suricata
detect-http-host.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP host header.
31  * HHHD - Http Host Header Data
32  *
33  */
34 
35 #include "suricata-common.h"
36 #include "suricata.h"
37 #include "flow-util.h"
38 #include "flow.h"
39 #include "app-layer-parser.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 #include "app-layer.h"
43 #include "app-layer-htp.h"
44 #include "app-layer-protos.h"
45 #include "detect-engine-build.h"
46 #include "detect-engine-alert.h"
47 
48 /**
49  * \test Test that the http_host content matches against a http request
50  * which holds the content.
51  */
52 static int DetectEngineHttpHHTest01(void)
53 {
54  TcpSession ssn;
55  Packet *p = NULL;
56  ThreadVars th_v;
57  DetectEngineCtx *de_ctx = NULL;
58  DetectEngineThreadCtx *det_ctx = NULL;
59  HtpState *http_state = NULL;
60  Flow f;
61  uint8_t http_buf[] =
62  "GET /index.html HTTP/1.0\r\n"
63  "Host: CONNECT\r\n"
64  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
65  uint32_t http_len = sizeof(http_buf) - 1;
66  int result = 0;
67  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
68 
69  memset(&th_v, 0, sizeof(th_v));
70  memset(&f, 0, sizeof(f));
71  memset(&ssn, 0, sizeof(ssn));
72 
73  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
74 
75  FLOW_INITIALIZE(&f);
76  f.protoctx = (void *)&ssn;
77  f.proto = IPPROTO_TCP;
78  f.flags |= FLOW_IPV4;
79  p->flow = &f;
80  p->flowflags |= FLOW_PKT_TOSERVER;
81  p->flowflags |= FLOW_PKT_ESTABLISHED;
82  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
83  f.alproto = ALPROTO_HTTP1;
84 
85  StreamTcpInitConfig(true);
86 
87  de_ctx = DetectEngineCtxInit();
88  if (de_ctx == NULL)
89  goto end;
90 
91  de_ctx->flags |= DE_QUIET;
92 
93  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
94  "(msg:\"http host header test\"; "
95  "content:\"connect\"; http_host; "
96  "sid:1;)");
97  if (de_ctx->sig_list == NULL)
98  goto end;
99 
100  SigGroupBuild(de_ctx);
101  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
102 
103  int r = AppLayerParserParse(
104  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
105  if (r != 0) {
106  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
107  result = 0;
108  goto end;
109  }
110 
111  http_state = f.alstate;
112  if (http_state == NULL) {
113  printf("no http state: ");
114  result = 0;
115  goto end;
116  }
117 
118  /* do detect */
119  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
120 
121  if (!(PacketAlertCheck(p, 1))) {
122  printf("sid 1 didn't match but should have: ");
123  goto end;
124  }
125 
126  result = 1;
127 
128 end:
129  if (alp_tctx != NULL)
130  AppLayerParserThreadCtxFree(alp_tctx);
131  if (de_ctx != NULL)
132  SigGroupCleanup(de_ctx);
133  if (de_ctx != NULL)
134  SigCleanSignatures(de_ctx);
135  if (de_ctx != NULL)
136  DetectEngineCtxFree(de_ctx);
137 
138  StreamTcpFreeConfig(true);
139  FLOW_DESTROY(&f);
140  UTHFreePackets(&p, 1);
141  return result;
142 }
143 
144 /**
145  * \test Test that the http_host content matches against a http request
146  * which holds the content.
147  */
148 static int DetectEngineHttpHHTest02(void)
149 {
150  TcpSession ssn;
151  Packet *p = NULL;
152  ThreadVars th_v;
153  DetectEngineCtx *de_ctx = NULL;
154  DetectEngineThreadCtx *det_ctx = NULL;
155  HtpState *http_state = NULL;
156  Flow f;
157  uint8_t http_buf[] =
158  "GET /index.html HTTP/1.0\r\n"
159  "Host: CONNECT\r\n"
160  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
161  uint32_t http_len = sizeof(http_buf) - 1;
162  int result = 0;
163  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
164 
165  memset(&th_v, 0, sizeof(th_v));
166  memset(&f, 0, sizeof(f));
167  memset(&ssn, 0, sizeof(ssn));
168 
169  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
170 
171  FLOW_INITIALIZE(&f);
172  f.protoctx = (void *)&ssn;
173  f.proto = IPPROTO_TCP;
174  f.flags |= FLOW_IPV4;
175  p->flow = &f;
176  p->flowflags |= FLOW_PKT_TOSERVER;
177  p->flowflags |= FLOW_PKT_ESTABLISHED;
178  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
179  f.alproto = ALPROTO_HTTP1;
180 
181  StreamTcpInitConfig(true);
182 
183  de_ctx = DetectEngineCtxInit();
184  if (de_ctx == NULL)
185  goto end;
186 
187  de_ctx->flags |= DE_QUIET;
188 
189  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
190  "(msg:\"http host header test\"; "
191  "content:\"co\"; depth:4; http_host; "
192  "sid:1;)");
193  if (de_ctx->sig_list == NULL)
194  goto end;
195 
196  SigGroupBuild(de_ctx);
197  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
198 
199  int r = AppLayerParserParse(
200  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
201  if (r != 0) {
202  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
203  result = 0;
204  goto end;
205  }
206 
207  http_state = f.alstate;
208  if (http_state == NULL) {
209  printf("no http state: ");
210  result = 0;
211  goto end;
212  }
213 
214  /* do detect */
215  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
216 
217  if (!(PacketAlertCheck(p, 1))) {
218  printf("sid 1 didn't match but should have: ");
219  goto end;
220  }
221 
222  result = 1;
223 
224 end:
225  if (alp_tctx != NULL)
226  AppLayerParserThreadCtxFree(alp_tctx);
227  if (de_ctx != NULL)
228  SigGroupCleanup(de_ctx);
229  if (de_ctx != NULL)
230  SigCleanSignatures(de_ctx);
231  if (de_ctx != NULL)
232  DetectEngineCtxFree(de_ctx);
233 
234  StreamTcpFreeConfig(true);
235  FLOW_DESTROY(&f);
236  UTHFreePackets(&p, 1);
237  return result;
238 }
239 
240 /**
241  * \test Test that the http_host content matches against a http request
242  * which holds the content.
