suricata
detect-http-host.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP host header.
31  * HHHD - Http Host Header Data
32  *
33  */
34 
35 #include "suricata-common.h"
36 #include "suricata.h"
37 #include "flow-util.h"
38 #include "flow.h"
39 #include "app-layer-parser.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 #include "app-layer.h"
43 #include "app-layer-htp.h"
44 #include "app-layer-protos.h"
45 #include "detect-engine-build.h"
46 #include "detect-engine-alert.h"
47 
48 static int RunTest(const uint8_t *buf, const uint32_t size, const char *sig_str, const int expect)
49 {
50  TcpSession ssn;
51  ThreadVars th_v;
52  DetectEngineThreadCtx *det_ctx = NULL;
53  Flow f;
54  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
55 
56  memset(&th_v, 0, sizeof(th_v));
57  memset(&f, 0, sizeof(f));
58  memset(&ssn, 0, sizeof(ssn));
59 
60  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
61  FAIL_IF_NULL(p);
62 
63  FLOW_INITIALIZE(&f);
64  f.protoctx = (void *)&ssn;
65  f.proto = IPPROTO_TCP;
66  f.flags |= FLOW_IPV4;
67  p->flow = &f;
68  p->flowflags |= FLOW_PKT_TOSERVER;
69  p->flowflags |= FLOW_PKT_ESTABLISHED;
70  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
71  f.alproto = ALPROTO_HTTP1;
72 
73  StreamTcpInitConfig(true);
74 
75  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
76  FAIL_IF_NULL(de_ctx);
77  de_ctx->flags |= DE_QUIET;
78 
79  Signature *s = DetectEngineAppendSig(de_ctx, sig_str);
80  FAIL_IF_NULL(s);
81 
82  SigGroupBuild(de_ctx);
83  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
84 
85  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, size);
86  FAIL_IF(r != 0);
87 
88  HtpState *http_state = f.alstate;
89  FAIL_IF_NULL(http_state);
90 
91  /* do detect */
92  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
93 
94  FAIL_IF(PacketAlertCheck(p, 1) != expect);
95 
96  AppLayerParserThreadCtxFree(alp_tctx);
97  DetectEngineCtxFree(de_ctx);
98 
99  StreamTcpFreeConfig(true);
100  FLOW_DESTROY(&f);
101  UTHFreePackets(&p, 1);
102  PASS;
103 }
104 /**
105  * \test Test that the http_host content matches against a http request
106  * which holds the content.
107  */
108 static int DetectEngineHttpHHTest01(void)
109 {
110  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
111  "Host: CONNECT\r\n"
112  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
113  uint32_t http_len = sizeof(http_buf) - 1;
114  return RunTest(http_buf, http_len,
115  "alert http any any -> any any "
116  "(msg:\"http host header test\"; "
117  "content:\"connect\"; http_host; "
118  "sid:1;)",
119  1);
120 }
121 
122 /**
123  * \test Test that the http_host content matches against a http request
124  * which holds the content.
125  */
126 static int DetectEngineHttpHHTest02(void)
127 {
128  uint8_t http_buf[] =
129  "GET /index.html HTTP/1.0\r\n"
130  "Host: CONNECT\r\n"
131  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
132  uint32_t http_len = sizeof(http_buf) - 1;
133  return RunTest(http_buf, http_len,
134  "alert http any any -> any any "
135  "(msg:\"http host header test\"; "
136  "content:\"co\"; depth:4; http_host; "
137  "sid:1;)",
138  1);
139 }
140 
141 /**
142  * \test Test that the http_host content matches against a http request
143  * which holds the content.
144  */
145 static int DetectEngineHttpHHTest03(void)
146 {
147  uint8_t http_buf[] =
148  "GET /index.html HTTP/1.0\r\n"
149  "Host: CONNECT\r\n"
150  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
151  uint32_t http_len = sizeof(http_buf) - 1;
152  return RunTest(http_buf, http_len,
153  "alert http any any -> any any "
154  "(msg:\"http_host header test\"; "
155  "content:!\"ect\"; depth:4; http_host; "
156  "sid:1;)",
157  1);
158 }
159 
160 /**
161  * \test Test that the http_host content matches against a http request
162  * which holds the content.
163  */
164 static int DetectEngineHttpHHTest04(void)
165 {
166  uint8_t http_buf[] =
167  "GET /index.html HTTP/1.0\r\n"
168  "Host: CONNECT\r\n"
169  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
170  uint32_t http_len = sizeof(http_buf) - 1;
171  return RunTest(http_buf, http_len,
172  "alert http any any -> any any "
173  "(msg:\"http host header test\"; "
174  "content:\"ect\"; depth:4; http_host; "
175  "sid:1;)",
176  0);
177 }
178 
179 /**
180  * \test Test that the http_host content matches against a http request
181  * which holds the content.
182  */
183 static int DetectEngineHttpHHTest05(void)
184 {
185  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
186  "Host: CONNECT\r\n"
187  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
188  uint32_t http_len = sizeof(http_buf) - 1;
189  return RunTest(http_buf, http_len,
190  "alert http any any -> any any "
191  "(msg:\"http host header test\"; "
192  "content:!\"con\"; depth:4; http_host; "
193  "sid:1;)",
194  0);
195 }
196 
197 /**
198  * \test Test that the http_host header content matches against a http request
199  * which holds the content.
200  */
201 static int DetectEngineHttpHHTest06(void)
202 {
203  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
204  "Host: CONNECT\r\n"
205  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
206  uint32_t http_len = sizeof(http_buf) - 1;
207  return RunTest(http_buf, http_len,
208  "alert http any any -> any any "
209  "(msg:\"http host header test\"; "
210  "content:\"ect\"; offset:3; http_host; "
211  "sid:1;)",
212  1);
213 }
214 
215 /**
216  * \test Test that the http_host content matches against a http request
217  * which holds the content.
218  */
219 static int DetectEngineHttpHHTest07(void)
220 {
221  uint8_t http_buf[] =
222  "GET /index.html HTTP/1.0\r\n"
223  "Host: CONNECT\r\n"
224  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
225  uint32_t http_len = sizeof(http_buf) - 1;
226  return RunTest(http_buf, http_len,
227  "alert http any any -> any any "
228  "(msg:\"http host header test\"; "
229  "content:!\"co\"; offset:3; http_host; "
230  "sid:1;)",
231  1);
232 }
233 
234 /**
235  * \test Test that the http_host header content matches against a http request
236  * which holds the content.
237  */
238 static int DetectEngineHttpHHTest08(void)
239 {
240  uint8_t http_buf[] =
241  "GET /index.html HTTP/1.0\r\n"
242  "Host: CONNECT\r\n"
243  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
244  uint32_t http_len = sizeof(http_buf) - 1;
245  return RunTest(http_buf, http_len,
246  "alert http any any -> any any "
247  "(msg:\"http host header test\"; "
248  "content:!\"ect\"; offset:3; http_host; "
249  "sid:1;)",
250  0);
251 }
252 
253 /**
254  * \test Test that the http_host header content matches against a http request
255  * which holds the content.
256  */
257 static int DetectEngineHttpHHTest09(void)
258 {
259  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
260  "Host: CONNECT\r\n"
261  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
262  uint32_t http_len = sizeof(http_buf) - 1;
263  return RunTest(http_buf, http_len,
264  "alert http any any -> any any "
265  "(msg:\"http host header test\"; "
266  "content:\"con\"; offset:3; http_host; "
267  "sid:1;)",
268  0);
269 }
270 
271 /**
272  * \test Test that the http_host header content matches against a http request
273  * which holds the content.
274  */
275 static int DetectEngineHttpHHTest10(void)
276 {
277  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
278  "Host: CONNECT\r\n"
279  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
280  uint32_t http_len = sizeof(http_buf) - 1;
281  return RunTest(http_buf, http_len,
282  "alert http any any -> any any "
283  "(msg:\"http_host header test\"; "
284  "content:\"co\"; http_host; "
285  "content:\"ec\"; within:4; http_host; "
286  "sid:1;)",
287  1);
288 }
289 
290 /**
291  * \test Test that the http_host header content matches against a http request
292  * which holds the content.
293  */
294 static int DetectEngineHttpHHTest11(void)
295 {
296  uint8_t http_buf[] =
297  "GET /index.html HTTP/1.0\r\n"
298  "Host: CONNECT\r\n"
299  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
300  uint32_t http_len = sizeof(http_buf) - 1;
301  return RunTest(http_buf, http_len,
302  "alert http any any -> any any "
303  "(msg:\"http_host header test\"; "
304  "content:\"co\"; http_host; "
305  "content:!\"ec\"; within:3; http_host; "
306  "sid:1;)",
307  1);
308 }
309 
310 /**
311  * \test Test that the http_host header content matches against a http request
312  * which holds the content.
313  */
314 static int DetectEngineHttpHHTest12(void)
315 {
316  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
317  "Host: CONNECT\r\n"
318  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
319  uint32_t http_len = sizeof(http_buf) - 1;
320  return RunTest(http_buf, http_len,
321  "alert http any any -> any any "
322  "(msg:\"http_host header test\"; "
323  "content:\"co\"; http_host; "
324  "content:\"ec\"; within:3; http_host; "
325  "sid:1;)",
326  0);
327 }
328 
329 /**
330  * \test Test that the http_host header content matches against a http request
331  * which holds the content.
332  */
333 static int DetectEngineHttpHHTest13(void)
334 {
335  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
336  "Host: CONNECT\r\n"
337  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
338  uint32_t http_len = sizeof(http_buf) - 1;
339  return RunTest(http_buf, http_len,
340  "alert http any any -> any any "
341  "(msg:\"http_host header test\"; "
342  "content:\"co\"; http_host; "
343  "content:!\"ec\"; within:4; http_host; "
344  "sid:1;)",
345  0);
346 }
347 
348 /**
349  * \test Test that the http_host header content matches against a http request
350  * which holds the content.
351  */
352 static int DetectEngineHttpHHTest14(void)
353 {
354  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
355  "Host: CONNECT\r\n"
356  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
357  uint32_t http_len = sizeof(http_buf) - 1;
358  return RunTest(http_buf, http_len,
359  "alert http any any -> any any "
360  "(msg:\"http_host header test\"; "
361  "content:\"co\"; http_host; "
362  "content:\"ec\"; distance:2; http_host; "
363  "sid:1;)",
364  1);
365 }
366 
367 /**
368  * \test Test that the http_host header content matches against a http request
369  * which holds the content.
370  */
371 static int DetectEngineHttpHHTest15(void)
372 {
373  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
374  "Host: CONNECT\r\n"
375  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
376  uint32_t http_len = sizeof(http_buf) - 1;
377  return RunTest(http_buf, http_len,
378  "alert http any any -> any any "
379  "(msg:\"http_host header test\"; "
380  "content:\"co\"; http_host; "
381  "content:!\"ec\"; distance:3; http_host; "
382  "sid:1;)",
383  1);
384 }
385 
386 /**
387  * \test Test that the http_host header content matches against a http request
388  * which holds the content.
