p1, 1)));
264 
265  r = AppLayerParserParse(
266  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
267  FAIL_IF(r != 0);
268 
269  /* do detect */
270  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
271 
272  FAIL_IF(!(PacketAlertCheck(p2, 1)));
273 
274  AppLayerParserThreadCtxFree(alp_tctx);
275  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
276  DetectEngineCtxFree(de_ctx);
277 
278  StreamTcpFreeConfig(true);
279  FLOW_DESTROY(&f);
280  UTHFreePackets(&p1, 1);
281  UTHFreePackets(&p2, 1);
282  StatsThreadCleanup(&th_v);
283  PASS;
284 }
285 
286 /**
287  *\test Test that the http_header content matches against a http request
288  * which holds the content.
289  */
290 static int DetectHttpHeaderTest08(void)
291 {
292  TcpSession ssn;
293  Packet *p1 = NULL;
294  Packet *p2 = NULL;
295  ThreadVars th_v;
296  DetectEngineCtx *de_ctx = NULL;
297  DetectEngineThreadCtx *det_ctx = NULL;
298  HtpState *http_state = NULL;
299  Flow f;
300  uint8_t http1_buf[] =
301  "GET /index.html HTTP/1.0\r\n"
302  "Host: www.openinfosecfoundation.org\r\n";
303  uint8_t http2_buf[] =
304  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
305  "Content-Type: text/html\r\n"
306  "Content-Length: 67\r\n"
307  "\r\n";
308  uint32_t http1_len = sizeof(http1_buf) - 1;
309  uint32_t http2_len = sizeof(http2_buf) - 1;
310  int result = 0;
311  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
312 
313  memset(&th_v, 0, sizeof(th_v));
314  memset(&f, 0, sizeof(f));
315  memset(&ssn, 0, sizeof(ssn));
316 
317  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
318  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
319 
320  FLOW_INITIALIZE(&f);
321  f.protoctx = (void *)&ssn;
322  f.proto = IPPROTO_TCP;
323  f.flags |= FLOW_IPV4;
324  p1->flow = &f;
325  p1->flowflags |= FLOW_PKT_TOSERVER;
326  p1->flowflags |= FLOW_PKT_ESTABLISHED;
327  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
328  p2->flow = &f;
329  p2->flowflags |= FLOW_PKT_TOSERVER;
330  p2->flowflags |= FLOW_PKT_ESTABLISHED;
331  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
332  f.alproto = ALPROTO_HTTP1;
333 
334  StreamTcpInitConfig(true);
335 
336  de_ctx = DetectEngineCtxInit();
337  if (de_ctx == NULL)
338  goto end;
339 
340  de_ctx->flags |= DE_QUIET;
341 
342  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
343  "(msg:\"http header test\"; "
344  "content:\"Gecko/20091221 Firefox/3.5.7\"; http_header; "
345  "sid:1;)");
346  if (de_ctx->sig_list == NULL)
347  goto end;
348 
349  SigGroupBuild(de_ctx);
350  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
351 
352  int r = AppLayerParserParse(
353  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
354  if (r != 0) {
355  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
356  result = 0;
357  goto end;
358  }
359 
360  http_state = f.alstate;
361  if (http_state == NULL) {
362  printf("no http state: ");
363  result = 0;
364  goto end;
365  }
366 
367  /* do detect */
368  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
369 
370  if ((PacketAlertCheck(p1, 1))) {
371  printf("sid 1 didn't match but should have: ");
372  goto end;
373  }
374 
375  r = AppLayerParserParse(
376  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
377  if (r != 0) {
378  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
379  result = 0;
380  goto end;
381  }
382 
383  /* do detect */
384  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
385 
386  if (!(PacketAlertCheck(p2, 1))) {
387  printf("sid 1 didn't match but should have: ");
388  goto end;
389  }
390 
391  result = 1;
392 end:
393  if (alp_tctx != NULL)
394  AppLayerParserThreadCtxFree(alp_tctx);
395  if (det_ctx != NULL) {
396  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
397  }
398  if (de_ctx != NULL)
399  DetectEngineCtxFree(de_ctx);
400 
401  StreamTcpFreeConfig(true);
402  FLOW_DESTROY(&f);
403  UTHFreePackets(&p1, 1);
404  UTHFreePackets(&p2, 1);
405  StatsThreadCleanup(&th_v);
406  return result;
407 }
408 
409 /**
410  *\test Test that the http_header content matches against a http request
411  * which holds the content, against a cross boundary present pattern.
412  */
413 static int DetectHttpHeaderTest09(void)
414 {
415  TcpSession ssn;
416  Packet *p1 = NULL;
417  Packet *p2 = NULL;
418  ThreadVars th_v;
419  DetectEngineCtx *de_ctx = NULL;
420  DetectEngineThreadCtx *det_ctx = NULL;
421  HtpState *http_state = NULL;
422  Flow f;
423  uint8_t http1_buf[] =
424  "GET /index.html HTTP/1.0\r\n"
425  "Host: www.openinfosecfoundation.org\r\n"
426  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
427  uint8_t http2_buf[] =
428  "Content-Type: text/html\r\n"
429  "Content-Length: 67\r\n"
430  "\r\n"
431  "This is dummy body\r\n";
432  uint32_t http1_len = sizeof(http1_buf) - 1;
433  uint32_t http2_len = sizeof(http2_buf) - 1;
434  int result = 0;
435  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
436 
437  memset(&th_v, 0, sizeof(th_v));
438  memset(&f, 0, sizeof(f));
439  memset(&ssn, 0, sizeof(ssn));
440 
441  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
442  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
443 
444  FLOW_INITIALIZE(&f);
445  f.protoctx = (void *)&ssn;
446  f.proto = IPPROTO_TCP;
447  f.flags |= FLOW_IPV4;
448  p1->flow = &f;
449  p1->flowflags |= FLOW_PKT_TOSERVER;
450  p1->flowflags |= FLOW_PKT_ESTABLISHED;
451  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
452  p2->flow = &f;
453  p2->flowflags |= FLOW_PKT_TOSERVER;
454  p2->flowflags |= FLOW_PKT_ESTABLISHED;
455  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
456  f.alproto = ALPROTO_HTTP1;
457 
458  StreamTcpInitConfig(true);
459 
460  de_ctx = DetectEngineCtxInit();
461  if (de_ctx == NULL)
462  goto end;
463 
464  de_ctx->flags |= DE_QUIET;
465  de_ctx->mpm_matcher = mpm_default_matcher;
466 
467  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
468  "(msg:\"http header test\"; "
469  "content:\"Firefox/3.5.7|0D 0A|Content\"; http_header; "
470  "sid:1;)");
471  if (de_ctx->sig_list == NULL)
472  goto end;
473 
474  SigGroupBuild(de_ctx);
475  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
476 
477  int r = AppLayerParserParse(
478  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
479  if (r != 0) {
480  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
481  result = 0;
482  goto end;
483  }
484 
485  http_state = f.alstate;
486  if (http_state == NULL) {
487  printf("no http state: ");
488  result = 0;
489  goto end;
490  }
491 
492  /* do detect */
493  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
494 
495  if ((PacketAlertCheck(p1, 1))) {
496  printf("sid 1 matched but shouldn't have: ");
497  goto end;
498  }
499 
500  r = AppLayerParserParse(
501  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
502  if (r != 0) {
503  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
504  result = 0;
505  goto end;
506  }
507 
508  /* do detect */
509  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
510 
511  if (!(PacketAlertCheck(p2, 1))) {
512  printf("sid 1 didn't match but should have: ");
513  goto end;
514  }
515 
516  result = 1;
517 end:
518  if (alp_tctx != NULL)
519  AppLayerParserThreadCtxFree(alp_tctx);
520  if (det_ctx != NULL) {
521  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
522  }
523  if (de_ctx != NULL)
524  DetectEngineCtxFree(de_ctx);
525 
526  StreamTcpFreeConfig(true);
527  FLOW_DESTROY(&f);
528  UTHFreePackets(&p1, 1);
529  UTHFreePackets(&p2, 1);
530  StatsThreadCleanup(&th_v);
531  return result;
532 }
533 
534 /**
535  *\test Test that the http_header content matches against a http request
536  * against a case insensitive pattern.
537  */
538 static int DetectHttpHeaderTest10(void)
539 {
540  TcpSession ssn;
541  Packet *p1 = NULL;
542  Packet *p2 = NULL;
543  ThreadVars th_v;
544  DetectEngineCtx *de_ctx = NULL;
545  DetectEngineThreadCtx *det_ctx = NULL;
546  HtpState *http_state = NULL;
547  Flow f;
548  uint8_t http1_buf[] =
549  "GET /index.html HTTP/1.0\r\n"
550  "Host: www.openinfosecfoundation.org\r\n"
551  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
552  uint8_t http2_buf[] =
553  "Content-Type: text/html\r\n"
554  "Content-Length: 67\r\n"
555  "\r\n"
556  "This is dummy body";
557  uint32_t http1_len = sizeof(http1_buf) - 1;
558  uint32_t http2_len = sizeof(http2_buf) - 1;
559  int result = 0;
560  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
561 
562  memset(&th_v, 0, sizeof(th_v));
563  memset(&f, 0, sizeof(f));
564  memset(&ssn, 0, sizeof(ssn));
565 
566  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
567  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
568 
569  FLOW_INITIALIZE(&f);
570  f.protoctx = (void *)&ssn;
571  f.proto = IPPROTO_TCP;
572  f.flags |= FLOW_IPV4;
573  p1->flow = &f;
574  p1->flowflags |= FLOW_PKT_TOSERVER;
575  p1->flowflags |= FLOW_PKT_ESTABLISHED;
576  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
577  p2->flow = &f;
578  p2->flowflags |= FLOW_PKT_TOSERVER;
579  p2->flowflags |= FLOW_PKT_ESTABLISHED;
580  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
581  f.alproto = ALPROTO_HTTP1;
582 
583  StreamTcpInitConfig(true);
584 
585  de_ctx = DetectEngineCtxInit();
586  if (de_ctx == NULL)
587  goto end;
588 
589  de_ctx->flags |= DE_QUIET;
590 
591  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
592  "(msg:\"http header test\"; "
593  "content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_header;"
594  "sid:1;)");
595  if (de_ctx->sig_list == NULL)
596  goto end;
597 
598  SigGroupBuild(de_ctx);
599  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
600 
601  int r = AppLayerParserParse(
602  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
603  if (r != 0) {
604  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
605  result = 0;
606  goto end;
607  }
608 
609  http_state = f.alstate;
610  if (http_state == NULL) {
611  printf("no http state: ");
612  result = 0;
613  goto end;
614  }
615 
616  /* do detect */
617  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
618 
619  if ((PacketAlertCheck(p1, 1))) {
620  printf("sid 1 didn't match but should have: ");
621  goto end;
622  }
623 
624  r = AppLayerParserParse(
625  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
626  if (r != 0) {
627  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
628  result = 0;
629  goto end;
630  }
631 
632  /* do detect */
633  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
634 
635  if (!(PacketAlertCheck(p2, 1))) {
636  printf("sid 1 didn't match but should have: ");
637  goto end;
638  }
639 
640  result = 1;
641 end:
642  if (alp_tctx != NULL)
643  AppLayerParserThreadCtxFree(alp_tctx);
644  if (det_ctx != NULL) {
645  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
646  }
647  if (de_ctx != NULL)
648  DetectEngineCtxFree(de_ctx);
649 
650  StreamTcpFreeConfig(true);
651  FLOW_DESTROY(&f);
652  UTHFreePackets(&p1, 1);
653  UTHFreePackets(&p2, 1);
654  StatsThreadCleanup(&th_v);
655  return result;
656 }
657 
658 /**
659  *\test Test that the negated http_header content matches against a
660  * http request which doesn't hold the content.
661  */
662 static int DetectHttpHeaderTest11(void)
663 {
664  TcpSession ssn;
665  Packet *p = NULL;
666  ThreadVars th_v;
667  DetectEngineCtx *de_ctx = NULL;
668  DetectEngineThreadCtx *det_ctx = NULL;
669  HtpState *http_state = NULL;
670  Flow f;
671  uint8_t http_buf[] =
672  "GET /index.html HTTP/1.0\r\n"
673  "Host: www.openinfosecfoundation.org\r\n"
674  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
675  "Content-Type: text/html\r\n"
676  "Content-Length: 26\r\n"
677  "\r\n"
678  "This is dummy message body\r\n";
679  uint32_t http_len = sizeof(http_buf) - 1;
680  int result = 0;
681  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
682 
683  memset(&th_v, 0, sizeof(th_v));
684  memset(&f, 0, sizeof(f));
685  memset(&ssn, 0, sizeof(ssn));
686 
687  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
688 
689  FLOW_INITIALIZE(&f);
690  f.protoctx = (void *)&ssn;
691  f.proto = IPPROTO_TCP;
692  f.flags |= FLOW_IPV4;
693  p->flow = &f;
694  p->flowflags |= FLOW_PKT_TOSERVER;
695  p->flowflags |= FLOW_PKT_ESTABLISHED;
696  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
697  f.alproto = ALPROTO_HTTP1;
698 
699  StreamTcpInitConfig(true);
700 
701  de_ctx = DetectEngineCtxInit();
702  if (de_ctx == NULL)
703  goto end;
704 
705  de_ctx->flags |= DE_QUIET;
706 
707  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
708  "(msg:\"http header test\"; "
709  "content:!\"lalalalala\"; http_header; "
710  "sid:1;)");
711  if (de_ctx->sig_list == NULL)
712  goto end;
713 
714  SigGroupBuild(de_ctx);
715  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
716 
717  int r = AppLayerParserParse(
718  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
719  if (r != 0) {
720  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
721  result = 0;
722  goto end;
723  }
724 
725  http_state = f.alstate;
726  if (http_state == NULL) {
727  printf("no http state: ");
728  result = 0;
729  goto end;
730  }
731 
732  /* do detect */
733  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
734 
735  if (!(PacketAlertCheck(p, 1))) {
736  printf("sid 1 didn't match but should have: ");
737  goto end;
738  }
739 
740  result = 1;
741 end:
742  if (alp_tctx != NULL)
743  AppLayerParserThreadCtxFree(alp_tctx);
744  if (det_ctx != NULL) {
745  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
746  }
747  if (de_ctx != NULL)
748  DetectEngineCtxFree(de_ctx);
749 
750  StreamTcpFreeConfig(true);
751  FLOW_DESTROY(&f);
752  UTHFreePackets(&p, 1);
753  StatsThreadCleanup(&th_v);
754  return result;
755 }
756 
757 /**
758  *\test Negative test that the negated http_header content matches against a
759  * http request which holds hold the content.
760  */
761 static int DetectHttpHeaderTest12(void)
762 {
763  TcpSession ssn;
764  Packet *p = NULL;
765  ThreadVars th_v;
766  DetectEngineCtx *de_ctx = NULL;
767  DetectEngineThreadCtx *det_ctx = NULL;
768  HtpState *http_state = NULL;
769  Flow f;
770  uint8_t http_buf[] =
771  "GET /index.html HTTP/1.0\r\n"
772  "Host: www.openinfosecfoundation.org\r\n"
773  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
774  "Content-Type: text/html\r\n"
775  "Content-Length: 26\r\n"
776  "\r\n"
777  "This is dummy message body\r\n";
778  uint32_t http_len = sizeof(http_buf) - 1;
779  int result = 0;
780  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
781 
782  memset(&th_v, 0, sizeof(th_v));
783  memset(&f, 0, sizeof(f));
784  memset(&ssn, 0, sizeof(ssn));
785 
786  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
787 
788  FLOW_INITIALIZE(&f);
789  f.protoctx = (void *)&ssn;
790  f.proto = IPPROTO_TCP;
791  f.flags |= FLOW_IPV4;
792  p->flow = &f;
793  p->flowflags |= FLOW_PKT_TOSERVER;
794  p->flowflags |= FLOW_PKT_ESTABLISHED;
795  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
796  f.alproto = ALPROTO_HTTP1;
797 
798  StreamTcpInitConfig(true);
799 
800  de_ctx = DetectEngineCtxInit();
801  if (de_ctx == NULL)
802  goto end;
803 
804  de_ctx->flags |= DE_QUIET;
805 
806  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
807  "(msg:\"http header test\"; "
808  "content:!\"User-Agent: Mozilla/5.0 \"; http_header; "
809  "sid:1;)");
810  if (de_ctx->sig_list == NULL)
811  goto end;
812 
813  SigGroupBuild(de_ctx);
814  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
815 
816  int r = AppLayerParserParse(
817  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
818  if (r != 0) {
819  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
820  result = 0;
821  goto end;
822  }
823 
824  http_state = f.alstate;
825  if (http_state == NULL) {
826  printf("no http state: ");
827  result = 0;
828  goto end;
829  }
830 
831  /* do detect */
832  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
833 
834  if ((PacketAlertCheck(p, 1))) {
835  printf("sid 1 didn't match but should have: ");
836  goto end;
837  }
838 
839  result = 1;
840 end:
841  if (alp_tctx != NULL)
842  AppLayerParserThreadCtxFree(alp_tctx);
843  if (det_ctx != NULL) {
844  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
845  }
846  if (de_ctx != NULL)
847  DetectEngineCtxFree(de_ctx);
848 
849  StreamTcpFreeConfig(true);
850  FLOW_DESTROY(&f);
851  UTHFreePackets(&p, 1);
852  StatsThreadCleanup(&th_v);
853  return result;
854 }
855 
856 /**
857  *\test Test that the http_header content matches against a http request
858  * which holds the content.