243  */
244 static int DetectEngineHttpHHTest03(void)
245 {
246  TcpSession ssn;
247  Packet *p = NULL;
248  ThreadVars th_v;
249  DetectEngineCtx *de_ctx = NULL;
250  DetectEngineThreadCtx *det_ctx = NULL;
251  HtpState *http_state = NULL;
252  Flow f;
253  uint8_t http_buf[] =
254  "GET /index.html HTTP/1.0\r\n"
255  "Host: CONNECT\r\n"
256  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
257  uint32_t http_len = sizeof(http_buf) - 1;
258  int result = 0;
259  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
260 
261  memset(&th_v, 0, sizeof(th_v));
262  memset(&f, 0, sizeof(f));
263  memset(&ssn, 0, sizeof(ssn));
264 
265  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
266 
267  FLOW_INITIALIZE(&f);
268  f.protoctx = (void *)&ssn;
269  f.proto = IPPROTO_TCP;
270  f.flags |= FLOW_IPV4;
271  p->flow = &f;
272  p->flowflags |= FLOW_PKT_TOSERVER;
273  p->flowflags |= FLOW_PKT_ESTABLISHED;
274  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
275  f.alproto = ALPROTO_HTTP1;
276 
277  StreamTcpInitConfig(true);
278 
279  de_ctx = DetectEngineCtxInit();
280  if (de_ctx == NULL)
281  goto end;
282 
283  de_ctx->flags |= DE_QUIET;
284 
285  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
286  "(msg:\"http_host header test\"; "
287  "content:!\"ect\"; depth:4; http_host; "
288  "sid:1;)");
289  if (de_ctx->sig_list == NULL)
290  goto end;
291 
292  SigGroupBuild(de_ctx);
293  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
294 
295  int r = AppLayerParserParse(
296  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
297  if (r != 0) {
298  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
299  result = 0;
300  goto end;
301  }
302 
303  http_state = f.alstate;
304  if (http_state == NULL) {
305  printf("no http state: ");
306  result = 0;
307  goto end;
308  }
309 
310  /* do detect */
311  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
312 
313  if (!(PacketAlertCheck(p, 1))) {
314  printf("sid 1 didn't match but should have: ");
315  goto end;
316  }
317 
318  result = 1;
319 
320 end:
321  if (alp_tctx != NULL)
322  AppLayerParserThreadCtxFree(alp_tctx);
323  if (de_ctx != NULL)
324  SigGroupCleanup(de_ctx);
325  if (de_ctx != NULL)
326  SigCleanSignatures(de_ctx);
327  if (de_ctx != NULL)
328  DetectEngineCtxFree(de_ctx);
329 
330  StreamTcpFreeConfig(true);
331  FLOW_DESTROY(&f);
332  UTHFreePackets(&p, 1);
333  return result;
334 }
335 
336 /**
337  * \test Test that the http_host content matches against a http request
338  * which holds the content.
339  */
340 static int DetectEngineHttpHHTest04(void)
341 {
342  TcpSession ssn;
343  Packet *p = NULL;
344  ThreadVars th_v;
345  DetectEngineCtx *de_ctx = NULL;
346  DetectEngineThreadCtx *det_ctx = NULL;
347  HtpState *http_state = NULL;
348  Flow f;
349  uint8_t http_buf[] =
350  "GET /index.html HTTP/1.0\r\n"
351  "Host: CONNECT\r\n"
352  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
353  uint32_t http_len = sizeof(http_buf) - 1;
354  int result = 0;
355  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
356 
357  memset(&th_v, 0, sizeof(th_v));
358  memset(&f, 0, sizeof(f));
359  memset(&ssn, 0, sizeof(ssn));
360 
361  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
362 
363  FLOW_INITIALIZE(&f);
364  f.protoctx = (void *)&ssn;
365  f.proto = IPPROTO_TCP;
366  f.flags |= FLOW_IPV4;
367  p->flow = &f;
368  p->flowflags |= FLOW_PKT_TOSERVER;
369  p->flowflags |= FLOW_PKT_ESTABLISHED;
370  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
371  f.alproto = ALPROTO_HTTP1;
372 
373  StreamTcpInitConfig(true);
374 
375  de_ctx = DetectEngineCtxInit();
376  if (de_ctx == NULL)
377  goto end;
378 
379  de_ctx->flags |= DE_QUIET;
380 
381  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
382  "(msg:\"http host header test\"; "
383  "content:\"ect\"; depth:4; http_host; "
384  "sid:1;)");
385  if (de_ctx->sig_list == NULL)
386  goto end;
387 
388  SigGroupBuild(de_ctx);
389  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
390 
391  int r = AppLayerParserParse(
392  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
393  if (r != 0) {
394  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
395  result = 0;
396  goto end;
397  }
398 
399  http_state = f.alstate;
400  if (http_state == NULL) {
401  printf("no http state: ");
402  result = 0;
403  goto end;
404  }
405 
406  /* do detect */
407  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
408 
409  if (PacketAlertCheck(p, 1)) {
410  printf("sid 1 matched but shouldn't have: ");
411  goto end;
412  }
413 
414  result = 1;
415 
416 end:
417  if (alp_tctx != NULL)
418  AppLayerParserThreadCtxFree(alp_tctx);
419  if (de_ctx != NULL)
420  SigGroupCleanup(de_ctx);
421  if (de_ctx != NULL)
422  SigCleanSignatures(de_ctx);
423  if (de_ctx != NULL)
424  DetectEngineCtxFree(de_ctx);
425 
426  StreamTcpFreeConfig(true);
427  FLOW_DESTROY(&f);
428  UTHFreePackets(&p, 1);
429  return result;
430 }
431 
432 /**
433  * \test Test that the http_host content matches against a http request
434  * which holds the content.