389  */
390 static int DetectEngineHttpHHTest16(void)
391 {
392  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
393  "Host: CONNECT\r\n"
394  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
395  uint32_t http_len = sizeof(http_buf) - 1;
396  return RunTest(http_buf, http_len,
397  "alert http any any -> any any "
398  "(msg:\"http_host header test\"; "
399  "content:\"co\"; http_host; "
400  "content:\"ec\"; distance:3; http_host; "
401  "sid:1;)",
402  0);
403 }
404 
405 /**
406  * \test Test that the http_host header content matches against a http request
407  * which holds the content.
408  */
409 static int DetectEngineHttpHHTest17(void)
410 {
411  uint8_t http_buf[] =
412  "GET /index.html HTTP/1.0\r\n"
413  "Host: CONNECT\r\n"
414  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
415  uint32_t http_len = sizeof(http_buf) - 1;
416  return RunTest(http_buf, http_len,
417  "alert http any any -> any any "
418  "(msg:\"http_host header test\"; "
419  "content:\"co\"; http_host; "
420  "content:!\"ec\"; distance:2; http_host; "
421  "sid:1;)",
422  0);
423 }
424 
425 static int DetectEngineHttpHHTest18(void)
426 {
427  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
428  "Host: www.kaboom.com\r\n"
429  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
430  uint32_t http_len = sizeof(http_buf) - 1;
431  return RunTest(http_buf, http_len,
432  "alert http any any -> any any "
433  "(msg:\"http_host header test\"; "
434  "content:\"kaboom\"; http_host; "
435  "sid:1;)",
436  1);
437 }
438 
439 static int DetectEngineHttpHHTest19(void)
440 {
441  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
442  "Host: www.kaboom.com:8080\r\n"
443  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
444  uint32_t http_len = sizeof(http_buf) - 1;
445  return RunTest(http_buf, http_len,
446  "alert http any any -> any any "
447  "(msg:\"http_host header test\"; "
448  "content:\"kaboom\"; http_host; "
449  "sid:1;)",
450  1);
451 }
452 
453 static int DetectEngineHttpHHTest20(void)
454 {
455  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
456  "Host: www.kaboom.com:8080\r\n"
457  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
458  uint32_t http_len = sizeof(http_buf) - 1;
459  return RunTest(http_buf, http_len,
460  "alert http any any -> any any "
461  "(msg:\"http_host header test\"; "
462  "content:\"8080\"; http_host; "
463  "sid:1;)",
464  0);
465 }
466 
467 static int DetectEngineHttpHHTest21(void)
468 {
469  uint8_t http_buf[] = "GET http://www.kaboom.com/index.html HTTP/1.0\r\n"
470  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
471  uint32_t http_len = sizeof(http_buf) - 1;
472  return RunTest(http_buf, http_len,
473  "alert http any any -> any any "
474  "(msg:\"http_host header test\"; "
475  "content:\"kaboom\"; http_host; "
476  "sid:1;)",
477  1);
478 }
479 
480 static int DetectEngineHttpHHTest22(void)
481 {
482  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
483  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
484  uint32_t http_len = sizeof(http_buf) - 1;
485  return RunTest(http_buf, http_len,
486  "alert http any any -> any any "
487  "(msg:\"http_host header test\"; "
488  "content:\"kaboom\"; http_host; "
489  "sid:1;)",
490  1);
491 }
492 
493 static int DetectEngineHttpHHTest23(void)
494 {
495  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
496  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
497  uint32_t http_len = sizeof(http_buf) - 1;
498  return RunTest(http_buf, http_len,
499  "alert http any any -> any any "
500  "(msg:\"http_host header test\"; "
501  "content:\"8080\"; http_host; "
502  "sid:1;)",
503  0);
504 }
505 
506 static int DetectEngineHttpHHTest24(void)
507 {
508  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
509  "Host: www.rabbit.com\r\n"
510  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
511  uint32_t http_len = sizeof(http_buf) - 1;
512  return RunTest(http_buf, http_len,
513  "alert http any any -> any any "
514  "(msg:\"http_host header test\"; "
515  "content:\"kaboom\"; http_host; "
516  "sid:1;)",
517  1);
518 }
519 
520 static int DetectEngineHttpHHTest25(void)
521 {
522  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
523  "Host: www.rabbit.com\r\n"
524  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
525  uint32_t http_len = sizeof(http_buf) - 1;
526  return RunTest(http_buf, http_len,
527  "alert http any any -> any any "
528  "(msg:\"http_host header test\"; "
529  "content:\"rabbit\"; http_host; "
530  "sid:1;)",
531  0);
532 }
533 
534 /**
535  * \test Test that a signature containing a http_host is correctly parsed
536  * and the keyword is registered.
537  */
538 static int DetectHttpHHTest01(void)
539 {
540  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
541  FAIL_IF_NULL(de_ctx);
542  de_ctx->flags |= DE_QUIET;
543  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
544  "content:\"one\"; http_host; sid:1;)");
545  FAIL_IF_NULL(s);
546  DetectEngineCtxFree(de_ctx);
547  PASS;
548 }
549 
550 /**
551  * \test Test that an invalid signature containing no content but a
552  * http_host is invalidated.
553  */
554 static int DetectHttpHHTest03(void)
555 {
556  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
557  FAIL_IF_NULL(de_ctx);
558  de_ctx->flags |= DE_QUIET;
559  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
560  "http_host; sid:1;)");
561  FAIL_IF_NOT_NULL(s);
562  DetectEngineCtxFree(de_ctx);
563  PASS;
564 }
565 
566 /**
567  * \test Test that an invalid signature containing a rawbytes along with a
568  * http_host is invalidated.
569  */
570 static int DetectHttpHHTest04(void)
571 {
572  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
573  FAIL_IF_NULL(de_ctx);
574  de_ctx->flags |= DE_QUIET;
575  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
576  "content:\"one\"; rawbytes; http_host; sid:1;)");
577  FAIL_IF_NOT_NULL(s);
578  DetectEngineCtxFree(de_ctx);
579  PASS;
580 }
581 
582 /**
583  * \test Test that a http_host with nocase is parsed.
584  */
585 static int DetectHttpHHTest05(void)
586 {
587  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
588  FAIL_IF_NULL(de_ctx);
589  de_ctx->flags |= DE_QUIET;
590  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
591  "content:\"one\"; http_host; nocase; sid:1;)");
592  FAIL_IF_NOT_NULL(s);
593  DetectEngineCtxFree(de_ctx);
594  PASS;
595 }
596 
597 /** \test invalid sig: uppercase content */
598 static int DetectHttpHHTest05a(void)
599 {
600  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
601  FAIL_IF_NULL(de_ctx);
602  de_ctx->flags |= DE_QUIET;
603 
604  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
605  "(content:\"ABC\"; http_host; sid:1;)");
606  FAIL_IF_NOT_NULL(s);
607 
608  DetectEngineCtxFree(de_ctx);
609  PASS;
610 }
611 
612 /**
613  *\test Test that the http_host content matches against a http request
614  * which holds the content.
615  */
616 static int DetectHttpHHTest06(void)
617 {
618  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
619  "User-Agent: www.openinfosecfoundation.org\r\n"
620  "Host: This is dummy message body\r\n"
621  "Content-Type: text/html\r\n"
622  "\r\n";
623  uint32_t http_len = sizeof(http_buf) - 1;
624  return RunTest(http_buf, http_len,
625  "alert http any any -> any any "
626  "(msg:\"http host test\"; "
627  "content:\"message\"; http_host; "
628  "sid:1;)",
629  1);
630 }
631 
632 /**
633  *\test Test that the http_host content matches against a http request
634  * which holds the content.
635  */
636 static int DetectHttpHHTest07(void)
637 {
638  TcpSession ssn;
639  Packet *p1 = NULL;
640  Packet *p2 = NULL;
641  ThreadVars th_v;
642  DetectEngineThreadCtx *det_ctx = NULL;
643  HtpState *http_state = NULL;
644  Flow f;
645  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
646  "User-Agent: www.openinfosecfoundation.org\r\n"
647  "Host: This is dummy message";
648  uint8_t http2_buf[] = "body1\r\n\r\n";
649  uint32_t http1_len = sizeof(http1_buf) - 1;
650  uint32_t http2_len = sizeof(http2_buf) - 1;
651  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
652 
653  memset(&th_v, 0, sizeof(th_v));
654  memset(&f, 0, sizeof(f));
655  memset(&ssn, 0, sizeof(ssn));
656 
657  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
658  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
659 
660  FLOW_INITIALIZE(&f);
661  f.protoctx = (void *)&ssn;
662  f.proto = IPPROTO_TCP;
663  f.flags |= FLOW_IPV4;
664 
665  p1->flow = &f;
666  p1->flowflags |= FLOW_PKT_TOSERVER;
667  p1->flowflags |= FLOW_PKT_ESTABLISHED;
668  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
669  p2->flow = &f;
670  p2->flowflags |= FLOW_PKT_TOSERVER;
671  p2->flowflags |= FLOW_PKT_ESTABLISHED;
672  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
673  f.alproto = ALPROTO_HTTP1;
674 
675  StreamTcpInitConfig(true);
676 
677  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
678  FAIL_IF_NULL(de_ctx);
679  de_ctx->flags |= DE_QUIET;
680 
681  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
682  "(msg:\"http host test\"; "
683  "content:\"message\"; http_host; "
684  "sid:1;)");
685  FAIL_IF_NULL(s);
686 
687  SigGroupBuild(de_ctx);
688  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
689 
690  int r = AppLayerParserParse(
691  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
692  FAIL_IF(r != 0);
693 
694  http_state = f.alstate;
695  FAIL_IF_NULL(http_state);
696 
697  /* do detect */
698  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
699 
700  FAIL_IF(PacketAlertCheck(p1, 1));
701 
702  r = AppLayerParserParse(
703  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
704  FAIL_IF(r != 0);
705 
706  /* do detect */
707  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
708  FAIL_IF(!(PacketAlertCheck(p2, 1)));
709 
710  AppLayerParserThreadCtxFree(alp_tctx);
711  DetectEngineCtxFree(de_ctx);
712 
713  StreamTcpFreeConfig(true);
714  FLOW_DESTROY(&f);
715  UTHFreePackets(&p1, 1);
716  UTHFreePackets(&p2, 1);
717  PASS;
718 }
719 
720 /**
721  *\test Test that the http_host content matches against a http request
722  * which holds the content.