859  */
860 static int DetectHttpHeaderTest13(void)
861 {
862  TcpSession ssn;
863  Packet *p = NULL;
864  ThreadVars th_v;
865  DetectEngineCtx *de_ctx = NULL;
866  DetectEngineThreadCtx *det_ctx = NULL;
867  HtpState *http_state = NULL;
868  Flow f;
869  uint8_t http_buf[] =
870  "GET /index.html HTTP/1.0\r\n"
871  "Host: www.openinfosecfoundation.org\r\n"
872  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
873  "Content-Type: text/html\r\n"
874  "Content-Length: 100\r\n"
875  "\r\n"
876  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n";
877  uint32_t http_len = sizeof(http_buf) - 1;
878  int result = 0;
879  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
880 
881  memset(&th_v, 0, sizeof(th_v));
882  memset(&f, 0, sizeof(f));
883  memset(&ssn, 0, sizeof(ssn));
884 
885  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
886 
887  FLOW_INITIALIZE(&f);
888  f.protoctx = (void *)&ssn;
889  f.proto = IPPROTO_TCP;
890  f.flags |= FLOW_IPV4;
891 
892  p->flow = &f;
893  p->flowflags |= FLOW_PKT_TOSERVER;
894  p->flowflags |= FLOW_PKT_ESTABLISHED;
895  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
896  f.alproto = ALPROTO_HTTP1;
897 
898  StreamTcpInitConfig(true);
899 
900  de_ctx = DetectEngineCtxInit();
901  if (de_ctx == NULL)
902  goto end;
903 
904  de_ctx->flags |= DE_QUIET;
905 
906  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
907  "(msg:\"http header test\"; "
908  "content:\"Host: www.openinfosecfoundation.org\"; http_header; "
909  "sid:1;)");
910  if (de_ctx->sig_list == NULL)
911  goto end;
912 
913  SigGroupBuild(de_ctx);
914  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
915 
916  int r = AppLayerParserParse(
917  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
918  if (r != 0) {
919  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
920  result = 0;
921  goto end;
922  }
923 
924  http_state = f.alstate;
925  if (http_state == NULL) {
926  printf("no http state: ");
927  result = 0;
928  goto end;
929  }
930 
931  /* do detect */
932  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
933 
934  if (!(PacketAlertCheck(p, 1))) {
935  printf("sid 1 didn't match but should have: ");
936  goto end;
937  }
938 
939  result = 1;
940 end:
941  if (alp_tctx != NULL)
942  AppLayerParserThreadCtxFree(alp_tctx);
943  if (det_ctx != NULL) {
944  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
945  }
946  if (de_ctx != NULL)
947  DetectEngineCtxFree(de_ctx);
948 
949  StreamTcpFreeConfig(true);
950  FLOW_DESTROY(&f);
951  UTHFreePackets(&p, 1);
952  StatsThreadCleanup(&th_v);
953  return result;
954 }
955 
956 /** \test app-layer-event:http.host_header_ambiguous should not be set
957  * \bug 640*/
958 static int DetectHttpHeaderTest28(void)
959 {
960  TcpSession ssn;
961  Packet *p = NULL;
962  ThreadVars th_v;
963  DetectEngineCtx *de_ctx = NULL;
964  DetectEngineThreadCtx *det_ctx = NULL;
965  Flow f;
966  uint8_t http_buf[] =
967  "POST http://xxx.intranet.local:8000/xxx HTTP/1.1\r\n"
968  "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
969  "Host: xxx.intranet.local:8000\r\n"
970  "\r\n";
971  uint32_t http_len = sizeof(http_buf) - 1;
972  int result = 0;
973  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
974 
975  memset(&th_v, 0, sizeof(th_v));
976  memset(&f, 0, sizeof(f));
977  memset(&ssn, 0, sizeof(ssn));
978 
979  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
980 
981  FLOW_INITIALIZE(&f);
982  f.protoctx = (void *)&ssn;
983  f.proto = IPPROTO_TCP;
984  f.flags |= FLOW_IPV4;
985  p->flow = &f;
986  p->flowflags |= FLOW_PKT_TOSERVER;
987  p->flowflags |= FLOW_PKT_ESTABLISHED;
988  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
989  f.alproto = ALPROTO_HTTP1;
990 
991  StreamTcpInitConfig(true);
992 
993  de_ctx = DetectEngineCtxInit();
994  if (de_ctx == NULL)
995  goto end;
996 
997  de_ctx->flags |= DE_QUIET;
998 
999  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1000  "(app-layer-event:http.host_header_ambiguous; "
1001  "sid:1;)");
1002  if (de_ctx->sig_list == NULL)
1003  goto end;
1004 
1005  SigGroupBuild(de_ctx);
1006  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1007 
1008  int r = AppLayerParserParse(
1009  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1010  if (r != 0) {
1011  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1012  result = 0;
1013  goto end;
1014  }
1015 
1016  /* do detect */
1017  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1018 
1019  if (PacketAlertCheck(p, 1)) {
1020  printf("sid 1 matched but shouldnt have: ");
1021  goto end;
1022  }
1023 
1024  result = 1;
1025  end:
1026  if (alp_tctx != NULL)
1027  AppLayerParserThreadCtxFree(alp_tctx);
1028  if (det_ctx != NULL) {
1029  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1030  }
1031  if (de_ctx != NULL)
1032  DetectEngineCtxFree(de_ctx);
1033 
1034  StreamTcpFreeConfig(true);
1035  FLOW_DESTROY(&f);
1036  UTHFreePackets(&p, 1);
1037  StatsThreadCleanup(&th_v);
1038  return result;
1039 }
1040 
1041 /** \test app-layer-event:http.host_header_ambiguous should be set
1042  * \bug 640*/
1043 static int DetectHttpHeaderTest29(void)
1044 {
1045  TcpSession ssn;
1046  Packet *p = NULL;
1047  ThreadVars th_v;
1048  DetectEngineCtx *de_ctx = NULL;
1049  DetectEngineThreadCtx *det_ctx = NULL;
1050  Flow f;
1051  uint8_t http_buf[] =
1052  "POST http://xxx.intranet.local:8001/xxx HTTP/1.1\r\n"
1053  "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
1054  "Host: xxx.intranet.local:8000\r\n"
1055  "\r\n";
1056  uint32_t http_len = sizeof(http_buf) - 1;
1057  int result = 0;
1058  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1059 
1060  memset(&th_v, 0, sizeof(th_v));
1061  memset(&f, 0, sizeof(f));
1062  memset(&ssn, 0, sizeof(ssn));
1063 
1064  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1065 
1066  FLOW_INITIALIZE(&f);
1067  f.protoctx = (void *)&ssn;
1068  f.proto = IPPROTO_TCP;
1069  f.flags |= FLOW_IPV4;
1070  p->flow = &f;
1071  p->flowflags |= FLOW_PKT_TOSERVER;
1072  p->flowflags |= FLOW_PKT_ESTABLISHED;
1073  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1074  f.alproto = ALPROTO_HTTP1;
1075 
1076  StreamTcpInitConfig(true);
1077 
1078  de_ctx = DetectEngineCtxInit();
1079  if (de_ctx == NULL)
1080  goto end;
1081 
1082  de_ctx->flags |= DE_QUIET;
1083 
1084  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1085  "(app-layer-event:http.host_header_ambiguous; "
1086  "sid:1;)");
1087  if (de_ctx->sig_list == NULL)
1088  goto end;
1089 
1090  SigGroupBuild(de_ctx);
1091  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1092 
1093  int r = AppLayerParserParse(
1094  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1095  if (r != 0) {
1096  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1097  result = 0;
1098  goto end;
1099  }
1100 
1101  /* do detect */
1102  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1103 
1104  if (!(PacketAlertCheck(p, 1))) {
1105  printf("sid 1 didn't match but should have: ");
1106  goto end;
1107  }
1108 
1109  result = 1;
1110  end:
1111  if (alp_tctx != NULL)
1112  AppLayerParserThreadCtxFree(alp_tctx);
1113  if (det_ctx != NULL) {
1114  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1115  }
1116  if (de_ctx != NULL)
1117  DetectEngineCtxFree(de_ctx);
1118 
1119  StreamTcpFreeConfig(true);
1120  FLOW_DESTROY(&f);
1121  UTHFreePackets(&p, 1);
1122  StatsThreadCleanup(&th_v);
1123  return result;
1124 }
1125 
1126 /** \test app-layer-event:http.host_header_ambiguous should be set
1127  * \bug 640*/
1128 static int DetectHttpHeaderTest30(void)
1129 {
1130  TcpSession ssn;
1131  Packet *p = NULL;
1132  ThreadVars th_v;
1133  DetectEngineCtx *de_ctx = NULL;
1134  DetectEngineThreadCtx *det_ctx = NULL;
1135  Flow f;
1136  uint8_t http_buf[] =
1137  "POST http://xxx.intranet.local:8000/xxx HTTP/1.1\r\n"
1138  "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
1139  "Host: xyz.intranet.local:8000\r\n"
1140  "\r\n";
1141  uint32_t http_len = sizeof(http_buf) - 1;
1142  int result = 0;
1143  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1144 
1145  memset(&th_v, 0, sizeof(th_v));
1146  memset(&f, 0, sizeof(f));
1147  memset(&ssn, 0, sizeof(ssn));
1148 
1149  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1150 
1151  FLOW_INITIALIZE(&f);
1152  f.protoctx = (void *)&ssn;
1153  f.proto = IPPROTO_TCP;
1154  f.flags |= FLOW_IPV4;
1155  p->flow = &f;
1156  p->flowflags |= FLOW_PKT_TOSERVER;
1157  p->flowflags |= FLOW_PKT_ESTABLISHED;
1158  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1159  f.alproto = ALPROTO_HTTP1;
1160 
1161  StreamTcpInitConfig(true);
1162 
1163  de_ctx = DetectEngineCtxInit();
1164  if (de_ctx == NULL)
1165  goto end;
1166 
1167  de_ctx->flags |= DE_QUIET;
1168 
1169  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1170  "(app-layer-event:http.host_header_ambiguous; "
1171  "sid:1;)");
1172  if (de_ctx->sig_list == NULL)
1173  goto end;
1174 
1175  SigGroupBuild(de_ctx);
1176  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1177 
1178  int r = AppLayerParserParse(
1179  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1180  if (r != 0) {
1181  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1182  result = 0;
1183  goto end;
1184  }
1185 
1186  /* do detect */
1187  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1188 
1189  if (!(PacketAlertCheck(p, 1))) {
1190  printf("sid 1 didn't match but should have: ");
1191  goto end;
1192  }
1193 
1194  result = 1;
1195  end:
1196  if (alp_tctx != NULL)
1197  AppLayerParserThreadCtxFree(alp_tctx);
1198  if (det_ctx != NULL) {
1199  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1200  }
1201  if (de_ctx != NULL)
1202  DetectEngineCtxFree(de_ctx);
1203 
1204  StreamTcpFreeConfig(true);
1205  FLOW_DESTROY(&f);
1206  UTHFreePackets(&p, 1);
1207  StatsThreadCleanup(&th_v);
1208  return result;
1209 }
1210 
1211 static int DetectHttpHeaderIsdataatParseTest(void)
1212 {
1213  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1214  FAIL_IF_NULL(de_ctx);
1215  de_ctx->flags |= DE_QUIET;
1216 
1217  Signature *s = DetectEngineAppendSig(de_ctx,
1218  "alert tcp any any -> any any ("
1219  "flow:to_server; "
1220  "content:\"one\"; http_header; "
1221  "isdataat:!4,relative; sid:1;)");
1222  FAIL_IF_NULL(s);
1223 
1224  SigMatch *sm = DetectBufferGetLastSigMatch(s, g_http_header_buffer_id);
1225  FAIL_IF_NULL(sm);
1226  FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
1227 
1228  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
1229  FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
1230  FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
1231  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
1232 
1233  DetectEngineCtxFree(de_ctx);
1234  PASS;
1235 }
1236 
1237 /**
1238  *\test Test that the http_header content matches against a http request
1239  * which holds the content.
1240  */
1241 static int DetectEngineHttpHeaderTest01(void)
1242 {
1243  TcpSession ssn;
1244  Packet *p = NULL;
1245  ThreadVars th_v;
1246  DetectEngineCtx *de_ctx = NULL;
1247  DetectEngineThreadCtx *det_ctx = NULL;
1248  HtpState *http_state = NULL;
1249  Flow f;
1250  uint8_t http_buf[] =
1251  "GET /index.html HTTP/1.0\r\n"
1252  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1253  uint32_t http_len = sizeof(http_buf) - 1;
1254  int result = 0;
1255  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1256 
1257  memset(&th_v, 0, sizeof(th_v));
1258  memset(&f, 0, sizeof(f));
1259  memset(&ssn, 0, sizeof(ssn));
1260 
1261  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1262 
1263  FLOW_INITIALIZE(&f);
1264  f.protoctx = (void *)&ssn;
1265  f.proto = IPPROTO_TCP;
1266  f.flags |= FLOW_IPV4;
1267  p->flow = &f;
1268  p->flowflags |= FLOW_PKT_TOSERVER;
1269  p->flowflags |= FLOW_PKT_ESTABLISHED;
1270  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1271  f.alproto = ALPROTO_HTTP1;
1272 
1273  StreamTcpInitConfig(true);
1274 
1275  de_ctx = DetectEngineCtxInit();
1276  if (de_ctx == NULL)
1277  goto end;
1278 
1279  de_ctx->flags |= DE_QUIET;
1280 
1281  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1282  "(msg:\"http header test\"; "
1283  "content:\"one\"; http_header; "
1284  "sid:1;)");
1285  if (de_ctx->sig_list == NULL)
1286  goto end;
1287 
1288  SigGroupBuild(de_ctx);
1289  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1290 
1291  int r = AppLayerParserParse(
1292  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1293  if (r != 0) {
1294  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1295  result = 0;
1296  goto end;
1297  }
1298 
1299  http_state = f.alstate;
1300  if (http_state == NULL) {
1301  printf("no http state: ");
1302  result = 0;
1303  goto end;
1304  }
1305 
1306  /* do detect */
1307  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1308 
1309  if (!(PacketAlertCheck(p, 1))) {
1310  printf("sid 1 didn't match but should have: ");
1311  goto end;
1312  }
1313 
1314  result = 1;
1315 end:
1316  if (alp_tctx != NULL)
1317  AppLayerParserThreadCtxFree(alp_tctx);
1318  if (det_ctx != NULL) {
1319  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1320  }
1321  if (de_ctx != NULL)
1322  DetectEngineCtxFree(de_ctx);
1323 
1324  StreamTcpFreeConfig(true);
1325  FLOW_DESTROY(&f);
1326  UTHFreePackets(&p, 1);
1327  StatsThreadCleanup(&th_v);
1328  return result;
1329 }
1330 
1331 /**
1332  *\test Test that the http_header content matches against a http request
1333  * which holds the content.
1334  */
1335 static int DetectEngineHttpHeaderTest02(void)
1336 {
1337  TcpSession ssn;
1338  Packet *p = NULL;
1339  ThreadVars th_v;
1340  DetectEngineCtx *de_ctx = NULL;
1341  DetectEngineThreadCtx *det_ctx = NULL;
1342  HtpState *http_state = NULL;
1343  Flow f;
1344  uint8_t http_buf[] =
1345  "GET /index.html HTTP/1.0\r\n"
1346  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1347  uint32_t http_len = sizeof(http_buf) - 1;
1348  int result = 0;
1349  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1350 
1351  memset(&th_v, 0, sizeof(th_v));
1352  memset(&f, 0, sizeof(f));
1353  memset(&ssn, 0, sizeof(ssn));
1354 
1355  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1356 
1357  FLOW_INITIALIZE(&f);
1358  f.protoctx = (void *)&ssn;
1359  f.proto = IPPROTO_TCP;
1360  f.flags |= FLOW_IPV4;
1361  p->flow = &f;
1362  p->flowflags |= FLOW_PKT_TOSERVER;
1363  p->flowflags |= FLOW_PKT_ESTABLISHED;
1364  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1365  f.alproto = ALPROTO_HTTP1;
1366 
1367  StreamTcpInitConfig(true);
1368 
1369  de_ctx = DetectEngineCtxInit();
1370  if (de_ctx == NULL)
1371  goto end;
1372 
1373  de_ctx->flags |= DE_QUIET;
1374 
1375  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1376  "(msg:\"http header test\"; "
1377  "content:\"one\"; depth:15; http_header; "
1378  "sid:1;)");
1379  if (de_ctx->sig_list == NULL)
1380  goto end;
1381 
1382  SigGroupBuild(de_ctx);
1383  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1384 
1385  int r = AppLayerParserParse(
1386  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1387  if (r != 0) {
1388  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1389  result = 0;
1390  goto end;
1391  }
1392 
1393  http_state = f.alstate;
1394  if (http_state == NULL) {
1395  printf("no http state: ");
1396  result = 0;
1397  goto end;
1398  }
1399 
1400  /* do detect */
1401  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1402 
1403  if (!(PacketAlertCheck(p, 1))) {
1404  printf("sid 1 didn't match but should have: ");
1405  goto end;
1406  }
1407 
1408  result = 1;
1409 end:
1410  if (alp_tctx != NULL)
1411  AppLayerParserThreadCtxFree(alp_tctx);
1412  if (det_ctx != NULL) {
1413  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1414  }
1415  if (de_ctx != NULL)
1416  DetectEngineCtxFree(de_ctx);
1417 
1418  StreamTcpFreeConfig(true);
1419  FLOW_DESTROY(&f);
1420  UTHFreePackets(&p, 1);
1421  StatsThreadCleanup(&th_v);
1422  return result;
1423 }
1424 
1425 /**
1426  *\test Test that the http_header content matches against a http request
1427  * which holds the content.
