suricata
detect-http-host.c
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP host header.
31  * HHHD - Http Host Header Data
32  *
33  */
34 
35 #include "suricata-common.h"
36 #include "suricata.h"
37 #include "flow-util.h"
38 #include "flow.h"
39 #include "app-layer-parser.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 #include "app-layer.h"
43 #include "app-layer-htp.h"
44 #include "app-layer-protos.h"
45 #include "detect-engine-build.h"
46 #include "detect-engine-alert.h"
47 
/**
 * \brief Shared driver for the single-request http_host tests.
 *
 * Hands \p buf to AppLayerParserParse() as to-server HTTP/1 data on a zeroed
 * TCP/IPv4 flow, appends \p sig_str to the detection engine, runs
 * SigMatchSignatures() on one synthetic packet and compares
 * PacketAlertCheck(p, 1) with \p expect.
 *
 * \param buf     raw request bytes handed to the parser
 * \param size    number of bytes in \p buf
 * \param sig_str rule text passed to DetectEngineAppendSig()
 * \param expect  value PacketAlertCheck(p, 1) must return; callers in this
 *                file pass 1 (alert expected) or 0 (no alert expected)
 *
 * NOTE(review): the gutter numbering of this listing skips lines 54, 68-71,
 * 75-76, 82, 97 and 99. de_ctx and alp_tctx are used below but neither their
 * declaration nor their release is visible -- presumably both sit on the
 * skipped lines; confirm against the original file.
 */
48 static int RunTest(const uint8_t *buf, const uint32_t size, const char *sig_str, const int expect)
49 {
50  TcpSession ssn;
51  ThreadVars th_v;
52  DetectEngineThreadCtx *det_ctx = NULL;
53  Flow f;
55 
    /* start from all-zero state so no stale field influences the run */
56  memset(&th_v, 0, sizeof(th_v));
57  memset(&f, 0, sizeof(f));
58  memset(&ssn, 0, sizeof(ssn));
59 
60  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
61  FAIL_IF_NULL(p);
62 
    /* attach the zeroed TcpSession and mark the flow as TCP over IPv4 */
63  FLOW_INITIALIZE(&f);
64  f.protoctx = (void *)&ssn;
65  f.proto = IPPROTO_TCP;
66  f.flags |= FLOW_IPV4;
67  p->flow = &f;
72 
73  StreamTcpInitConfig(true);
74 
77  de_ctx->flags |= DE_QUIET;
78 
    /* a rule the engine refuses to load fails the test right here */
79  Signature *s = DetectEngineAppendSig(de_ctx, sig_str);
80  FAIL_IF_NULL(s);
81 
83  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
84 
    /* the whole request is parsed in one call, in the to-server direction */
85  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, size);
86  FAIL_IF(r != 0);
87 
    /* parsing must have produced an HTTP state on the flow */
88  HtpState *http_state = f.alstate;
89  FAIL_IF_NULL(http_state);
90 
91  /* do detect */
92  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    /* every rule in this file uses sid:1, hence the fixed second argument */
93  FAIL_IF(PacketAlertCheck(p, 1) != expect);
94 
    /* NOTE(review): teardown is only reached when every FAIL_IF above passed */
95  UTHFreePackets(&p, 1);
96  FLOW_DESTROY(&f);
98  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
100  StreamTcpFreeConfig(true);
101  StatsThreadCleanup(&th_v);
102  PASS;
103 }
/**
 * \test The request carries "Host: CONNECT" and the rule looks for the
 *       lower-case pattern "connect" in http_host; sid 1 is expected to
 *       alert, i.e. the match does not depend on the case used on the wire.
 */
static int DetectEngineHttpHHTest01(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:\"connect\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
121 
/**
 * \test http_host content with depth: pattern "co" limited to depth:4 against
 *       "Host: CONNECT"; sid 1 is expected to alert.
 */
static int DetectEngineHttpHHTest02(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:\"co\"; depth:4; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
140 
/**
 * \test Negated http_host content with depth: !"ect" limited to depth:4
 *       against "Host: CONNECT"; "ect" is not inside that window, so sid 1
 *       is expected to alert.
 */
static int DetectEngineHttpHHTest03(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:!\"ect\"; depth:4; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
159 
/**
 * \test http_host content with depth, negative case: "ect" limited to
 *       depth:4 against "Host: CONNECT"; the pattern ends beyond that window,
 *       so sid 1 is expected NOT to alert.
 */
static int DetectEngineHttpHHTest04(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:\"ect\"; depth:4; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
178 
/**
 * \test Negated http_host content with depth, negative case: !"con" limited
 *       to depth:4 against "Host: CONNECT"; "con" is present in that window,
 *       so sid 1 is expected NOT to alert.
 */
static int DetectEngineHttpHHTest05(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:!\"con\"; depth:4; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
196 
/**
 * \test http_host content with offset: "ect" searched from offset:3 against
 *       "Host: CONNECT"; sid 1 is expected to alert.
 */
static int DetectEngineHttpHHTest06(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:\"ect\"; offset:3; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
214 
/**
 * \test Negated http_host content with offset: !"co" searched from offset:3
 *       against "Host: CONNECT"; "co" only occurs before that offset, so
 *       sid 1 is expected to alert.
 */
static int DetectEngineHttpHHTest07(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:!\"co\"; offset:3; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
233 
/**
 * \test Negated http_host content with offset, negative case: !"ect" searched
 *       from offset:3 against "Host: CONNECT"; "ect" is present after that
 *       offset, so sid 1 is expected NOT to alert.
 */
static int DetectEngineHttpHHTest08(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:!\"ect\"; offset:3; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
252 
/**
 * \test http_host content with offset, negative case: "con" searched from
 *       offset:3 against "Host: CONNECT"; "con" only occurs before that
 *       offset, so sid 1 is expected NOT to alert.
 */
static int DetectEngineHttpHHTest09(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:\"con\"; offset:3; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
270 
/**
 * \test Two chained http_host contents with within: "co" followed by "ec"
 *       within:4 against "Host: CONNECT"; sid 1 is expected to alert.
 */
static int DetectEngineHttpHHTest10(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"co\"; http_host; "
                       "content:\"ec\"; within:4; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
289 
/**
 * \test Chained http_host contents with a negated within: "co" followed by
 *       !"ec" within:3 against "Host: CONNECT"; "ec" does not complete inside
 *       the three bytes after "co", so sid 1 is expected to alert.
 */
static int DetectEngineHttpHHTest11(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"co\"; http_host; "
                       "content:!\"ec\"; within:3; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
309 
/**
 * \test Chained http_host contents with within, negative case: "co" followed
 *       by "ec" within:3 against "Host: CONNECT"; "ec" does not complete
 *       inside the three bytes after "co", so sid 1 is expected NOT to alert.
 */
static int DetectEngineHttpHHTest12(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"co\"; http_host; "
                       "content:\"ec\"; within:3; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
328 
/**
 * \test Chained http_host contents with a negated within, negative case:
 *       "co" followed by !"ec" within:4 against "Host: CONNECT"; "ec" is
 *       found inside the four bytes after "co", so sid 1 is expected NOT to
 *       alert.
 */
static int DetectEngineHttpHHTest13(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"co\"; http_host; "
                       "content:!\"ec\"; within:4; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
347 
/**
 * \test Chained http_host contents with distance: "co" followed by "ec" at
 *       distance:2 against "Host: CONNECT"; sid 1 is expected to alert.
 */
static int DetectEngineHttpHHTest14(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"co\"; http_host; "
                       "content:\"ec\"; distance:2; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
366 
/**
 * \test Chained http_host contents with a negated distance: "co" followed by
 *       !"ec" at distance:3 against "Host: CONNECT"; no "ec" remains that far
 *       past "co", so sid 1 is expected to alert.
 */
static int DetectEngineHttpHHTest15(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"co\"; http_host; "
                       "content:!\"ec\"; distance:3; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
385 
/**
 * \test Chained http_host contents with distance, negative case: "co"
 *       followed by "ec" at distance:3 against "Host: CONNECT"; no "ec"
 *       remains that far past "co", so sid 1 is expected NOT to alert.
 */
static int DetectEngineHttpHHTest16(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"co\"; http_host; "
                       "content:\"ec\"; distance:3; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
404 
/**
 * \test Chained http_host contents with a negated distance, negative case:
 *       "co" followed by !"ec" at distance:2 against "Host: CONNECT"; "ec"
 *       is found at that distance, so sid 1 is expected NOT to alert.
 */
static int DetectEngineHttpHHTest17(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"co\"; http_host; "
                       "content:!\"ec\"; distance:2; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
424 
/**
 * \test Plain hostname in the Host header ("www.kaboom.com"): http_host
 *       content "kaboom" is expected to alert on sid 1.
 */
static int DetectEngineHttpHHTest18(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: www.kaboom.com\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"kaboom\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
438 
/**
 * \test Host header carrying a port ("www.kaboom.com:8080"): http_host
 *       content "kaboom" is still expected to alert on sid 1.
 */
static int DetectEngineHttpHHTest19(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: www.kaboom.com:8080\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"kaboom\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
452 
/**
 * \test Host header carrying a port ("www.kaboom.com:8080"): http_host
 *       content "8080" is expected NOT to alert, i.e. the test pins that the
 *       port is not part of the inspected host buffer. A rule that needs the
 *       port cannot get it from http_host.
 */
static int DetectEngineHttpHHTest20(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: www.kaboom.com:8080\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"8080\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
466 
/**
 * \test Absolute request URI and no Host header: the hostname appears only in
 *       "GET http://www.kaboom.com/index.html"; http_host content "kaboom" is
 *       expected to alert on sid 1.
 */
static int DetectEngineHttpHHTest21(void)
{
    uint8_t request[] = "GET http://www.kaboom.com/index.html HTTP/1.0\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"kaboom\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
479 
/**
 * \test Absolute request URI with a port and no Host header
 *       ("http://www.kaboom.com:8080/index.html"): http_host content "kaboom"
 *       is expected to alert on sid 1.
 */
static int DetectEngineHttpHHTest22(void)
{
    uint8_t request[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"kaboom\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
492 
/**
 * \test Absolute request URI with a port and no Host header
 *       ("http://www.kaboom.com:8080/index.html"): http_host content "8080"
 *       is expected NOT to alert, i.e. the port taken from the URI is not part
 *       of the inspected host buffer either.
 */
static int DetectEngineHttpHHTest23(void)
{
    uint8_t request[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"8080\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
505 
/**
 * \test Request whose absolute URI names www.kaboom.com while the Host header
 *       names www.rabbit.com: http_host content "kaboom" is expected to alert,
 *       i.e. the test pins that the URI hostname is what http_host inspects
 *       when the two disagree.
 */
static int DetectEngineHttpHHTest24(void)
{
    uint8_t request[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
                        "Host: www.rabbit.com\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"kaboom\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
519 
/**
 * \test Request whose absolute URI names www.kaboom.com while the Host header
 *       names www.rabbit.com: http_host content "rabbit" is expected NOT to
 *       alert. A rule keyed on the literal Host header value therefore stays
 *       silent on such a mismatched request; http_host alone does not cover
 *       the header value in that situation.
 */
static int DetectEngineHttpHHTest25(void)
{
    uint8_t request[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
                        "Host: www.rabbit.com\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_host header test\"; "
                       "content:\"rabbit\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
533 
534 /**
535  * \test Test that a signature pairing a lower-case content with http_host
536  * is accepted: DetectEngineAppendSig() must return a non-NULL Signature.
 *
 * NOTE(review): this listing skips gutter lines 540-541 and 546; de_ctx is
 * used without a visible declaration or release -- presumably both sit on
 * the skipped lines; confirm against the original file.
537  */
538 static int DetectHttpHHTest01(void)
539 {
542  de_ctx->flags |= DE_QUIET;
543  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
544  "content:\"one\"; http_host; sid:1;)");
    /* a NULL result means the rule was rejected, which fails this test */
545  FAIL_IF_NULL(s);
547  PASS;
548 }
549 
550 /**
551  * \test Test that an invalid signature containing no content but a
552  * http_host is invalidated: DetectEngineAppendSig() must return NULL.
 *
 * NOTE(review): this listing skips gutter lines 556-557 and 562; de_ctx is
 * used without a visible declaration or release -- presumably both sit on
 * the skipped lines; confirm against the original file.
553  */
554 static int DetectHttpHHTest03(void)
555 {
558  de_ctx->flags |= DE_QUIET;
559  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
560  "http_host; sid:1;)");
    /* http_host has no preceding content to modify, so the rule must be refused */
561  FAIL_IF_NOT_NULL(s);
563  PASS;
564 }
565 
566 /**
567  * \test Test that an invalid signature containing a rawbytes along with a
568  * http_host is invalidated: DetectEngineAppendSig() must return NULL.
 *
 * NOTE(review): this listing skips gutter lines 572-573 and 578; de_ctx is
 * used without a visible declaration or release -- presumably both sit on
 * the skipped lines; confirm against the original file.
569  */
570 static int DetectHttpHHTest04(void)
571 {
574  de_ctx->flags |= DE_QUIET;
575  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
576  "content:\"one\"; rawbytes; http_host; sid:1;)");
    /* the rawbytes + http_host combination must be refused at load time */
577  FAIL_IF_NOT_NULL(s);
579  PASS;
580 }
581 
582 /**
583  * \test Test that a http_host content followed by nocase is rejected:
 * the assertion below requires DetectEngineAppendSig() to return NULL, so
 * this is a negative parsing test.
 *
 * NOTE(review): presumably nocase is refused because the http_host buffer
 * is already case-normalized (DetectEngineHttpHHTest01 matches "connect"
 * against "Host: CONNECT") -- confirm against the keyword setup code.
 *
 * NOTE(review): this listing skips gutter lines 587-588 and 593; de_ctx is
 * used without a visible declaration or release -- presumably both sit on
 * the skipped lines; confirm against the original file.
584  */
585 static int DetectHttpHHTest05(void)
586 {
589  de_ctx->flags |= DE_QUIET;
590  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
591  "content:\"one\"; http_host; nocase; sid:1;)");
    /* a non-NULL Signature would mean the rule loaded, which fails the test */
592  FAIL_IF_NOT_NULL(s);
594  PASS;
595 }
596 
597 /** \test invalid sig: uppercase content
 *
 * A rule whose http_host content contains upper-case letters ("ABC") must be
 * refused: DetectEngineAppendSig() has to return NULL.
 *
 * NOTE(review): presumably such a pattern could never match a lower-cased
 * host buffer, so refusing it at load time keeps a dead rule from loading
 * silently -- confirm against the keyword setup code.
 *
 * NOTE(review): this listing skips gutter lines 600-601 and 608; de_ctx is
 * used without a visible declaration or release -- presumably both sit on
 * the skipped lines; confirm against the original file.
 */
598 static int DetectHttpHHTest05a(void)
599 {
602  de_ctx->flags |= DE_QUIET;
603 
604  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
605  "(content:\"ABC\"; http_host; sid:1;)");
606  FAIL_IF_NOT_NULL(s);
607 
609  PASS;
610 }
611 
/**
 * \test Host header placed after User-Agent and followed by Content-Type,
 *       with the value "This is dummy message body": http_host content
 *       "message" is expected to alert on sid 1.
 */
static int DetectHttpHHTest06(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "User-Agent: www.openinfosecfoundation.org\r\n"
                        "Host: This is dummy message body\r\n"
                        "Content-Type: text/html\r\n"
                        "\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host test\"; "
                       "content:\"message\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
631 
632 /**
633  *\test Host header delivered in two to-server chunks: the first ends in
634  * the middle of the Host line ("Host: This is dummy message"), the second
 * supplies the rest ("body1" plus the terminating CRLFs). The pattern
 * "message" is wholly inside chunk 1, yet sid 1 must NOT alert on p1 and
 * must alert on p2 -- presumably because the header line is only complete
 * after chunk 2.
 *
 * NOTE(review): the gutter numbering of this listing skips several lines
 * (651, 666-668, 670-673, 677-678, 687, 702, 710, 712). de_ctx and alp_tctx
 * are used without a visible declaration or release, and the second
 * AppLayerParserParse() call appears only as its argument line (703) --
 * presumably the missing text sits on the skipped lines; confirm against
 * the original file.
635  */
636 static int DetectHttpHHTest07(void)
637 {
638  TcpSession ssn;
639  Packet *p1 = NULL;
640  Packet *p2 = NULL;
641  ThreadVars th_v;
642  DetectEngineThreadCtx *det_ctx = NULL;
643  HtpState *http_state = NULL;
644  Flow f;
645  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
646  "User-Agent: www.openinfosecfoundation.org\r\n"
647  "Host: This is dummy message";
648  uint8_t http2_buf[] = "body1\r\n\r\n";
    /* sizeof() counts the literal's terminating NUL, which is not request data */
649  uint32_t http1_len = sizeof(http1_buf) - 1;
650  uint32_t http2_len = sizeof(http2_buf) - 1;
652 
653  memset(&th_v, 0, sizeof(th_v));
654  memset(&f, 0, sizeof(f));
655  memset(&ssn, 0, sizeof(ssn));
656 
    /* NOTE(review): unlike RunTest(), p1/p2 are not NULL-checked before use */
657  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
658  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
659 
660  FLOW_INITIALIZE(&f);
661  f.protoctx = (void *)&ssn;
662  f.proto = IPPROTO_TCP;
663  f.flags |= FLOW_IPV4;
664 
    /* both packets belong to the same flow, so they share one HTTP state */
665  p1->flow = &f;
669  p2->flow = &f;
674 
675  StreamTcpInitConfig(true);
676 
679  de_ctx->flags |= DE_QUIET;
680 
681  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
682  "(msg:\"http host test\"; "
683  "content:\"message\"; http_host; "
684  "sid:1;)");
685  FAIL_IF_NULL(s);
686 
688  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
689 
    /* chunk 1: request line, User-Agent and an unterminated Host line */
690  int r = AppLayerParserParse(
691  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
692  FAIL_IF(r != 0);
693 
694  http_state = f.alstate;
695  FAIL_IF_NULL(http_state);
696 
697  /* do detect */
698  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
699 
    /* no alert may be raised while the Host line is still incomplete */
700  FAIL_IF(PacketAlertCheck(p1, 1));
701 
    /* chunk 2: remainder of the Host value and the end of the headers */
703  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
704  FAIL_IF(r != 0);
705 
706  /* do detect */
707  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
708  FAIL_IF(!(PacketAlertCheck(p2, 1)));
709 
711  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
713 
714  StreamTcpFreeConfig(true);
715  FLOW_DESTROY(&f);
716  UTHFreePackets(&p1, 1);
717  UTHFreePackets(&p2, 1);
718  StatsThreadCleanup(&th_v);
719  PASS;
720 }
721 
722 /**
723  *\test Host header delivered in two to-server chunks with the pattern
724  * itself split across them: chunk 1 ends in "...dummy mess", chunk 2
 * starts with "age body". The header name is written in lower case
 * ("host:"). sid 1 (content "message") must NOT alert on p1 and must alert
 * on p2, i.e. the match has to survive the chunk boundary.
 *
 * NOTE(review): the gutter numbering of this listing skips several lines
 * (741, 756-758, 760-763, 767-768, 777, 792, 801, 803). de_ctx and alp_tctx
 * are used without a visible declaration or release, and the second
 * AppLayerParserParse() call appears only as its argument line (793) --
 * presumably the missing text sits on the skipped lines; confirm against
 * the original file.
725  */
726 static int DetectHttpHHTest08(void)
727 {
728  TcpSession ssn;
729  Packet *p1 = NULL;
730  Packet *p2 = NULL;
731  ThreadVars th_v;
732  DetectEngineThreadCtx *det_ctx = NULL;
733  HtpState *http_state = NULL;
734  Flow f;
735  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
736  "User-Agent: www.openinfosecfoundation.org\r\n"
737  "host: This is dummy mess";
738  uint8_t http2_buf[] = "age body\r\n\r\n";
    /* sizeof() counts the literal's terminating NUL, which is not request data */
739  uint32_t http1_len = sizeof(http1_buf) - 1;
740  uint32_t http2_len = sizeof(http2_buf) - 1;
742 
743  memset(&th_v, 0, sizeof(th_v));
744  memset(&f, 0, sizeof(f));
745  memset(&ssn, 0, sizeof(ssn));
746 
    /* NOTE(review): unlike RunTest(), p1/p2 are not NULL-checked before use */
747  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
748  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
749 
750  FLOW_INITIALIZE(&f);
751  f.protoctx = (void *)&ssn;
752  f.proto = IPPROTO_TCP;
753  f.flags |= FLOW_IPV4;
754 
    /* both packets belong to the same flow, so they share one HTTP state */
755  p1->flow = &f;
759  p2->flow = &f;
764 
765  StreamTcpInitConfig(true);
766 
769  de_ctx->flags |= DE_QUIET;
770 
771  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
772  "(msg:\"http host test\"; "
773  "content:\"message\"; http_host; "
774  "sid:1;)");
775  FAIL_IF_NULL(s);
776 
778  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
779 
    /* chunk 1 stops in the middle of the word the rule looks for */
780  int r = AppLayerParserParse(
781  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
782  FAIL_IF(r != 0);
783 
784  http_state = f.alstate;
785  FAIL_IF_NULL(http_state);
786 
787  /* do detect */
788  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
789 
    /* only "mess" has been seen so far: no alert allowed yet */
790  FAIL_IF((PacketAlertCheck(p1, 1)));
791 
    /* chunk 2 completes the word and terminates the headers */
793  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
794  FAIL_IF(r != 0);
795 
796  /* do detect */
797  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
798 
799  FAIL_IF(!(PacketAlertCheck(p2, 1)));
800 
802  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
804 
805  StreamTcpFreeConfig(true);
806  FLOW_DESTROY(&f);
807  UTHFreePackets(&p1, 1);
808  UTHFreePackets(&p2, 1);
809  StatsThreadCleanup(&th_v);
810  PASS;
811 }
812 
813 /**
814  *\test Test that the http_host content matches a pattern that only exists
815  * across the chunk boundary: chunk 1 ends the Host value with "body1",
 * chunk 2 continues it with "This is ...", and the rule looks for the
 * lower-case "body1this". sid 1 must NOT alert on p1 and must alert on p2.
 *
 * NOTE(review): the gutter numbering of this listing skips several lines
 * (836, 851-853, 855-858, 862-863, 872, 887, 896, 898). de_ctx and alp_tctx
 * are used without a visible declaration or release, and the second
 * AppLayerParserParse() call appears only as its argument line (888) --
 * presumably the missing text sits on the skipped lines; confirm against
 * the original file.
816  */
817 static int DetectHttpHHTest09(void)
818 {
819  TcpSession ssn;
820  Packet *p1 = NULL;
821  Packet *p2 = NULL;
822  ThreadVars th_v;
823  DetectEngineThreadCtx *det_ctx = NULL;
824  HtpState *http_state = NULL;
825  Flow f;
826  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
827  "User-Agent: www.openinfosecfoundation.org\r\n"
828  "Host: This is dummy body1";
829  uint8_t http2_buf[] = "This is dummy message body2\r\n"
830  "Content-Type: text/html\r\n"
831  "Content-Length: 46\r\n"
832  "\r\n"
833  "This is dummy body1";
    /* sizeof() counts the literal's terminating NUL, which is not request data */
834  uint32_t http1_len = sizeof(http1_buf) - 1;
835  uint32_t http2_len = sizeof(http2_buf) - 1;
837 
838  memset(&th_v, 0, sizeof(th_v));
839  memset(&f, 0, sizeof(f));
840  memset(&ssn, 0, sizeof(ssn));
841 
    /* NOTE(review): unlike RunTest(), p1/p2 are not NULL-checked before use */
842  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
843  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
844 
845  FLOW_INITIALIZE(&f);
846  f.protoctx = (void *)&ssn;
847  f.proto = IPPROTO_TCP;
848  f.flags |= FLOW_IPV4;
849 
    /* both packets belong to the same flow, so they share one HTTP state */
850  p1->flow = &f;
854  p2->flow = &f;
859 
860  StreamTcpInitConfig(true);
861 
864  de_ctx->flags |= DE_QUIET;
865 
    /* "body1this" joins the tail of chunk 1 with the head of chunk 2 */
866  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
867  "(msg:\"http host test\"; "
868  "content:\"body1this\"; http_host; "
869  "sid:1;)");
870  FAIL_IF_NULL(s);
871 
873  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
874 
875  int r = AppLayerParserParse(
876  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
877  FAIL_IF(r != 0);
878 
879  http_state = f.alstate;
880  FAIL_IF_NULL(http_state);
881 
882  /* do detect */
883  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
884 
    /* the pattern cannot be complete after chunk 1 alone */
885  FAIL_IF((PacketAlertCheck(p1, 1)));
886 
    /* chunk 2: rest of the Host value, further headers and a body fragment */
888  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
889  FAIL_IF(r != 0);
890 
891  /* do detect */
892  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
893 
894  FAIL_IF(!(PacketAlertCheck(p2, 1)));
895 
897  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
899 
900  StreamTcpFreeConfig(true);
901  FLOW_DESTROY(&f);
902  UTHFreePackets(&p1, 1);
903  UTHFreePackets(&p2, 1);
904  StatsThreadCleanup(&th_v);
905  PASS;
906 }
907 
908 /**
909  *\test Test that the http_host content matches against a http request
910  * against a case insensitive pattern: same cross-chunk layout as
 * DetectHttpHHTest09, but the Host value is sent as "bodY1" while the rule
 * still looks for the lower-case "body1this". sid 1 must not alert on p1
 * and must alert on p2.
 *
 * This test uses the result/goto-end style: it returns 1 on success and 0
 * on any failure.
 *
 * NOTE(review): the gutter numbering of this listing skips several lines
 * (933, 948-950, 952-955, 959, 972, 998, 1017, 1020). alp_tctx is used
 * without a visible declaration, de_ctx is never visibly assigned before
 * its NULL check, the second AppLayerParserParse() call appears only as its
 * argument line (999), and the two cleanup `if` lines at the end have lost
 * the statements they guard -- presumably all of that sits on the skipped
 * lines; confirm against the original file.
911  */
912 static int DetectHttpHHTest10(void)
913 {
914  TcpSession ssn;
915  Packet *p1 = NULL;
916  Packet *p2 = NULL;
917  ThreadVars th_v;
918  DetectEngineCtx *de_ctx = NULL;
919  DetectEngineThreadCtx *det_ctx = NULL;
920  HtpState *http_state = NULL;
921  Flow f;
922  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
923  "User-Agent: www.openinfosecfoundation.org\r\n"
924  "Host: This is dummy bodY1";
925  uint8_t http2_buf[] = "This is dummy message body2\r\n"
926  "Content-Type: text/html\r\n"
927  "Content-Length: 46\r\n"
928  "\r\n"
929  "This is dummy bodY1";
    /* sizeof() counts the literal's terminating NUL, which is not request data */
930  uint32_t http1_len = sizeof(http1_buf) - 1;
931  uint32_t http2_len = sizeof(http2_buf) - 1;
    /* stays 0 unless every check below passes */
932  int result = 0;
934 
935  memset(&th_v, 0, sizeof(th_v));
936  memset(&f, 0, sizeof(f));
937  memset(&ssn, 0, sizeof(ssn));
938 
    /* NOTE(review): unlike RunTest(), p1/p2 are not NULL-checked before use */
939  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
940  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
941 
942  FLOW_INITIALIZE(&f);
943  f.protoctx = (void *)&ssn;
944  f.proto = IPPROTO_TCP;
945  f.flags |= FLOW_IPV4;
946 
    /* both packets belong to the same flow, so they share one HTTP state */
947  p1->flow = &f;
951  p2->flow = &f;
956 
957  StreamTcpInitConfig(true);
958 
960  if (de_ctx == NULL)
961  goto end;
962 
963  de_ctx->flags |= DE_QUIET;
964 
    /* installs the rule directly as the engine's signature list */
965  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
966  "(msg:\"http host test\"; "
967  "content:\"body1this\"; http_host; "
968  "sid:1;)");
969  if (de_ctx->sig_list == NULL)
970  goto end;
971 
973  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
974 
975  int r = AppLayerParserParse(
976  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
977  if (r != 0) {
978  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
979  result = 0;
980  goto end;
981  }
982 
983  http_state = f.alstate;
984  if (http_state == NULL) {
985  printf("no http state: \n");
986  result = 0;
987  goto end;
988  }
989 
990  /* do detect */
991  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
992 
    /* NOTE(review): this branch is taken when sid 1 DID alert on p1, yet the
     * message says the opposite -- misleading when reading a failing run */
993  if ((PacketAlertCheck(p1, 1))) {
994  printf("sid 1 didn't match but should have\n");
995  goto end;
996  }
997 
    /* NOTE(review): this is the second chunk although the message below
     * says "chunk 1" */
999  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1000  if (r != 0) {
1001  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1002  result = 0;
1003  goto end;
1004  }
1005 
1006  /* do detect */
1007  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1008 
    /* the mixed-case Host value must still satisfy the lower-case pattern */
1009  if (!(PacketAlertCheck(p2, 1))) {
1010  printf("sid 1 didn't match but should have");
1011  goto end;
1012  }
1013 
1014  result = 1;
    /* common exit: every failure path above jumps here with result == 0 */
1015 end:
1016  if (alp_tctx != NULL)
1018  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1019  if (de_ctx != NULL)
1021 
1022  StreamTcpFreeConfig(true);
1023  FLOW_DESTROY(&f);
1024  UTHFreePackets(&p1, 1);
1025  UTHFreePackets(&p2, 1);
1026  StatsThreadCleanup(&th_v);
1027  return result;
1028 }
1029 
/**
 * \test Negated http_host content, negative case: the Host value
 *       "This is dummy message body" contains "message", so the rule with
 *       content:!"message" is expected NOT to alert on sid 1.
 */
static int DetectHttpHHTest11(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "User-Agent: www.openinfosecfoundation.org\r\n"
                        "Host: This is dummy message body\r\n"
                        "Content-Type: text/html\r\n"
                        "\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host test\"; "
                       "content:!\"message\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 0);
}
1049 
/**
 * \test Negated http_host content, positive case: the Host value
 *       "This is dummy body" does not contain "message", so the rule with
 *       content:!"message" is expected to alert on sid 1.
 */
static int DetectHttpHHTest12(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "User-Agent: www.openinfosecfoundation.org\r\n"
                        "Host: This is dummy body\r\n"
                        "\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host test\"; "
                       "content:!\"message\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
1068 
/**
 * \test Long pattern inside a long Host value: the 36-byte content
 *       "abcdefghijklmnopqrstuvwxyz0123456789" sits between "longbuffer" and
 *       "bufferend" in the Host header; sid 1 is expected to alert.
 */
static int DetectHttpHHTest13(void)
{
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "User-Agent: www.openinfosecfoundation.org\r\n"
                        "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
                        "Content-Type: text/html\r\n"
                        "\r\n";
    /* the string literal adds a terminating NUL that is not part of the request */
    const uint32_t request_len = sizeof(request) - 1;
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host test\"; "
                       "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_host; "
                       "sid:1;)";

    return RunTest(request, request_len, rule, 1);
}
1088 
1089 /**
1090  * \test http_host with two requests on one flow, fed to the parser one header line
      *       at a time: sid 1 may only alert once the first request's Host line has
      *       been parsed, sid 2 only once the second request's Host line has.
      *       Returns 1 on success and 0 as soon as any step fails.
      *
      *       NOTE(review): the gutter of this listing skips source lines 1113,
      *       1127-1129, 1134, 1141, 1148, 1156, 1261 and 1266, so the statements that
      *       declare/initialise alp_tctx and de_ctx, open the two rule strings and
      *       complete the cleanup are not visible here.
1091  */
1092 static int DetectHttpHHTest14(void)
1093 {
1094  int result = 0;
1095  Signature *s = NULL;
1096  DetectEngineThreadCtx *det_ctx = NULL;
1097  ThreadVars th_v;
1098  Flow f;
1099  TcpSession ssn;
1100  Packet *p = NULL;
      /* request 1, split into request line, Cookie line and Host line + end of headers */
1101  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1102  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
1103  uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
1104  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1105  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1106  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
      /* request 2, split the same way */
1107  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
1108  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
1109  uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
1110  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1111  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1112  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1114 
1115  memset(&th_v, 0, sizeof(th_v));
1116  memset(&f, 0, sizeof(f));
1117  memset(&ssn, 0, sizeof(ssn));
1118 
      /* NOTE(review): p is dereferenced below without a NULL check; RunTest in this
       * file guards the same call with FAIL_IF_NULL(p). */
1119  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1120 
1121  FLOW_INITIALIZE(&f);
1122  f.protoctx = (void *)&ssn;
1123  f.proto = IPPROTO_TCP;
1124  f.flags |= FLOW_IPV4;
1125 
1126  p->flow = &f;
1130  f.alproto = ALPROTO_HTTP1;
1131 
1132  StreamTcpInitConfig(true);
1133 
1135  if (de_ctx == NULL) {
1136  goto end;
1137  }
1138 
1139  de_ctx->flags |= DE_QUIET;
1140 
      /* sid 1: method POST + cookie "dummy1" + http_host "body one". The pattern is
       * lower case while the header sent is "Body one!!", so the expected alert relies
       * on http_host being matched against a case-normalised host value. */
1142  "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; "
1143  "http_cookie; content:\"body one\"; http_host; sid:1; rev:1;)");
1144  if (s == NULL) {
1145  printf("sig parse failed: ");
1146  goto end;
1147  }
      /* sid 2: the same three conditions for the second request (GET, "dummy2", "body two") */
1149  "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; "
1150  "http_cookie; content:\"body two\"; http_host; sid:2; rev:1;)");
1151  if (s == NULL) {
1152  printf("sig2 parse failed: ");
1153  goto end;
1154  }
1155 
1157  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1158 
1159  int r = AppLayerParserParse(
1160  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1161  if (r != 0) {
1162  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1163  goto end;
1164  }
1165 
1166  /* request line only: sid 1 must not alert yet */
1167  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1168  if (PacketAlertCheck(p, 1)) {
1169  printf("sig 1 alerted: ");
1170  goto end;
1171  }
      /* the same Packet is reused for every detection run, so its alert count is cleared */
1172  p->alerts.cnt = 0;
1173 
1174  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1175  if (r != 0) {
1176  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
1177  goto end;
1178  }
1179 
1180  /* request line + Cookie, Host still missing: sid 1 must not alert */
1181  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1182  if (PacketAlertCheck(p, 1)) {
1183  printf("sig 1 alerted (2): ");
1184  goto end;
1185  }
1186  p->alerts.cnt = 0;
1187 
1188  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1189  if (r != 0) {
1190  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
1191  goto end;
1192  }
1193 
1194  /* Host line and end of headers parsed: sid 1 must alert now */
1195  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1196  if (!(PacketAlertCheck(p, 1))) {
1197  printf("sig 1 didn't alert: ");
1198  goto end;
1199  }
1200  p->alerts.cnt = 0;
1201 
      /* second request starts here; the failure messages below number the chunks 5-7
       * although the buffers are httpbuf4-6 */
1202  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1203  if (r != 0) {
1204  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
1205  goto end;
1206  }
1207 
1208  /* request line of request 2 only: sid 1 must not fire again, sid 2 must not fire yet */
1209  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1210  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
1211  printf("sig 1 alerted (4): ");
1212  goto end;
1213  }
1214  p->alerts.cnt = 0;
1215 
1216  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1217  if (r != 0) {
1218  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
1219  goto end;
1220  }
1221 
1222  /* Cookie of request 2 parsed, Host still missing: neither sid may alert */
1223  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1224  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
1225  printf("sig 1 alerted (request 2, chunk 6): ");
1226  goto end;
1227  }
1228  p->alerts.cnt = 0;
1229 
1230  SCLogDebug("sending data chunk 7");
1231 
1232  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1233  if (r != 0) {
1234  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
1235  goto end;
1236  }
1237 
1238  /* Host of request 2 parsed: sid 2 must alert and sid 1 must stay silent */
1239  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1240  if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
1241  printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
1242  goto end;
1243  }
1244  p->alerts.cnt = 0;
1245 
1246  HtpState *htp_state = f.alstate;
1247  if (htp_state == NULL) {
1248  printf("no http state: ");
1249  result = 0;
1250  goto end;
1251  }
1252 
      /* both requests must have been tracked as separate transactions */
1253  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
1254  printf("The http app layer doesn't have 2 transactions, but it should: ");
1255  goto end;
1256  }
1257 
1258  result = 1;
1259 end:
      /* NOTE(review): lines 1261 and 1266, the statements governed by the alp_tctx and
       * de_ctx checks, are missing from this listing. */
1260  if (alp_tctx != NULL)
1262  if (det_ctx != NULL) {
1263  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1264  }
1265  if (de_ctx != NULL) {
1267  }
1268 
1269  StreamTcpFreeConfig(true);
1270  FLOW_DESTROY(&f);
1271  UTHFreePacket(p);
1272  StatsThreadCleanup(&th_v);
1273  return result;
1274 }
1275 
/**
 * \test http_raw_host: a plain content match on "message" against a request
 *       whose Host value contains that string. RunTest is called with
 *       expect = 1 (alert expected).
 */
static int DetectHttpHRHTest06(void)
{
    /* complete HTTP/1.0 request; the pattern sits inside the Host value */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "User-Agent: www.openinfosecfoundation.org\r\n"
                        "Host: This is dummy message body\r\n"
                        "Content-Type: text/html\r\n"
                        "\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host test\"; "
                       "content:\"message\"; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
1295 
1296 /**
1297  *\test http_raw_host when the Host header arrives in two parser calls. The first
1298  * chunk ends inside the Host value ("Host: This is dummy message", no CRLF yet),
      * so sid 1 must not alert on p1 although "message" is already in that chunk;
      * the second chunk ("body1\r\n\r\n") ends the header and sid 1 must alert on p2.
      * Returns 1 on success, 0 on the first failed step.
      *
      * NOTE(review): the gutter of this listing skips source lines 1317, 1332-1334,
      * 1336-1338, 1343, 1356, 1398 and 1401; alp_tctx and the initialisation of
      * de_ctx are used below without their statements being shown.
1299  */
1300 static int DetectHttpHRHTest07(void)
1301 {
1302  TcpSession ssn;
1303  Packet *p1 = NULL;
1304  Packet *p2 = NULL;
1305  ThreadVars th_v;
1306  DetectEngineCtx *de_ctx = NULL;
1307  DetectEngineThreadCtx *det_ctx = NULL;
1308  HtpState *http_state = NULL;
1309  Flow f;
1310  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1311  "User-Agent: www.openinfosecfoundation.org\r\n"
1312  "Host: This is dummy message";
1313  uint8_t http2_buf[] = "body1\r\n\r\n";
1314  uint32_t http1_len = sizeof(http1_buf) - 1;
1315  uint32_t http2_len = sizeof(http2_buf) - 1;
1316  int result = 0;
1318 
1319  memset(&th_v, 0, sizeof(th_v));
1320  memset(&f, 0, sizeof(f));
1321  memset(&ssn, 0, sizeof(ssn));
1322 
      /* NOTE(review): p1 and p2 are dereferenced below without a NULL check; RunTest
       * in this file guards the same call with FAIL_IF_NULL(p). */
1323  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1324  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1325 
1326  FLOW_INITIALIZE(&f);
1327  f.protoctx = (void *)&ssn;
1328  f.proto = IPPROTO_TCP;
1329  f.flags |= FLOW_IPV4;
1330 
      /* both packets belong to the same flow, so they share the HTTP parser state */
1331  p1->flow = &f;
1335  p2->flow = &f;
1339  f.alproto = ALPROTO_HTTP1;
1340 
1341  StreamTcpInitConfig(true);
1342 
1344  if (de_ctx == NULL)
1345  goto end;
1346 
1347  de_ctx->flags |= DE_QUIET;
1348 
1349  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1350  "(msg:\"http host test\"; "
1351  "content:\"message\"; http_raw_host; "
1352  "sid:1;)");
1353  if (de_ctx->sig_list == NULL)
1354  goto end;
1355 
1357  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1358 
      /* chunk 1: request line, User-Agent and an unterminated Host line */
1359  int r = AppLayerParserParse(
1360  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1361  if (r != 0) {
1362  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1363  result = 0;
1364  goto end;
1365  }
1366 
1367  http_state = f.alstate;
1368  if (http_state == NULL) {
1369  printf("no http state: ");
1370  goto end;
1371  }
1372 
1373  /* Host line not complete yet: no alert expected on p1 */
1374  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1375 
1376  if (PacketAlertCheck(p1, 1)) {
1377  printf("sid 1 matched on p1 but shouldn't have: ");
1378  goto end;
1379  }
1380 
      /* chunk 2 finishes the Host value and the header block; the failure message
       * below still says "chunk 1" */
1381  r = AppLayerParserParse(
1382  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1383  if (r != 0) {
1384  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1385  goto end;
1386  }
1387 
1388  /* Host header complete: sid 1 must alert on p2 */
1389  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1390  if (!(PacketAlertCheck(p2, 1))) {
1391  printf("sid 1 didn't match on p2 but should have: ");
1392  goto end;
1393  }
1394 
1395  result = 1;
1396 end:
      /* NOTE(review): lines 1398 and 1401 (the statements governed by the two checks)
       * are missing from this listing. DetectEngineThreadCtxDeinit is not guarded by a
       * det_ctx check here, unlike in DetectHttpHHTest14; confirm it accepts NULL for
       * the early "goto end" paths. */
1397  if (alp_tctx != NULL)
1399  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1400  if (de_ctx != NULL)
1402 
1403  StreamTcpFreeConfig(true);
1404  FLOW_DESTROY(&f);
1405  UTHFreePackets(&p1, 1);
1406  UTHFreePackets(&p2, 1);
1407  StatsThreadCleanup(&th_v);
1408  return result;
1409 }
1410 
1411 /**
1412  *\test http_raw_host when the pattern itself straddles two parser calls: chunk 1
1413  * ends with "host: This is dummy mess" and chunk 2 starts with "age body", so
      * "message" only exists once both chunks are joined. sid 1 must not alert on p1
      * and must alert on p2. The header name is sent in lower case ("host:").
      * Returns 1 on success, 0 on the first failed step.
      *
      * NOTE(review): the gutter of this listing skips source lines 1432, 1447-1449,
      * 1451-1453, 1458, 1471, 1516 and 1519; alp_tctx and the initialisation of
      * de_ctx are used below without their statements being shown.
1414  */
1415 static int DetectHttpHRHTest08(void)
1416 {
1417  TcpSession ssn;
1418  Packet *p1 = NULL;
1419  Packet *p2 = NULL;
1420  ThreadVars th_v;
1421  DetectEngineCtx *de_ctx = NULL;
1422  DetectEngineThreadCtx *det_ctx = NULL;
1423  HtpState *http_state = NULL;
1424  Flow f;
1425  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1426  "User-Agent: www.openinfosecfoundation.org\r\n"
1427  "host: This is dummy mess";
1428  uint8_t http2_buf[] = "age body\r\n\r\n";
1429  uint32_t http1_len = sizeof(http1_buf) - 1;
1430  uint32_t http2_len = sizeof(http2_buf) - 1;
1431  int result = 0;
1433 
1434  memset(&th_v, 0, sizeof(th_v));
1435  memset(&f, 0, sizeof(f));
1436  memset(&ssn, 0, sizeof(ssn));
1437 
      /* NOTE(review): p1 and p2 are dereferenced below without a NULL check; RunTest
       * in this file guards the same call with FAIL_IF_NULL(p). */
1438  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1439  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1440 
1441  FLOW_INITIALIZE(&f);
1442  f.protoctx = (void *)&ssn;
1443  f.proto = IPPROTO_TCP;
1444  f.flags |= FLOW_IPV4;
1445 
      /* both packets belong to the same flow, so they share the HTTP parser state */
1446  p1->flow = &f;
1450  p2->flow = &f;
1454  f.alproto = ALPROTO_HTTP1;
1455 
1456  StreamTcpInitConfig(true);
1457 
1459  if (de_ctx == NULL)
1460  goto end;
1461 
1462  de_ctx->flags |= DE_QUIET;
1463 
1464  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1465  "(msg:\"http host test\"; "
1466  "content:\"message\"; http_raw_host; "
1467  "sid:1;)");
1468  if (de_ctx->sig_list == NULL)
1469  goto end;
1470 
1472  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1473 
      /* chunk 1 holds only the first half of the pattern ("mess") */
1474  int r = AppLayerParserParse(
1475  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1476  if (r != 0) {
1477  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1478  result = 0;
1479  goto end;
1480  }
1481 
1482  http_state = f.alstate;
1483  if (http_state == NULL) {
1484  printf("no http state: ");
1485  result = 0;
1486  goto end;
1487  }
1488 
1489  /* Host line not complete yet: no alert expected on p1 */
1490  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1491 
      /* NOTE(review): this branch fails the test when sid 1 DID alert on p1; the
       * message text says the opposite. */
1492  if ((PacketAlertCheck(p1, 1))) {
1493  printf("sid 1 didn't match but should have");
1494  goto end;
1495  }
1496 
      /* chunk 2 supplies the rest of the pattern and ends the headers; the failure
       * message below still says "chunk 1" */
1497  r = AppLayerParserParse(
1498  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1499  if (r != 0) {
1500  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1501  result = 0;
1502  goto end;
1503  }
1504 
1505  /* Host header complete: sid 1 must alert on p2 */
1506  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1507 
1508  if (!(PacketAlertCheck(p2, 1))) {
1509  printf("sid 1 didn't match but should have");
1510  goto end;
1511  }
1512 
1513  result = 1;
1514 end:
      /* NOTE(review): lines 1516 and 1519 (the statements governed by the two checks)
       * are missing from this listing. DetectEngineThreadCtxDeinit is not guarded by a
       * det_ctx check here, unlike in DetectHttpHHTest14; confirm it accepts NULL for
       * the early "goto end" paths. */
1515  if (alp_tctx != NULL)
1517  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1518  if (de_ctx != NULL)
1520 
1521  StreamTcpFreeConfig(true);
1522  FLOW_DESTROY(&f);
1523  UTHFreePackets(&p1, 1);
1524  UTHFreePackets(&p2, 1);
1525  StatsThreadCleanup(&th_v);
1526  return result;
1527 }
1528 
1529 /**
1530  *\test http_raw_host with a pattern that crosses the boundary between two parser
1531  * calls: chunk 1 ends with "Host: This is dummy body1" and chunk 2 continues the
      * same header line with "This is dummy message body2", so "body1This" only
      * exists in the joined Host value. sid 1 must not alert on p1 and must alert
      * on p2. Returns 1 on success, 0 on the first failed step.
      *
      * NOTE(review): the gutter of this listing skips source lines 1554, 1569-1571,
      * 1573-1575, 1580, 1593, 1638 and 1641; alp_tctx and the initialisation of
      * de_ctx are used below without their statements being shown.
1532  */
1533 static int DetectHttpHRHTest09(void)
1534 {
1535  TcpSession ssn;
1536  Packet *p1 = NULL;
1537  Packet *p2 = NULL;
1538  ThreadVars th_v;
1539  DetectEngineCtx *de_ctx = NULL;
1540  DetectEngineThreadCtx *det_ctx = NULL;
1541  HtpState *http_state = NULL;
1542  Flow f;
1543  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1544  "User-Agent: www.openinfosecfoundation.org\r\n"
1545  "Host: This is dummy body1";
      /* rest of the Host line, two more headers, then body bytes that also contain
       * "This is dummy body1" */
1546  uint8_t http2_buf[] = "This is dummy message body2\r\n"
1547  "Content-Type: text/html\r\n"
1548  "Content-Length: 46\r\n"
1549  "\r\n"
1550  "This is dummy body1";
1551  uint32_t http1_len = sizeof(http1_buf) - 1;
1552  uint32_t http2_len = sizeof(http2_buf) - 1;
1553  int result = 0;
1555 
1556  memset(&th_v, 0, sizeof(th_v));
1557  memset(&f, 0, sizeof(f));
1558  memset(&ssn, 0, sizeof(ssn));
1559 
      /* NOTE(review): p1 and p2 are dereferenced below without a NULL check; RunTest
       * in this file guards the same call with FAIL_IF_NULL(p). */
1560  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1561  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1562 
1563  FLOW_INITIALIZE(&f);
1564  f.protoctx = (void *)&ssn;
1565  f.proto = IPPROTO_TCP;
1566  f.flags |= FLOW_IPV4;
1567 
      /* both packets belong to the same flow, so they share the HTTP parser state */
1568  p1->flow = &f;
1572  p2->flow = &f;
1576  f.alproto = ALPROTO_HTTP1;
1577 
1578  StreamTcpInitConfig(true);
1579 
1581  if (de_ctx == NULL)
1582  goto end;
1583 
1584  de_ctx->flags |= DE_QUIET;
1585 
1586  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1587  "(msg:\"http host test\"; "
1588  "content:\"body1This\"; http_raw_host; "
1589  "sid:1;)");
1590  if (de_ctx->sig_list == NULL)
1591  goto end;
1592 
1594  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1595 
      /* chunk 1 ends in the middle of the Host value, right after "body1" */
1596  int r = AppLayerParserParse(
1597  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1598  if (r != 0) {
1599  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1600  result = 0;
1601  goto end;
1602  }
1603 
1604  http_state = f.alstate;
1605  if (http_state == NULL) {
1606  printf("no http state: ");
1607  result = 0;
1608  goto end;
1609  }
1610 
1611  /* Host line not complete yet: no alert expected on p1 */
1612  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1613 
      /* NOTE(review): this branch fails the test when sid 1 DID alert on p1; the
       * message text says the opposite. */
1614  if ((PacketAlertCheck(p1, 1))) {
1615  printf("sid 1 didn't match but should have");
1616  goto end;
1617  }
1618 
      /* chunk 2 completes the Host value; the failure message below still says
       * "chunk 1" */
1619  r = AppLayerParserParse(
1620  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1621  if (r != 0) {
1622  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1623  result = 0;
1624  goto end;
1625  }
1626 
1627  /* Host header complete: sid 1 must alert on p2 */
1628  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1629 
1630  if (!(PacketAlertCheck(p2, 1))) {
1631  printf("sid 1 didn't match but should have");
1632  goto end;
1633  }
1634 
1635  result = 1;
1636 end:
      /* NOTE(review): lines 1638 and 1641 (the statements governed by the two checks)
       * are missing from this listing. DetectEngineThreadCtxDeinit is not guarded by a
       * det_ctx check here, unlike in DetectHttpHHTest14; confirm it accepts NULL for
       * the early "goto end" paths. */
1637  if (alp_tctx != NULL)
1639  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1640  if (de_ctx != NULL)
1642 
1643  StreamTcpFreeConfig(true);
1644  FLOW_DESTROY(&f);
1645  UTHFreePackets(&p1, 1);
1646  UTHFreePackets(&p2, 1);
1647  StatsThreadCleanup(&th_v);
1648  return result;
1649 }
1650 
1651 /**
1652  *\test http_raw_host with a mixed-case pattern that crosses the boundary between
1653  * two parser calls. The rule has no nocase modifier: the pattern "bodY1This" is
      * spelled exactly like the joined Host value ("...dummy bodY1" + "This is ...").
      * sid 1 must not alert on p1 and must alert on p2. The nocase variant of this
      * scenario is DetectHttpHRHTest37. Returns 1 on success, 0 on the first failed
      * step.
      *
      * NOTE(review): the gutter of this listing skips source lines 1676, 1691-1693,
      * 1695-1697, 1702, 1715, 1760 and 1763; alp_tctx and the initialisation of
      * de_ctx are used below without their statements being shown.
1654  */
1655 static int DetectHttpHRHTest10(void)
1656 {
1657  TcpSession ssn;
1658  Packet *p1 = NULL;
1659  Packet *p2 = NULL;
1660  ThreadVars th_v;
1661  DetectEngineCtx *de_ctx = NULL;
1662  DetectEngineThreadCtx *det_ctx = NULL;
1663  HtpState *http_state = NULL;
1664  Flow f;
1665  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1666  "User-Agent: www.openinfosecfoundation.org\r\n"
1667  "Host: This is dummy bodY1";
      /* rest of the Host line, two more headers, then body bytes */
1668  uint8_t http2_buf[] = "This is dummy message body2\r\n"
1669  "Content-Type: text/html\r\n"
1670  "Content-Length: 46\r\n"
1671  "\r\n"
1672  "This is dummy bodY1";
1673  uint32_t http1_len = sizeof(http1_buf) - 1;
1674  uint32_t http2_len = sizeof(http2_buf) - 1;
1675  int result = 0;
1677 
1678  memset(&th_v, 0, sizeof(th_v));
1679  memset(&f, 0, sizeof(f));
1680  memset(&ssn, 0, sizeof(ssn));
1681 
      /* NOTE(review): p1 and p2 are dereferenced below without a NULL check; RunTest
       * in this file guards the same call with FAIL_IF_NULL(p). */
1682  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1683  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1684 
1685  FLOW_INITIALIZE(&f);
1686  f.protoctx = (void *)&ssn;
1687  f.proto = IPPROTO_TCP;
1688  f.flags |= FLOW_IPV4;
1689 
      /* both packets belong to the same flow, so they share the HTTP parser state */
1690  p1->flow = &f;
1694  p2->flow = &f;
1698  f.alproto = ALPROTO_HTTP1;
1699 
1700  StreamTcpInitConfig(true);
1701 
1703  if (de_ctx == NULL)
1704  goto end;
1705 
1706  de_ctx->flags |= DE_QUIET;
1707 
1708  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1709  "(msg:\"http host test\"; "
1710  "content:\"bodY1This\"; http_raw_host; "
1711  "sid:1;)");
1712  if (de_ctx->sig_list == NULL)
1713  goto end;
1714 
1716  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1717 
      /* chunk 1 ends in the middle of the Host value, right after "bodY1" */
1718  int r = AppLayerParserParse(
1719  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1720  if (r != 0) {
1721  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1722  result = 0;
1723  goto end;
1724  }
1725 
1726  http_state = f.alstate;
1727  if (http_state == NULL) {
1728  printf("no http state: \n");
1729  result = 0;
1730  goto end;
1731  }
1732 
1733  /* Host line not complete yet: no alert expected on p1 */
1734  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1735 
      /* NOTE(review): this branch fails the test when sid 1 DID alert on p1; the
       * message text says the opposite. */
1736  if ((PacketAlertCheck(p1, 1))) {
1737  printf("sid 1 didn't match but should have\n");
1738  goto end;
1739  }
1740 
      /* chunk 2 completes the Host value; the failure message below still says
       * "chunk 1" */
1741  r = AppLayerParserParse(
1742  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1743  if (r != 0) {
1744  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1745  result = 0;
1746  goto end;
1747  }
1748 
1749  /* Host header complete: sid 1 must alert on p2 */
1750  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1751 
1752  if (!(PacketAlertCheck(p2, 1))) {
1753  printf("sid 1 didn't match but should have");
1754  goto end;
1755  }
1756 
1757  result = 1;
1758 end:
      /* NOTE(review): lines 1760 and 1763 (the statements governed by the two checks)
       * are missing from this listing. DetectEngineThreadCtxDeinit is not guarded by a
       * det_ctx check here, unlike in DetectHttpHHTest14; confirm it accepts NULL for
       * the early "goto end" paths. */
1759  if (alp_tctx != NULL)
1761  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1762  if (de_ctx != NULL)
1764 
1765  StreamTcpFreeConfig(true);
1766  FLOW_DESTROY(&f);
1767  UTHFreePackets(&p1, 1);
1768  UTHFreePackets(&p2, 1);
1769  StatsThreadCleanup(&th_v);
1770  return result;
1771 }
1772 
/**
 * \test http_raw_host with a negated content: the Host value contains
 *       "message", so content:!"message" is not satisfied. RunTest is called
 *       with expect = 0 (no alert expected).
 */
static int DetectHttpHRHTest11(void)
{
    /* the Host value includes the string the rule negates */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "User-Agent: www.openinfosecfoundation.org\r\n"
                        "Host: This is dummy message body\r\n"
                        "Content-Type: text/html\r\n"
                        "\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host test\"; "
                       "content:!\"message\"; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 0);
}
1792 
/**
 * \test http_raw_host with a negated content: the Host value does not contain
 *       "message", so content:!"message" is satisfied. RunTest is called with
 *       expect = 1 (alert expected).
 */
static int DetectHttpHRHTest12(void)
{
    /* the Host value lacks the string the rule negates */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "User-Agent: www.openinfosecfoundation.org\r\n"
                        "Host: This is dummy body\r\n"
                        "\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host test\"; "
                       "content:!\"message\"; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
1811 
/**
 * \test http_raw_host: a 36-byte pattern located in the middle of a longer
 *       Host value (between "longbuffer" and "bufferend"). RunTest is called
 *       with expect = 1 (alert expected).
 */
static int DetectHttpHRHTest13(void)
{
    /* the pattern is neither at the start nor at the end of the Host value */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "User-Agent: www.openinfosecfoundation.org\r\n"
                        "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
                        "Content-Type: text/html\r\n"
                        "\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host test\"; "
                       "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
1831 
1832 /**
1833  * \test http_raw_host with two requests on one flow, fed to the parser one header
      *       line at a time: sid 1 may only alert once the first request's Host line
      *       has been parsed, sid 2 only once the second request's Host line has.
      *       Unlike the http_host variant, the rule patterns keep the header's exact
      *       case ("Body one", "Body two"). Returns 1 on success and 0 as soon as any
      *       step fails.
      *
      *       NOTE(review): the gutter of this listing skips source lines 1856,
      *       1870-1872, 1877, 1884, 1891, 1899, 2004 and 2009, so the statements that
      *       declare/initialise alp_tctx and de_ctx, open the two rule strings and
      *       complete the cleanup are not visible here.
1834  */
1835 static int DetectHttpHRHTest14(void)
1836 {
1837  int result = 0;
1838  Signature *s = NULL;
1839  DetectEngineThreadCtx *det_ctx = NULL;
1840  ThreadVars th_v;
1841  Flow f;
1842  TcpSession ssn;
1843  Packet *p = NULL;
      /* request 1, split into request line, Cookie line and Host line + end of headers */
1844  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1845  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
1846  uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
1847  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1848  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1849  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
      /* request 2, split the same way */
1850  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
1851  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
1852  uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
1853  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1854  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1855  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1857 
1858  memset(&th_v, 0, sizeof(th_v));
1859  memset(&f, 0, sizeof(f));
1860  memset(&ssn, 0, sizeof(ssn));
1861 
      /* NOTE(review): p is dereferenced below without a NULL check; RunTest in this
       * file guards the same call with FAIL_IF_NULL(p). */
1862  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1863 
1864  FLOW_INITIALIZE(&f);
1865  f.protoctx = (void *)&ssn;
1866  f.proto = IPPROTO_TCP;
1867  f.flags |= FLOW_IPV4;
1868 
1869  p->flow = &f;
1873  f.alproto = ALPROTO_HTTP1;
1874 
1875  StreamTcpInitConfig(true);
1876 
1878  if (de_ctx == NULL) {
1879  goto end;
1880  }
1881 
1882  de_ctx->flags |= DE_QUIET;
1883 
      /* sid 1: method POST + cookie "dummy1" + http_raw_host "Body one", written with
       * the same capital B as the header that is sent */
1885  "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; "
1886  "http_cookie; content:\"Body one\"; http_raw_host; sid:1; rev:1;)");
1887  if (s == NULL) {
1888  printf("sig parse failed: ");
1889  goto end;
1890  }
      /* sid 2: the same three conditions for the second request (GET, "dummy2", "Body two") */
1892  "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; "
1893  "http_cookie; content:\"Body two\"; http_raw_host; sid:2; rev:1;)");
1894  if (s == NULL) {
1895  printf("sig2 parse failed: ");
1896  goto end;
1897  }
1898 
1900  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1901 
1902  int r = AppLayerParserParse(
1903  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1904  if (r != 0) {
1905  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1906  goto end;
1907  }
1908 
1909  /* request line only: sid 1 must not alert yet */
1910  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1911  if (PacketAlertCheck(p, 1)) {
1912  printf("sig 1 alerted: ");
1913  goto end;
1914  }
      /* the same Packet is reused for every detection run, so its alert count is cleared */
1915  p->alerts.cnt = 0;
1916 
1917  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1918  if (r != 0) {
1919  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
1920  goto end;
1921  }
1922 
1923  /* request line + Cookie, Host still missing: sid 1 must not alert */
1924  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1925  if (PacketAlertCheck(p, 1)) {
1926  printf("sig 1 alerted (2): ");
1927  goto end;
1928  }
1929  p->alerts.cnt = 0;
1930 
1931  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1932  if (r != 0) {
1933  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
1934  goto end;
1935  }
1936 
1937  /* Host line and end of headers parsed: sid 1 must alert now */
1938  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1939  if (!(PacketAlertCheck(p, 1))) {
1940  printf("sig 1 didn't alert: ");
1941  goto end;
1942  }
1943  p->alerts.cnt = 0;
1944 
      /* second request starts here; the failure messages below number the chunks 5-7
       * although the buffers are httpbuf4-6 */
1945  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1946  if (r != 0) {
1947  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
1948  goto end;
1949  }
1950 
1951  /* request line of request 2 only: sid 1 must not fire again, sid 2 must not fire yet */
1952  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1953  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
1954  printf("sig 1 alerted (4): ");
1955  goto end;
1956  }
1957  p->alerts.cnt = 0;
1958 
1959  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1960  if (r != 0) {
1961  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
1962  goto end;
1963  }
1964 
1965  /* Cookie of request 2 parsed, Host still missing: neither sid may alert */
1966  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1967  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
1968  printf("sig 1 alerted (request 2, chunk 6): ");
1969  goto end;
1970  }
1971  p->alerts.cnt = 0;
1972 
1973  SCLogDebug("sending data chunk 7");
1974 
1975  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1976  if (r != 0) {
1977  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
1978  goto end;
1979  }
1980 
1981  /* Host of request 2 parsed: sid 2 must alert and sid 1 must stay silent */
1982  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1983  if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
1984  printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
1985  goto end;
1986  }
1987  p->alerts.cnt = 0;
1988 
1989  HtpState *htp_state = f.alstate;
1990  if (htp_state == NULL) {
1991  printf("no http state: ");
1992  result = 0;
1993  goto end;
1994  }
1995 
      /* both requests must have been tracked as separate transactions */
1996  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
1997  printf("The http app layer doesn't have 2 transactions, but it should: ");
1998  goto end;
1999  }
2000 
2001  result = 1;
2002 end:
      /* NOTE(review): lines 2004 and 2009, the statements governed by the alp_tctx and
       * de_ctx checks, are missing from this listing. */
2003  if (alp_tctx != NULL)
2005  if (det_ctx != NULL) {
2006  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2007  }
2008  if (de_ctx != NULL) {
2010  }
2011 
2012  StreamTcpFreeConfig(true);
2013  FLOW_DESTROY(&f);
2014  UTHFreePacket(p);
2015  StatsThreadCleanup(&th_v);
2016  return result;
2017 }
2018 
2019 /**
2020  *\test http_raw_host with the nocase modifier and a pattern that crosses the
2021  * boundary between two parser calls: the rule pattern is the all-lower-case
      * "body1this", while the joined Host value holds "bodY1This" ("...dummy bodY1" +
      * "This is ..."). sid 1 must not alert on p1 and must alert on p2.
      * Returns 1 on success, 0 on the first failed step.
      *
      * NOTE(review): the gutter of this listing skips source lines 2044, 2059-2061,
      * 2063-2065, 2070, 2083, 2128 and 2131; alp_tctx and the initialisation of
      * de_ctx are used below without their statements being shown.
2022  */
2023 static int DetectHttpHRHTest37(void)
2024 {
2025  TcpSession ssn;
2026  Packet *p1 = NULL;
2027  Packet *p2 = NULL;
2028  ThreadVars th_v;
2029  DetectEngineCtx *de_ctx = NULL;
2030  DetectEngineThreadCtx *det_ctx = NULL;
2031  HtpState *http_state = NULL;
2032  Flow f;
2033  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
2034  "User-Agent: www.openinfosecfoundation.org\r\n"
2035  "Host: This is dummy bodY1";
      /* rest of the Host line, two more headers, then body bytes */
2036  uint8_t http2_buf[] = "This is dummy message body2\r\n"
2037  "Content-Type: text/html\r\n"
2038  "Content-Length: 46\r\n"
2039  "\r\n"
2040  "This is dummy bodY1";
2041  uint32_t http1_len = sizeof(http1_buf) - 1;
2042  uint32_t http2_len = sizeof(http2_buf) - 1;
2043  int result = 0;
2045 
2046  memset(&th_v, 0, sizeof(th_v));
2047  memset(&f, 0, sizeof(f));
2048  memset(&ssn, 0, sizeof(ssn));
2049 
      /* NOTE(review): p1 and p2 are dereferenced below without a NULL check; RunTest
       * in this file guards the same call with FAIL_IF_NULL(p). */
2050  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2051  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2052 
2053  FLOW_INITIALIZE(&f);
2054  f.protoctx = (void *)&ssn;
2055  f.proto = IPPROTO_TCP;
2056  f.flags |= FLOW_IPV4;
2057 
      /* both packets belong to the same flow, so they share the HTTP parser state */
2058  p1->flow = &f;
2062  p2->flow = &f;
2066  f.alproto = ALPROTO_HTTP1;
2067 
2068  StreamTcpInitConfig(true);
2069 
2071  if (de_ctx == NULL)
2072  goto end;
2073 
2074  de_ctx->flags |= DE_QUIET;
2075 
2076  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
2077  "(msg:\"http host test\"; "
2078  "content:\"body1this\"; http_raw_host; nocase; "
2079  "sid:1;)");
2080  if (de_ctx->sig_list == NULL)
2081  goto end;
2082 
2084  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2085 
      /* chunk 1 ends in the middle of the Host value, right after "bodY1" */
2086  int r = AppLayerParserParse(
2087  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2088  if (r != 0) {
2089  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2090  result = 0;
2091  goto end;
2092  }
2093 
2094  http_state = f.alstate;
2095  if (http_state == NULL) {
2096  printf("no http state: \n");
2097  result = 0;
2098  goto end;
2099  }
2100 
2101  /* Host line not complete yet: no alert expected on p1 */
2102  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2103 
      /* NOTE(review): this branch fails the test when sid 1 DID alert on p1; the
       * message text says the opposite. */
2104  if ((PacketAlertCheck(p1, 1))) {
2105  printf("sid 1 didn't match but should have\n");
2106  goto end;
2107  }
2108 
      /* chunk 2 completes the Host value; the failure message below still says
       * "chunk 1" */
2109  r = AppLayerParserParse(
2110  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2111  if (r != 0) {
2112  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2113  result = 0;
2114  goto end;
2115  }
2116 
2117  /* Host header complete: sid 1 must alert on p2 */
2118  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2119 
2120  if (!(PacketAlertCheck(p2, 1))) {
2121  printf("sid 1 didn't match but should have");
2122  goto end;
2123  }
2124 
2125  result = 1;
2126 end:
      /* NOTE(review): lines 2128 and 2131 (the statements governed by the two checks)
       * are missing from this listing. DetectEngineThreadCtxDeinit is not guarded by a
       * det_ctx check here, unlike in DetectHttpHRHTest14; confirm it accepts NULL for
       * the early "goto end" paths. */
2127  if (alp_tctx != NULL)
2129  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2130  if (de_ctx != NULL)
2132 
2133  StreamTcpFreeConfig(true);
2134  FLOW_DESTROY(&f);
2135  UTHFreePackets(&p1, 1);
2136  UTHFreePackets(&p2, 1);
2137  StatsThreadCleanup(&th_v);
2138  return result;
2139 }
2140 
/**
 * \test http_raw_host: content "CONNECT" equals the whole Host value.
 *       RunTest is called with expect = 1 (alert expected).
 */
static int DetectEngineHttpHRHTest01(void)
{
    /* Host value is the seven bytes "CONNECT" */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:\"CONNECT\"; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2158 
/**
 * \test http_raw_host with depth: "CO" lies inside the first 4 bytes ("CONN")
 *       of the Host value "CONNECT". RunTest is called with expect = 1
 *       (alert expected).
 */
static int DetectEngineHttpHRHTest02(void)
{
    /* Host value is the seven bytes "CONNECT" */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:\"CO\"; depth:4; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2176 
/**
 * \test http_raw_host with a negated content and depth: "ECT" does not occur
 *       in the first 4 bytes ("CONN") of the Host value "CONNECT", so
 *       content:!"ECT" holds. RunTest is called with expect = 1 (alert
 *       expected).
 */
static int DetectEngineHttpHRHTest03(void)
{
    /* Host value is the seven bytes "CONNECT" */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:!\"ECT\"; depth:4; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2194 
/**
 * \test http_raw_host with depth, negative case: "ECT" is in the Host value
 *       "CONNECT" but not within its first 4 bytes ("CONN"). RunTest is
 *       called with expect = 0 (no alert expected).
 */
static int DetectEngineHttpHRHTest04(void)
{
    /* Host value is the seven bytes "CONNECT" */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:\"ECT\"; depth:4; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 0);
}
2212 
/**
 * \test http_raw_host with a negated content and depth, negative case: "CON"
 *       does occur in the first 4 bytes ("CONN") of the Host value "CONNECT",
 *       so content:!"CON" fails. RunTest is called with expect = 0 (no alert
 *       expected).
 */
static int DetectEngineHttpHRHTest05(void)
{
    /* Host value is the seven bytes "CONNECT" */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:!\"CON\"; depth:4; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 0);
}
2230 
/**
 * \test http_raw_host with offset: "ECT" is found when the search starts 3
 *       bytes into the Host value "CONNECT" (remaining bytes "NECT").
 *       RunTest is called with expect = 1 (alert expected).
 */
static int DetectEngineHttpHRHTest06(void)
{
    /* Host value is the seven bytes "CONNECT" */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:\"ECT\"; offset:3; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2248 
/**
 * \test http_raw_host with a negated content and offset: "CO" does not occur
 *       from byte 3 onwards ("NECT") of the Host value "CONNECT", so
 *       content:!"CO" holds. RunTest is called with expect = 1 (alert
 *       expected).
 */
static int DetectEngineHttpHRHTest07(void)
{
    /* Host value is the seven bytes "CONNECT" */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:!\"CO\"; offset:3; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2266 
/**
 * \test http_raw_host with a negated content and offset, negative case: "ECT"
 *       does occur from byte 3 onwards ("NECT") of the Host value "CONNECT",
 *       so content:!"ECT" fails. RunTest is called with expect = 0 (no alert
 *       expected).
 */
static int DetectEngineHttpHRHTest08(void)
{
    /* Host value is the seven bytes "CONNECT" */
    uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                        "Host: CONNECT\r\n"
                        "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:!\"ECT\"; offset:3; http_raw_host; "
                       "sid:1;)";

    /* sizeof counts the terminating NUL, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 0);
}
2284 
/**
 * \test http_raw_host with a positive content that lies before the offset.
 *
 * The raw host is "CONNECT". "CON" only occurs at byte 0, but offset:3
 * restricts the search to "NECT", so sid 1 is expected NOT to alert.
 */
static int DetectEngineHttpHRHTest09(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: CONNECT\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http host header test\"; "
                       "content:\"CON\"; offset:3; http_raw_host; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 0);
}
2302 
/**
 * \test Two chained http_raw_host contents, the second bounded by within:4.
 *
 * The raw host is "CONNECT". After "CO" the next four bytes are "NNEC",
 * which fully contain "EC", so sid 1 is expected to alert.
 */
static int DetectEngineHttpHRHTest10(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: CONNECT\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"CO\"; http_raw_host; "
                       "content:\"EC\"; within:4; http_raw_host; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2321 
/**
 * \test Chained http_raw_host contents, the second negated with within:3.
 *
 * The raw host is "CONNECT". After "CO" the next three bytes are "NNE",
 * which do not contain a complete "EC", so the negated content holds and
 * sid 1 is expected to alert.
 */
static int DetectEngineHttpHRHTest11(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: CONNECT\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"CO\"; http_raw_host; "
                       "content:!\"EC\"; within:3; http_raw_host; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2340 
/**
 * \test Chained http_raw_host contents where within:3 is too tight.
 *
 * The raw host is "CONNECT". After "CO" the next three bytes are "NNE";
 * "EC" does not fit inside that window, so sid 1 is expected NOT to alert.
 */
static int DetectEngineHttpHRHTest12(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: CONNECT\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"CO\"; http_raw_host; "
                       "content:\"EC\"; within:3; http_raw_host; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 0);
}
2359 
/**
 * \test Chained http_raw_host contents, the second negated with within:4.
 *
 * The raw host is "CONNECT". After "CO" the next four bytes are "NNEC",
 * which contain "EC", so the negated content fails and sid 1 is expected
 * NOT to alert.
 */
static int DetectEngineHttpHRHTest13(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: CONNECT\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"CO\"; http_raw_host; "
                       "content:!\"EC\"; within:4; http_raw_host; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 0);
}
2378 
/**
 * \test Chained http_raw_host contents, the second with distance:2.
 *
 * The raw host is "CONNECT". Skipping two bytes after "CO" leaves "ECT",
 * which contains "EC", so sid 1 is expected to alert.
 */
static int DetectEngineHttpHRHTest14(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: CONNECT\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"CO\"; http_raw_host; "
                       "content:\"EC\"; distance:2; http_raw_host; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2397 
/**
 * \test Chained http_raw_host contents, the second negated with distance:3.
 *
 * The raw host is "CONNECT". Skipping three bytes after "CO" leaves "CT",
 * which does not contain "EC", so the negated content holds and sid 1 is
 * expected to alert.
 */
static int DetectEngineHttpHRHTest15(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: CONNECT\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"CO\"; http_raw_host; "
                       "content:!\"EC\"; distance:3; http_raw_host; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2416 
/**
 * \test Chained http_raw_host contents where distance:3 skips the match.
 *
 * The raw host is "CONNECT". Skipping three bytes after "CO" leaves "CT",
 * which does not contain "EC", so sid 1 is expected NOT to alert.
 */
static int DetectEngineHttpHRHTest16(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: CONNECT\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"CO\"; http_raw_host; "
                       "content:\"EC\"; distance:3; http_raw_host; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 0);
}
2435 
/**
 * \test Chained http_raw_host contents, the second negated with distance:2.
 *
 * The raw host is "CONNECT". Skipping two bytes after "CO" leaves "ECT",
 * which contains "EC", so the negated content fails and sid 1 is expected
 * NOT to alert.
 */
static int DetectEngineHttpHRHTest17(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: CONNECT\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"CO\"; http_raw_host; "
                       "content:!\"EC\"; distance:2; http_raw_host; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 0);
}
2454 
/**
 * \test http_raw_host with nocase against a Host header carrying a port.
 *
 * The request has "Host: www.kaboom.com:8080"; the rule looks for "kaboom"
 * in the raw host and sid 1 is expected to alert.
 */
static int DetectEngineHttpHRHTest18(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: www.kaboom.com:8080\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"kaboom\"; http_raw_host; nocase; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2468 
/**
 * \test http_raw_host with nocase against a Host header carrying a port.
 *
 * The request has "Host: www.kaboom.com:8080"; the rule looks for "kaboom"
 * in the raw host and sid 1 is expected to alert.
 *
 * NOTE(review): request and rule are byte-for-byte the same as in
 * DetectEngineHttpHRHTest18, so this test adds no coverage as written.
 * A mixed-case host or pattern may have been intended - confirm.
 */
static int DetectEngineHttpHRHTest19(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: www.kaboom.com:8080\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"kaboom\"; http_raw_host; nocase; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2482 
/**
 * \test The port in a Host header is part of the http_raw_host buffer.
 *
 * The request has "Host: www.kaboom.com:8080"; the rule looks for "8080"
 * in the raw host and sid 1 is expected to alert. Compare with
 * DetectEngineHttpHRHTest23, where the port comes from the request URI.
 */
static int DetectEngineHttpHRHTest20(void)
{
    const uint8_t request[] = "GET /index.html HTTP/1.0\r\n"
                              "Host: www.kaboom.com:8080\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"8080\"; http_raw_host; nocase; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2496 
/**
 * \test http_raw_host is populated from an absolute request URI.
 *
 * The request has no Host header; the hostname only appears in
 * "GET http://www.kaboom.com/index.html". The rule looks for "kaboom" in
 * the raw host and sid 1 is expected to alert.
 */
static int DetectEngineHttpHRHTest21(void)
{
    const uint8_t request[] = "GET http://www.kaboom.com/index.html HTTP/1.0\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"kaboom\"; http_raw_host; nocase; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2509 
/**
 * \test http_raw_host from an absolute request URI that includes a port.
 *
 * The request has no Host header; the request line is
 * "GET http://www.kaboom.com:8080/index.html". The rule looks for "kaboom"
 * in the raw host and sid 1 is expected to alert.
 */
static int DetectEngineHttpHRHTest22(void)
{
    const uint8_t request[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"kaboom\"; http_raw_host; nocase; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2522 
/**
 * \test A port given in an absolute request URI is not matched by
 *       http_raw_host.
 *
 * The request has no Host header; the request line is
 * "GET http://www.kaboom.com:8080/index.html". The rule looks for "8080"
 * in the raw host and sid 1 is expected NOT to alert. This is the opposite
 * outcome to DetectEngineHttpHRHTest20, where the same port arrives in a
 * Host header - worth keeping in mind when a rule keys on the port.
 */
static int DetectEngineHttpHRHTest23(void)
{
    const uint8_t request[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"8080\"; http_raw_host; nocase; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 0);
}
2535 
/**
 * \test Absolute request URI and Host header disagree: the URI hostname
 *       is what http_raw_host matches.
 *
 * The request line names www.kaboom.com while the Host header says
 * www.rabbit.com. The rule looks for "kaboom" in the raw host and sid 1 is
 * expected to alert.
 */
static int DetectEngineHttpHRHTest24(void)
{
    const uint8_t request[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
                              "Host: www.rabbit.com\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"kaboom\"; http_raw_host; nocase; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 1);
}
2549 
/**
 * \test Absolute request URI and Host header disagree: the Host header
 *       value is not matched by http_raw_host.
 *
 * The request line names www.kaboom.com while the Host header says
 * www.rabbit.com. The rule looks for "rabbit" in the raw host and sid 1 is
 * expected NOT to alert. Detection note: with a mismatched request like
 * this one, a rule that relies on http_raw_host alone does not see the
 * Host header value.
 */
static int DetectEngineHttpHRHTest25(void)
{
    const uint8_t request[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
                              "Host: www.rabbit.com\r\n"
                              "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
    const char *rule = "alert http any any -> any any "
                       "(msg:\"http_raw_host header test\"; "
                       "content:\"rabbit\"; http_raw_host; nocase; "
                       "sid:1;)";

    /* sizeof includes the string terminator, which is not part of the request */
    return RunTest(request, (uint32_t)(sizeof(request) - 1), rule, 0);
}
2563 
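/* Registers a test under the exact name of the function implementing it, so
 * the registered name and the function cannot drift apart. */
#define HH_REGISTER_TEST(fn) UtRegisterTest(#fn, fn)

/**
 * \brief Register the http_host (HH) and http_raw_host (HRH) unit tests
 *        listed below with the unit-test framework.
 *
 * Each test is registered through UtRegisterTest() under its own function
 * name, in the order given here.
 */
void DetectHttpHHRegisterTests(void)
{
    /* http_host */
    HH_REGISTER_TEST(DetectHttpHHTest01);
    HH_REGISTER_TEST(DetectHttpHHTest03);
    HH_REGISTER_TEST(DetectHttpHHTest04);
    HH_REGISTER_TEST(DetectHttpHHTest05);
    HH_REGISTER_TEST(DetectHttpHHTest05a);
    HH_REGISTER_TEST(DetectHttpHHTest06);
    HH_REGISTER_TEST(DetectHttpHHTest07);
    HH_REGISTER_TEST(DetectHttpHHTest08);
    HH_REGISTER_TEST(DetectHttpHHTest09);
    HH_REGISTER_TEST(DetectHttpHHTest10);
    HH_REGISTER_TEST(DetectHttpHHTest11);
    HH_REGISTER_TEST(DetectHttpHHTest12);
    HH_REGISTER_TEST(DetectHttpHHTest13);
    HH_REGISTER_TEST(DetectHttpHHTest14);

    HH_REGISTER_TEST(DetectEngineHttpHHTest01);
    HH_REGISTER_TEST(DetectEngineHttpHHTest02);
    HH_REGISTER_TEST(DetectEngineHttpHHTest03);
    HH_REGISTER_TEST(DetectEngineHttpHHTest04);
    HH_REGISTER_TEST(DetectEngineHttpHHTest05);
    HH_REGISTER_TEST(DetectEngineHttpHHTest06);
    HH_REGISTER_TEST(DetectEngineHttpHHTest07);
    HH_REGISTER_TEST(DetectEngineHttpHHTest08);
    HH_REGISTER_TEST(DetectEngineHttpHHTest09);
    HH_REGISTER_TEST(DetectEngineHttpHHTest10);
    HH_REGISTER_TEST(DetectEngineHttpHHTest11);
    HH_REGISTER_TEST(DetectEngineHttpHHTest12);
    HH_REGISTER_TEST(DetectEngineHttpHHTest13);
    HH_REGISTER_TEST(DetectEngineHttpHHTest14);
    HH_REGISTER_TEST(DetectEngineHttpHHTest15);
    HH_REGISTER_TEST(DetectEngineHttpHHTest16);
    HH_REGISTER_TEST(DetectEngineHttpHHTest17);
    HH_REGISTER_TEST(DetectEngineHttpHHTest18);
    HH_REGISTER_TEST(DetectEngineHttpHHTest19);
    HH_REGISTER_TEST(DetectEngineHttpHHTest20);
    HH_REGISTER_TEST(DetectEngineHttpHHTest21);
    HH_REGISTER_TEST(DetectEngineHttpHHTest22);
    HH_REGISTER_TEST(DetectEngineHttpHHTest23);
    HH_REGISTER_TEST(DetectEngineHttpHHTest24);
    HH_REGISTER_TEST(DetectEngineHttpHHTest25);

    /* http_raw_host */
    HH_REGISTER_TEST(DetectHttpHRHTest06);
    HH_REGISTER_TEST(DetectHttpHRHTest07);
    HH_REGISTER_TEST(DetectHttpHRHTest08);
    HH_REGISTER_TEST(DetectHttpHRHTest09);
    HH_REGISTER_TEST(DetectHttpHRHTest10);
    HH_REGISTER_TEST(DetectHttpHRHTest11);
    HH_REGISTER_TEST(DetectHttpHRHTest12);
    HH_REGISTER_TEST(DetectHttpHRHTest13);
    HH_REGISTER_TEST(DetectHttpHRHTest14);

    HH_REGISTER_TEST(DetectHttpHRHTest37);

    HH_REGISTER_TEST(DetectEngineHttpHRHTest01);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest02);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest03);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest04);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest05);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest06);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest07);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest08);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest09);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest10);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest11);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest12);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest13);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest14);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest15);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest16);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest17);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest18);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest19);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest20);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest21);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest22);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest23);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest24);
    HH_REGISTER_TEST(DetectEngineHttpHRHTest25);
}

#undef HH_REGISTER_TEST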
2645 
2646 /**
2647  * @}
2648  */