723  */
724 static int DetectHttpHHTest08(void)
725 {
726  TcpSession ssn;
727  Packet *p1 = NULL;
728  Packet *p2 = NULL;
729  ThreadVars th_v;
730  DetectEngineThreadCtx *det_ctx = NULL;
731  HtpState *http_state = NULL;
732  Flow f;
733  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
734  "User-Agent: www.openinfosecfoundation.org\r\n"
735  "host: This is dummy mess";
736  uint8_t http2_buf[] = "age body\r\n\r\n";
737  uint32_t http1_len = sizeof(http1_buf) - 1;
738  uint32_t http2_len = sizeof(http2_buf) - 1;
739  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
740 
741  memset(&th_v, 0, sizeof(th_v));
742  memset(&f, 0, sizeof(f));
743  memset(&ssn, 0, sizeof(ssn));
744 
745  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
746  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
747 
748  FLOW_INITIALIZE(&f);
749  f.protoctx = (void *)&ssn;
750  f.proto = IPPROTO_TCP;
751  f.flags |= FLOW_IPV4;
752 
753  p1->flow = &f;
754  p1->flowflags |= FLOW_PKT_TOSERVER;
755  p1->flowflags |= FLOW_PKT_ESTABLISHED;
756  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
757  p2->flow = &f;
758  p2->flowflags |= FLOW_PKT_TOSERVER;
759  p2->flowflags |= FLOW_PKT_ESTABLISHED;
760  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
761  f.alproto = ALPROTO_HTTP1;
762 
763  StreamTcpInitConfig(true);
764 
765  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
766  FAIL_IF_NULL(de_ctx);
767  de_ctx->flags |= DE_QUIET;
768 
769  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
770  "(msg:\"http host test\"; "
771  "content:\"message\"; http_host; "
772  "sid:1;)");
773  FAIL_IF_NULL(s);
774 
775  SigGroupBuild(de_ctx);
776  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
777 
778  int r = AppLayerParserParse(
779  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
780  FAIL_IF(r != 0);
781 
782  http_state = f.alstate;
783  FAIL_IF_NULL(http_state);
784 
785  /* do detect */
786  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
787 
788  FAIL_IF((PacketAlertCheck(p1, 1)));
789 
790  r = AppLayerParserParse(
791  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
792  FAIL_IF(r != 0);
793 
794  /* do detect */
795  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
796 
797  FAIL_IF(!(PacketAlertCheck(p2, 1)));
798 
799  AppLayerParserThreadCtxFree(alp_tctx);
800  DetectEngineCtxFree(de_ctx);
801 
802  StreamTcpFreeConfig(true);
803  FLOW_DESTROY(&f);
804  UTHFreePackets(&p1, 1);
805  UTHFreePackets(&p2, 1);
806  PASS;
807 }
808 
809 /**
810  *\test Test that the http_host content matches against a http request
811  * which holds the content, against a cross boundary present pattern.
812  */
813 static int DetectHttpHHTest09(void)
814 {
815  TcpSession ssn;
816  Packet *p1 = NULL;
817  Packet *p2 = NULL;
818  ThreadVars th_v;
819  DetectEngineThreadCtx *det_ctx = NULL;
820  HtpState *http_state = NULL;
821  Flow f;
822  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
823  "User-Agent: www.openinfosecfoundation.org\r\n"
824  "Host: This is dummy body1";
825  uint8_t http2_buf[] = "This is dummy message body2\r\n"
826  "Content-Type: text/html\r\n"
827  "Content-Length: 46\r\n"
828  "\r\n"
829  "This is dummy body1";
830  uint32_t http1_len = sizeof(http1_buf) - 1;
831  uint32_t http2_len = sizeof(http2_buf) - 1;
832  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
833 
834  memset(&th_v, 0, sizeof(th_v));
835  memset(&f, 0, sizeof(f));
836  memset(&ssn, 0, sizeof(ssn));
837 
838  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
839  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
840 
841  FLOW_INITIALIZE(&f);
842  f.protoctx = (void *)&ssn;
843  f.proto = IPPROTO_TCP;
844  f.flags |= FLOW_IPV4;
845 
846  p1->flow = &f;
847  p1->flowflags |= FLOW_PKT_TOSERVER;
848  p1->flowflags |= FLOW_PKT_ESTABLISHED;
849  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
850  p2->flow = &f;
851  p2->flowflags |= FLOW_PKT_TOSERVER;
852  p2->flowflags |= FLOW_PKT_ESTABLISHED;
853  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
854  f.alproto = ALPROTO_HTTP1;
855 
856  StreamTcpInitConfig(true);
857 
858  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
859  FAIL_IF_NULL(de_ctx);
860  de_ctx->flags |= DE_QUIET;
861 
862  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
863  "(msg:\"http host test\"; "
864  "content:\"body1this\"; http_host; "
865  "sid:1;)");
866  FAIL_IF_NULL(s);
867 
868  SigGroupBuild(de_ctx);
869  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
870 
871  int r = AppLayerParserParse(
872  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
873  FAIL_IF(r != 0);
874 
875  http_state = f.alstate;
876  FAIL_IF_NULL(http_state);
877 
878  /* do detect */
879  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
880 
881  FAIL_IF((PacketAlertCheck(p1, 1)));
882 
883  r = AppLayerParserParse(
884  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
885  FAIL_IF(r != 0);
886 
887  /* do detect */
888  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
889 
890  FAIL_IF(!(PacketAlertCheck(p2, 1)));
891 
892  AppLayerParserThreadCtxFree(alp_tctx);
893  DetectEngineCtxFree(de_ctx);
894 
895  StreamTcpFreeConfig(true);
896  FLOW_DESTROY(&f);
897  UTHFreePackets(&p1, 1);
898  UTHFreePackets(&p2, 1);
899  PASS;
900 }
901 
902 /**
903  *\test Test that the http_host content matches against a http request
904  * against a case insensitive pattern.
905  */
906 static int DetectHttpHHTest10(void)
907 {
908  TcpSession ssn;
909  Packet *p1 = NULL;
910  Packet *p2 = NULL;
911  ThreadVars th_v;
912  DetectEngineCtx *de_ctx = NULL;
913  DetectEngineThreadCtx *det_ctx = NULL;
914  HtpState *http_state = NULL;
915  Flow f;
916  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
917  "User-Agent: www.openinfosecfoundation.org\r\n"
918  "Host: This is dummy bodY1";
919  uint8_t http2_buf[] = "This is dummy message body2\r\n"
920  "Content-Type: text/html\r\n"
921  "Content-Length: 46\r\n"
922  "\r\n"
923  "This is dummy bodY1";
924  uint32_t http1_len = sizeof(http1_buf) - 1;
925  uint32_t http2_len = sizeof(http2_buf) - 1;
926  int result = 0;
927  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
928 
929  memset(&th_v, 0, sizeof(th_v));
930  memset(&f, 0, sizeof(f));
931  memset(&ssn, 0, sizeof(ssn));
932 
933  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
934  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
935 
936  FLOW_INITIALIZE(&f);
937  f.protoctx = (void *)&ssn;
938  f.proto = IPPROTO_TCP;
939  f.flags |= FLOW_IPV4;
940 
941  p1->flow = &f;
942  p1->flowflags |= FLOW_PKT_TOSERVER;
943  p1->flowflags |= FLOW_PKT_ESTABLISHED;
944  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
945  p2->flow = &f;
946  p2->flowflags |= FLOW_PKT_TOSERVER;
947  p2->flowflags |= FLOW_PKT_ESTABLISHED;
948  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
949  f.alproto = ALPROTO_HTTP1;
950 
951  StreamTcpInitConfig(true);
952 
953  de_ctx = DetectEngineCtxInit();
954  if (de_ctx == NULL)
955  goto end;
956 
957  de_ctx->flags |= DE_QUIET;
958 
959  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
960  "(msg:\"http host test\"; "
961  "content:\"body1this\"; http_host; "
962  "sid:1;)");
963  if (de_ctx->sig_list == NULL)
964  goto end;
965 
966  SigGroupBuild(de_ctx);
967  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
968 
969  int r = AppLayerParserParse(
970  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
971  if (r != 0) {
972  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
973  result = 0;
974  goto end;
975  }
976 
977  http_state = f.alstate;
978  if (http_state == NULL) {
979  printf("no http state: \n");
980  result = 0;
981  goto end;
982  }
983 
984  /* do detect */
985  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
986 
987  if ((PacketAlertCheck(p1, 1))) {
988  printf("sid 1 didn't match but should have\n");
989  goto end;
990  }
991 
992  r = AppLayerParserParse(
993  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
994  if (r != 0) {
995  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
996  result = 0;
997  goto end;
998  }
999 
1000  /* do detect */
1001  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1002 
1003  if (!(PacketAlertCheck(p2, 1))) {
1004  printf("sid 1 didn't match but should have");
1005  goto end;
1006  }
1007 
1008  result = 1;
1009 end:
1010  if (alp_tctx != NULL)
1011  AppLayerParserThreadCtxFree(alp_tctx);
1012  if (de_ctx != NULL)
1013  DetectEngineCtxFree(de_ctx);
1014 
1015  StreamTcpFreeConfig(true);
1016  FLOW_DESTROY(&f);
1017  UTHFreePackets(&p1, 1);
1018  UTHFreePackets(&p2, 1);
1019  return result;
1020 }
1021 
1022 /**
1023  *\test Test that the negated http_host content matches against a
1024  * http request which doesn't hold the content.
1025  */
1026 static int DetectHttpHHTest11(void)
1027 {
1028  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1029  "User-Agent: www.openinfosecfoundation.org\r\n"
1030  "Host: This is dummy message body\r\n"
1031  "Content-Type: text/html\r\n"
1032  "\r\n";
1033  uint32_t http_len = sizeof(http_buf) - 1;
1034  return RunTest(http_buf, http_len,
1035  "alert http any any -> any any "
1036  "(msg:\"http host test\"; "
1037  "content:!\"message\"; http_host; "
1038  "sid:1;)",
1039  0);
1040 }
1041 
1042 /**
1043  *\test Negative test that the negated http_host content matches against a
1044  * http request which holds hold the content.
1045  */
1046 static int DetectHttpHHTest12(void)
1047 {
1048  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1049  "User-Agent: www.openinfosecfoundation.org\r\n"
1050  "Host: This is dummy body\r\n"
1051  "\r\n";
1052  uint32_t http_len = sizeof(http_buf) - 1;
1053  return RunTest(http_buf, http_len,
1054  "alert http any any -> any any "
1055  "(msg:\"http host test\"; "
1056  "content:!\"message\"; http_host; "
1057  "sid:1;)",
1058  1);
1059 }
1060 
1061 /**
1062  * \test Test that the http_host content matches against a http request
1063  * which holds the content.