1428  */
1429 static int DetectEngineHttpHeaderTest03(void)
1430 {
1431  TcpSession ssn;
1432  Packet *p = NULL;
1433  ThreadVars th_v;
1434  DetectEngineCtx *de_ctx = NULL;
1435  DetectEngineThreadCtx *det_ctx = NULL;
1436  HtpState *http_state = NULL;
1437  Flow f;
1438  uint8_t http_buf[] =
1439  "GET /index.html HTTP/1.0\r\n"
1440  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1441  uint32_t http_len = sizeof(http_buf) - 1;
1442  int result = 0;
1443  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1444 
1445  memset(&th_v, 0, sizeof(th_v));
1446  memset(&f, 0, sizeof(f));
1447  memset(&ssn, 0, sizeof(ssn));
1448 
1449  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1450 
1451  FLOW_INITIALIZE(&f);
1452  f.protoctx = (void *)&ssn;
1453  f.proto = IPPROTO_TCP;
1454  f.flags |= FLOW_IPV4;
1455  p->flow = &f;
1456  p->flowflags |= FLOW_PKT_TOSERVER;
1457  p->flowflags |= FLOW_PKT_ESTABLISHED;
1458  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1459  f.alproto = ALPROTO_HTTP1;
1460 
1461  StreamTcpInitConfig(true);
1462 
1463  de_ctx = DetectEngineCtxInit();
1464  if (de_ctx == NULL)
1465  goto end;
1466 
1467  de_ctx->flags |= DE_QUIET;
1468 
1469  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1470  "(msg:\"http header test\"; "
1471  "content:!\"one\"; depth:5; http_header; "
1472  "sid:1;)");
1473  if (de_ctx->sig_list == NULL)
1474  goto end;
1475 
1476  SigGroupBuild(de_ctx);
1477  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1478 
1479  int r = AppLayerParserParse(
1480  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1481  if (r != 0) {
1482  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1483  result = 0;
1484  goto end;
1485  }
1486 
1487  http_state = f.alstate;
1488  if (http_state == NULL) {
1489  printf("no http state: ");
1490  result = 0;
1491  goto end;
1492  }
1493 
1494  /* do detect */
1495  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1496 
1497  if (!(PacketAlertCheck(p, 1))) {
1498  printf("sid 1 didn't match but should have: ");
1499  goto end;
1500  }
1501 
1502  result = 1;
1503 end:
1504  if (alp_tctx != NULL)
1505  AppLayerParserThreadCtxFree(alp_tctx);
1506  if (det_ctx != NULL) {
1507  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1508  }
1509  if (de_ctx != NULL)
1510  DetectEngineCtxFree(de_ctx);
1511 
1512  StreamTcpFreeConfig(true);
1513  FLOW_DESTROY(&f);
1514  UTHFreePackets(&p, 1);
1515  StatsThreadCleanup(&th_v);
1516  return result;
1517 }
1518 
1519 /**
1520  *\test Test that the http_header content matches against a http request
1521  * which holds the content.
1522  */
1523 static int DetectEngineHttpHeaderTest04(void)
1524 {
1525  TcpSession ssn;
1526  Packet *p = NULL;
1527  ThreadVars th_v;
1528  DetectEngineCtx *de_ctx = NULL;
1529  DetectEngineThreadCtx *det_ctx = NULL;
1530  HtpState *http_state = NULL;
1531  Flow f;
1532  uint8_t http_buf[] =
1533  "GET /index.html HTTP/1.0\r\n"
1534  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1535  uint32_t http_len = sizeof(http_buf) - 1;
1536  int result = 0;
1537  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1538 
1539  memset(&th_v, 0, sizeof(th_v));
1540  memset(&f, 0, sizeof(f));
1541  memset(&ssn, 0, sizeof(ssn));
1542 
1543  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1544 
1545  FLOW_INITIALIZE(&f);
1546  f.protoctx = (void *)&ssn;
1547  f.proto = IPPROTO_TCP;
1548  f.flags |= FLOW_IPV4;
1549  p->flow = &f;
1550  p->flowflags |= FLOW_PKT_TOSERVER;
1551  p->flowflags |= FLOW_PKT_ESTABLISHED;
1552  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1553  f.alproto = ALPROTO_HTTP1;
1554 
1555  StreamTcpInitConfig(true);
1556 
1557  de_ctx = DetectEngineCtxInit();
1558  if (de_ctx == NULL)
1559  goto end;
1560 
1561  de_ctx->flags |= DE_QUIET;
1562 
1563  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1564  "(msg:\"http header test\"; "
1565  "content:\"one\"; depth:5; http_header; "
1566  "sid:1;)");
1567  if (de_ctx->sig_list == NULL)
1568  goto end;
1569 
1570  SigGroupBuild(de_ctx);
1571  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1572 
1573  int r = AppLayerParserParse(
1574  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1575  if (r != 0) {
1576  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1577  result = 0;
1578  goto end;
1579  }
1580 
1581  http_state = f.alstate;
1582  if (http_state == NULL) {
1583  printf("no http state: ");
1584  result = 0;
1585  goto end;
1586  }
1587 
1588  /* do detect */
1589  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1590 
1591  if (PacketAlertCheck(p, 1)) {
1592  printf("sid 1 matched but shouldn't have: ");
1593  goto end;
1594  }
1595 
1596  result = 1;
1597 end:
1598  if (alp_tctx != NULL)
1599  AppLayerParserThreadCtxFree(alp_tctx);
1600  if (det_ctx != NULL) {
1601  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1602  }
1603  if (de_ctx != NULL)
1604  DetectEngineCtxFree(de_ctx);
1605 
1606  StreamTcpFreeConfig(true);
1607  FLOW_DESTROY(&f);
1608  UTHFreePackets(&p, 1);
1609  StatsThreadCleanup(&th_v);
1610  return result;
1611 }
1612 
1613 /**
1614  *\test Test that the http_header content matches against a http request
1615  * which holds the content.
1616  */
1617 static int DetectEngineHttpHeaderTest05(void)
1618 {
1619  TcpSession ssn;
1620  Packet *p = NULL;
1621  ThreadVars th_v;
1622  DetectEngineCtx *de_ctx = NULL;
1623  DetectEngineThreadCtx *det_ctx = NULL;
1624  HtpState *http_state = NULL;
1625  Flow f;
1626  uint8_t http_buf[] =
1627  "GET /index.html HTTP/1.0\r\n"
1628  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1629  uint32_t http_len = sizeof(http_buf) - 1;
1630  int result = 0;
1631  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1632 
1633  memset(&th_v, 0, sizeof(th_v));
1634  memset(&f, 0, sizeof(f));
1635  memset(&ssn, 0, sizeof(ssn));
1636 
1637  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1638 
1639  FLOW_INITIALIZE(&f);
1640  f.protoctx = (void *)&ssn;
1641  f.proto = IPPROTO_TCP;
1642  f.flags |= FLOW_IPV4;
1643  p->flow = &f;
1644  p->flowflags |= FLOW_PKT_TOSERVER;
1645  p->flowflags |= FLOW_PKT_ESTABLISHED;
1646  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1647  f.alproto = ALPROTO_HTTP1;
1648 
1649  StreamTcpInitConfig(true);
1650 
1651  de_ctx = DetectEngineCtxInit();
1652  if (de_ctx == NULL)
1653  goto end;
1654 
1655  de_ctx->flags |= DE_QUIET;
1656 
1657  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1658  "(msg:\"http header test\"; "
1659  "content:!\"one\"; depth:15; http_header; "
1660  "sid:1;)");
1661  if (de_ctx->sig_list == NULL)
1662  goto end;
1663 
1664  SigGroupBuild(de_ctx);
1665  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1666 
1667  int r = AppLayerParserParse(
1668  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1669  if (r != 0) {
1670  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1671  result = 0;
1672  goto end;
1673  }
1674 
1675  http_state = f.alstate;
1676  if (http_state == NULL) {
1677  printf("no http state: ");
1678  result = 0;
1679  goto end;
1680  }
1681 
1682  /* do detect */
1683  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1684 
1685  if (PacketAlertCheck(p, 1)) {
1686  printf("sid 1 matched but shouldn't have: ");
1687  goto end;
1688  }
1689 
1690  result = 1;
1691 end:
1692  if (alp_tctx != NULL)
1693  AppLayerParserThreadCtxFree(alp_tctx);
1694  if (det_ctx != NULL) {
1695  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1696  }
1697  if (de_ctx != NULL)
1698  DetectEngineCtxFree(de_ctx);
1699 
1700  StreamTcpFreeConfig(true);
1701  FLOW_DESTROY(&f);
1702  UTHFreePackets(&p, 1);
1703  StatsThreadCleanup(&th_v);
1704  return result;
1705 }
1706 
1707 /**
1708  *\test Test that the http_header content matches against a http request
1709  * which holds the content.
1710  */
1711 static int DetectEngineHttpHeaderTest06(void)
1712 {
1713  TcpSession ssn;
1714  Packet *p = NULL;
1715  ThreadVars th_v;
1716  DetectEngineCtx *de_ctx = NULL;
1717  DetectEngineThreadCtx *det_ctx = NULL;
1718  HtpState *http_state = NULL;
1719  Flow f;
1720  uint8_t http_buf[] =
1721  "GET /index.html HTTP/1.0\r\n"
1722  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1723  uint32_t http_len = sizeof(http_buf) - 1;
1724  int result = 0;
1725  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1726 
1727  memset(&th_v, 0, sizeof(th_v));
1728  memset(&f, 0, sizeof(f));
1729  memset(&ssn, 0, sizeof(ssn));
1730 
1731  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1732 
1733  FLOW_INITIALIZE(&f);
1734  f.protoctx = (void *)&ssn;
1735  f.proto = IPPROTO_TCP;
1736  f.flags |= FLOW_IPV4;
1737  p->flow = &f;
1738  p->flowflags |= FLOW_PKT_TOSERVER;
1739  p->flowflags |= FLOW_PKT_ESTABLISHED;
1740  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1741  f.alproto = ALPROTO_HTTP1;
1742 
1743  StreamTcpInitConfig(true);
1744 
1745  de_ctx = DetectEngineCtxInit();
1746  if (de_ctx == NULL)
1747  goto end;
1748 
1749  de_ctx->flags |= DE_QUIET;
1750 
1751  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1752  "(msg:\"http header test\"; "
1753  "content:\"one\"; offset:10; http_header; "
1754  "sid:1;)");
1755  if (de_ctx->sig_list == NULL)
1756  goto end;
1757 
1758  SigGroupBuild(de_ctx);
1759  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1760 
1761  int r = AppLayerParserParse(
1762  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1763  if (r != 0) {
1764  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1765  result = 0;
1766  goto end;
1767  }
1768 
1769  http_state = f.alstate;
1770  if (http_state == NULL) {
1771  printf("no http state: ");
1772  result = 0;
1773  goto end;
1774  }
1775 
1776  /* do detect */
1777  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1778 
1779  if (!(PacketAlertCheck(p, 1))) {
1780  printf("sid 1 didn't match but should have: ");
1781  goto end;
1782  }
1783 
1784  result = 1;
1785 end:
1786  if (alp_tctx != NULL)
1787  AppLayerParserThreadCtxFree(alp_tctx);
1788  if (det_ctx != NULL) {
1789  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1790  }
1791  if (de_ctx != NULL)
1792  DetectEngineCtxFree(de_ctx);
1793 
1794  StreamTcpFreeConfig(true);
1795  FLOW_DESTROY(&f);
1796  UTHFreePackets(&p, 1);
1797  StatsThreadCleanup(&th_v);
1798  return result;
1799 }
1800 
1801 /**
1802  *\test Test that the http_header content matches against a http request
1803  * which holds the content.
1804  */
1805 static int DetectEngineHttpHeaderTest07(void)
1806 {
1807  TcpSession ssn;
1808  Packet *p = NULL;
1809  ThreadVars th_v;
1810  DetectEngineCtx *de_ctx = NULL;
1811  DetectEngineThreadCtx *det_ctx = NULL;
1812  HtpState *http_state = NULL;
1813  Flow f;
1814  uint8_t http_buf[] =
1815  "GET /index.html HTTP/1.0\r\n"
1816  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1817  uint32_t http_len = sizeof(http_buf) - 1;
1818  int result = 0;
1819  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1820 
1821  memset(&th_v, 0, sizeof(th_v));
1822  memset(&f, 0, sizeof(f));
1823  memset(&ssn, 0, sizeof(ssn));
1824 
1825  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1826 
1827  FLOW_INITIALIZE(&f);
1828  f.protoctx = (void *)&ssn;
1829  f.proto = IPPROTO_TCP;
1830  f.flags |= FLOW_IPV4;
1831  p->flow = &f;
1832  p->flowflags |= FLOW_PKT_TOSERVER;
1833  p->flowflags |= FLOW_PKT_ESTABLISHED;
1834  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1835  f.alproto = ALPROTO_HTTP1;
1836 
1837  StreamTcpInitConfig(true);
1838 
1839  de_ctx = DetectEngineCtxInit();
1840  if (de_ctx == NULL)
1841  goto end;
1842 
1843  de_ctx->flags |= DE_QUIET;
1844 
1845  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1846  "(msg:\"http header test\"; "
1847  "content:!\"one\"; offset:15; http_header; "
1848  "sid:1;)");
1849  if (de_ctx->sig_list == NULL)
1850  goto end;
1851 
1852  SigGroupBuild(de_ctx);
1853  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1854 
1855  int r = AppLayerParserParse(
1856  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1857  if (r != 0) {
1858  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1859  result = 0;
1860  goto end;
1861  }
1862 
1863  http_state = f.alstate;
1864  if (http_state == NULL) {
1865  printf("no http state: ");
1866  result = 0;
1867  goto end;
1868  }
1869 
1870  /* do detect */
1871  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1872 
1873  if (!(PacketAlertCheck(p, 1))) {
1874  printf("sid 1 didn't match but should have: ");
1875  goto end;
1876  }
1877 
1878  result = 1;
1879 end:
1880  if (alp_tctx != NULL)
1881  AppLayerParserThreadCtxFree(alp_tctx);
1882  if (det_ctx != NULL) {
1883  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1884  }
1885  if (de_ctx != NULL)
1886  DetectEngineCtxFree(de_ctx);
1887 
1888  StreamTcpFreeConfig(true);
1889  FLOW_DESTROY(&f);
1890  UTHFreePackets(&p, 1);
1891  StatsThreadCleanup(&th_v);
1892  return result;
1893 }
1894 
1895 /**
1896  *\test Test that the http_header content matches against a http request
1897  * which holds the content.
1898  */
1899 static int DetectEngineHttpHeaderTest08(void)
1900 {
1901  TcpSession ssn;
1902  Packet *p = NULL;
1903  ThreadVars th_v;
1904  DetectEngineCtx *de_ctx = NULL;
1905  DetectEngineThreadCtx *det_ctx = NULL;
1906  HtpState *http_state = NULL;
1907  Flow f;
1908  uint8_t http_buf[] =
1909  "GET /index.html HTTP/1.0\r\n"
1910  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1911  uint32_t http_len = sizeof(http_buf) - 1;
1912  int result = 0;
1913  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1914 
1915  memset(&th_v, 0, sizeof(th_v));
1916  memset(&f, 0, sizeof(f));
1917  memset(&ssn, 0, sizeof(ssn));
1918 
1919  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1920 
1921  FLOW_INITIALIZE(&f);
1922  f.protoctx = (void *)&ssn;
1923  f.proto = IPPROTO_TCP;
1924  f.flags |= FLOW_IPV4;
1925  p->flow = &f;
1926  p->flowflags |= FLOW_PKT_TOSERVER;
1927  p->flowflags |= FLOW_PKT_ESTABLISHED;
1928  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1929  f.alproto = ALPROTO_HTTP1;
1930 
1931  StreamTcpInitConfig(true);
1932 
1933  de_ctx = DetectEngineCtxInit();
1934  if (de_ctx == NULL)
1935  goto end;
1936 
1937  de_ctx->flags |= DE_QUIET;
1938 
1939  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1940  "(msg:\"http header test\"; "
1941  "content:\"one\"; offset:15; http_header; "
1942  "sid:1;)");
1943  if (de_ctx->sig_list == NULL)
1944  goto end;
1945 
1946  SigGroupBuild(de_ctx);
1947  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1948 
1949  int r = AppLayerParserParse(
1950  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1951  if (r != 0) {
1952  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1953  result = 0;
1954  goto end;
1955  }
1956 
1957  http_state = f.alstate;
1958  if (http_state == NULL) {
1959  printf("no http state: ");
1960  result = 0;
1961  goto end;
1962  }
1963 
1964  /* do detect */
1965  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1966 
1967  if (PacketAlertCheck(p, 1)) {
1968  printf("sid 1 matched but shouldn't have: ");
1969  goto end;
1970  }
1971 
1972  result = 1;
1973 end:
1974  if (alp_tctx != NULL)
1975  AppLayerParserThreadCtxFree(alp_tctx);
1976  if (det_ctx != NULL) {
1977  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1978  }
1979  if (de_ctx != NULL)
1980  DetectEngineCtxFree(de_ctx);
1981 
1982  StreamTcpFreeConfig(true);
1983  FLOW_DESTROY(&f);
1984  UTHFreePackets(&p, 1);
1985  StatsThreadCleanup(&th_v);
1986  return result;
1987 }
1988 
1989 /**
1990  *\test Test that the http_header content matches against a http request
1991  * which holds the content.