435  */
436 static int DetectEngineHttpHHTest05(void)
437 {
438  TcpSession ssn;
439  Packet *p = NULL;
440  ThreadVars th_v;
441  DetectEngineCtx *de_ctx = NULL;
442  DetectEngineThreadCtx *det_ctx = NULL;
443  HtpState *http_state = NULL;
444  Flow f;
445  uint8_t http_buf[] =
446  "GET /index.html HTTP/1.0\r\n"
447  "Host: CONNECT\r\n"
448  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
449  uint32_t http_len = sizeof(http_buf) - 1;
450  int result = 0;
451  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
452 
453  memset(&th_v, 0, sizeof(th_v));
454  memset(&f, 0, sizeof(f));
455  memset(&ssn, 0, sizeof(ssn));
456 
457  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
458 
459  FLOW_INITIALIZE(&f);
460  f.protoctx = (void *)&ssn;
461  f.proto = IPPROTO_TCP;
462  f.flags |= FLOW_IPV4;
463  p->flow = &f;
464  p->flowflags |= FLOW_PKT_TOSERVER;
465  p->flowflags |= FLOW_PKT_ESTABLISHED;
466  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
467  f.alproto = ALPROTO_HTTP1;
468 
469  StreamTcpInitConfig(true);
470 
471  de_ctx = DetectEngineCtxInit();
472  if (de_ctx == NULL)
473  goto end;
474 
475  de_ctx->flags |= DE_QUIET;
476 
477  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
478  "(msg:\"http host header test\"; "
479  "content:!\"con\"; depth:4; http_host; "
480  "sid:1;)");
481  if (de_ctx->sig_list == NULL)
482  goto end;
483 
484  SigGroupBuild(de_ctx);
485  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
486 
487  int r = AppLayerParserParse(
488  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
489  if (r != 0) {
490  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
491  result = 0;
492  goto end;
493  }
494 
495  http_state = f.alstate;
496  if (http_state == NULL) {
497  printf("no http state: ");
498  result = 0;
499  goto end;
500  }
501 
502  /* do detect */
503  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
504 
505  if (PacketAlertCheck(p, 1)) {
506  printf("sid 1 matched but shouldn't have: ");
507  goto end;
508  }
509 
510  result = 1;
511 
512 end:
513  if (alp_tctx != NULL)
514  AppLayerParserThreadCtxFree(alp_tctx);
515  if (de_ctx != NULL)
516  SigGroupCleanup(de_ctx);
517  if (de_ctx != NULL)
518  SigCleanSignatures(de_ctx);
519  if (de_ctx != NULL)
520  DetectEngineCtxFree(de_ctx);
521 
522  StreamTcpFreeConfig(true);
523  FLOW_DESTROY(&f);
524  UTHFreePackets(&p, 1);
525  return result;
526 }
527 
528 /**
529  * \test Test that the http_host header content matches against a http request
530  * which holds the content.