1064  */
1065 static int DetectHttpHHTest13(void)
1066 {
1067  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1068  "User-Agent: www.openinfosecfoundation.org\r\n"
1069  "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
1070  "Content-Type: text/html\r\n"
1071  "\r\n";
1072  uint32_t http_len = sizeof(http_buf) - 1;
1073  return RunTest(http_buf, http_len,
1074  "alert http any any -> any any "
1075  "(msg:\"http host test\"; "
1076  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_host; "
1077  "sid:1;)",
1078  1);
1079 }
1080 
1081 /**
1082  * \test multiple http transactions and body chunks of request handling
1083  */
1084 static int DetectHttpHHTest14(void)
1085 {
1086  int result = 0;
1087  Signature *s = NULL;
1088  DetectEngineThreadCtx *det_ctx = NULL;
1089  ThreadVars th_v;
1090  Flow f;
1091  TcpSession ssn;
1092  Packet *p = NULL;
1093  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1094  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
1095  uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
1096  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1097  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1098  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1099  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
1100  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
1101  uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
1102  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1103  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1104  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1105  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1106 
1107  memset(&th_v, 0, sizeof(th_v));
1108  memset(&f, 0, sizeof(f));
1109  memset(&ssn, 0, sizeof(ssn));
1110 
1111  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1112 
1113  FLOW_INITIALIZE(&f);
1114  f.protoctx = (void *)&ssn;
1115  f.proto = IPPROTO_TCP;
1116  f.flags |= FLOW_IPV4;
1117 
1118  p->flow = &f;
1119  p->flowflags |= FLOW_PKT_TOSERVER;
1120  p->flowflags |= FLOW_PKT_ESTABLISHED;
1121  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1122  f.alproto = ALPROTO_HTTP1;
1123 
1124  StreamTcpInitConfig(true);
1125 
1126  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1127  if (de_ctx == NULL) {
1128  goto end;
1129  }
1130 
1131  de_ctx->flags |= DE_QUIET;
1132 
1133  s = DetectEngineAppendSig(de_ctx,
1134  "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; "
1135  "http_cookie; content:\"body one\"; http_host; sid:1; rev:1;)");
1136  if (s == NULL) {
1137  printf("sig parse failed: ");
1138  goto end;
1139  }
1140  s = DetectEngineAppendSig(de_ctx,
1141  "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; "
1142  "http_cookie; content:\"body two\"; http_host; sid:2; rev:1;)");
1143  if (s == NULL) {
1144  printf("sig2 parse failed: ");
1145  goto end;
1146  }
1147 
1148  SigGroupBuild(de_ctx);
1149  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1150 
1151  int r = AppLayerParserParse(
1152  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1153  if (r != 0) {
1154  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1155  goto end;
1156  }
1157 
1158  /* do detect */
1159  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1160  if (PacketAlertCheck(p, 1)) {
1161  printf("sig 1 alerted: ");
1162  goto end;
1163  }
1164  p->alerts.cnt = 0;
1165 
1166  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1167  if (r != 0) {
1168  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
1169  goto end;
1170  }
1171 
1172  /* do detect */
1173  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1174  if (PacketAlertCheck(p, 1)) {
1175  printf("sig 1 alerted (2): ");
1176  goto end;
1177  }
1178  p->alerts.cnt = 0;
1179 
1180  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1181  if (r != 0) {
1182  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
1183  goto end;
1184  }
1185 
1186  /* do detect */
1187  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1188  if (!(PacketAlertCheck(p, 1))) {
1189  printf("sig 1 didn't alert: ");
1190  goto end;
1191  }
1192  p->alerts.cnt = 0;
1193 
1194  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1195  if (r != 0) {
1196  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
1197  goto end;
1198  }
1199 
1200  /* do detect */
1201  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1202  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
1203  printf("sig 1 alerted (4): ");
1204  goto end;
1205  }
1206  p->alerts.cnt = 0;
1207 
1208  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1209  if (r != 0) {
1210  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
1211  goto end;
1212  }
1213 
1214  /* do detect */
1215  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1216  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
1217  printf("sig 1 alerted (request 2, chunk 6): ");
1218  goto end;
1219  }
1220  p->alerts.cnt = 0;
1221 
1222  SCLogDebug("sending data chunk 7");
1223 
1224  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1225  if (r != 0) {
1226  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
1227  goto end;
1228  }
1229 
1230  /* do detect */
1231  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1232  if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
1233  printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
1234  goto end;
1235  }
1236  p->alerts.cnt = 0;
1237 
1238  HtpState *htp_state = f.alstate;
1239  if (htp_state == NULL) {
1240  printf("no http state: ");
1241  result = 0;
1242  goto end;
1243  }
1244 
1245  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
1246  printf("The http app layer doesn't have 2 transactions, but it should: ");
1247  goto end;
1248  }
1249 
1250  result = 1;
1251 end:
1252  if (alp_tctx != NULL)
1253  AppLayerParserThreadCtxFree(alp_tctx);
1254  if (det_ctx != NULL) {
1255  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1256  }
1257  if (de_ctx != NULL) {
1258  DetectEngineCtxFree(de_ctx);
1259  }
1260 
1261  StreamTcpFreeConfig(true);
1262  FLOW_DESTROY(&f);
1263  UTHFreePacket(p);
1264  return result;
1265 }
1266 
1267 /**
1268  *\test Test that the http_raw_host content matches against a http request
1269  * which holds the content.
1270  */
1271 static int DetectHttpHRHTest06(void)
1272 {
1273  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1274  "User-Agent: www.openinfosecfoundation.org\r\n"
1275  "Host: This is dummy message body\r\n"
1276  "Content-Type: text/html\r\n"
1277  "\r\n";
1278  uint32_t http_len = sizeof(http_buf) - 1;
1279  return RunTest(http_buf, http_len,
1280  "alert http any any -> any any "
1281  "(msg:\"http host test\"; "
1282  "content:\"message\"; http_raw_host; "
1283  "sid:1;)",
1284  1);
1285 }
1286 
1287 /**
1288  *\test Test that the http_raw_host content matches against a http request
1289  * which holds the content.
1290  */
1291 static int DetectHttpHRHTest07(void)
1292 {
1293  TcpSession ssn;
1294  Packet *p1 = NULL;
1295  Packet *p2 = NULL;
1296  ThreadVars th_v;
1297  DetectEngineCtx *de_ctx = NULL;
1298  DetectEngineThreadCtx *det_ctx = NULL;
1299  HtpState *http_state = NULL;
1300  Flow f;
1301  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1302  "User-Agent: www.openinfosecfoundation.org\r\n"
1303  "Host: This is dummy message";
1304  uint8_t http2_buf[] = "body1\r\n\r\n";
1305  uint32_t http1_len = sizeof(http1_buf) - 1;
1306  uint32_t http2_len = sizeof(http2_buf) - 1;
1307  int result = 0;
1308  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1309 
1310  memset(&th_v, 0, sizeof(th_v));
1311  memset(&f, 0, sizeof(f));
1312  memset(&ssn, 0, sizeof(ssn));
1313 
1314  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1315  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1316 
1317  FLOW_INITIALIZE(&f);
1318  f.protoctx = (void *)&ssn;
1319  f.proto = IPPROTO_TCP;
1320  f.flags |= FLOW_IPV4;
1321 
1322  p1->flow = &f;
1323  p1->flowflags |= FLOW_PKT_TOSERVER;
1324  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1325  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1326  p2->flow = &f;
1327  p2->flowflags |= FLOW_PKT_TOSERVER;
1328  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1329  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1330  f.alproto = ALPROTO_HTTP1;
1331 
1332  StreamTcpInitConfig(true);
1333 
1334  de_ctx = DetectEngineCtxInit();
1335  if (de_ctx == NULL)
1336  goto end;
1337 
1338  de_ctx->flags |= DE_QUIET;
1339 
1340  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1341  "(msg:\"http host test\"; "
1342  "content:\"message\"; http_raw_host; "
1343  "sid:1;)");
1344  if (de_ctx->sig_list == NULL)
1345  goto end;
1346 
1347  SigGroupBuild(de_ctx);
1348  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1349 
1350  int r = AppLayerParserParse(
1351  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1352  if (r != 0) {
1353  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1354  result = 0;
1355  goto end;
1356  }
1357 
1358  http_state = f.alstate;
1359  if (http_state == NULL) {
1360  printf("no http state: ");
1361  goto end;
1362  }
1363 
1364  /* do detect */
1365  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1366 
1367  if (PacketAlertCheck(p1, 1)) {
1368  printf("sid 1 matched on p1 but shouldn't have: ");
1369  goto end;
1370  }
1371 
1372  r = AppLayerParserParse(
1373  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1374  if (r != 0) {
1375  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1376  goto end;
1377  }
1378 
1379  /* do detect */
1380  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1381  if (!(PacketAlertCheck(p2, 1))) {
1382  printf("sid 1 didn't match on p2 but should have: ");
1383  goto end;
1384  }
1385 
1386  result = 1;
1387 end:
1388  if (alp_tctx != NULL)
1389  AppLayerParserThreadCtxFree(alp_tctx);
1390  if (de_ctx != NULL)
1391  DetectEngineCtxFree(de_ctx);
1392 
1393  StreamTcpFreeConfig(true);
1394  FLOW_DESTROY(&f);
1395  UTHFreePackets(&p1, 1);
1396  UTHFreePackets(&p2, 1);
1397  return result;
1398 }
1399 
1400 /**
1401  *\test Test that the http_raw_host content matches against a http request
1402  * which holds the content.