1992  */
1993 static int DetectEngineHttpHeaderTest09(void)
1994 {
1995  TcpSession ssn;
1996  Packet *p = NULL;
1997  ThreadVars th_v;
1998  DetectEngineCtx *de_ctx = NULL;
1999  DetectEngineThreadCtx *det_ctx = NULL;
2000  HtpState *http_state = NULL;
2001  Flow f;
2002  uint8_t http_buf[] =
2003  "GET /index.html HTTP/1.0\r\n"
2004  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2005  uint32_t http_len = sizeof(http_buf) - 1;
2006  int result = 0;
2007  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2008 
2009  memset(&th_v, 0, sizeof(th_v));
2010  memset(&f, 0, sizeof(f));
2011  memset(&ssn, 0, sizeof(ssn));
2012 
2013  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2014 
2015  FLOW_INITIALIZE(&f);
2016  f.protoctx = (void *)&ssn;
2017  f.proto = IPPROTO_TCP;
2018  f.flags |= FLOW_IPV4;
2019  p->flow = &f;
2020  p->flowflags |= FLOW_PKT_TOSERVER;
2021  p->flowflags |= FLOW_PKT_ESTABLISHED;
2022  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2023  f.alproto = ALPROTO_HTTP1;
2024 
2025  StreamTcpInitConfig(true);
2026 
2027  de_ctx = DetectEngineCtxInit();
2028  if (de_ctx == NULL)
2029  goto end;
2030 
2031  de_ctx->flags |= DE_QUIET;
2032 
2033  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2034  "(msg:\"http header test\"; "
2035  "content:!\"one\"; offset:10; http_header; "
2036  "sid:1;)");
2037  if (de_ctx->sig_list == NULL)
2038  goto end;
2039 
2040  SigGroupBuild(de_ctx);
2041  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2042 
2043  int r = AppLayerParserParse(
2044  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2045  if (r != 0) {
2046  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2047  result = 0;
2048  goto end;
2049  }
2050 
2051  http_state = f.alstate;
2052  if (http_state == NULL) {
2053  printf("no http state: ");
2054  result = 0;
2055  goto end;
2056  }
2057 
2058  /* do detect */
2059  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2060 
2061  if (PacketAlertCheck(p, 1)) {
2062  printf("sid 1 matched but shouldn't have: ");
2063  goto end;
2064  }
2065 
2066  result = 1;
2067 end:
2068  if (alp_tctx != NULL)
2069  AppLayerParserThreadCtxFree(alp_tctx);
2070  if (det_ctx != NULL) {
2071  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2072  }
2073  if (de_ctx != NULL)
2074  DetectEngineCtxFree(de_ctx);
2075 
2076  StreamTcpFreeConfig(true);
2077  FLOW_DESTROY(&f);
2078  UTHFreePackets(&p, 1);
2079  StatsThreadCleanup(&th_v);
2080  return result;
2081 }
2082 
2083 /**
2084  *\test Test that the http_header content matches against a http request
2085  * which holds the content.
2086  */
2087 static int DetectEngineHttpHeaderTest10(void)
2088 {
2089  TcpSession ssn;
2090  Packet *p = NULL;
2091  ThreadVars th_v;
2092  DetectEngineCtx *de_ctx = NULL;
2093  DetectEngineThreadCtx *det_ctx = NULL;
2094  HtpState *http_state = NULL;
2095  Flow f;
2096  uint8_t http_buf[] =
2097  "GET /index.html HTTP/1.0\r\n"
2098  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2099  uint32_t http_len = sizeof(http_buf) - 1;
2100  int result = 0;
2101  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2102 
2103  memset(&th_v, 0, sizeof(th_v));
2104  memset(&f, 0, sizeof(f));
2105  memset(&ssn, 0, sizeof(ssn));
2106 
2107  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2108 
2109  FLOW_INITIALIZE(&f);
2110  f.protoctx = (void *)&ssn;
2111  f.proto = IPPROTO_TCP;
2112  f.flags |= FLOW_IPV4;
2113  p->flow = &f;
2114  p->flowflags |= FLOW_PKT_TOSERVER;
2115  p->flowflags |= FLOW_PKT_ESTABLISHED;
2116  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2117  f.alproto = ALPROTO_HTTP1;
2118 
2119  StreamTcpInitConfig(true);
2120 
2121  de_ctx = DetectEngineCtxInit();
2122  if (de_ctx == NULL)
2123  goto end;
2124 
2125  de_ctx->flags |= DE_QUIET;
2126 
2127  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2128  "(msg:\"http header test\"; "
2129  "content:\"one\"; http_header; content:\"three\"; http_header; within:10; "
2130  "sid:1;)");
2131  if (de_ctx->sig_list == NULL)
2132  goto end;
2133 
2134  SigGroupBuild(de_ctx);
2135  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2136 
2137  int r = AppLayerParserParse(
2138  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2139  if (r != 0) {
2140  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2141  result = 0;
2142  goto end;
2143  }
2144 
2145  http_state = f.alstate;
2146  if (http_state == NULL) {
2147  printf("no http state: ");
2148  result = 0;
2149  goto end;
2150  }
2151 
2152  /* do detect */
2153  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2154 
2155  if (!(PacketAlertCheck(p, 1))) {
2156  printf("sid 1 didn't match but should have: ");
2157  goto end;
2158  }
2159 
2160  result = 1;
2161 end:
2162  if (alp_tctx != NULL)
2163  AppLayerParserThreadCtxFree(alp_tctx);
2164  if (det_ctx != NULL) {
2165  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2166  }
2167  if (de_ctx != NULL)
2168  DetectEngineCtxFree(de_ctx);
2169 
2170  StreamTcpFreeConfig(true);
2171  FLOW_DESTROY(&f);
2172  UTHFreePackets(&p, 1);
2173  StatsThreadCleanup(&th_v);
2174  return result;
2175 }
2176 
2177 /**
2178  *\test Test that the http_header content matches against a http request
2179  * which holds the content.
2180  */
2181 static int DetectEngineHttpHeaderTest11(void)
2182 {
2183  TcpSession ssn;
2184  Packet *p = NULL;
2185  ThreadVars th_v;
2186  DetectEngineCtx *de_ctx = NULL;
2187  DetectEngineThreadCtx *det_ctx = NULL;
2188  HtpState *http_state = NULL;
2189  Flow f;
2190  uint8_t http_buf[] =
2191  "GET /index.html HTTP/1.0\r\n"
2192  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2193  uint32_t http_len = sizeof(http_buf) - 1;
2194  int result = 0;
2195  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2196 
2197  memset(&th_v, 0, sizeof(th_v));
2198  memset(&f, 0, sizeof(f));
2199  memset(&ssn, 0, sizeof(ssn));
2200 
2201  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2202 
2203  FLOW_INITIALIZE(&f);
2204  f.protoctx = (void *)&ssn;
2205  f.proto = IPPROTO_TCP;
2206  f.flags |= FLOW_IPV4;
2207  p->flow = &f;
2208  p->flowflags |= FLOW_PKT_TOSERVER;
2209  p->flowflags |= FLOW_PKT_ESTABLISHED;
2210  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2211  f.alproto = ALPROTO_HTTP1;
2212 
2213  StreamTcpInitConfig(true);
2214 
2215  de_ctx = DetectEngineCtxInit();
2216  if (de_ctx == NULL)
2217  goto end;
2218 
2219  de_ctx->flags |= DE_QUIET;
2220 
2221  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2222  "(msg:\"http header test\"; "
2223  "content:\"one\"; http_header; content:!\"three\"; http_header; within:5; "
2224  "sid:1;)");
2225  if (de_ctx->sig_list == NULL)
2226  goto end;
2227 
2228  SigGroupBuild(de_ctx);
2229  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2230 
2231  int r = AppLayerParserParse(
2232  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2233  if (r != 0) {
2234  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2235  result = 0;
2236  goto end;
2237  }
2238 
2239  http_state = f.alstate;
2240  if (http_state == NULL) {
2241  printf("no http state: ");
2242  result = 0;
2243  goto end;
2244  }
2245 
2246  /* do detect */
2247  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2248 
2249  if (!(PacketAlertCheck(p, 1))) {
2250  printf("sid 1 didn't match but should have: ");
2251  goto end;
2252  }
2253 
2254  result = 1;
2255 end:
2256  if (alp_tctx != NULL)
2257  AppLayerParserThreadCtxFree(alp_tctx);
2258  if (det_ctx != NULL) {
2259  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2260  }
2261  if (de_ctx != NULL)
2262  DetectEngineCtxFree(de_ctx);
2263 
2264  StreamTcpFreeConfig(true);
2265  FLOW_DESTROY(&f);
2266  UTHFreePackets(&p, 1);
2267  StatsThreadCleanup(&th_v);
2268  return result;
2269 }
2270 
2271 /**
2272  *\test Test that the http_header content matches against a http request
2273  * which holds the content.
2274  */
2275 static int DetectEngineHttpHeaderTest12(void)
2276 {
2277  TcpSession ssn;
2278  Packet *p = NULL;
2279  ThreadVars th_v;
2280  DetectEngineCtx *de_ctx = NULL;
2281  DetectEngineThreadCtx *det_ctx = NULL;
2282  HtpState *http_state = NULL;
2283  Flow f;
2284  uint8_t http_buf[] =
2285  "GET /index.html HTTP/1.0\r\n"
2286  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2287  uint32_t http_len = sizeof(http_buf) - 1;
2288  int result = 0;
2289  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2290 
2291  memset(&th_v, 0, sizeof(th_v));
2292  memset(&f, 0, sizeof(f));
2293  memset(&ssn, 0, sizeof(ssn));
2294 
2295  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2296 
2297  FLOW_INITIALIZE(&f);
2298  f.protoctx = (void *)&ssn;
2299  f.proto = IPPROTO_TCP;
2300  f.flags |= FLOW_IPV4;
2301  p->flow = &f;
2302  p->flowflags |= FLOW_PKT_TOSERVER;
2303  p->flowflags |= FLOW_PKT_ESTABLISHED;
2304  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2305  f.alproto = ALPROTO_HTTP1;
2306 
2307  StreamTcpInitConfig(true);
2308 
2309  de_ctx = DetectEngineCtxInit();
2310  if (de_ctx == NULL)
2311  goto end;
2312 
2313  de_ctx->flags |= DE_QUIET;
2314 
2315  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2316  "(msg:\"http header test\"; "
2317  "content:\"one\"; http_header; content:!\"three\"; http_header; within:10; "
2318  "sid:1;)");
2319  if (de_ctx->sig_list == NULL)
2320  goto end;
2321 
2322  SigGroupBuild(de_ctx);
2323  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2324 
2325  int r = AppLayerParserParse(
2326  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2327  if (r != 0) {
2328  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2329  result = 0;
2330  goto end;
2331  }
2332 
2333  http_state = f.alstate;
2334  if (http_state == NULL) {
2335  printf("no http state: ");
2336  result = 0;
2337  goto end;
2338  }
2339 
2340  /* do detect */
2341  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2342 
2343  if (PacketAlertCheck(p, 1)) {
2344  printf("sid 1 matched but shouldn't have: ");
2345  goto end;
2346  }
2347 
2348  result = 1;
2349 end:
2350  if (alp_tctx != NULL)
2351  AppLayerParserThreadCtxFree(alp_tctx);
2352  if (det_ctx != NULL) {
2353  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2354  }
2355  if (de_ctx != NULL)
2356  DetectEngineCtxFree(de_ctx);
2357 
2358  StreamTcpFreeConfig(true);
2359  FLOW_DESTROY(&f);
2360  UTHFreePackets(&p, 1);
2361  StatsThreadCleanup(&th_v);
2362  return result;
2363 }
2364 
2365 /**
2366  *\test Test that the http_header content matches against a http request
2367  * which holds the content.
2368  */
2369 static int DetectEngineHttpHeaderTest13(void)
2370 {
2371  TcpSession ssn;
2372  Packet *p = NULL;
2373  ThreadVars th_v;
2374  DetectEngineCtx *de_ctx = NULL;
2375  DetectEngineThreadCtx *det_ctx = NULL;
2376  HtpState *http_state = NULL;
2377  Flow f;
2378  uint8_t http_buf[] =
2379  "GET /index.html HTTP/1.0\r\n"
2380  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2381  uint32_t http_len = sizeof(http_buf) - 1;
2382  int result = 0;
2383  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2384 
2385  memset(&th_v, 0, sizeof(th_v));
2386  memset(&f, 0, sizeof(f));
2387  memset(&ssn, 0, sizeof(ssn));
2388 
2389  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2390 
2391  FLOW_INITIALIZE(&f);
2392  f.protoctx = (void *)&ssn;
2393  f.proto = IPPROTO_TCP;
2394  f.flags |= FLOW_IPV4;
2395  p->flow = &f;
2396  p->flowflags |= FLOW_PKT_TOSERVER;
2397  p->flowflags |= FLOW_PKT_ESTABLISHED;
2398  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2399  f.alproto = ALPROTO_HTTP1;
2400 
2401  StreamTcpInitConfig(true);
2402 
2403  de_ctx = DetectEngineCtxInit();
2404  if (de_ctx == NULL)
2405  goto end;
2406 
2407  de_ctx->flags |= DE_QUIET;
2408 
2409  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2410  "(msg:\"http header test\"; "
2411  "content:\"one\"; http_header; content:\"three\"; http_header; within:5; "
2412  "sid:1;)");
2413  if (de_ctx->sig_list == NULL)
2414  goto end;
2415 
2416  SigGroupBuild(de_ctx);
2417  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2418 
2419  int r = AppLayerParserParse(
2420  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2421  if (r != 0) {
2422  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2423  result = 0;
2424  goto end;
2425  }
2426 
2427  http_state = f.alstate;
2428  if (http_state == NULL) {
2429  printf("no http state: ");
2430  result = 0;
2431  goto end;
2432  }
2433 
2434  /* do detect */
2435  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2436 
2437  if (PacketAlertCheck(p, 1)) {
2438  printf("sid 1 matched but shouldn't have: ");
2439  goto end;
2440  }
2441 
2442  result = 1;
2443 end:
2444  if (alp_tctx != NULL)
2445  AppLayerParserThreadCtxFree(alp_tctx);
2446  if (det_ctx != NULL) {
2447  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2448  }
2449  if (de_ctx != NULL)
2450  DetectEngineCtxFree(de_ctx);
2451 
2452  StreamTcpFreeConfig(true);
2453  FLOW_DESTROY(&f);
2454  UTHFreePackets(&p, 1);
2455  StatsThreadCleanup(&th_v);
2456  return result;
2457 }
2458 
2459 /**
2460  *\test Test that the http_header content matches against a http request
2461  * which holds the content.
2462  */
2463 static int DetectEngineHttpHeaderTest14(void)
2464 {
2465  TcpSession ssn;
2466  Packet *p = NULL;
2467  ThreadVars th_v;
2468  DetectEngineCtx *de_ctx = NULL;
2469  DetectEngineThreadCtx *det_ctx = NULL;
2470  HtpState *http_state = NULL;
2471  Flow f;
2472  uint8_t http_buf[] =
2473  "GET /index.html HTTP/1.0\r\n"
2474  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2475  uint32_t http_len = sizeof(http_buf) - 1;
2476  int result = 0;
2477  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2478 
2479  memset(&th_v, 0, sizeof(th_v));
2480  memset(&f, 0, sizeof(f));
2481  memset(&ssn, 0, sizeof(ssn));
2482 
2483  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2484 
2485  FLOW_INITIALIZE(&f);
2486  f.protoctx = (void *)&ssn;
2487  f.proto = IPPROTO_TCP;
2488  f.flags |= FLOW_IPV4;
2489  p->flow = &f;
2490  p->flowflags |= FLOW_PKT_TOSERVER;
2491  p->flowflags |= FLOW_PKT_ESTABLISHED;
2492  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2493  f.alproto = ALPROTO_HTTP1;
2494 
2495  StreamTcpInitConfig(true);
2496 
2497  de_ctx = DetectEngineCtxInit();
2498  if (de_ctx == NULL)
2499  goto end;
2500 
2501  de_ctx->flags |= DE_QUIET;
2502 
2503  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2504  "(msg:\"http header test\"; "
2505  "content:\"one\"; http_header; content:\"five\"; http_header; distance:7; "
2506  "sid:1;)");
2507  if (de_ctx->sig_list == NULL)
2508  goto end;
2509 
2510  SigGroupBuild(de_ctx);
2511  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2512 
2513  int r = AppLayerParserParse(
2514  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2515  if (r != 0) {
2516  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2517  result = 0;
2518  goto end;
2519  }
2520 
2521  http_state = f.alstate;
2522  if (http_state == NULL) {
2523  printf("no http state: ");
2524  result = 0;
2525  goto end;
2526  }
2527 
2528  /* do detect */
2529  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2530 
2531  if (!(PacketAlertCheck(p, 1))) {
2532  printf("sid 1 didn't match but should have: ");
2533  goto end;
2534  }
2535 
2536  result = 1;
2537 end:
2538  if (alp_tctx != NULL)
2539  AppLayerParserThreadCtxFree(alp_tctx);
2540  if (det_ctx != NULL) {
2541  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2542  }
2543  if (de_ctx != NULL)
2544  DetectEngineCtxFree(de_ctx);
2545 
2546  StreamTcpFreeConfig(true);
2547  FLOW_DESTROY(&f);
2548  UTHFreePackets(&p, 1);
2549  StatsThreadCleanup(&th_v);
2550  return result;
2551 }
2552 
2553 /**
2554  *\test Test that the http_header content matches against a http request
2555  * which holds the content.
2556  */
2557 static int DetectEngineHttpHeaderTest15(void)
2558 {
2559  TcpSession ssn;
2560  Packet *p = NULL;
2561  ThreadVars th_v;
2562  DetectEngineCtx *de_ctx = NULL;
2563  DetectEngineThreadCtx *det_ctx = NULL;
2564  HtpState *http_state = NULL;
2565  Flow f;
2566  uint8_t http_buf[] =
2567  "GET /index.html HTTP/1.0\r\n"
2568  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2569  uint32_t http_len = sizeof(http_buf) - 1;
2570  int result = 0;
2571  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2572 
2573  memset(&th_v, 0, sizeof(th_v));
2574  memset(&f, 0, sizeof(f));
2575  memset(&ssn, 0, sizeof(ssn));
2576 
2577  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2578 
2579  FLOW_INITIALIZE(&f);
2580  f.protoctx = (void *)&ssn;
2581  f.proto = IPPROTO_TCP;
2582  f.flags |= FLOW_IPV4;
2583  p->flow = &f;
2584  p->flowflags |= FLOW_PKT_TOSERVER;
2585  p->flowflags |= FLOW_PKT_ESTABLISHED;
2586  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2587  f.alproto = ALPROTO_HTTP1;
2588 
2589  StreamTcpInitConfig(true);
2590 
2591  de_ctx = DetectEngineCtxInit();
2592  if (de_ctx == NULL)
2593  goto end;
2594 
2595  de_ctx->flags |= DE_QUIET;
2596 
2597  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2598  "(msg:\"http header test\"; "
2599  "content:\"one\"; http_header; content:!\"five\"; http_header; distance:15; "
2600  "sid:1;)");
2601  if (de_ctx->sig_list == NULL)
2602  goto end;
2603 
2604  SigGroupBuild(de_ctx);
2605  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2606 
2607  int r = AppLayerParserParse(
2608  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2609  if (r != 0) {
2610  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2611  result = 0;
2612  goto end;
2613  }
2614 
2615  http_state = f.alstate;
2616  if (http_state == NULL) {
2617  printf("no http state: ");
2618  result = 0;
2619  goto end;
2620  }
2621 
2622  /* do detect */
2623  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2624 
2625  if (!(PacketAlertCheck(p, 1))) {
2626  printf("sid 1 didn't match but should have: ");
2627  goto end;
2628  }
2629 
2630  result = 1;
2631 end:
2632  if (alp_tctx != NULL)
2633  AppLayerParserThreadCtxFree(alp_tctx);
2634  if (det_ctx != NULL) {
2635  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2636  }
2637  if (de_ctx != NULL)
2638  DetectEngineCtxFree(de_ctx);
2639 
2640  StreamTcpFreeConfig(true);
2641  FLOW_DESTROY(&f);
2642  UTHFreePackets(&p, 1);
2643  StatsThreadCleanup(&th_v);
2644  return result;
2645 }
2646 
2647 /**
2648  *\test Test that the http_header content matches against a http request
2649  * which holds the content.