531  */
532 static int DetectEngineHttpHHTest06(void)
533 {
534  TcpSession ssn;
535  Packet *p = NULL;
536  ThreadVars th_v;
537  DetectEngineCtx *de_ctx = NULL;
538  DetectEngineThreadCtx *det_ctx = NULL;
539  HtpState *http_state = NULL;
540  Flow f;
541  uint8_t http_buf[] =
542  "GET /index.html HTTP/1.0\r\n"
543  "Host: CONNECT\r\n"
544  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
545  uint32_t http_len = sizeof(http_buf) - 1;
546  int result = 0;
547  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
548 
549  memset(&th_v, 0, sizeof(th_v));
550  memset(&f, 0, sizeof(f));
551  memset(&ssn, 0, sizeof(ssn));
552 
553  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
554 
555  FLOW_INITIALIZE(&f);
556  f.protoctx = (void *)&ssn;
557  f.proto = IPPROTO_TCP;
558  f.flags |= FLOW_IPV4;
559  p->flow = &f;
560  p->flowflags |= FLOW_PKT_TOSERVER;
561  p->flowflags |= FLOW_PKT_ESTABLISHED;
562  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
563  f.alproto = ALPROTO_HTTP1;
564 
565  StreamTcpInitConfig(true);
566 
567  de_ctx = DetectEngineCtxInit();
568  if (de_ctx == NULL)
569  goto end;
570 
571  de_ctx->flags |= DE_QUIET;
572 
573  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
574  "(msg:\"http host header test\"; "
575  "content:\"ect\"; offset:3; http_host; "
576  "sid:1;)");
577  if (de_ctx->sig_list == NULL)
578  goto end;
579 
580  SigGroupBuild(de_ctx);
581  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
582 
583  int r = AppLayerParserParse(
584  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
585  if (r != 0) {
586  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
587  result = 0;
588  goto end;
589  }
590 
591  http_state = f.alstate;
592  if (http_state == NULL) {
593  printf("no http state: ");
594  result = 0;
595  goto end;
596  }
597 
598  /* do detect */
599  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
600 
601  if (!(PacketAlertCheck(p, 1))) {
602  printf("sid 1 didn't match but should have: ");
603  goto end;
604  }
605 
606  result = 1;
607 
608 end:
609  if (alp_tctx != NULL)
610  AppLayerParserThreadCtxFree(alp_tctx);
611  if (de_ctx != NULL)
612  SigGroupCleanup(de_ctx);
613  if (de_ctx != NULL)
614  SigCleanSignatures(de_ctx);
615  if (de_ctx != NULL)
616  DetectEngineCtxFree(de_ctx);
617 
618  StreamTcpFreeConfig(true);
619  FLOW_DESTROY(&f);
620  UTHFreePackets(&p, 1);
621  return result;
622 }
623 
624 /**
625  * \test Test that the http_host content matches against a http request
626  * which holds the content.
627  */
628 static int DetectEngineHttpHHTest07(void)
629 {
630  TcpSession ssn;
631  Packet *p = NULL;
632  ThreadVars th_v;
633  DetectEngineCtx *de_ctx = NULL;
634  DetectEngineThreadCtx *det_ctx = NULL;
635  HtpState *http_state = NULL;
636  Flow f;
637  uint8_t http_buf[] =
638  "GET /index.html HTTP/1.0\r\n"
639  "Host: CONNECT\r\n"
640  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
641  uint32_t http_len = sizeof(http_buf) - 1;
642  int result = 0;
643  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
644 
645  memset(&th_v, 0, sizeof(th_v));
646  memset(&f, 0, sizeof(f));
647  memset(&ssn, 0, sizeof(ssn));
648 
649  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
650 
651  FLOW_INITIALIZE(&f);
652  f.protoctx = (void *)&ssn;
653  f.proto = IPPROTO_TCP;
654  f.flags |= FLOW_IPV4;
655  p->flow = &f;
656  p->flowflags |= FLOW_PKT_TOSERVER;
657  p->flowflags |= FLOW_PKT_ESTABLISHED;
658  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
659  f.alproto = ALPROTO_HTTP1;
660 
661  StreamTcpInitConfig(true);
662 
663  de_ctx = DetectEngineCtxInit();
664  if (de_ctx == NULL)
665  goto end;
666 
667  de_ctx->flags |= DE_QUIET;
668 
669  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
670  "(msg:\"http host header test\"; "
671  "content:!\"co\"; offset:3; http_host; "
672  "sid:1;)");
673  if (de_ctx->sig_list == NULL)
674  goto end;
675 
676  SigGroupBuild(de_ctx);
677  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
678 
679  int r = AppLayerParserParse(
680  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
681  if (r != 0) {
682  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
683  result = 0;
684  goto end;
685  }
686 
687  http_state = f.alstate;
688  if (http_state == NULL) {
689  printf("no http state: ");
690  result = 0;
691  goto end;
692  }
693 
694  /* do detect */
695  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
696 
697  if (!(PacketAlertCheck(p, 1))) {
698  printf("sid 1 didn't match but should have: ");
699  goto end;
700  }
701 
702  result = 1;
703 
704 end:
705  if (alp_tctx != NULL)
706  AppLayerParserThreadCtxFree(alp_tctx);
707  if (de_ctx != NULL)
708  SigGroupCleanup(de_ctx);
709  if (de_ctx != NULL)
710  SigCleanSignatures(de_ctx);
711  if (de_ctx != NULL)
712  DetectEngineCtxFree(de_ctx);
713 
714  StreamTcpFreeConfig(true);
715  FLOW_DESTROY(&f);
716  UTHFreePackets(&p, 1);
717  return result;
718 }
719 
720 /**
721  * \test Test that the http_host header content matches against a http request
722  * which holds the content.