1403  */
1404 static int DetectHttpHRHTest08(void)
1405 {
1406  TcpSession ssn;
1407  Packet *p1 = NULL;
1408  Packet *p2 = NULL;
1409  ThreadVars th_v;
1410  DetectEngineCtx *de_ctx = NULL;
1411  DetectEngineThreadCtx *det_ctx = NULL;
1412  HtpState *http_state = NULL;
1413  Flow f;
1414  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1415  "User-Agent: www.openinfosecfoundation.org\r\n"
1416  "host: This is dummy mess";
1417  uint8_t http2_buf[] = "age body\r\n\r\n";
1418  uint32_t http1_len = sizeof(http1_buf) - 1;
1419  uint32_t http2_len = sizeof(http2_buf) - 1;
1420  int result = 0;
1421  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1422 
1423  memset(&th_v, 0, sizeof(th_v));
1424  memset(&f, 0, sizeof(f));
1425  memset(&ssn, 0, sizeof(ssn));
1426 
1427  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1428  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1429 
1430  FLOW_INITIALIZE(&f);
1431  f.protoctx = (void *)&ssn;
1432  f.proto = IPPROTO_TCP;
1433  f.flags |= FLOW_IPV4;
1434 
1435  p1->flow = &f;
1436  p1->flowflags |= FLOW_PKT_TOSERVER;
1437  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1438  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1439  p2->flow = &f;
1440  p2->flowflags |= FLOW_PKT_TOSERVER;
1441  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1442  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1443  f.alproto = ALPROTO_HTTP1;
1444 
1445  StreamTcpInitConfig(true);
1446 
1447  de_ctx = DetectEngineCtxInit();
1448  if (de_ctx == NULL)
1449  goto end;
1450 
1451  de_ctx->flags |= DE_QUIET;
1452 
1453  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1454  "(msg:\"http host test\"; "
1455  "content:\"message\"; http_raw_host; "
1456  "sid:1;)");
1457  if (de_ctx->sig_list == NULL)
1458  goto end;
1459 
1460  SigGroupBuild(de_ctx);
1461  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1462 
1463  int r = AppLayerParserParse(
1464  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1465  if (r != 0) {
1466  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1467  result = 0;
1468  goto end;
1469  }
1470 
1471  http_state = f.alstate;
1472  if (http_state == NULL) {
1473  printf("no http state: ");
1474  result = 0;
1475  goto end;
1476  }
1477 
1478  /* do detect */
1479  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1480 
1481  if ((PacketAlertCheck(p1, 1))) {
1482  printf("sid 1 didn't match but should have");
1483  goto end;
1484  }
1485 
1486  r = AppLayerParserParse(
1487  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1488  if (r != 0) {
1489  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1490  result = 0;
1491  goto end;
1492  }
1493 
1494  /* do detect */
1495  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1496 
1497  if (!(PacketAlertCheck(p2, 1))) {
1498  printf("sid 1 didn't match but should have");
1499  goto end;
1500  }
1501 
1502  result = 1;
1503 end:
1504  if (alp_tctx != NULL)
1505  AppLayerParserThreadCtxFree(alp_tctx);
1506  if (de_ctx != NULL)
1507  DetectEngineCtxFree(de_ctx);
1508 
1509  StreamTcpFreeConfig(true);
1510  FLOW_DESTROY(&f);
1511  UTHFreePackets(&p1, 1);
1512  UTHFreePackets(&p2, 1);
1513  return result;
1514 }
1515 
1516 /**
1517  *\test Test that the http_raw_host content matches against a http request
1518  * which holds the content, against a cross boundary present pattern.
1519  */
1520 static int DetectHttpHRHTest09(void)
1521 {
1522  TcpSession ssn;
1523  Packet *p1 = NULL;
1524  Packet *p2 = NULL;
1525  ThreadVars th_v;
1526  DetectEngineCtx *de_ctx = NULL;
1527  DetectEngineThreadCtx *det_ctx = NULL;
1528  HtpState *http_state = NULL;
1529  Flow f;
1530  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1531  "User-Agent: www.openinfosecfoundation.org\r\n"
1532  "Host: This is dummy body1";
1533  uint8_t http2_buf[] = "This is dummy message body2\r\n"
1534  "Content-Type: text/html\r\n"
1535  "Content-Length: 46\r\n"
1536  "\r\n"
1537  "This is dummy body1";
1538  uint32_t http1_len = sizeof(http1_buf) - 1;
1539  uint32_t http2_len = sizeof(http2_buf) - 1;
1540  int result = 0;
1541  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1542 
1543  memset(&th_v, 0, sizeof(th_v));
1544  memset(&f, 0, sizeof(f));
1545  memset(&ssn, 0, sizeof(ssn));
1546 
1547  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1548  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1549 
1550  FLOW_INITIALIZE(&f);
1551  f.protoctx = (void *)&ssn;
1552  f.proto = IPPROTO_TCP;
1553  f.flags |= FLOW_IPV4;
1554 
1555  p1->flow = &f;
1556  p1->flowflags |= FLOW_PKT_TOSERVER;
1557  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1558  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1559  p2->flow = &f;
1560  p2->flowflags |= FLOW_PKT_TOSERVER;
1561  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1562  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1563  f.alproto = ALPROTO_HTTP1;
1564 
1565  StreamTcpInitConfig(true);
1566 
1567  de_ctx = DetectEngineCtxInit();
1568  if (de_ctx == NULL)
1569  goto end;
1570 
1571  de_ctx->flags |= DE_QUIET;
1572 
1573  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1574  "(msg:\"http host test\"; "
1575  "content:\"body1This\"; http_raw_host; "
1576  "sid:1;)");
1577  if (de_ctx->sig_list == NULL)
1578  goto end;
1579 
1580  SigGroupBuild(de_ctx);
1581  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1582 
1583  int r = AppLayerParserParse(
1584  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1585  if (r != 0) {
1586  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1587  result = 0;
1588  goto end;
1589  }
1590 
1591  http_state = f.alstate;
1592  if (http_state == NULL) {
1593  printf("no http state: ");
1594  result = 0;
1595  goto end;
1596  }
1597 
1598  /* do detect */
1599  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1600 
1601  if ((PacketAlertCheck(p1, 1))) {
1602  printf("sid 1 didn't match but should have");
1603  goto end;
1604  }
1605 
1606  r = AppLayerParserParse(
1607  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1608  if (r != 0) {
1609  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1610  result = 0;
1611  goto end;
1612  }
1613 
1614  /* do detect */
1615  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1616 
1617  if (!(PacketAlertCheck(p2, 1))) {
1618  printf("sid 1 didn't match but should have");
1619  goto end;
1620  }
1621 
1622  result = 1;
1623 end:
1624  if (alp_tctx != NULL)
1625  AppLayerParserThreadCtxFree(alp_tctx);
1626  if (de_ctx != NULL)
1627  DetectEngineCtxFree(de_ctx);
1628 
1629  StreamTcpFreeConfig(true);
1630  FLOW_DESTROY(&f);
1631  UTHFreePackets(&p1, 1);
1632  UTHFreePackets(&p2, 1);
1633  return result;
1634 }
1635 
1636 /**
1637  *\test Test that the http_raw_host content matches against a http request
1638  * against a case insensitive pattern.
1639  */
1640 static int DetectHttpHRHTest10(void)
1641 {
1642  TcpSession ssn;
1643  Packet *p1 = NULL;
1644  Packet *p2 = NULL;
1645  ThreadVars th_v;
1646  DetectEngineCtx *de_ctx = NULL;
1647  DetectEngineThreadCtx *det_ctx = NULL;
1648  HtpState *http_state = NULL;
1649  Flow f;
1650  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1651  "User-Agent: www.openinfosecfoundation.org\r\n"
1652  "Host: This is dummy bodY1";
1653  uint8_t http2_buf[] = "This is dummy message body2\r\n"
1654  "Content-Type: text/html\r\n"
1655  "Content-Length: 46\r\n"
1656  "\r\n"
1657  "This is dummy bodY1";
1658  uint32_t http1_len = sizeof(http1_buf) - 1;
1659  uint32_t http2_len = sizeof(http2_buf) - 1;
1660  int result = 0;
1661  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1662 
1663  memset(&th_v, 0, sizeof(th_v));
1664  memset(&f, 0, sizeof(f));
1665  memset(&ssn, 0, sizeof(ssn));
1666 
1667  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1668  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1669 
1670  FLOW_INITIALIZE(&f);
1671  f.protoctx = (void *)&ssn;
1672  f.proto = IPPROTO_TCP;
1673  f.flags |= FLOW_IPV4;
1674 
1675  p1->flow = &f;
1676  p1->flowflags |= FLOW_PKT_TOSERVER;
1677  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1678  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1679  p2->flow = &f;
1680  p2->flowflags |= FLOW_PKT_TOSERVER;
1681  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1682  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1683  f.alproto = ALPROTO_HTTP1;
1684 
1685  StreamTcpInitConfig(true);
1686 
1687  de_ctx = DetectEngineCtxInit();
1688  if (de_ctx == NULL)
1689  goto end;
1690 
1691  de_ctx->flags |= DE_QUIET;
1692 
1693  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1694  "(msg:\"http host test\"; "
1695  "content:\"bodY1This\"; http_raw_host; "
1696  "sid:1;)");
1697  if (de_ctx->sig_list == NULL)
1698  goto end;
1699 
1700  SigGroupBuild(de_ctx);
1701  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1702 
1703  int r = AppLayerParserParse(
1704  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1705  if (r != 0) {
1706  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1707  result = 0;
1708  goto end;
1709  }
1710 
1711  http_state = f.alstate;
1712  if (http_state == NULL) {
1713  printf("no http state: \n");
1714  result = 0;
1715  goto end;
1716  }
1717 
1718  /* do detect */
1719  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1720 
1721  if ((PacketAlertCheck(p1, 1))) {
1722  printf("sid 1 didn't match but should have\n");
1723  goto end;
1724  }
1725 
1726  r = AppLayerParserParse(
1727  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1728  if (r != 0) {
1729  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1730  result = 0;
1731  goto end;
1732  }
1733 
1734  /* do detect */
1735  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1736 
1737  if (!(PacketAlertCheck(p2, 1))) {
1738  printf("sid 1 didn't match but should have");
1739  goto end;
1740  }
1741 
1742  result = 1;
1743 end:
1744  if (alp_tctx != NULL)
1745  AppLayerParserThreadCtxFree(alp_tctx);
1746  if (de_ctx != NULL)
1747  DetectEngineCtxFree(de_ctx);
1748 
1749  StreamTcpFreeConfig(true);
1750  FLOW_DESTROY(&f);
1751  UTHFreePackets(&p1, 1);
1752  UTHFreePackets(&p2, 1);
1753  return result;
1754 }
1755 
1756 /**
1757  *\test Test that the negated http_raw_host content matches against a
1758  * http request which doesn't hold the content.
1759  */
1760 static int DetectHttpHRHTest11(void)
1761 {
1762  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1763  "User-Agent: www.openinfosecfoundation.org\r\n"
1764  "Host: This is dummy message body\r\n"
1765  "Content-Type: text/html\r\n"
1766  "\r\n";
1767  uint32_t http_len = sizeof(http_buf) - 1;
1768  return RunTest(http_buf, http_len,
1769  "alert http any any -> any any "
1770  "(msg:\"http host test\"; "
1771  "content:!\"message\"; http_raw_host; "
1772  "sid:1;)",
1773  0);
1774 }
1775 
1776 /**
1777  *\test Negative test that the negated http_raw_host content matches against a
1778  * http request which holds hold the content.
1779  */
1780 static int DetectHttpHRHTest12(void)
1781 {
1782  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1783  "User-Agent: www.openinfosecfoundation.org\r\n"
1784  "Host: This is dummy body\r\n"
1785  "\r\n";
1786  uint32_t http_len = sizeof(http_buf) - 1;
1787  return RunTest(http_buf, http_len,
1788  "alert http any any -> any any "
1789  "(msg:\"http host test\"; "
1790  "content:!\"message\"; http_raw_host; "
1791  "sid:1;)",
1792  1);
1793 }
1794 
1795 /**
1796  * \test Test that the http_raw_host content matches against a http request
1797  * which holds the content.