2650  */
2651 static int DetectEngineHttpHeaderTest16(void)
2652 {
2653  TcpSession ssn;
2654  Packet *p = NULL;
2655  ThreadVars th_v;
2656  DetectEngineCtx *de_ctx = NULL;
2657  DetectEngineThreadCtx *det_ctx = NULL;
2658  HtpState *http_state = NULL;
2659  Flow f;
2660  uint8_t http_buf[] =
2661  "GET /index.html HTTP/1.0\r\n"
2662  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2663  uint32_t http_len = sizeof(http_buf) - 1;
2664  int result = 0;
2665  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2666 
2667  memset(&th_v, 0, sizeof(th_v));
2668  memset(&f, 0, sizeof(f));
2669  memset(&ssn, 0, sizeof(ssn));
2670 
2671  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2672 
2673  FLOW_INITIALIZE(&f);
2674  f.protoctx = (void *)&ssn;
2675  f.proto = IPPROTO_TCP;
2676  f.flags |= FLOW_IPV4;
2677  p->flow = &f;
2678  p->flowflags |= FLOW_PKT_TOSERVER;
2679  p->flowflags |= FLOW_PKT_ESTABLISHED;
2680  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2681  f.alproto = ALPROTO_HTTP1;
2682 
2683  StreamTcpInitConfig(true);
2684 
2685  de_ctx = DetectEngineCtxInit();
2686  if (de_ctx == NULL)
2687  goto end;
2688 
2689  de_ctx->flags |= DE_QUIET;
2690 
2691  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2692  "(msg:\"http header test\"; "
2693  "content:\"one\"; http_header; content:!\"five\"; http_header; distance:7; "
2694  "sid:1;)");
2695  if (de_ctx->sig_list == NULL)
2696  goto end;
2697 
2698  SigGroupBuild(de_ctx);
2699  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2700 
2701  int r = AppLayerParserParse(
2702  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2703  if (r != 0) {
2704  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2705  result = 0;
2706  goto end;
2707  }
2708 
2709  http_state = f.alstate;
2710  if (http_state == NULL) {
2711  printf("no http state: ");
2712  result = 0;
2713  goto end;
2714  }
2715 
2716  /* do detect */
2717  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2718 
2719  if (PacketAlertCheck(p, 1)) {
2720  printf("sid 1 matched but shouldn't have: ");
2721  goto end;
2722  }
2723 
2724  result = 1;
2725 end:
2726  if (alp_tctx != NULL)
2727  AppLayerParserThreadCtxFree(alp_tctx);
2728  if (det_ctx != NULL) {
2729  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2730  }
2731  if (de_ctx != NULL)
2732  DetectEngineCtxFree(de_ctx);
2733 
2734  StreamTcpFreeConfig(true);
2735  FLOW_DESTROY(&f);
2736  UTHFreePackets(&p, 1);
2737  StatsThreadCleanup(&th_v);
2738  return result;
2739 }
2740 
2741 /**
2742  *\test Test that the http_header content matches against a http request
2743  * which holds the content.
2744  */
2745 static int DetectEngineHttpHeaderTest17(void)
2746 {
2747  TcpSession ssn;
2748  Packet *p = NULL;
2749  ThreadVars th_v;
2750  DetectEngineCtx *de_ctx = NULL;
2751  DetectEngineThreadCtx *det_ctx = NULL;
2752  HtpState *http_state = NULL;
2753  Flow f;
2754  uint8_t http_buf[] =
2755  "GET /index.html HTTP/1.0\r\n"
2756  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2757  uint32_t http_len = sizeof(http_buf) - 1;
2758  int result = 0;
2759  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2760 
2761  memset(&th_v, 0, sizeof(th_v));
2762  memset(&f, 0, sizeof(f));
2763  memset(&ssn, 0, sizeof(ssn));
2764 
2765  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2766 
2767  FLOW_INITIALIZE(&f);
2768  f.protoctx = (void *)&ssn;
2769  f.proto = IPPROTO_TCP;
2770  f.flags |= FLOW_IPV4;
2771  p->flow = &f;
2772  p->flowflags |= FLOW_PKT_TOSERVER;
2773  p->flowflags |= FLOW_PKT_ESTABLISHED;
2774  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2775  f.alproto = ALPROTO_HTTP1;
2776 
2777  StreamTcpInitConfig(true);
2778 
2779  de_ctx = DetectEngineCtxInit();
2780  if (de_ctx == NULL)
2781  goto end;
2782 
2783  de_ctx->flags |= DE_QUIET;
2784 
2785  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2786  "(msg:\"http header test\"; "
2787  "content:\"one\"; http_header; content:\"five\"; http_header; distance:15; "
2788  "sid:1;)");
2789  if (de_ctx->sig_list == NULL)
2790  goto end;
2791 
2792  SigGroupBuild(de_ctx);
2793  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2794 
2795  int r = AppLayerParserParse(
2796  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2797  if (r != 0) {
2798  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2799  result = 0;
2800  goto end;
2801  }
2802 
2803  http_state = f.alstate;
2804  if (http_state == NULL) {
2805  printf("no http state: ");
2806  result = 0;
2807  goto end;
2808  }
2809 
2810  /* do detect */
2811  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2812 
2813  if (PacketAlertCheck(p, 1)) {
2814  printf("sid 1 matched but shouldn't have: ");
2815  goto end;
2816  }
2817 
2818  result = 1;
2819 end:
2820  if (alp_tctx != NULL)
2821  AppLayerParserThreadCtxFree(alp_tctx);
2822  if (det_ctx != NULL) {
2823  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2824  }
2825  if (de_ctx != NULL)
2826  DetectEngineCtxFree(de_ctx);
2827 
2828  StreamTcpFreeConfig(true);
2829  FLOW_DESTROY(&f);
2830  UTHFreePackets(&p, 1);
2831  StatsThreadCleanup(&th_v);
2832  return result;
2833 }
2834 
2835 static int DetectEngineHttpHeaderTest20(void)
2836 {
2837  TcpSession ssn;
2838  Packet *p1 = NULL;
2839  Packet *p2 = NULL;
2840  ThreadVars th_v;
2841  DetectEngineCtx *de_ctx = NULL;
2842  DetectEngineThreadCtx *det_ctx = NULL;
2843  HtpState *http_state = NULL;
2844  Flow f;
2845  uint8_t http1_buf[] =
2846  "GET /index.html HTTP/1.0\r\n"
2847  "Host: This_is_dummy_body1";
2848  uint8_t http2_buf[] =
2849  "This_is_dummy_message_body2\r\n"
2850  "\r\n";
2851  uint32_t http1_len = sizeof(http1_buf) - 1;
2852  uint32_t http2_len = sizeof(http2_buf) - 1;
2853  int result = 0;
2854  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2855 
2856  memset(&th_v, 0, sizeof(th_v));
2857  memset(&f, 0, sizeof(f));
2858  memset(&ssn, 0, sizeof(ssn));
2859 
2860  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2861  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2862 
2863  FLOW_INITIALIZE(&f);
2864  f.protoctx = (void *)&ssn;
2865  f.proto = IPPROTO_TCP;
2866  f.flags |= FLOW_IPV4;
2867 
2868  p1->flow = &f;
2869  p1->flowflags |= FLOW_PKT_TOSERVER;
2870  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2871  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2872  p2->flow = &f;
2873  p2->flowflags |= FLOW_PKT_TOSERVER;
2874  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2875  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2876  f.alproto = ALPROTO_HTTP1;
2877 
2878  StreamTcpInitConfig(true);
2879 
2880  de_ctx = DetectEngineCtxInit();
2881  if (de_ctx == NULL)
2882  goto end;
2883 
2884  de_ctx->flags |= DE_QUIET;
2885 
2886  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2887  "(msg:\"http client body test\"; "
2888  "pcre:/body1/H; "
2889  "content:!\"dummy\"; http_header; within:7; "
2890  "sid:1;)");
2891  if (de_ctx->sig_list == NULL)
2892  goto end;
2893 
2894  SigGroupBuild(de_ctx);
2895  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2896 
2897  int r = AppLayerParserParse(
2898  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2899  if (r != 0) {
2900  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2901  result = 0;
2902  goto end;
2903  }
2904 
2905  http_state = f.alstate;
2906  if (http_state == NULL) {
2907  printf("no http state: \n");
2908  result = 0;
2909  goto end;
2910  }
2911 
2912  /* do detect */
2913  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2914 
2915  if (PacketAlertCheck(p1, 1)) {
2916  printf("sid 1 matched but shouldn't have\n");
2917  goto end;
2918  }
2919 
2920  r = AppLayerParserParse(
2921  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2922  if (r != 0) {
2923  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2924  result = 0;
2925  goto end;
2926  }
2927 
2928  /* do detect */
2929  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2930 
2931  if (!PacketAlertCheck(p2, 1)) {
2932  printf("sid 1 didn't match but shouldn't have");
2933  goto end;
2934  }
2935 
2936  result = 1;
2937 
2938 end:
2939  if (alp_tctx != NULL)
2940  AppLayerParserThreadCtxFree(alp_tctx);
2941  if (det_ctx != NULL) {
2942  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2943  }
2944  if (de_ctx != NULL)
2945  DetectEngineCtxFree(de_ctx);
2946 
2947  StreamTcpFreeConfig(true);
2948  FLOW_DESTROY(&f);
2949  UTHFreePackets(&p1, 1);
2950  UTHFreePackets(&p2, 1);
2951  StatsThreadCleanup(&th_v);
2952  return result;
2953 }
2954 
2955 static int DetectEngineHttpHeaderTest21(void)
2956 {
2957  TcpSession ssn;
2958  Packet *p1 = NULL;
2959  Packet *p2 = NULL;
2960  ThreadVars th_v;
2961  DetectEngineCtx *de_ctx = NULL;
2962  DetectEngineThreadCtx *det_ctx = NULL;
2963  HtpState *http_state = NULL;
2964  Flow f;
2965  uint8_t http1_buf[] =
2966  "GET /index.html HTTP/1.0\r\n"
2967  "Host: This_is_dummy_body1";
2968  uint8_t http2_buf[] =
2969  "This_is_dummy_message_body2\r\n"
2970  "\r\n";
2971  uint32_t http1_len = sizeof(http1_buf) - 1;
2972  uint32_t http2_len = sizeof(http2_buf) - 1;
2973  int result = 0;
2974  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2975 
2976  memset(&th_v, 0, sizeof(th_v));
2977  memset(&f, 0, sizeof(f));
2978  memset(&ssn, 0, sizeof(ssn));
2979 
2980  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2981  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2982 
2983  FLOW_INITIALIZE(&f);
2984  f.protoctx = (void *)&ssn;
2985  f.proto = IPPROTO_TCP;
2986  f.flags |= FLOW_IPV4;
2987 
2988  p1->flow = &f;
2989  p1->flowflags |= FLOW_PKT_TOSERVER;
2990  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2991  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2992  p2->flow = &f;
2993  p2->flowflags |= FLOW_PKT_TOSERVER;
2994  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2995  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2996  f.alproto = ALPROTO_HTTP1;
2997 
2998  StreamTcpInitConfig(true);
2999 
3000  de_ctx = DetectEngineCtxInit();
3001  if (de_ctx == NULL)
3002  goto end;
3003 
3004  de_ctx->flags |= DE_QUIET;
3005 
3006  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3007  "(msg:\"http client body test\"; "
3008  "pcre:/body1/H; "
3009  "content:!\"dummy\"; within:7; http_header; "
3010  "sid:1;)");
3011  if (de_ctx->sig_list == NULL)
3012  goto end;
3013 
3014  SigGroupBuild(de_ctx);
3015  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3016 
3017  int r = AppLayerParserParse(
3018  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3019  if (r != 0) {
3020  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3021  result = 0;
3022  goto end;
3023  }
3024 
3025  http_state = f.alstate;
3026  if (http_state == NULL) {
3027  printf("no http state: \n");
3028  result = 0;
3029  goto end;
3030  }
3031 
3032  /* do detect */
3033  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3034 
3035  if (PacketAlertCheck(p1, 1)) {
3036  printf("sid 1 matched but shouldn't have\n");
3037  goto end;
3038  }
3039 
3040  r = AppLayerParserParse(
3041  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3042  if (r != 0) {
3043  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3044  result = 0;
3045  goto end;
3046  }
3047 
3048  /* do detect */
3049  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3050 
3051  if (!PacketAlertCheck(p2, 1)) {
3052  printf("sid 1 didn't match but shouldn't have");
3053  goto end;
3054  }
3055 
3056  result = 1;
3057 
3058 end:
3059  if (alp_tctx != NULL)
3060  AppLayerParserThreadCtxFree(alp_tctx);
3061  if (det_ctx != NULL) {
3062  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3063  }
3064  if (de_ctx != NULL)
3065  DetectEngineCtxFree(de_ctx);
3066 
3067  StreamTcpFreeConfig(true);
3068  FLOW_DESTROY(&f);
3069  UTHFreePackets(&p1, 1);
3070  UTHFreePackets(&p2, 1);
3071  StatsThreadCleanup(&th_v);
3072  return result;
3073 }
3074 
3075 static int DetectEngineHttpHeaderTest22(void)
3076 {
3077  TcpSession ssn;
3078  Packet *p1 = NULL;
3079  Packet *p2 = NULL;
3080  ThreadVars th_v;
3081  DetectEngineCtx *de_ctx = NULL;
3082  DetectEngineThreadCtx *det_ctx = NULL;
3083  HtpState *http_state = NULL;
3084  Flow f;
3085  uint8_t http1_buf[] =
3086  "GET /index.html HTTP/1.0\r\n"
3087  "Host: This_is_dummy_body1";
3088  uint8_t http2_buf[] =
3089  "This_is_dummy_message_body2\r\n"
3090  "\r\n";
3091  uint32_t http1_len = sizeof(http1_buf) - 1;
3092  uint32_t http2_len = sizeof(http2_buf) - 1;
3093  int result = 0;
3094  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3095 
3096  memset(&th_v, 0, sizeof(th_v));
3097  memset(&f, 0, sizeof(f));
3098  memset(&ssn, 0, sizeof(ssn));
3099 
3100  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3101  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3102 
3103  FLOW_INITIALIZE(&f);
3104  f.protoctx = (void *)&ssn;
3105  f.proto = IPPROTO_TCP;
3106  f.flags |= FLOW_IPV4;
3107 
3108  p1->flow = &f;
3109  p1->flowflags |= FLOW_PKT_TOSERVER;
3110  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3111  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3112  p2->flow = &f;
3113  p2->flowflags |= FLOW_PKT_TOSERVER;
3114  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3115  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3116  f.alproto = ALPROTO_HTTP1;
3117 
3118  StreamTcpInitConfig(true);
3119 
3120  de_ctx = DetectEngineCtxInit();
3121  if (de_ctx == NULL)
3122  goto end;
3123 
3124  de_ctx->flags |= DE_QUIET;
3125 
3126  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3127  "(msg:\"http client body test\"; "
3128  "pcre:/body1/H; "
3129  "content:!\"dummy\"; distance:3; http_header; "
3130  "sid:1;)");
3131  if (de_ctx->sig_list == NULL)
3132  goto end;
3133 
3134  SigGroupBuild(de_ctx);
3135  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3136 
3137  int r = AppLayerParserParse(
3138  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3139  if (r != 0) {
3140  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3141  result = 0;
3142  goto end;
3143  }
3144 
3145  http_state = f.alstate;
3146  if (http_state == NULL) {
3147  printf("no http state: \n");
3148  result = 0;
3149  goto end;
3150  }
3151 
3152  /* do detect */
3153  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3154 
3155  if (PacketAlertCheck(p1, 1)) {
3156  printf("sid 1 matched but shouldn't have\n");
3157  goto end;
3158  }
3159 
3160  r = AppLayerParserParse(
3161  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3162  if (r != 0) {
3163  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3164  result = 0;
3165  goto end;
3166  }
3167 
3168  /* do detect */
3169  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3170 
3171  if (PacketAlertCheck(p2, 1)) {
3172  printf("sid 1 matched but shouldn't have");
3173  goto end;
3174  }
3175 
3176  result = 1;
3177 
3178 end:
3179  if (alp_tctx != NULL)
3180  AppLayerParserThreadCtxFree(alp_tctx);
3181  if (det_ctx != NULL) {
3182  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3183  }
3184  if (de_ctx != NULL)
3185  DetectEngineCtxFree(de_ctx);
3186 
3187  StreamTcpFreeConfig(true);
3188  FLOW_DESTROY(&f);
3189  UTHFreePackets(&p1, 1);
3190  UTHFreePackets(&p2, 1);
3191  StatsThreadCleanup(&th_v);
3192  return result;
3193 }
3194 
3195 static int DetectEngineHttpHeaderTest23(void)
3196 {
3197  TcpSession ssn;
3198  Packet *p1 = NULL;
3199  Packet *p2 = NULL;
3200  ThreadVars th_v;
3201  DetectEngineCtx *de_ctx = NULL;
3202  DetectEngineThreadCtx *det_ctx = NULL;
3203  HtpState *http_state = NULL;
3204  Flow f;
3205  uint8_t http1_buf[] =
3206  "GET /index.html HTTP/1.0\r\n"
3207  "Host: This_is_dummy_body1";
3208  uint8_t http2_buf[] =
3209  "This_is_dummy_message_body2\r\n"
3210  "\r\n";
3211  uint32_t http1_len = sizeof(http1_buf) - 1;
3212  uint32_t http2_len = sizeof(http2_buf) - 1;
3213  int result = 0;
3214  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3215 
3216  memset(&th_v, 0, sizeof(th_v));
3217  memset(&f, 0, sizeof(f));
3218  memset(&ssn, 0, sizeof(ssn));
3219 
3220  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3221  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3222 
3223  FLOW_INITIALIZE(&f);
3224  f.protoctx = (void *)&ssn;
3225  f.proto = IPPROTO_TCP;