723  */
724 static int DetectEngineHttpHHTest08(void)
725 {
726  TcpSession ssn;
727  Packet *p = NULL;
728  ThreadVars th_v;
729  DetectEngineCtx *de_ctx = NULL;
730  DetectEngineThreadCtx *det_ctx = NULL;
731  HtpState *http_state = NULL;
732  Flow f;
733  uint8_t http_buf[] =
734  "GET /index.html HTTP/1.0\r\n"
735  "Host: CONNECT\r\n"
736  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
737  uint32_t http_len = sizeof(http_buf) - 1;
738  int result = 0;
739  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
740 
741  memset(&th_v, 0, sizeof(th_v));
742  memset(&f, 0, sizeof(f));
743  memset(&ssn, 0, sizeof(ssn));
744 
745  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
746 
747  FLOW_INITIALIZE(&f);
748  f.protoctx = (void *)&ssn;
749  f.proto = IPPROTO_TCP;
750  f.flags |= FLOW_IPV4;
751  p->flow = &f;
752  p->flowflags |= FLOW_PKT_TOSERVER;
753  p->flowflags |= FLOW_PKT_ESTABLISHED;
754  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
755  f.alproto = ALPROTO_HTTP1;
756 
757  StreamTcpInitConfig(true);
758 
759  de_ctx = DetectEngineCtxInit();
760  if (de_ctx == NULL)
761  goto end;
762 
763  de_ctx->flags |= DE_QUIET;
764 
765  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
766  "(msg:\"http host header test\"; "
767  "content:!\"ect\"; offset:3; http_host; "
768  "sid:1;)");
769  if (de_ctx->sig_list == NULL)
770  goto end;
771 
772  SigGroupBuild(de_ctx);
773  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
774 
775  int r = AppLayerParserParse(
776  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
777  if (r != 0) {
778  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
779  result = 0;
780  goto end;
781  }
782 
783  http_state = f.alstate;
784  if (http_state == NULL) {
785  printf("no http state: ");
786  result = 0;
787  goto end;
788  }
789 
790  /* do detect */
791  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
792 
793  if (PacketAlertCheck(p, 1)) {
794  printf("sid 1 matched but shouldn't have: ");
795  goto end;
796  }
797 
798  result = 1;
799 
800 end:
801  if (alp_tctx != NULL)
802  AppLayerParserThreadCtxFree(alp_tctx);
803  if (de_ctx != NULL)
804  SigGroupCleanup(de_ctx);
805  if (de_ctx != NULL)
806  SigCleanSignatures(de_ctx);
807  if (de_ctx != NULL)
808  DetectEngineCtxFree(de_ctx);
809 
810  StreamTcpFreeConfig(true);
811  FLOW_DESTROY(&f);
812  UTHFreePackets(&p, 1);
813  return result;
814 }
815 
816 /**
817  * \test Test that the http_host header content matches against a http request
818  * which holds the content.
819  */
820 static int DetectEngineHttpHHTest09(void)
821 {
822  TcpSession ssn;
823  Packet *p = NULL;
824  ThreadVars th_v;
825  DetectEngineCtx *de_ctx = NULL;
826  DetectEngineThreadCtx *det_ctx = NULL;
827  HtpState *http_state = NULL;
828  Flow f;
829  uint8_t http_buf[] =
830  "GET /index.html HTTP/1.0\r\n"
831  "Host: CONNECT\r\n"
832  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
833  uint32_t http_len = sizeof(http_buf) - 1;
834  int result = 0;
835  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
836 
837  memset(&th_v, 0, sizeof(th_v));
838  memset(&f, 0, sizeof(f));
839  memset(&ssn, 0, sizeof(ssn));
840 
841  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
842 
843  FLOW_INITIALIZE(&f);
844  f.protoctx = (void *)&ssn;
845  f.proto = IPPROTO_TCP;
846  f.flags |= FLOW_IPV4;
847  p->flow = &f;
848  p->flowflags |= FLOW_PKT_TOSERVER;
849  p->flowflags |= FLOW_PKT_ESTABLISHED;
850  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
851  f.alproto = ALPROTO_HTTP1;
852 
853  StreamTcpInitConfig(true);
854 
855  de_ctx = DetectEngineCtxInit();
856  if (de_ctx == NULL)
857  goto end;
858 
859  de_ctx->flags |= DE_QUIET;
860 
861  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
862  "(msg:\"http host header test\"; "
863  "content:\"con\"; offset:3; http_host; "
864  "sid:1;)");
865  if (de_ctx->sig_list == NULL)
866  goto end;
867 
868  SigGroupBuild(de_ctx);
869  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
870 
871  int r = AppLayerParserParse(
872  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
873  if (r != 0) {
874  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
875  result = 0;
876  goto end;
877  }
878 
879  http_state = f.alstate;
880  if (http_state == NULL) {
881  printf("no http state: ");
882  result = 0;
883  goto end;
884  }
885 
886  /* do detect */
887  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
888 
889  if (PacketAlertCheck(p, 1)) {
890  printf("sid 1 matched but shouldn't have: ");
891  goto end;
892  }
893 
894  result = 1;
895 
896 end:
897  if (alp_tctx != NULL)
898  AppLayerParserThreadCtxFree(alp_tctx);
899  if (de_ctx != NULL)
900  SigGroupCleanup(de_ctx);
901  if (de_ctx != NULL)
902  SigCleanSignatures(de_ctx);
903  if (de_ctx != NULL)
904  DetectEngineCtxFree(de_ctx);
905 
906  StreamTcpFreeConfig(true);
907  FLOW_DESTROY(&f);
908  UTHFreePackets(&p, 1);
909  return result;
910 }
911 
912 /**
913  * \test Test that the http_host header content matches against a http request
914  * which holds the content.