1798  */
1799 static int DetectHttpHRHTest13(void)
1800 {
1801  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1802  "User-Agent: www.openinfosecfoundation.org\r\n"
1803  "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
1804  "Content-Type: text/html\r\n"
1805  "\r\n";
1806  uint32_t http_len = sizeof(http_buf) - 1;
1807  return RunTest(http_buf, http_len,
1808  "alert http any any -> any any "
1809  "(msg:\"http host test\"; "
1810  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_raw_host; "
1811  "sid:1;)",
1812  1);
1813 }
1814 
1815 /**
1816  * \test multiple http transactions and body chunks of request handling
1817  */
1818 static int DetectHttpHRHTest14(void)
1819 {
1820  int result = 0;
1821  Signature *s = NULL;
1822  DetectEngineThreadCtx *det_ctx = NULL;
1823  ThreadVars th_v;
1824  Flow f;
1825  TcpSession ssn;
1826  Packet *p = NULL;
1827  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1828  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
1829  uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
1830  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1831  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1832  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1833  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
1834  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
1835  uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
1836  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1837  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1838  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1839  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1840 
1841  memset(&th_v, 0, sizeof(th_v));
1842  memset(&f, 0, sizeof(f));
1843  memset(&ssn, 0, sizeof(ssn));
1844 
1845  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1846 
1847  FLOW_INITIALIZE(&f);
1848  f.protoctx = (void *)&ssn;
1849  f.proto = IPPROTO_TCP;
1850  f.flags |= FLOW_IPV4;
1851 
1852  p->flow = &f;
1853  p->flowflags |= FLOW_PKT_TOSERVER;
1854  p->flowflags |= FLOW_PKT_ESTABLISHED;
1855  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1856  f.alproto = ALPROTO_HTTP1;
1857 
1858  StreamTcpInitConfig(true);
1859 
1860  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1861  if (de_ctx == NULL) {
1862  goto end;
1863  }
1864 
1865  de_ctx->flags |= DE_QUIET;
1866 
1867  s = DetectEngineAppendSig(de_ctx,
1868  "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; "
1869  "http_cookie; content:\"Body one\"; http_raw_host; sid:1; rev:1;)");
1870  if (s == NULL) {
1871  printf("sig parse failed: ");
1872  goto end;
1873  }
1874  s = DetectEngineAppendSig(de_ctx,
1875  "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; "
1876  "http_cookie; content:\"Body two\"; http_raw_host; sid:2; rev:1;)");
1877  if (s == NULL) {
1878  printf("sig2 parse failed: ");
1879  goto end;
1880  }
1881 
1882  SigGroupBuild(de_ctx);
1883  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1884 
1885  int r = AppLayerParserParse(
1886  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1887  if (r != 0) {
1888  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1889  goto end;
1890  }
1891 
1892  /* do detect */
1893  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1894  if (PacketAlertCheck(p, 1)) {
1895  printf("sig 1 alerted: ");
1896  goto end;
1897  }
1898  p->alerts.cnt = 0;
1899 
1900  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1901  if (r != 0) {
1902  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
1903  goto end;
1904  }
1905 
1906  /* do detect */
1907  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1908  if (PacketAlertCheck(p, 1)) {
1909  printf("sig 1 alerted (2): ");
1910  goto end;
1911  }
1912  p->alerts.cnt = 0;
1913 
1914  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1915  if (r != 0) {
1916  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
1917  goto end;
1918  }
1919 
1920  /* do detect */
1921  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1922  if (!(PacketAlertCheck(p, 1))) {
1923  printf("sig 1 didn't alert: ");
1924  goto end;
1925  }
1926  p->alerts.cnt = 0;
1927 
1928  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1929  if (r != 0) {
1930  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
1931  goto end;
1932  }
1933 
1934  /* do detect */
1935  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1936  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
1937  printf("sig 1 alerted (4): ");
1938  goto end;
1939  }
1940  p->alerts.cnt = 0;
1941 
1942  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1943  if (r != 0) {
1944  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
1945  goto end;
1946  }
1947 
1948  /* do detect */
1949  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1950  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
1951  printf("sig 1 alerted (request 2, chunk 6): ");
1952  goto end;
1953  }
1954  p->alerts.cnt = 0;
1955 
1956  SCLogDebug("sending data chunk 7");
1957 
1958  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1959  if (r != 0) {
1960  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
1961  goto end;
1962  }
1963 
1964  /* do detect */
1965  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1966  if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
1967  printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
1968  goto end;
1969  }
1970  p->alerts.cnt = 0;
1971 
1972  HtpState *htp_state = f.alstate;
1973  if (htp_state == NULL) {
1974  printf("no http state: ");
1975  result = 0;
1976  goto end;
1977  }
1978 
1979  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
1980  printf("The http app layer doesn't have 2 transactions, but it should: ");
1981  goto end;
1982  }
1983 
1984  result = 1;
1985 end:
1986  if (alp_tctx != NULL)
1987  AppLayerParserThreadCtxFree(alp_tctx);
1988  if (det_ctx != NULL) {
1989  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1990  }
1991  if (de_ctx != NULL) {
1992  DetectEngineCtxFree(de_ctx);
1993  }
1994 
1995  StreamTcpFreeConfig(true);
1996  FLOW_DESTROY(&f);
1997  UTHFreePacket(p);
1998  return result;
1999 }
2000 
2001 /**
2002  *\test Test that the http_raw_host content matches against a http request
2003  * against a case insensitive pattern.
2004  */
2005 static int DetectHttpHRHTest37(void)
2006 {
2007  TcpSession ssn;
2008  Packet *p1 = NULL;
2009  Packet *p2 = NULL;
2010  ThreadVars th_v;
2011  DetectEngineCtx *de_ctx = NULL;
2012  DetectEngineThreadCtx *det_ctx = NULL;
2013  HtpState *http_state = NULL;
2014  Flow f;
2015  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
2016  "User-Agent: www.openinfosecfoundation.org\r\n"
2017  "Host: This is dummy bodY1";
2018  uint8_t http2_buf[] = "This is dummy message body2\r\n"
2019  "Content-Type: text/html\r\n"
2020  "Content-Length: 46\r\n"
2021  "\r\n"
2022  "This is dummy bodY1";
2023  uint32_t http1_len = sizeof(http1_buf) - 1;
2024  uint32_t http2_len = sizeof(http2_buf) - 1;
2025  int result = 0;
2026  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2027 
2028  memset(&th_v, 0, sizeof(th_v));
2029  memset(&f, 0, sizeof(f));
2030  memset(&ssn, 0, sizeof(ssn));
2031 
2032  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2033  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2034 
2035  FLOW_INITIALIZE(&f);
2036  f.protoctx = (void *)&ssn;
2037  f.proto = IPPROTO_TCP;
2038  f.flags |= FLOW_IPV4;
2039 
2040  p1->flow = &f;
2041  p1->flowflags |= FLOW_PKT_TOSERVER;
2042  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2043  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2044  p2->flow = &f;
2045  p2->flowflags |= FLOW_PKT_TOSERVER;
2046  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2047  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2048  f.alproto = ALPROTO_HTTP1;
2049 
2050  StreamTcpInitConfig(true);
2051 
2052  de_ctx = DetectEngineCtxInit();
2053  if (de_ctx == NULL)
2054  goto end;
2055 
2056  de_ctx->flags |= DE_QUIET;
2057 
2058  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
2059  "(msg:\"http host test\"; "
2060  "content:\"body1this\"; http_raw_host; nocase; "
2061  "sid:1;)");
2062  if (de_ctx->sig_list == NULL)
2063  goto end;
2064 
2065  SigGroupBuild(de_ctx);
2066  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2067 
2068  int r = AppLayerParserParse(
2069  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2070  if (r != 0) {
2071  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2072  result = 0;
2073  goto end;
2074  }
2075 
2076  http_state = f.alstate;
2077  if (http_state == NULL) {
2078  printf("no http state: \n");
2079  result = 0;
2080  goto end;
2081  }
2082 
2083  /* do detect */
2084  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2085 
2086  if ((PacketAlertCheck(p1, 1))) {
2087  printf("sid 1 didn't match but should have\n");
2088  goto end;
2089  }
2090 
2091  r = AppLayerParserParse(
2092  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2093  if (r != 0) {
2094  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2095  result = 0;
2096  goto end;
2097  }
2098 
2099  /* do detect */
2100  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2101 
2102  if (!(PacketAlertCheck(p2, 1))) {
2103  printf("sid 1 didn't match but should have");
2104  goto end;
2105  }
2106 
2107  result = 1;
2108 end:
2109  if (alp_tctx != NULL)
2110  AppLayerParserThreadCtxFree(alp_tctx);
2111  if (de_ctx != NULL)
2112  DetectEngineCtxFree(de_ctx);
2113 
2114  StreamTcpFreeConfig(true);
2115  FLOW_DESTROY(&f);
2116  UTHFreePackets(&p1, 1);
2117  UTHFreePackets(&p2, 1);
2118  return result;
2119 }
2120 
2121 /**
2122  * \test Test that the http_raw_host content matches against a http request
2123  * which holds the content.
2124  */
2125 static int DetectEngineHttpHRHTest01(void)
2126 {
2127  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2128  "Host: CONNECT\r\n"
2129  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2130  uint32_t http_len = sizeof(http_buf) - 1;
2131  return RunTest(http_buf, http_len,
2132  "alert http any any -> any any "
2133  "(msg:\"http host header test\"; "
2134  "content:\"CONNECT\"; http_raw_host; "
2135  "sid:1;)",
2136  1);
2137 }
2138 
2139 /**
2140  * \test Test that the http_raw_host content matches against a http request
2141  * which holds the content.
2142  */
2143 static int DetectEngineHttpHRHTest02(void)
2144 {
2145  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2146  "Host: CONNECT\r\n"
2147  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2148  uint32_t http_len = sizeof(http_buf) - 1;
2149  return RunTest(http_buf, http_len,
2150  "alert http any any -> any any "
2151  "(msg:\"http host header test\"; "
2152  "content:\"CO\"; depth:4; http_raw_host; "
2153  "sid:1;)",
2154  1);
2155 }
2156 
2157 /**
2158  * \test Test that the http_raw_host content matches against a http request
2159  * which holds the content.
2160  */
2161 static int DetectEngineHttpHRHTest03(void)
2162 {
2163  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2164  "Host: CONNECT\r\n"
2165  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2166  uint32_t http_len = sizeof(http_buf) - 1;
2167  return RunTest(http_buf, http_len,
2168  "alert http any any -> any any "
2169  "(msg:\"http_raw_host header test\"; "
2170  "content:!\"ECT\"; depth:4; http_raw_host; "
2171  "sid:1;)",
2172  1);
2173 }
2174 
2175 /**
2176  * \test Test that the http_raw_host content matches against a http request
2177  * which holds the content.