3226  f.flags |= FLOW_IPV4;
3227 
3228  p1->flow = &f;
3229  p1->flowflags |= FLOW_PKT_TOSERVER;
3230  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3231  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3232  p2->flow = &f;
3233  p2->flowflags |= FLOW_PKT_TOSERVER;
3234  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3235  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3236  f.alproto = ALPROTO_HTTP1;
3237 
3238  StreamTcpInitConfig(true);
3239 
3240  de_ctx = DetectEngineCtxInit();
3241  if (de_ctx == NULL)
3242  goto end;
3243 
3244  de_ctx->flags |= DE_QUIET;
3245 
3246  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3247  "(msg:\"http client body test\"; "
3248  "pcre:/body1/H; "
3249  "content:!\"dummy\"; distance:13; http_header; "
3250  "sid:1;)");
3251  if (de_ctx->sig_list == NULL)
3252  goto end;
3253 
3254  SigGroupBuild(de_ctx);
3255  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3256 
3257  int r = AppLayerParserParse(
3258  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3259  if (r != 0) {
3260  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3261  result = 0;
3262  goto end;
3263  }
3264 
3265  http_state = f.alstate;
3266  if (http_state == NULL) {
3267  printf("no http state: \n");
3268  result = 0;
3269  goto end;
3270  }
3271 
3272  /* do detect */
3273  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3274 
3275  if (PacketAlertCheck(p1, 1)) {
3276  printf("sid 1 matched but shouldn't have\n");
3277  goto end;
3278  }
3279 
3280  r = AppLayerParserParse(
3281  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3282  if (r != 0) {
3283  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3284  result = 0;
3285  goto end;
3286  }
3287 
3288  /* do detect */
3289  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3290 
3291  if (!PacketAlertCheck(p2, 1)) {
3292  printf("sid 1 didn't match but should have");
3293  goto end;
3294  }
3295 
3296  result = 1;
3297 
3298 end:
3299  if (alp_tctx != NULL)
3300  AppLayerParserThreadCtxFree(alp_tctx);
3301  if (det_ctx != NULL) {
3302  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3303  }
3304  if (de_ctx != NULL)
3305  DetectEngineCtxFree(de_ctx);
3306 
3307  StreamTcpFreeConfig(true);
3308  FLOW_DESTROY(&f);
3309  UTHFreePackets(&p1, 1);
3310  UTHFreePackets(&p2, 1);
3311  StatsThreadCleanup(&th_v);
3312  return result;
3313 }
3314 
3315 static int DetectEngineHttpHeaderTest24(void)
3316 {
3317  TcpSession ssn;
3318  Packet *p1 = NULL;
3319  Packet *p2 = NULL;
3320  ThreadVars th_v;
3321  DetectEngineCtx *de_ctx = NULL;
3322  DetectEngineThreadCtx *det_ctx = NULL;
3323  HtpState *http_state = NULL;
3324  Flow f;
3325  uint8_t http1_buf[] =
3326  "GET /index.html HTTP/1.0\r\n"
3327  "Host: This_is_dummy_body1";
3328  uint8_t http2_buf[] =
3329  "This_is_dummy_message_body2\r\n"
3330  "\r\n";
3331  uint32_t http1_len = sizeof(http1_buf) - 1;
3332  uint32_t http2_len = sizeof(http2_buf) - 1;
3333  int result = 0;
3334  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3335 
3336  memset(&th_v, 0, sizeof(th_v));
3337  memset(&f, 0, sizeof(f));
3338  memset(&ssn, 0, sizeof(ssn));
3339 
3340  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3341  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3342 
3343  FLOW_INITIALIZE(&f);
3344  f.protoctx = (void *)&ssn;
3345  f.proto = IPPROTO_TCP;
3346  f.flags |= FLOW_IPV4;
3347 
3348  p1->flow = &f;
3349  p1->flowflags |= FLOW_PKT_TOSERVER;
3350  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3351  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3352  p2->flow = &f;
3353  p2->flowflags |= FLOW_PKT_TOSERVER;
3354  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3355  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3356  f.alproto = ALPROTO_HTTP1;
3357 
3358  StreamTcpInitConfig(true);
3359 
3360  de_ctx = DetectEngineCtxInit();
3361  if (de_ctx == NULL)
3362  goto end;
3363 
3364  de_ctx->flags |= DE_QUIET;
3365 
3366  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3367  "(msg:\"http client body test\"; "
3368  "pcre:/body1/H; "
3369  "content:\"dummy\"; within:15; http_header; "
3370  "sid:1;)");
3371  if (de_ctx->sig_list == NULL)
3372  goto end;
3373 
3374  SigGroupBuild(de_ctx);
3375  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3376 
3377  int r = AppLayerParserParse(
3378  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3379  if (r != 0) {
3380  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3381  result = 0;
3382  goto end;
3383  }
3384 
3385  http_state = f.alstate;
3386  if (http_state == NULL) {
3387  printf("no http state: \n");
3388  result = 0;
3389  goto end;
3390  }
3391 
3392  /* do detect */
3393  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3394 
3395  if (PacketAlertCheck(p1, 1)) {
3396  printf("sid 1 matched but shouldn't have\n");
3397  goto end;
3398  }
3399 
3400  r = AppLayerParserParse(
3401  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3402  if (r != 0) {
3403  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3404  result = 0;
3405  goto end;
3406  }
3407 
3408  /* do detect */
3409  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3410 
3411  if (!PacketAlertCheck(p2, 1)) {
3412  printf("sid 1 didn't match but should have");
3413  goto end;
3414  }
3415 
3416  result = 1;
3417 
3418 end:
3419  if (alp_tctx != NULL)
3420  AppLayerParserThreadCtxFree(alp_tctx);
3421  if (det_ctx != NULL) {
3422  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3423  }
3424  if (de_ctx != NULL)
3425  DetectEngineCtxFree(de_ctx);
3426 
3427  StreamTcpFreeConfig(true);
3428  FLOW_DESTROY(&f);
3429  UTHFreePackets(&p1, 1);
3430  UTHFreePackets(&p2, 1);
3431  StatsThreadCleanup(&th_v);
3432  return result;
3433 }
3434 
3435 static int DetectEngineHttpHeaderTest25(void)
3436 {
3437  TcpSession ssn;
3438  Packet *p1 = NULL;
3439  Packet *p2 = NULL;
3440  ThreadVars th_v;
3441  DetectEngineCtx *de_ctx = NULL;
3442  DetectEngineThreadCtx *det_ctx = NULL;
3443  HtpState *http_state = NULL;
3444  Flow f;
3445  uint8_t http1_buf[] =
3446  "GET /index.html HTTP/1.0\r\n"
3447  "Host: This_is_dummy_body1";
3448  uint8_t http2_buf[] =
3449  "This_is_dummy_message_body2\r\n"
3450  "\r\n";
3451  uint32_t http1_len = sizeof(http1_buf) - 1;
3452  uint32_t http2_len = sizeof(http2_buf) - 1;
3453  int result = 0;
3454  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3455 
3456  memset(&th_v, 0, sizeof(th_v));
3457  memset(&f, 0, sizeof(f));
3458  memset(&ssn, 0, sizeof(ssn));
3459 
3460  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3461  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3462 
3463  FLOW_INITIALIZE(&f);
3464  f.protoctx = (void *)&ssn;
3465  f.proto = IPPROTO_TCP;
3466  f.flags |= FLOW_IPV4;
3467 
3468  p1->flow = &f;
3469  p1->flowflags |= FLOW_PKT_TOSERVER;
3470  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3471  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3472  p2->flow = &f;
3473  p2->flowflags |= FLOW_PKT_TOSERVER;
3474  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3475  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3476  f.alproto = ALPROTO_HTTP1;
3477 
3478  StreamTcpInitConfig(true);
3479 
3480  de_ctx = DetectEngineCtxInit();
3481  if (de_ctx == NULL)
3482  goto end;
3483 
3484  de_ctx->flags |= DE_QUIET;
3485 
3486  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3487  "(msg:\"http client body test\"; "
3488  "pcre:/body1/H; "
3489  "content:\"dummy\"; within:10; http_header; "
3490  "sid:1;)");
3491  if (de_ctx->sig_list == NULL)
3492  goto end;
3493 
3494  SigGroupBuild(de_ctx);
3495  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3496 
3497  int r = AppLayerParserParse(
3498  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3499  if (r != 0) {
3500  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3501  result = 0;
3502  goto end;
3503  }
3504 
3505  http_state = f.alstate;
3506  if (http_state == NULL) {
3507  printf("no http state: \n");
3508  result = 0;
3509  goto end;
3510  }
3511 
3512  /* do detect */
3513  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3514 
3515  if (PacketAlertCheck(p1, 1)) {
3516  printf("sid 1 matched but shouldn't have\n");
3517  goto end;
3518  }
3519 
3520  r = AppLayerParserParse(
3521  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3522  if (r != 0) {
3523  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3524  result = 0;
3525  goto end;
3526  }
3527 
3528  /* do detect */
3529  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3530 
3531  if (PacketAlertCheck(p2, 1)) {
3532  printf("sid 1 matched but shouldn't have");
3533  goto end;
3534  }
3535 
3536  result = 1;
3537 
3538 end:
3539  if (alp_tctx != NULL)
3540  AppLayerParserThreadCtxFree(alp_tctx);
3541  if (det_ctx != NULL) {
3542  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3543  }
3544  if (de_ctx != NULL)
3545  DetectEngineCtxFree(de_ctx);
3546 
3547  StreamTcpFreeConfig(true);
3548  FLOW_DESTROY(&f);
3549  UTHFreePackets(&p1, 1);
3550  UTHFreePackets(&p2, 1);
3551  StatsThreadCleanup(&th_v);
3552  return result;
3553 }
3554 
3555 static int DetectEngineHttpHeaderTest26(void)
3556 {
3557  TcpSession ssn;
3558  Packet *p1 = NULL;
3559  Packet *p2 = NULL;
3560  ThreadVars th_v;
3561  DetectEngineCtx *de_ctx = NULL;
3562  DetectEngineThreadCtx *det_ctx = NULL;
3563  HtpState *http_state = NULL;
3564  Flow f;
3565  uint8_t http1_buf[] =
3566  "GET /index.html HTTP/1.0\r\n"
3567  "Host: This_is_dummy_body1";
3568  uint8_t http2_buf[] =
3569  "This_is_dummy_message_body2\r\n"
3570  "\r\n";
3571  uint32_t http1_len = sizeof(http1_buf) - 1;
3572  uint32_t http2_len = sizeof(http2_buf) - 1;
3573  int result = 0;
3574  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3575 
3576  memset(&th_v, 0, sizeof(th_v));
3577  memset(&f, 0, sizeof(f));
3578  memset(&ssn, 0, sizeof(ssn));
3579 
3580  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3581  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3582 
3583  FLOW_INITIALIZE(&f);
3584  f.protoctx = (void *)&ssn;
3585  f.proto = IPPROTO_TCP;
3586  f.flags |= FLOW_IPV4;
3587 
3588  p1->flow = &f;
3589  p1->flowflags |= FLOW_PKT_TOSERVER;
3590  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3591  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3592  p2->flow = &f;
3593  p2->flowflags |= FLOW_PKT_TOSERVER;
3594  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3595  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3596  f.alproto = ALPROTO_HTTP1;
3597 
3598  StreamTcpInitConfig(true);
3599 
3600  de_ctx = DetectEngineCtxInit();
3601  if (de_ctx == NULL)
3602  goto end;
3603 
3604  de_ctx->flags |= DE_QUIET;
3605 
3606  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3607  "(msg:\"http client body test\"; "
3608  "pcre:/body1/H; "
3609  "content:\"dummy\"; distance:8; http_header; "
3610  "sid:1;)");
3611  if (de_ctx->sig_list == NULL)
3612  goto end;
3613 
3614  SigGroupBuild(de_ctx);
3615  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3616 
3617  int r = AppLayerParserParse(
3618  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3619  if (r != 0) {
3620  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3621  result = 0;
3622  goto end;
3623  }
3624 
3625  http_state = f.alstate;
3626  if (http_state == NULL) {
3627  printf("no http state: \n");
3628  result = 0;
3629  goto end;
3630  }
3631 
3632  /* do detect */
3633  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3634 
3635  if (PacketAlertCheck(p1, 1)) {
3636  printf("sid 1 matched but shouldn't have\n");
3637  goto end;
3638  }
3639 
3640  r = AppLayerParserParse(
3641  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3642  if (r != 0) {
3643  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3644  result = 0;
3645  goto end;
3646  }
3647 
3648  /* do detect */
3649  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3650 
3651  if (!PacketAlertCheck(p2, 1)) {
3652  printf("sid 1 didn't match but should have");
3653  goto end;
3654  }
3655 
3656  result = 1;
3657 
3658 end:
3659  if (alp_tctx != NULL)
3660  AppLayerParserThreadCtxFree(alp_tctx);
3661  if (det_ctx != NULL) {
3662  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3663  }
3664  if (de_ctx != NULL)
3665  DetectEngineCtxFree(de_ctx);
3666 
3667  StreamTcpFreeConfig(true);
3668  FLOW_DESTROY(&f);
3669  UTHFreePackets(&p1, 1);
3670  UTHFreePackets(&p2, 1);
3671  StatsThreadCleanup(&th_v);
3672  return result;
3673 }
3674 
3675 static int DetectEngineHttpHeaderTest27(void)
3676 {
3677  TcpSession ssn;
3678  Packet *p1 = NULL;
3679  Packet *p2 = NULL;
3680  ThreadVars th_v;
3681  DetectEngineCtx *de_ctx = NULL;
3682  DetectEngineThreadCtx *det_ctx = NULL;
3683  HtpState *http_state = NULL;
3684  Flow f;
3685  uint8_t http1_buf[] =
3686  "GET /index.html HTTP/1.0\r\n"
3687  "Host: This_is_dummy_body1";
3688  uint8_t http2_buf[] =
3689  "This_is_dummy_message_body2\r\n"
3690  "\r\n";
3691  uint32_t http1_len = sizeof(http1_buf) - 1;
3692  uint32_t http2_len = sizeof(http2_buf) - 1;
3693  int result = 0;
3694  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3695 
3696  memset(&th_v, 0, sizeof(th_v));
3697  memset(&f, 0, sizeof(f));
3698  memset(&ssn, 0, sizeof(ssn));
3699 
3700  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3701  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3702 
3703  FLOW_INITIALIZE(&f);
3704  f.protoctx = (void *)&ssn;
3705  f.proto = IPPROTO_TCP;
3706  f.flags |= FLOW_IPV4;
3707 
3708  p1->flow = &f;
3709  p1->flowflags |= FLOW_PKT_TOSERVER;
3710  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3711  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3712  p2->flow = &f;
3713  p2->flowflags |= FLOW_PKT_TOSERVER;
3714  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3715  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3716  f.alproto = ALPROTO_HTTP1;
3717 
3718  StreamTcpInitConfig(true);
3719 
3720  de_ctx = DetectEngineCtxInit();
3721  if (de_ctx == NULL)
3722  goto end;
3723 
3724  de_ctx->flags |= DE_QUIET;
3725 
3726  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3727  "(msg:\"http client body test\"; "
3728  "pcre:/body1/H; "
3729  "content:\"dummy\"; distance:14; http_header; "
3730  "sid:1;)");
3731  if (de_ctx->sig_list == NULL)
3732  goto end;
3733 
3734  SigGroupBuild(de_ctx);
3735  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3736 
3737  int r = AppLayerParserParse(
3738  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3739  if (r != 0) {
3740  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3741  result = 0;
3742  goto end;
3743  }
3744 
3745  http_state = f.alstate;
3746  if (http_state == NULL) {
3747  printf("no http state: \n");
3748  result = 0;
3749  goto end;
3750  }
3751 
3752  /* do detect */
3753  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3754 
3755  if (PacketAlertCheck(p1, 1)) {
3756  printf("sid 1 matched but shouldn't have\n");
3757  goto end;
3758  }
3759 
3760  r = AppLayerParserParse(
3761  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3762  if (r != 0) {
3763  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3764  result = 0;
3765  goto end;
3766  }
3767 
3768  /* do detect */
3769  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3770 
3771  if (PacketAlertCheck(p2, 1)) {
3772  printf("sid 1 matched but shouldn't have");
3773  goto end;
3774  }
3775 
3776  result = 1;
3777 
3778 end:
3779  if (alp_tctx != NULL)
3780  AppLayerParserThreadCtxFree(alp_tctx);
3781  if (det_ctx != NULL) {
3782  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3783  }
3784  if (de_ctx != NULL)
3785  DetectEngineCtxFree(de_ctx);
3786 
3787  StreamTcpFreeConfig(true);
3788  FLOW_DESTROY(&f);
3789  UTHFreePackets(&p1, 1);
3790  UTHFreePackets(&p2, 1);
3791  StatsThreadCleanup(&th_v);
3792  return result;
3793 }
3794 
3795 static int DetectEngineHttpHeaderTest28(void)
3796 {
3797  TcpSession ssn;
3798  Packet *p1 = NULL;
3799  Packet *p2 = NULL;
3800  ThreadVars th_v;
3801  DetectEngineCtx *de_ctx = NULL;
3802  DetectEngineThreadCtx *det_ctx = NULL;
3803  HtpState *http_state = NULL;
3804  Flow f;
3805  uint8_t http_buf1[] =
3806  "GET /index.html HTTP/1.0\r\n"
3807  "Host: www.openinfosecfoundation.org\r\n"