915  */
916 static int DetectEngineHttpHHTest10(void)
917 {
918  TcpSession ssn;
919  Packet *p = NULL;
920  ThreadVars th_v;
921  DetectEngineCtx *de_ctx = NULL;
922  DetectEngineThreadCtx *det_ctx = NULL;
923  HtpState *http_state = NULL;
924  Flow f;
925  uint8_t http_buf[] =
926  "GET /index.html HTTP/1.0\r\n"
927  "Host: CONNECT\r\n"
928  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
929  uint32_t http_len = sizeof(http_buf) - 1;
930  int result = 0;
931  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
932 
933  memset(&th_v, 0, sizeof(th_v));
934  memset(&f, 0, sizeof(f));
935  memset(&ssn, 0, sizeof(ssn));
936 
937  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
938 
939  FLOW_INITIALIZE(&f);
940  f.protoctx = (void *)&ssn;
941  f.proto = IPPROTO_TCP;
942  f.flags |= FLOW_IPV4;
943  p->flow = &f;
944  p->flowflags |= FLOW_PKT_TOSERVER;
945  p->flowflags |= FLOW_PKT_ESTABLISHED;
946  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
947  f.alproto = ALPROTO_HTTP1;
948 
949  StreamTcpInitConfig(true);
950 
951  de_ctx = DetectEngineCtxInit();
952  if (de_ctx == NULL)
953  goto end;
954 
955  de_ctx->flags |= DE_QUIET;
956 
957  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
958  "(msg:\"http_host header test\"; "
959  "content:\"co\"; http_host; "
960  "content:\"ec\"; within:4; http_host; "
961  "sid:1;)");
962  if (de_ctx->sig_list == NULL)
963  goto end;
964 
965  SigGroupBuild(de_ctx);
966  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
967 
968  int r = AppLayerParserParse(
969  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
970  if (r != 0) {
971  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
972  result = 0;
973  goto end;
974  }
975 
976  http_state = f.alstate;
977  if (http_state == NULL) {
978  printf("no http state: ");
979  result = 0;
980  goto end;
981  }
982 
983  /* do detect */
984  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
985 
986  if (!PacketAlertCheck(p, 1)) {
987  printf("sid 1 didn't match but should have: ");
988  goto end;
989  }
990 
991  result = 1;
992 
993 end:
994  if (alp_tctx != NULL)
995  AppLayerParserThreadCtxFree(alp_tctx);
996  if (de_ctx != NULL)
997  SigGroupCleanup(de_ctx);
998  if (de_ctx != NULL)
999  SigCleanSignatures(de_ctx);
1000  if (de_ctx != NULL)
1001  DetectEngineCtxFree(de_ctx);
1002 
1003  StreamTcpFreeConfig(true);
1004  FLOW_DESTROY(&f);
1005  UTHFreePackets(&p, 1);
1006  return result;
1007 }
1008 
1009 /**
1010  * \test Test that the http_host header content matches against a http request
1011  * which holds the content.
1012  */
1013 static int DetectEngineHttpHHTest11(void)
1014 {
1015  TcpSession ssn;
1016  Packet *p = NULL;
1017  ThreadVars th_v;
1018  DetectEngineCtx *de_ctx = NULL;
1019  DetectEngineThreadCtx *det_ctx = NULL;
1020  HtpState *http_state = NULL;
1021  Flow f;
1022  uint8_t http_buf[] =
1023  "GET /index.html HTTP/1.0\r\n"
1024  "Host: CONNECT\r\n"
1025  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1026  uint32_t http_len = sizeof(http_buf) - 1;
1027  int result = 0;
1028  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1029 
1030  memset(&th_v, 0, sizeof(th_v));
1031  memset(&f, 0, sizeof(f));
1032  memset(&ssn, 0, sizeof(ssn));
1033 
1034  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1035 
1036  FLOW_INITIALIZE(&f);
1037  f.protoctx = (void *)&ssn;
1038  f.proto = IPPROTO_TCP;
1039  f.flags |= FLOW_IPV4;
1040  p->flow = &f;
1041  p->flowflags |= FLOW_PKT_TOSERVER;
1042  p->flowflags |= FLOW_PKT_ESTABLISHED;
1043  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1044  f.alproto = ALPROTO_HTTP1;
1045 
1046  StreamTcpInitConfig(true);
1047 
1048  de_ctx = DetectEngineCtxInit();
1049  if (de_ctx == NULL)
1050  goto end;
1051 
1052  de_ctx->flags |= DE_QUIET;
1053 
1054  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1055  "(msg:\"http_host header test\"; "
1056  "content:\"co\"; http_host; "
1057  "content:!\"ec\"; within:3; http_host; "
1058  "sid:1;)");
1059  if (de_ctx->sig_list == NULL)
1060  goto end;
1061 
1062  SigGroupBuild(de_ctx);
1063  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1064 
1065  int r = AppLayerParserParse(
1066  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1067  if (r != 0) {
1068  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1069  result = 0;
1070  goto end;
1071  }
1072 
1073  http_state = f.alstate;
1074  if (http_state == NULL) {
1075  printf("no http state: ");
1076  result = 0;
1077  goto end;
1078  }
1079 
1080  /* do detect */
1081  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1082 
1083  if (!PacketAlertCheck(p, 1)) {
1084  printf("sid 1 didn't match but should have: ");
1085  goto end;
1086  }
1087 
1088  result = 1;
1089 
1090 end:
1091  if (alp_tctx != NULL)
1092  AppLayerParserThreadCtxFree(alp_tctx);
1093  if (de_ctx != NULL)
1094  SigGroupCleanup(de_ctx);
1095  if (de_ctx != NULL)
1096  SigCleanSignatures(de_ctx);
1097  if (de_ctx != NULL)
1098  DetectEngineCtxFree(de_ctx);
1099 
1100  StreamTcpFreeConfig(true);
1101  FLOW_DESTROY(&f);
1102  UTHFreePackets(&p, 1);
1103  return result;
1104 }
1105 
1106 /**
1107  * \test Test that the http_host header content matches against a http request
1108  * which holds the content.