2178  */
2179 static int DetectEngineHttpHRHTest04(void)
2180 {
2181  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2182  "Host: CONNECT\r\n"
2183  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2184  uint32_t http_len = sizeof(http_buf) - 1;
2185  return RunTest(http_buf, http_len,
2186  "alert http any any -> any any "
2187  "(msg:\"http host header test\"; "
2188  "content:\"ECT\"; depth:4; http_raw_host; "
2189  "sid:1;)",
2190  0);
2191 }
2192 
2193 /**
2194  * \test Test that the http_raw_host content matches against a http request
2195  * which holds the content.
2196  */
2197 static int DetectEngineHttpHRHTest05(void)
2198 {
2199  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2200  "Host: CONNECT\r\n"
2201  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2202  uint32_t http_len = sizeof(http_buf) - 1;
2203  return RunTest(http_buf, http_len,
2204  "alert http any any -> any any "
2205  "(msg:\"http host header test\"; "
2206  "content:!\"CON\"; depth:4; http_raw_host; "
2207  "sid:1;)",
2208  0);
2209 }
2210 
2211 /**
2212  * \test Test that the http_raw_host header content matches against a http request
2213  * which holds the content.
2214  */
2215 static int DetectEngineHttpHRHTest06(void)
2216 {
2217  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2218  "Host: CONNECT\r\n"
2219  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2220  uint32_t http_len = sizeof(http_buf) - 1;
2221  return RunTest(http_buf, http_len,
2222  "alert http any any -> any any "
2223  "(msg:\"http host header test\"; "
2224  "content:\"ECT\"; offset:3; http_raw_host; "
2225  "sid:1;)",
2226  1);
2227 }
2228 
2229 /**
2230  * \test Test that the http_raw_host content matches against a http request
2231  * which holds the content.
2232  */
2233 static int DetectEngineHttpHRHTest07(void)
2234 {
2235  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2236  "Host: CONNECT\r\n"
2237  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2238  uint32_t http_len = sizeof(http_buf) - 1;
2239  return RunTest(http_buf, http_len,
2240  "alert http any any -> any any "
2241  "(msg:\"http host header test\"; "
2242  "content:!\"CO\"; offset:3; http_raw_host; "
2243  "sid:1;)",
2244  1);
2245 }
2246 
2247 /**
2248  * \test Test that the http_raw_host header content matches against a http request
2249  * which holds the content.
2250  */
2251 static int DetectEngineHttpHRHTest08(void)
2252 {
2253  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2254  "Host: CONNECT\r\n"
2255  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2256  uint32_t http_len = sizeof(http_buf) - 1;
2257  return RunTest(http_buf, http_len,
2258  "alert http any any -> any any "
2259  "(msg:\"http host header test\"; "
2260  "content:!\"ECT\"; offset:3; http_raw_host; "
2261  "sid:1;)",
2262  0);
2263 }
2264 
2265 /**
2266  * \test Test that the http_raw_host header content matches against a http request
2267  * which holds the content.
2268  */
2269 static int DetectEngineHttpHRHTest09(void)
2270 {
2271  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2272  "Host: CONNECT\r\n"
2273  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2274  uint32_t http_len = sizeof(http_buf) - 1;
2275  return RunTest(http_buf, http_len,
2276  "alert http any any -> any any "
2277  "(msg:\"http host header test\"; "
2278  "content:\"CON\"; offset:3; http_raw_host; "
2279  "sid:1;)",
2280  0);
2281 }
2282 
2283 /**
2284  * \test Test that the http_raw_host header content matches against a http request
2285  * which holds the content.
2286  */
2287 static int DetectEngineHttpHRHTest10(void)
2288 {
2289  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2290  "Host: CONNECT\r\n"
2291  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2292  uint32_t http_len = sizeof(http_buf) - 1;
2293  return RunTest(http_buf, http_len,
2294  "alert http any any -> any any "
2295  "(msg:\"http_raw_host header test\"; "
2296  "content:\"CO\"; http_raw_host; "
2297  "content:\"EC\"; within:4; http_raw_host; "
2298  "sid:1;)",
2299  1);
2300 }
2301 
2302 /**
2303  * \test Test that the http_raw_host header content matches against a http request
2304  * which holds the content.
2305  */
2306 static int DetectEngineHttpHRHTest11(void)
2307 {
2308  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2309  "Host: CONNECT\r\n"
2310  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2311  uint32_t http_len = sizeof(http_buf) - 1;
2312  return RunTest(http_buf, http_len,
2313  "alert http any any -> any any "
2314  "(msg:\"http_raw_host header test\"; "
2315  "content:\"CO\"; http_raw_host; "
2316  "content:!\"EC\"; within:3; http_raw_host; "
2317  "sid:1;)",
2318  1);
2319 }
2320 
2321 /**
2322  * \test Test that the http_raw_host header content matches against a http request
2323  * which holds the content.
2324  */
2325 static int DetectEngineHttpHRHTest12(void)
2326 {
2327  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2328  "Host: CONNECT\r\n"
2329  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2330  uint32_t http_len = sizeof(http_buf) - 1;
2331  return RunTest(http_buf, http_len,
2332  "alert http any any -> any any "
2333  "(msg:\"http_raw_host header test\"; "
2334  "content:\"CO\"; http_raw_host; "
2335  "content:\"EC\"; within:3; http_raw_host; "
2336  "sid:1;)",
2337  0);
2338 }
2339 
2340 /**
2341  * \test Test that the http_raw_host header content matches against a http request
2342  * which holds the content.
2343  */
2344 static int DetectEngineHttpHRHTest13(void)
2345 {
2346  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2347  "Host: CONNECT\r\n"
2348  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2349  uint32_t http_len = sizeof(http_buf) - 1;
2350  return RunTest(http_buf, http_len,
2351  "alert http any any -> any any "
2352  "(msg:\"http_raw_host header test\"; "
2353  "content:\"CO\"; http_raw_host; "
2354  "content:!\"EC\"; within:4; http_raw_host; "
2355  "sid:1;)",
2356  0);
2357 }
2358 
2359 /**
2360  * \test Test that the http_raw_host header content matches against a http request
2361  * which holds the content.
2362  */
2363 static int DetectEngineHttpHRHTest14(void)
2364 {
2365  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2366  "Host: CONNECT\r\n"
2367  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2368  uint32_t http_len = sizeof(http_buf) - 1;
2369  return RunTest(http_buf, http_len,
2370  "alert http any any -> any any "
2371  "(msg:\"http_raw_host header test\"; "
2372  "content:\"CO\"; http_raw_host; "
2373  "content:\"EC\"; distance:2; http_raw_host; "
2374  "sid:1;)",
2375  1);
2376 }
2377 
2378 /**
2379  * \test Test that the http_raw_host header content matches against a http request
2380  * which holds the content.
2381  */
2382 static int DetectEngineHttpHRHTest15(void)
2383 {
2384  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2385  "Host: CONNECT\r\n"
2386  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2387  uint32_t http_len = sizeof(http_buf) - 1;
2388  return RunTest(http_buf, http_len,
2389  "alert http any any -> any any "
2390  "(msg:\"http_raw_host header test\"; "
2391  "content:\"CO\"; http_raw_host; "
2392  "content:!\"EC\"; distance:3; http_raw_host; "
2393  "sid:1;)",
2394  1);
2395 }
2396 
2397 /**
2398  * \test Test that the http_raw_host header content matches against a http request
2399  * which holds the content.
2400  */
2401 static int DetectEngineHttpHRHTest16(void)
2402 {
2403  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2404  "Host: CONNECT\r\n"
2405  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2406  uint32_t http_len = sizeof(http_buf) - 1;
2407  return RunTest(http_buf, http_len,
2408  "alert http any any -> any any "
2409  "(msg:\"http_raw_host header test\"; "
2410  "content:\"CO\"; http_raw_host; "
2411  "content:\"EC\"; distance:3; http_raw_host; "
2412  "sid:1;)",
2413  0);
2414 }
2415 
2416 /**
2417  * \test Test that the http_raw_host header content matches against a http request
2418  * which holds the content.