3808  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3809  "\r\n";
3810  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
3811  uint8_t http_buf2[] =
3812  "HTTP/1.0 200 ok\r\n"
3813  "Content-Type: text/html\r\n"
3814  "Content-Length: 6\r\n"
3815  "\r\n"
3816  "abcdef";
3817  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
3818  int result = 0;
3819  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3820 
3821  memset(&th_v, 0, sizeof(th_v));
3822  memset(&f, 0, sizeof(f));
3823  memset(&ssn, 0, sizeof(ssn));
3824 
3825  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3826  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3827 
3828  FLOW_INITIALIZE(&f);
3829  f.protoctx = (void *)&ssn;
3830  f.proto = IPPROTO_TCP;
3831  f.flags |= FLOW_IPV4;
3832 
3833  p1->flow = &f;
3834  p1->flowflags |= FLOW_PKT_TOSERVER;
3835  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3836  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3837  p2->flow = &f;
3838  p2->flowflags |= FLOW_PKT_TOCLIENT;
3839  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3840  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3841  f.alproto = ALPROTO_HTTP1;
3842 
3843  StreamTcpInitConfig(true);
3844 
3845  de_ctx = DetectEngineCtxInit();
3846  if (de_ctx == NULL)
3847  goto end;
3848 
3849  de_ctx->flags |= DE_QUIET;
3850 
3851  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3852  "(msg:\"http header test\"; "
3853  "content:\"Content-Length: 6\"; http_header; "
3854  "sid:1;)");
3855  if (de_ctx->sig_list == NULL)
3856  goto end;
3857 
3858  SigGroupBuild(de_ctx);
3859  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3860 
3861  int r = AppLayerParserParse(
3862  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
3863  if (r != 0) {
3864  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3865  result = 0;
3866  goto end;
3867  }
3868 
3869  http_state = f.alstate;
3870  if (http_state == NULL) {
3871  printf("no http state: \n");
3872  result = 0;
3873  goto end;
3874  }
3875 
3876  /* do detect */
3877  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3878 
3879  if (PacketAlertCheck(p1, 1)) {
3880  printf("sid 1 matched but shouldn't have\n");
3881  goto end;
3882  }
3883 
3884  r = AppLayerParserParse(
3885  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
3886  if (r != 0) {
3887  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3888  result = 0;
3889  goto end;
3890  }
3891 
3892  /* do detect */
3893  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3894 
3895  FAIL_IF(!PacketAlertCheck(p2, 1));
3896 
3897  result = 1;
3898 
3899 end:
3900  if (alp_tctx != NULL)
3901  AppLayerParserThreadCtxFree(alp_tctx);
3902  if (det_ctx != NULL) {
3903  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3904  }
3905  if (de_ctx != NULL)
3906  DetectEngineCtxFree(de_ctx);
3907 
3908  StreamTcpFreeConfig(true);
3909  FLOW_DESTROY(&f);
3910  UTHFreePackets(&p1, 1);
3911  UTHFreePackets(&p2, 1);
3912  StatsThreadCleanup(&th_v);
3913  return result;
3914 }
3915 
3916 static int DetectEngineHttpHeaderTest29(void)
3917 {
3918  TcpSession ssn;
3919  Packet *p1 = NULL;
3920  Packet *p2 = NULL;
3921  ThreadVars th_v;
3922  DetectEngineCtx *de_ctx = NULL;
3923  DetectEngineThreadCtx *det_ctx = NULL;
3924  HtpState *http_state = NULL;
3925  Flow f;
3926  uint8_t http_buf1[] =
3927  "GET /index.html HTTP/1.0\r\n"
3928  "Host: www.openinfosecfoundation.org\r\n"
3929  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3930  "\r\n";
3931  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
3932  uint8_t http_buf2[] =
3933  "HTTP/1.0 200 ok\r\n"
3934  "Content-Type: text/html\r\n"
3935  "Content-Length: 6\r\n"
3936  "\r\n"
3937  "abcdef";
3938  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
3939  int result = 0;
3940  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3941 
3942  memset(&th_v, 0, sizeof(th_v));
3943  memset(&f, 0, sizeof(f));
3944  memset(&ssn, 0, sizeof(ssn));
3945 
3946  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3947  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3948 
3949  FLOW_INITIALIZE(&f);
3950  f.protoctx = (void *)&ssn;
3951  f.proto = IPPROTO_TCP;
3952  f.flags |= FLOW_IPV4;
3953 
3954  p1->flow = &f;
3955  p1->flowflags |= FLOW_PKT_TOSERVER;
3956  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3957  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3958  p2->flow = &f;
3959  p2->flowflags |= FLOW_PKT_TOCLIENT;
3960  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3961  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3962  f.alproto = ALPROTO_HTTP1;
3963 
3964  StreamTcpInitConfig(true);
3965 
3966  de_ctx = DetectEngineCtxInit();
3967  if (de_ctx == NULL)
3968  goto end;
3969 
3970  de_ctx->flags |= DE_QUIET;
3971 
3972  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3973  "(msg:\"http header test\"; "
3974  "content:\"Content-Length: 7\"; http_header; "
3975  "sid:1;)");
3976  if (de_ctx->sig_list == NULL)
3977  goto end;
3978 
3979  SigGroupBuild(de_ctx);
3980  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3981 
3982  int r = AppLayerParserParse(
3983  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
3984  if (r != 0) {
3985  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3986  result = 0;
3987  goto end;
3988  }
3989 
3990  http_state = f.alstate;
3991  if (http_state == NULL) {
3992  printf("no http state: \n");
3993  result = 0;
3994  goto end;
3995  }
3996 
3997  /* do detect */
3998  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3999 
4000  if (PacketAlertCheck(p1, 1)) {
4001  printf("sid 1 matched but shouldn't have\n");
4002  goto end;
4003  }
4004 
4005  r = AppLayerParserParse(
4006  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
4007  if (r != 0) {
4008  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4009  result = 0;
4010  goto end;
4011  }
4012 
4013  /* do detect */
4014  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4015 
4016  if (PacketAlertCheck(p2, 1)) {
4017  printf("sid 1 matched but shouldn't have");
4018  goto end;
4019  }
4020 
4021  result = 1;
4022 
4023 end:
4024  if (alp_tctx != NULL)
4025  AppLayerParserThreadCtxFree(alp_tctx);
4026  if (det_ctx != NULL) {
4027  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4028  }
4029  if (de_ctx != NULL)
4030  DetectEngineCtxFree(de_ctx);
4031 
4032  StreamTcpFreeConfig(true);
4033  FLOW_DESTROY(&f);
4034  UTHFreePackets(&p1, 1);
4035  UTHFreePackets(&p2, 1);
4036  StatsThreadCleanup(&th_v);
4037  return result;
4038 }
4039 
4040 #if 0
4041 
4042 static int DetectEngineHttpHeaderTest30(void)
4043 {
4044  int result = 0;
4045  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4046 
4047  if (de_ctx == NULL) {
4048  goto end;
4049  }
4050 
4051  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4052  "(msg:\"http header test\"; "
4053  "content:\"Content-Length: 6\"; http_header; "
4054  "content:\"User-Agent: Mozilla\"; http_header; "
4055  "sid:1;)");
4056  if (de_ctx->sig_list != NULL) {
4057  goto end;
4058  }
4059 
4060  result = 1;
4061 
4062  end:
4063  if (de_ctx != NULL)
4064  DetectEngineCtxFree(de_ctx);
4065  return result;
4066 }
4067 
4068 #endif /* #if 0 */
4069 
4070 static int DetectEngineHttpHeaderTest30(void)
4071 {
4072  TcpSession ssn;
4073  Packet *p1 = NULL;
4074  Packet *p2 = NULL;
4075  ThreadVars th_v;
4076  DetectEngineCtx *de_ctx = NULL;
4077  DetectEngineThreadCtx *det_ctx = NULL;
4078  HtpState *http_state = NULL;
4079  Flow f;
4080  uint8_t http_buf1[] =
4081  "GET /index.html HTTP/1.0\r\n"
4082  "Host: www.openinfosecfoundation.org\r\n"
4083  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4084  "\r\n";
4085  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4086  uint8_t http_buf2[] =
4087  "HTTP/1.0 200 ok\r\n"
4088  "Set-Cookie: dummycookieset\r\n"
4089  "Content-Type: text/html\r\n"
4090  "Content-Length: 6\r\n"
4091  "\r\n"
4092  "abcdef";
4093  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
4094  int result = 0;
4095  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4096 
4097  memset(&th_v, 0, sizeof(th_v));
4098  memset(&f, 0, sizeof(f));
4099  memset(&ssn, 0, sizeof(ssn));
4100 
4101  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4102  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4103 
4104  FLOW_INITIALIZE(&f);
4105  f.protoctx = (void *)&ssn;
4106  f.proto = IPPROTO_TCP;
4107  f.flags |= FLOW_IPV4;
4108 
4109  p1->flow = &f;
4110  p1->flowflags |= FLOW_PKT_TOSERVER;
4111  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4112  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4113  p2->flow = &f;
4114  p2->flowflags |= FLOW_PKT_TOCLIENT;
4115  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4116  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4117  f.alproto = ALPROTO_HTTP1;
4118 
4119  StreamTcpInitConfig(true);
4120 
4121  de_ctx = DetectEngineCtxInit();
4122  if (de_ctx == NULL)
4123  goto end;
4124 
4125  de_ctx->flags |= DE_QUIET;
4126 
4127  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4128  "(msg:\"http header test\"; "
4129  "content:\"dummycookieset\"; http_header; "
4130  "sid:1;)");
4131  if (de_ctx->sig_list == NULL)
4132  goto end;
4133 
4134  SigGroupBuild(de_ctx);
4135  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4136 
4137  int r = AppLayerParserParse(
4138  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4139  if (r != 0) {
4140  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4141  result = 0;
4142  goto end;
4143  }
4144 
4145  http_state = f.alstate;
4146  if (http_state == NULL) {
4147  printf("no http state: \n");
4148  result = 0;
4149  goto end;
4150  }
4151 
4152  /* do detect */
4153  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4154 
4155  if (PacketAlertCheck(p1, 1)) {
4156  printf("sid 1 matched but shouldn't have\n");
4157  goto end;
4158  }
4159 
4160  r = AppLayerParserParse(
4161  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
4162  if (r != 0) {
4163  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4164  result = 0;
4165  goto end;
4166  }
4167 
4168  /* do detect */
4169  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4170 
4171  if (PacketAlertCheck(p2, 1)) {
4172  printf("sid 1 matched but shouldn't have\n");
4173  goto end;
4174  }
4175 
4176  result = 1;
4177 
4178 end:
4179  if (alp_tctx != NULL)
4180  AppLayerParserThreadCtxFree(alp_tctx);
4181  if (det_ctx != NULL) {
4182  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4183  }
4184  if (de_ctx != NULL)
4185  DetectEngineCtxFree(de_ctx);
4186 
4187  StreamTcpFreeConfig(true);
4188  FLOW_DESTROY(&f);
4189  UTHFreePackets(&p1, 1);
4190  UTHFreePackets(&p2, 1);
4191  StatsThreadCleanup(&th_v);
4192  return result;
4193 }
4194 
4195 /** \test reassembly bug where headers with names of length 6 were
4196  * skipped
4197  */
4198 static int DetectEngineHttpHeaderTest31(void)
4199 {
4200  TcpSession ssn;
4201  Packet *p1 = NULL;
4202  ThreadVars th_v;
4203  DetectEngineCtx *de_ctx = NULL;
4204  DetectEngineThreadCtx *det_ctx = NULL;
4205  HtpState *http_state = NULL;
4206  Flow f;
4207  uint8_t http1_buf[] =
4208  "GET /index.html HTTP/1.0\r\n"
4209  "Accept: blah\r\n"
4210  "Cookie: blah\r\n"
4211  "Crazy6: blah\r\n"
4212  "SixZix: blah\r\n\r\n";
4213  uint32_t http1_len = sizeof(http1_buf) - 1;
4214  int result = 0;
4215  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4216 
4217  memset(&th_v, 0, sizeof(th_v));
4218  memset(&f, 0, sizeof(f));
4219  memset(&ssn, 0, sizeof(ssn));
4220 
4221  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4222 
4223  FLOW_INITIALIZE(&f);
4224  f.protoctx = (void *)&ssn;
4225  f.proto = IPPROTO_TCP;
4226  f.flags |= FLOW_IPV4;
4227 
4228  p1->flow = &f;
4229  p1->flowflags |= FLOW_PKT_TOSERVER;
4230  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4231  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4232  f.alproto = ALPROTO_HTTP1;
4233 
4234  StreamTcpInitConfig(true);
4235 
4236  de_ctx = DetectEngineCtxInit();
4237  if (de_ctx == NULL)
4238  goto end;
4239 
4240  de_ctx->flags |= DE_QUIET;
4241 
4242  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4243  "(content:\"Accept|3a|\"; http_header; "
4244  "content:!\"Cookie|3a|\"; http_header; "
4245  "content:\"Crazy6|3a|\"; http_header; "
4246  "content:\"SixZix|3a|\"; http_header; "
4247  "sid:1;)");
4248  if (de_ctx->sig_list == NULL)
4249  goto end;
4250 
4251  SigGroupBuild(de_ctx);
4252  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4253 
4254  int r = AppLayerParserParse(
4255  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4256  if (r != 0) {
4257  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4258  result = 0;
4259  goto end;
4260  }
4261 
4262  http_state = f.alstate;
4263  if (http_state == NULL) {
4264  printf("no http state: \n");
4265  result = 0;
4266  goto end;
4267  }
4268 
4269  /* do detect */
4270  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4271 
4272  if (!(PacketAlertCheck(p1, 1))) {
4273  printf("sid 1 didn't match but should have: ");
4274  goto end;
4275  }
4276 
4277  result = 1;
4278 
4279 end:
4280  if (alp_tctx != NULL)
4281  AppLayerParserThreadCtxFree(alp_tctx);
4282  if (det_ctx != NULL) {
4283  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4284  }
4285  if (de_ctx != NULL)
4286  DetectEngineCtxFree(de_ctx);
4287 
4288  StreamTcpFreeConfig(true);
4289  FLOW_DESTROY(&f);
4290  UTHFreePackets(&p1, 1);
4291  StatsThreadCleanup(&th_v);
4292  return result;
4293 }
4294 
4295 /**
4296  * \test Trailing headers.
4297  */
4298 static int DetectEngineHttpHeaderTest32(void)
4299 {
4300  TcpSession ssn;
4301  Packet *p1 = NULL;
4302  ThreadVars th_v;
4303  DetectEngineCtx *de_ctx = NULL;
4304  DetectEngineThreadCtx *det_ctx = NULL;
4305  HtpState *http_state = NULL;
4306  Flow f;
4307  uint8_t http1_buf[] =
4308  "GET /index.html HTTP/1.0\r\n"
4309  "host: boom\r\n"
4310  "Transfer-Encoding: chunked\r\n"
4311  "\r\n"
4312  "13\r\n"
4313  "This is dummy body1\r\n"
4314  "0\r\n"
4315  "Dummy-Header: kaboom\r\n"
4316  "\r\n";
4317  uint32_t http1_len = sizeof(http1_buf) - 1;
4318  int result = 0;
4319  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4320 
4321  memset(&th_v, 0, sizeof(th_v));
4322  memset(&f, 0, sizeof(f));
4323  memset(&ssn, 0, sizeof(ssn));
4324 
4325  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4326 
4327  FLOW_INITIALIZE(&f);
4328  f.protoctx = (void *)&ssn;
4329  f.proto = IPPROTO_TCP;
4330  f.flags |= FLOW_IPV4;
4331 
4332  p1->flow = &f;
4333  p1->flowflags |= FLOW_PKT_TOSERVER;
4334  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4335  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4336  f.alproto = ALPROTO_HTTP1;
4337 
4338  StreamTcpInitConfig(true);
4339 
4340  de_ctx = DetectEngineCtxInit();
4341  if (de_ctx == NULL)
4342  goto end;
4343 
4344  de_ctx->flags |= DE_QUIET;
4345 
4346  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4347  "(content:\"Dummy\"; http_header; "
4348  "sid:1;)");
4349  if (de_ctx->sig_list == NULL)
4350  goto end;
4351 
4352  SigGroupBuild(de_ctx);
4353  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4354 
4355  int r = AppLayerParserParse(
4356  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4357  if (r != 0) {
4358  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4359  result = 0;
4360  goto end;
4361  }
4362 
4363  http_state = f.alstate;
4364  if (http_state == NULL) {
4365  printf("no http state: \n");
4366  result = 0;
4367  goto end;
4368  }
4369 
4370  /* do detect */
4371  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4372 
4373  if (!(PacketAlertCheck(p1, 1))) {
4374  printf("sid 1 didn't match but should have: ");
4375  goto end;
4376  }
4377 
4378  result = 1;
4379 
4380 end:
4381  if (alp_tctx != NULL)
4382  AppLayerParserThreadCtxFree(alp_tctx);
4383  if (det_ctx != NULL) {
4384  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4385  }
4386  if (de_ctx != NULL)
4387  DetectEngineCtxFree(de_ctx);
4388 
4389  StreamTcpFreeConfig(true);
4390  FLOW_DESTROY(&f);
4391  UTHFreePackets(&p1, 1);
4392  StatsThreadCleanup(&th_v);
4393  return result;
4394 }
4395 
4396 /**
4397  * \test Trailing headers.