1109  */
1110 static int DetectEngineHttpHHTest12(void)
1111 {
1112  TcpSession ssn;
1113  Packet *p = NULL;
1114  ThreadVars th_v;
1115  DetectEngineCtx *de_ctx = NULL;
1116  DetectEngineThreadCtx *det_ctx = NULL;
1117  HtpState *http_state = NULL;
1118  Flow f;
1119  uint8_t http_buf[] =
1120  "GET /index.html HTTP/1.0\r\n"
1121  "Host: CONNECT\r\n"
1122  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1123  uint32_t http_len = sizeof(http_buf) - 1;
1124  int result = 0;
1125  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1126 
1127  memset(&th_v, 0, sizeof(th_v));
1128  memset(&f, 0, sizeof(f));
1129  memset(&ssn, 0, sizeof(ssn));
1130 
1131  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1132 
1133  FLOW_INITIALIZE(&f);
1134  f.protoctx = (void *)&ssn;
1135  f.proto = IPPROTO_TCP;
1136  f.flags |= FLOW_IPV4;
1137  p->flow = &f;
1138  p->flowflags |= FLOW_PKT_TOSERVER;
1139  p->flowflags |= FLOW_PKT_ESTABLISHED;
1140  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1141  f.alproto = ALPROTO_HTTP1;
1142 
1143  StreamTcpInitConfig(true);
1144 
1145  de_ctx = DetectEngineCtxInit();
1146  if (de_ctx == NULL)
1147  goto end;
1148 
1149  de_ctx->flags |= DE_QUIET;
1150 
1151  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1152  "(msg:\"http_host header test\"; "
1153  "content:\"co\"; http_host; "
1154  "content:\"ec\"; within:3; http_host; "
1155  "sid:1;)");
1156  if (de_ctx->sig_list == NULL)
1157  goto end;
1158 
1159  SigGroupBuild(de_ctx);
1160  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1161 
1162  int r = AppLayerParserParse(
1163  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1164  if (r != 0) {
1165  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1166  result = 0;
1167  goto end;
1168  }
1169 
1170  http_state = f.alstate;
1171  if (http_state == NULL) {
1172  printf("no http state: ");
1173  result = 0;
1174  goto end;
1175  }
1176 
1177  /* do detect */
1178  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1179 
1180  if (PacketAlertCheck(p, 1)) {
1181  printf("sid 1 matched but shouldn't have: ");
1182  goto end;
1183  }
1184 
1185  result = 1;
1186 
1187 end:
1188  if (alp_tctx != NULL)
1189  AppLayerParserThreadCtxFree(alp_tctx);
1190  if (de_ctx != NULL)
1191  SigGroupCleanup(de_ctx);
1192  if (de_ctx != NULL)
1193  SigCleanSignatures(de_ctx);
1194  if (de_ctx != NULL)
1195  DetectEngineCtxFree(de_ctx);
1196 
1197  StreamTcpFreeConfig(true);
1198  FLOW_DESTROY(&f);
1199  UTHFreePackets(&p, 1);
1200  return result;
1201 }
1202 
1203 /**
1204  * \test Test that the http_host header content matches against a http request
1205  * which holds the content.
1206  */
1207 static int DetectEngineHttpHHTest13(void)
1208 {
1209  TcpSession ssn;
1210  Packet *p = NULL;
1211  ThreadVars th_v;
1212  DetectEngineCtx *de_ctx = NULL;
1213  DetectEngineThreadCtx *det_ctx = NULL;
1214  HtpState *http_state = NULL;
1215  Flow f;
1216  uint8_t http_buf[] =
1217  "GET /index.html HTTP/1.0\r\n"
1218  "Host: CONNECT\r\n"
1219  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1220  uint32_t http_len = sizeof(http_buf) - 1;
1221  int result = 0;
1222  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1223 
1224  memset(&th_v, 0, sizeof(th_v));
1225  memset(&f, 0, sizeof(f));
1226  memset(&ssn, 0, sizeof(ssn));
1227 
1228  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1229 
1230  FLOW_INITIALIZE(&f);
1231  f.protoctx = (void *)&ssn;
1232  f.proto = IPPROTO_TCP;
1233  f.flags |= FLOW_IPV4;
1234  p->flow = &f;
1235  p->flowflags |= FLOW_PKT_TOSERVER;
1236  p->flowflags |= FLOW_PKT_ESTABLISHED;
1237  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1238  f.alproto = ALPROTO_HTTP1;
1239 
1240  StreamTcpInitConfig(true);
1241 
1242  de_ctx = DetectEngineCtxInit();
1243  if (de_ctx == NULL)
1244  goto end;
1245 
1246  de_ctx->flags |= DE_QUIET;
1247 
1248  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1249  "(msg:\"http_host header test\"; "
1250  "content:\"co\"; http_host; "
1251  "content:!\"ec\"; within:4; http_host; "
1252  "sid:1;)");
1253  if (de_ctx->sig_list == NULL)
1254  goto end;
1255 
1256  SigGroupBuild(de_ctx);
1257  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1258 
1259  int r = AppLayerParserParse(
1260  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1261  if (r != 0) {
1262  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1263  result = 0;
1264  goto end;
1265  }
1266 
1267  http_state = f.alstate;
1268  if (http_state == NULL) {
1269  printf("no http state: ");
1270  result = 0;
1271  goto end;
1272  }
1273 
1274  /* do detect */
1275  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1276 
1277  if (PacketAlertCheck(p, 1)) {
1278  printf("sid 1 matched but shouldn't have: ");
1279  goto end;
1280  }
1281 
1282  result = 1;
1283 
1284 end:
1285  if (alp_tctx != NULL)
1286  AppLayerParserThreadCtxFree(alp_tctx);
1287  if (de_ctx != NULL)
1288  SigGroupCleanup(de_ctx);
1289  if (de_ctx != NULL)
1290  SigCleanSignatures(de_ctx);
1291  if (de_ctx != NULL)
1292  DetectEngineCtxFree(de_ctx);
1293 
1294  StreamTcpFreeConfig(true);
1295  FLOW_DESTROY(&f);
1296  UTHFreePackets(&p, 1);
1297  return result;
1298 }
1299 
1300 /**
1301  * \test Test that the http_host header content matches against a http request
1302  * which holds the content.