2419  */
2420 static int DetectEngineHttpHRHTest17(void)
2421 {
2422  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2423  "Host: CONNECT\r\n"
2424  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2425  uint32_t http_len = sizeof(http_buf) - 1;
2426  return RunTest(http_buf, http_len,
2427  "alert http any any -> any any "
2428  "(msg:\"http_raw_host header test\"; "
2429  "content:\"CO\"; http_raw_host; "
2430  "content:!\"EC\"; distance:2; http_raw_host; "
2431  "sid:1;)",
2432  0);
2433 }
2434 
2435 static int DetectEngineHttpHRHTest18(void)
2436 {
2437  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2438  "Host: www.kaboom.com:8080\r\n"
2439  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2440  uint32_t http_len = sizeof(http_buf) - 1;
2441  return RunTest(http_buf, http_len,
2442  "alert http any any -> any any "
2443  "(msg:\"http_raw_host header test\"; "
2444  "content:\"kaboom\"; http_raw_host; nocase; "
2445  "sid:1;)",
2446  1);
2447 }
2448 
2449 static int DetectEngineHttpHRHTest19(void)
2450 {
2451  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2452  "Host: www.kaboom.com:8080\r\n"
2453  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2454  uint32_t http_len = sizeof(http_buf) - 1;
2455  return RunTest(http_buf, http_len,
2456  "alert http any any -> any any "
2457  "(msg:\"http_raw_host header test\"; "
2458  "content:\"kaboom\"; http_raw_host; nocase; "
2459  "sid:1;)",
2460  1);
2461 }
2462 
2463 static int DetectEngineHttpHRHTest20(void)
2464 {
2465  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2466  "Host: www.kaboom.com:8080\r\n"
2467  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2468  uint32_t http_len = sizeof(http_buf) - 1;
2469  return RunTest(http_buf, http_len,
2470  "alert http any any -> any any "
2471  "(msg:\"http_raw_host header test\"; "
2472  "content:\"8080\"; http_raw_host; nocase; "
2473  "sid:1;)",
2474  1);
2475 }
2476 
2477 static int DetectEngineHttpHRHTest21(void)
2478 {
2479  uint8_t http_buf[] = "GET http://www.kaboom.com/index.html HTTP/1.0\r\n"
2480  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2481  uint32_t http_len = sizeof(http_buf) - 1;
2482  return RunTest(http_buf, http_len,
2483  "alert http any any -> any any "
2484  "(msg:\"http_raw_host header test\"; "
2485  "content:\"kaboom\"; http_raw_host; nocase; "
2486  "sid:1;)",
2487  1);
2488 }
2489 
2490 static int DetectEngineHttpHRHTest22(void)
2491 {
2492  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2493  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2494  uint32_t http_len = sizeof(http_buf) - 1;
2495  return RunTest(http_buf, http_len,
2496  "alert http any any -> any any "
2497  "(msg:\"http_raw_host header test\"; "
2498  "content:\"kaboom\"; http_raw_host; nocase; "
2499  "sid:1;)",
2500  1);
2501 }
2502 
2503 static int DetectEngineHttpHRHTest23(void)
2504 {
2505  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2506  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2507  uint32_t http_len = sizeof(http_buf) - 1;
2508  return RunTest(http_buf, http_len,
2509  "alert http any any -> any any "
2510  "(msg:\"http_raw_host header test\"; "
2511  "content:\"8080\"; http_raw_host; nocase; "
2512  "sid:1;)",
2513  0);
2514 }
2515 
2516 static int DetectEngineHttpHRHTest24(void)
2517 {
2518  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2519  "Host: www.rabbit.com\r\n"
2520  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2521  uint32_t http_len = sizeof(http_buf) - 1;
2522  return RunTest(http_buf, http_len,
2523  "alert http any any -> any any "
2524  "(msg:\"http_raw_host header test\"; "
2525  "content:\"kaboom\"; http_raw_host; nocase; "
2526  "sid:1;)",
2527  1);
2528 }
2529 
2530 static int DetectEngineHttpHRHTest25(void)
2531 {
2532  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2533  "Host: www.rabbit.com\r\n"
2534  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2535  uint32_t http_len = sizeof(http_buf) - 1;
2536  return RunTest(http_buf, http_len,
2537  "alert http any any -> any any "
2538  "(msg:\"http_raw_host header test\"; "
2539  "content:\"rabbit\"; http_raw_host; nocase; "
2540  "sid:1;)",
2541  0);
2542 }
2543 
2544 void DetectHttpHHRegisterTests(void)
2545 {
2546  UtRegisterTest("DetectHttpHHTest01", DetectHttpHHTest01);
2547  UtRegisterTest("DetectHttpHHTest03", DetectHttpHHTest03);
2548  UtRegisterTest("DetectHttpHHTest04", DetectHttpHHTest04);
2549  UtRegisterTest("DetectHttpHHTest05", DetectHttpHHTest05);
2550  UtRegisterTest("DetectHttpHHTest05a", DetectHttpHHTest05a);
2551  UtRegisterTest("DetectHttpHHTest06", DetectHttpHHTest06);
2552  UtRegisterTest("DetectHttpHHTest07", DetectHttpHHTest07);
2553  UtRegisterTest("DetectHttpHHTest08", DetectHttpHHTest08);
2554  UtRegisterTest("DetectHttpHHTest09", DetectHttpHHTest09);
2555  UtRegisterTest("DetectHttpHHTest10", DetectHttpHHTest10);
2556  UtRegisterTest("DetectHttpHHTest11", DetectHttpHHTest11);
2557  UtRegisterTest("DetectHttpHHTest12", DetectHttpHHTest12);
2558  UtRegisterTest("DetectHttpHHTest13", DetectHttpHHTest13);
2559  UtRegisterTest("DetectHttpHHTest14", DetectHttpHHTest14);
2560 
2561  UtRegisterTest("DetectEngineHttpHHTest01", DetectEngineHttpHHTest01);
2562  UtRegisterTest("DetectEngineHttpHHTest02", DetectEngineHttpHHTest02);
2563  UtRegisterTest("DetectEngineHttpHHTest03", DetectEngineHttpHHTest03);
2564  UtRegisterTest("DetectEngineHttpHHTest04", DetectEngineHttpHHTest04);
2565  UtRegisterTest("DetectEngineHttpHHTest05", DetectEngineHttpHHTest05);
2566  UtRegisterTest("DetectEngineHttpHHTest06", DetectEngineHttpHHTest06);
2567  UtRegisterTest("DetectEngineHttpHHTest07", DetectEngineHttpHHTest07);
2568  UtRegisterTest("DetectEngineHttpHHTest08", DetectEngineHttpHHTest08);
2569  UtRegisterTest("DetectEngineHttpHHTest09", DetectEngineHttpHHTest09);
2570  UtRegisterTest("DetectEngineHttpHHTest10", DetectEngineHttpHHTest10);
2571  UtRegisterTest("DetectEngineHttpHHTest11", DetectEngineHttpHHTest11);
2572  UtRegisterTest("DetectEngineHttpHHTest12", DetectEngineHttpHHTest12);
2573  UtRegisterTest("DetectEngineHttpHHTest13", DetectEngineHttpHHTest13);
2574  UtRegisterTest("DetectEngineHttpHHTest14", DetectEngineHttpHHTest14);
2575  UtRegisterTest("DetectEngineHttpHHTest15", DetectEngineHttpHHTest15);
2576  UtRegisterTest("DetectEngineHttpHHTest16", DetectEngineHttpHHTest16);
2577  UtRegisterTest("DetectEngineHttpHHTest17", DetectEngineHttpHHTest17);
2578  UtRegisterTest("DetectEngineHttpHHTest18", DetectEngineHttpHHTest18);
2579  UtRegisterTest("DetectEngineHttpHHTest19", DetectEngineHttpHHTest19);
2580  UtRegisterTest("DetectEngineHttpHHTest20", DetectEngineHttpHHTest20);
2581  UtRegisterTest("DetectEngineHttpHHTest21", DetectEngineHttpHHTest21);
2582  UtRegisterTest("DetectEngineHttpHHTest22", DetectEngineHttpHHTest22);
2583  UtRegisterTest("DetectEngineHttpHHTest23", DetectEngineHttpHHTest23);
2584  UtRegisterTest("DetectEngineHttpHHTest24", DetectEngineHttpHHTest24);
2585  UtRegisterTest("DetectEngineHttpHHTest25", DetectEngineHttpHHTest25);
2586 
2587  UtRegisterTest("DetectHttpHRHTest06", DetectHttpHRHTest06);
2588  UtRegisterTest("DetectHttpHRHTest07", DetectHttpHRHTest07);
2589  UtRegisterTest("DetectHttpHRHTest08", DetectHttpHRHTest08);
2590  UtRegisterTest("DetectHttpHRHTest09", DetectHttpHRHTest09);
2591  UtRegisterTest("DetectHttpHRHTest10", DetectHttpHRHTest10);
2592  UtRegisterTest("DetectHttpHRHTest11", DetectHttpHRHTest11);
2593  UtRegisterTest("DetectHttpHRHTest12", DetectHttpHRHTest12);
2594  UtRegisterTest("DetectHttpHRHTest13", DetectHttpHRHTest13);
2595  UtRegisterTest("DetectHttpHRHTest14", DetectHttpHRHTest14);
2596 
2597  UtRegisterTest("DetectHttpHRHTest37", DetectHttpHRHTest37);
2598 
2599  UtRegisterTest("DetectEngineHttpHRHTest01", DetectEngineHttpHRHTest01);
2600  UtRegisterTest("DetectEngineHttpHRHTest02", DetectEngineHttpHRHTest02);
2601  UtRegisterTest("DetectEngineHttpHRHTest03", DetectEngineHttpHRHTest03);
2602  UtRegisterTest("DetectEngineHttpHRHTest04", DetectEngineHttpHRHTest04);
2603  UtRegisterTest("DetectEngineHttpHRHTest05", DetectEngineHttpHRHTest05);
2604  UtRegisterTest("DetectEngineHttpHRHTest06", DetectEngineHttpHRHTest06);
2605  UtRegisterTest("DetectEngineHttpHRHTest07", DetectEngineHttpHRHTest07);
2606  UtRegisterTest("DetectEngineHttpHRHTest08", DetectEngineHttpHRHTest08);
2607  UtRegisterTest("DetectEngineHttpHRHTest09", DetectEngineHttpHRHTest09);
2608  UtRegisterTest("DetectEngineHttpHRHTest10", DetectEngineHttpHRHTest10);
2609  UtRegisterTest("DetectEngineHttpHRHTest11", DetectEngineHttpHRHTest11);
2610  UtRegisterTest("DetectEngineHttpHRHTest12", DetectEngineHttpHRHTest12);
2611  UtRegisterTest("DetectEngineHttpHRHTest13", DetectEngineHttpHRHTest13);
2612  UtRegisterTest("DetectEngineHttpHRHTest14", DetectEngineHttpHRHTest14);
2613  UtRegisterTest("DetectEngineHttpHRHTest15", DetectEngineHttpHRHTest15);
2614  UtRegisterTest("DetectEngineHttpHRHTest16", DetectEngineHttpHRHTest16);
2615  UtRegisterTest("DetectEngineHttpHRHTest17", DetectEngineHttpHRHTest17);
2616  UtRegisterTest("DetectEngineHttpHRHTest18", DetectEngineHttpHRHTest18);
2617  UtRegisterTest("DetectEngineHttpHRHTest19", DetectEngineHttpHRHTest19);
2618  UtRegisterTest("DetectEngineHttpHRHTest20", DetectEngineHttpHRHTest20);
2619  UtRegisterTest("DetectEngineHttpHRHTest21", DetectEngineHttpHRHTest21);
2620  UtRegisterTest("DetectEngineHttpHRHTest22", DetectEngineHttpHRHTest22);
2621  UtRegisterTest("DetectEngineHttpHRHTest23", DetectEngineHttpHRHTest23);
2622  UtRegisterTest("DetectEngineHttpHRHTest24", DetectEngineHttpHRHTest24);
2623  UtRegisterTest("DetectEngineHttpHRHTest25", DetectEngineHttpHRHTest25);
2624 }
2625 
2626 /**
2627  * @}
2628  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1266
flow-util.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:267
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:512
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2597
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:300
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1938
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:506
Flow_::protoctx
void * protoctx
Definition: flow.h:446
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:588
util-unittest.h
HtpState_
Definition: app-layer-htp.h:238
util-unittest-helper.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:461
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1093
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
DetectHttpHHRegisterTests
void DetectHttpHHRegisterTests(void)
Definition: detect-http-host.c:2544
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2285
app-layer-parser.h
Packet_
Definition: decode.h:475
detect-engine-build.h
detect-engine-alert.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2144
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:279
Packet_::flow
struct Flow_ * flow
Definition: decode.h:514
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3333
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:792
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1265
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3560
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:849
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467
Flow_::alstate
void * alstate
Definition: flow.h:481
Flow_::flags
uint32_t flags
Definition: flow.h:426
Signature_
Signature container.
Definition: detect.h:601
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:234
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2558
app-layer-protos.h
suricata.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1080
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1263
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:450