4398  */
4399 static int DetectEngineHttpHeaderTest33(void)
4400 {
4401  TcpSession ssn;
4402  Packet *p1 = NULL;
4403  Packet *p2 = NULL;
4404  ThreadVars th_v;
4405  DetectEngineCtx *de_ctx = NULL;
4406  DetectEngineThreadCtx *det_ctx = NULL;
4407  HtpState *http_state = NULL;
4408  Flow f;
4409  uint8_t http1_buf[] =
4410  "GET /index.html HTTP/1.0\r\n"
4411  "host: boom\r\n"
4412  "Transfer-Encoding: chunked\r\n"
4413  "\r\n"
4414  "13\r\n"
4415  "This is dummy body1\r\n"
4416  "0\r\n";
4417  uint8_t http2_buf[] =
4418  "Dummy-Header: kaboom\r\n"
4419  "\r\n";
4420  uint32_t http1_len = sizeof(http1_buf) - 1;
4421  uint32_t http2_len = sizeof(http2_buf) - 1;
4422 
4423  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4424  FAIL_IF_NULL(alp_tctx);
4425 
4426  memset(&th_v, 0, sizeof(th_v));
4427  memset(&f, 0, sizeof(f));
4428  memset(&ssn, 0, sizeof(ssn));
4429 
4430  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4431  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4432 
4433  FLOW_INITIALIZE(&f);
4434  f.protoctx = (void *)&ssn;
4435  f.proto = IPPROTO_TCP;
4436  f.flags |= FLOW_IPV4;
4437 
4438  p1->flow = &f;
4439  p1->flowflags |= FLOW_PKT_TOSERVER;
4440  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4441  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4442  p2->flow = &f;
4443  p2->flowflags |= FLOW_PKT_TOSERVER;
4444  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4445  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4446  f.alproto = ALPROTO_HTTP1;
4447 
4448  StreamTcpInitConfig(true);
4449 
4450  de_ctx = DetectEngineCtxInit();
4451  FAIL_IF(de_ctx == NULL);
4452  de_ctx->flags |= DE_QUIET;
4453 
4454  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4455  "(content:\"Dummy\"; http_header; "
4456  "sid:1;)");
4457  FAIL_IF(de_ctx->sig_list == NULL);
4458 
4459  SigGroupBuild(de_ctx);
4460  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4461 
4462  int r = AppLayerParserParse(
4463  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4464  FAIL_IF_NOT(r == 0);
4465 
4466  http_state = f.alstate;
4467  FAIL_IF(http_state == NULL);
4468 
4469  /* do detect */
4470  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4471 
4472  FAIL_IF(PacketAlertCheck(p1, 1));
4473 
4474  r = AppLayerParserParse(
4475  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4476  FAIL_IF_NOT(r == 0);
4477 
4478  /* do detect */
4479  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4480 
4481  FAIL_IF(!PacketAlertCheck(p2, 1));
4482 
4483  AppLayerParserThreadCtxFree(alp_tctx);
4484  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4485  DetectEngineCtxFree(de_ctx);
4486 
4487  StreamTcpFreeConfig(true);
4488  FLOW_DESTROY(&f);
4489  UTHFreePackets(&p1, 1);
4490  UTHFreePackets(&p2, 1);
4491  StatsThreadCleanup(&th_v);
4492  PASS;
4493 }
4494 
4495 /**
4496  * \test Trailing headers.
4497  */
4498 static int DetectEngineHttpHeaderTest34(void)
4499 {
4500  TcpSession ssn;
4501  ThreadVars th_v;
4502  DetectEngineCtx *de_ctx = NULL;
4503  DetectEngineThreadCtx *det_ctx = NULL;
4504  HtpState *http_state = NULL;
4505  Flow f;
4506  uint8_t http1_buf[] =
4507  "GET /index.html HTTP/1.0\r\n"
4508  "host: boom\r\n"
4509  "Dummy-Header1: blah\r\n"
4510  "Transfer-Encoding: chunked\r\n"
4511  "\r\n";
4512  uint8_t http2_buf[] =
4513  "13\r\n"
4514  "This is dummy body1\r\n"
4515  "0\r\n";
4516  uint8_t http3_buf[] =
4517  "Dummy-Header2: kaboom\r\n"
4518  "\r\n";
4519  uint32_t http1_len = sizeof(http1_buf) - 1;
4520  uint32_t http2_len = sizeof(http2_buf) - 1;
4521  uint32_t http3_len = sizeof(http3_buf) - 1;
4522 
4523  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4524  FAIL_IF_NULL(alp_tctx);
4525 
4526  memset(&th_v, 0, sizeof(th_v));
4527  memset(&f, 0, sizeof(f));
4528  memset(&ssn, 0, sizeof(ssn));
4529 
4530  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4531  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4532  Packet *p3 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4533 
4534  FLOW_INITIALIZE(&f);
4535  f.protoctx = (void *)&ssn;
4536  f.proto = IPPROTO_TCP;
4537  f.flags |= FLOW_IPV4;
4538 
4539  p1->flow = &f;
4540  p1->flowflags |= FLOW_PKT_TOSERVER;
4541  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4542  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4543  p1->pcap_cnt = 1;
4544  p2->flow = &f;
4545  p2->flowflags |= FLOW_PKT_TOSERVER;
4546  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4547  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4548  p2->pcap_cnt = 2;
4549  p3->flow = &f;
4550  p3->flowflags |= FLOW_PKT_TOSERVER;
4551  p3->flowflags |= FLOW_PKT_ESTABLISHED;
4552  p3->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4553  p3->pcap_cnt = 3;
4554  f.alproto = ALPROTO_HTTP1;
4555 
4556  StreamTcpInitConfig(true);
4557 
4558  de_ctx = DetectEngineCtxInit();
4559  FAIL_IF(de_ctx == NULL);
4560  de_ctx->flags |= DE_QUIET;
4561 
4562  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4563  "(content:\"Dummy\"; http_header; content:\"Header2\"; http_header; within:8; "
4564  "sid:1;)");
4565  FAIL_IF(de_ctx->sig_list == NULL);
4566 
4567  SigGroupBuild(de_ctx);
4568  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4569 
4570  int r = AppLayerParserParse(
4571  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4572  FAIL_IF_NOT(r == 0);
4573 
4574  http_state = f.alstate;
4575  FAIL_IF(http_state == NULL);
4576 
4577  /* do detect */
4578  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4579  FAIL_IF(PacketAlertCheck(p1, 1));
4580 
4581  r = AppLayerParserParse(
4582  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4583  FAIL_IF_NOT(r == 0);
4584 
4585  /* do detect */
4586  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4587  FAIL_IF(PacketAlertCheck(p2, 1));
4588 
4589  r = AppLayerParserParse(
4590  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http3_buf, http3_len);
4591  FAIL_IF_NOT(r == 0);
4592 
4593  /* do detect */
4594  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4595  FAIL_IF(!PacketAlertCheck(p3, 1)); /* should match in trailer */
4596 
4597  AppLayerParserThreadCtxFree(alp_tctx);
4598  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4599  DetectEngineCtxFree(de_ctx);
4600 
4601  StreamTcpFreeConfig(true);
4602  FLOW_DESTROY(&f);
4603  UTHFreePackets(&p1, 1);
4604  UTHFreePackets(&p2, 1);
4605  UTHFreePackets(&p3, 1);
4606  StatsThreadCleanup(&th_v);
4607  PASS;
4608 }
4609 
4610 /**
4611  * \test Trailing headers.
4612  */
4613 static int DetectEngineHttpHeaderTest35(void)
4614 {
4615  TcpSession ssn;
4616  ThreadVars th_v;
4617  DetectEngineCtx *de_ctx = NULL;
4618  DetectEngineThreadCtx *det_ctx = NULL;
4619  HtpState *http_state = NULL;
4620  Flow f;
4621  uint8_t http1_buf[] =
4622  "GET /index.html HTTP/1.0\r\n"
4623  "host: boom\r\n"
4624  "Dummy-Header1: blah\r\n"
4625  "Transfer-Encoding: chunked\r\n"
4626  "\r\n";
4627  uint8_t http2_buf[] =
4628  "13\r\n"
4629  "This is dummy body1\r\n"
4630  "0\r\n";
4631  uint8_t http3_buf[] =
4632  "Dummy-Header2: kaboom\r\n"
4633  "\r\n";
4634  uint32_t http1_len = sizeof(http1_buf) - 1;
4635  uint32_t http2_len = sizeof(http2_buf) - 1;
4636  uint32_t http3_len = sizeof(http3_buf) - 1;
4637 
4638  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4639  FAIL_IF_NULL(alp_tctx);
4640 
4641  memset(&th_v, 0, sizeof(th_v));
4642  memset(&f, 0, sizeof(f));
4643  memset(&ssn, 0, sizeof(ssn));
4644 
4645  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4646  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4647  Packet *p3 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4648 
4649  FLOW_INITIALIZE(&f);
4650  f.protoctx = (void *)&ssn;
4651  f.proto = IPPROTO_TCP;
4652  f.flags |= FLOW_IPV4;
4653 
4654  p1->flow = &f;
4655  p1->flowflags |= FLOW_PKT_TOSERVER;
4656  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4657  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4658  p1->pcap_cnt = 1;
4659  p2->flow = &f;
4660  p2->flowflags |= FLOW_PKT_TOSERVER;
4661  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4662  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4663  p2->pcap_cnt = 2;
4664  p3->flow = &f;
4665  p3->flowflags |= FLOW_PKT_TOSERVER;
4666  p3->flowflags |= FLOW_PKT_ESTABLISHED;
4667  p3->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4668  p3->pcap_cnt = 3;
4669  f.alproto = ALPROTO_HTTP1;
4670 
4671  StreamTcpInitConfig(true);
4672 
4673  de_ctx = DetectEngineCtxInit();
4674  FAIL_IF(de_ctx == NULL);
4675  de_ctx->flags |= DE_QUIET;
4676 
4677  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4678  "(content:\"Dummy\"; http_header; fast_pattern; content:\"Header2\"; http_header; within:8; "
4679  "sid:1;)");
4680  FAIL_IF(de_ctx->sig_list == NULL);
4681 
4682  SigGroupBuild(de_ctx);
4683  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4684 
4685  int r = AppLayerParserParse(
4686  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4687  FAIL_IF_NOT(r == 0);
4688 
4689  http_state = f.alstate;
4690  FAIL_IF(http_state == NULL);
4691 
4692  /* do detect */
4693  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4694  FAIL_IF(PacketAlertCheck(p1, 1));
4695 
4696  r = AppLayerParserParse(
4697  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4698  FAIL_IF_NOT(r == 0);
4699 
4700  /* do detect */
4701  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4702  FAIL_IF(PacketAlertCheck(p2, 1));
4703 
4704  r = AppLayerParserParse(
4705  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http3_buf, http3_len);
4706  FAIL_IF_NOT(r == 0);
4707 
4708  /* do detect */
4709  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4710  FAIL_IF(!PacketAlertCheck(p3, 1)); /* should match in trailer */
4711 
4712  AppLayerParserThreadCtxFree(alp_tctx);
4713  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4714  DetectEngineCtxFree(de_ctx);
4715 
4716  StreamTcpFreeConfig(true);
4717  FLOW_DESTROY(&f);
4718  UTHFreePackets(&p1, 1);
4719  UTHFreePackets(&p2, 1);
4720  UTHFreePackets(&p3, 1);
4721  StatsThreadCleanup(&th_v);
4722  PASS;
4723 }
4724 
4725 void DetectHttpHeaderRegisterTests(void)
4726 {
4727  UtRegisterTest("DetectHttpHeaderParserTest01", DetectHttpHeaderParserTest01);
4728  UtRegisterTest("DetectHttpHeaderParserTest02", DetectHttpHeaderParserTest02);
4729 
4730  UtRegisterTest("DetectHttpHeaderTest06", DetectHttpHeaderTest06);
4731  UtRegisterTest("DetectHttpHeaderTest07", DetectHttpHeaderTest07);
4732  UtRegisterTest("DetectHttpHeaderTest08", DetectHttpHeaderTest08);
4733  UtRegisterTest("DetectHttpHeaderTest09", DetectHttpHeaderTest09);
4734  UtRegisterTest("DetectHttpHeaderTest10", DetectHttpHeaderTest10);
4735  UtRegisterTest("DetectHttpHeaderTest11", DetectHttpHeaderTest11);
4736  UtRegisterTest("DetectHttpHeaderTest12", DetectHttpHeaderTest12);
4737  UtRegisterTest("DetectHttpHeaderTest13", DetectHttpHeaderTest13);
4738  UtRegisterTest("DetectHttpHeaderTest28", DetectHttpHeaderTest28);
4739  UtRegisterTest("DetectHttpHeaderTest29", DetectHttpHeaderTest29);
4740  UtRegisterTest("DetectHttpHeaderTest30", DetectHttpHeaderTest30);
4741 
4742  UtRegisterTest("DetectHttpHeaderIsdataatParseTest",
4743  DetectHttpHeaderIsdataatParseTest);
4744 
4745  UtRegisterTest("DetectEngineHttpHeaderTest01",
4746  DetectEngineHttpHeaderTest01);
4747  UtRegisterTest("DetectEngineHttpHeaderTest02",
4748  DetectEngineHttpHeaderTest02);
4749  UtRegisterTest("DetectEngineHttpHeaderTest03",
4750  DetectEngineHttpHeaderTest03);
4751  UtRegisterTest("DetectEngineHttpHeaderTest04",
4752  DetectEngineHttpHeaderTest04);
4753  UtRegisterTest("DetectEngineHttpHeaderTest05",
4754  DetectEngineHttpHeaderTest05);
4755  UtRegisterTest("DetectEngineHttpHeaderTest06",
4756  DetectEngineHttpHeaderTest06);
4757  UtRegisterTest("DetectEngineHttpHeaderTest07",
4758  DetectEngineHttpHeaderTest07);
4759  UtRegisterTest("DetectEngineHttpHeaderTest08",
4760  DetectEngineHttpHeaderTest08);
4761  UtRegisterTest("DetectEngineHttpHeaderTest09",
4762  DetectEngineHttpHeaderTest09);
4763  UtRegisterTest("DetectEngineHttpHeaderTest10",
4764  DetectEngineHttpHeaderTest10);
4765  UtRegisterTest("DetectEngineHttpHeaderTest11",
4766  DetectEngineHttpHeaderTest11);
4767  UtRegisterTest("DetectEngineHttpHeaderTest12",
4768  DetectEngineHttpHeaderTest12);
4769  UtRegisterTest("DetectEngineHttpHeaderTest13",
4770  DetectEngineHttpHeaderTest13);
4771  UtRegisterTest("DetectEngineHttpHeaderTest14",
4772  DetectEngineHttpHeaderTest14);
4773  UtRegisterTest("DetectEngineHttpHeaderTest15",
4774  DetectEngineHttpHeaderTest15);
4775  UtRegisterTest("DetectEngineHttpHeaderTest16",
4776  DetectEngineHttpHeaderTest16);
4777  UtRegisterTest("DetectEngineHttpHeaderTest17",
4778  DetectEngineHttpHeaderTest17);
4779  UtRegisterTest("DetectEngineHttpHeaderTest20",
4780  DetectEngineHttpHeaderTest20);
4781  UtRegisterTest("DetectEngineHttpHeaderTest21",
4782  DetectEngineHttpHeaderTest21);
4783  UtRegisterTest("DetectEngineHttpHeaderTest22",
4784  DetectEngineHttpHeaderTest22);
4785  UtRegisterTest("DetectEngineHttpHeaderTest23",
4786  DetectEngineHttpHeaderTest23);
4787  UtRegisterTest("DetectEngineHttpHeaderTest24",
4788  DetectEngineHttpHeaderTest24);
4789  UtRegisterTest("DetectEngineHttpHeaderTest25",
4790  DetectEngineHttpHeaderTest25);
4791  UtRegisterTest("DetectEngineHttpHeaderTest26",
4792  DetectEngineHttpHeaderTest26);
4793  UtRegisterTest("DetectEngineHttpHeaderTest27",
4794  DetectEngineHttpHeaderTest27);
4795  UtRegisterTest("DetectEngineHttpHeaderTest28",
4796  DetectEngineHttpHeaderTest28);
4797  UtRegisterTest("DetectEngineHttpHeaderTest29",
4798  DetectEngineHttpHeaderTest29);
4799  UtRegisterTest("DetectEngineHttpHeaderTest30",
4800  DetectEngineHttpHeaderTest30);
4801  UtRegisterTest("DetectEngineHttpHeaderTest31",
4802  DetectEngineHttpHeaderTest31);
4803 #if 0
4804  UtRegisterTest("DetectEngineHttpHeaderTest30",
4805  DetectEngineHttpHeaderTest30, 1);
4806 #endif
4807  UtRegisterTest("DetectEngineHttpHeaderTest32",
4808  DetectEngineHttpHeaderTest32);
4809  UtRegisterTest("DetectEngineHttpHeaderTest33 -- Trailer",
4810  DetectEngineHttpHeaderTest33);
4811  UtRegisterTest("DetectEngineHttpHeaderTest34 -- Trailer",
4812  DetectEngineHttpHeaderTest34);
4813  UtRegisterTest("DetectEngineHttpHeaderTest35 -- Trailer",
4814  DetectEngineHttpHeaderTest35);
4815 }
4816 
4817 /**
4818  * @}
4819  */
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition: util-unittest-helper.c:913
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:626
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
HtpState_
Definition: app-layer-htp.h:181
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectBufferGetLastSigMatch
SigMatch * DetectBufferGetLastSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine-buffer.c:167
DetectEngineThreadCtx_
Definition: detect.h:1244
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:935
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3097
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
Packet_
Definition: decode.h:501
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
SigMatch_::type
uint16_t type
Definition: detect.h:357
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3596
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:93
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
DetectHttpHeaderRegisterTests
void DetectHttpHeaderRegisterTests(void)
Definition: detect-http-header.c:4725
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456