1303  */
1304 static int DetectEngineHttpHHTest14(void)
1305 {
1306  TcpSession ssn;
1307  Packet *p = NULL;
1308  ThreadVars th_v;
1309  DetectEngineCtx *de_ctx = NULL;
1310  DetectEngineThreadCtx *det_ctx = NULL;
1311  HtpState *http_state = NULL;
1312  Flow f;
1313  uint8_t http_buf[] =
1314  "GET /index.html HTTP/1.0\r\n"
1315  "Host: CONNECT\r\n"
1316  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1317  uint32_t http_len = sizeof(http_buf) - 1;
1318  int result = 0;
1319  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1320 
1321  memset(&th_v, 0, sizeof(th_v));
1322  memset(&f, 0, sizeof(f));
1323  memset(&ssn, 0, sizeof(ssn));
1324 
1325  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1326 
1327  FLOW_INITIALIZE(&f);
1328  f.protoctx = (void *)&ssn;
1329  f.proto = IPPROTO_TCP;
1330  f.flags |= FLOW_IPV4;
1331  p->flow = &f;
1332  p->flowflags |= FLOW_PKT_TOSERVER;
1333  p->flowflags |= FLOW_PKT_ESTABLISHED;
1334  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1335  f.alproto = ALPROTO_HTTP1;
1336 
1337  StreamTcpInitConfig(true);
1338 
1339  de_ctx = DetectEngineCtxInit();
1340  if (de_ctx == NULL)
1341  goto end;
1342 
1343  de_ctx->flags |= DE_QUIET;
1344 
1345  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1346  "(msg:\"http_host header test\"; "
1347  "content:\"co\"; http_host; "
1348  "content:\"ec\"; distance:2; http_host; "
1349  "sid:1;)");
1350  if (de_ctx->sig_list == NULL)
1351  goto end;
1352 
1353  SigGroupBuild(de_ctx);
1354  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1355 
1356  int r = AppLayerParserParse(
1357  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1358  if (r != 0) {
1359  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1360  result = 0;
1361  goto end;
1362  }
1363 
1364  http_state = f.alstate;
1365  if (http_state == NULL) {
1366  printf("no http state: ");
1367  result = 0;
1368  goto end;
1369  }
1370 
1371  /* do detect */
1372  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1373 
1374  if (!PacketAlertCheck(p, 1)) {
1375  printf("sid 1 didn't match but should have: ");
1376  goto end;
1377  }
1378 
1379  result = 1;
1380 
1381 end:
1382  if (alp_tctx != NULL)
1383  AppLayerParserThreadCtxFree(alp_tctx);
1384  if (de_ctx != NULL)
1385  SigGroupCleanup(de_ctx);
1386  if (de_ctx != NULL)
1387  SigCleanSignatures(de_ctx);
1388  if (de_ctx != NULL)
1389  DetectEngineCtxFree(de_ctx);
1390 
1391  StreamTcpFreeConfig(true);
1392  FLOW_DESTROY(&f);
1393  UTHFreePackets(&p, 1);
1394  return result;
1395 }
1396 
1397 /**
1398  * \test Test that the http_host header content matches against a http request
1399  * which holds the content.
1400  */
1401 static int DetectEngineHttpHHTest15(void)
1402 {
1403  TcpSession ssn;
1404  Packet *p = NULL;
1405  ThreadVars th_v;
1406  DetectEngineCtx *de_ctx = NULL;
1407  DetectEngineThreadCtx *det_ctx = NULL;
1408  HtpState *http_state = NULL;
1409  Flow f;
1410  uint8_t http_buf[] =
1411  "GET /index.html HTTP/1.0\r\n"
1412  "Host: CONNECT\r\n"
1413  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1414  uint32_t http_len = sizeof(http_buf) - 1;
1415  int result = 0;
1416  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1417 
1418  memset(&th_v, 0, sizeof(th_v));
1419  memset(&f, 0, sizeof(f));
1420  memset(&ssn, 0, sizeof(ssn));
1421 
1422  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1423 
1424  FLOW_INITIALIZE(&f);
1425  f.protoctx = (void *)&ssn;
1426  f.proto = IPPROTO_TCP;
1427  f.flags |= FLOW_IPV4;
1428  p->flow = &f;
1429  p->flowflags |= FLOW_PKT_TOSERVER;
1430  p->flowflags |= FLOW_PKT_ESTABLISHED;
1431  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1432  f.alproto = ALPROTO_HTTP1;
1433 
1434  StreamTcpInitConfig(true);
1435 
1436  de_ctx = DetectEngineCtxInit();
1437  if (de_ctx == NULL)
1438  goto end;
1439 
1440  de_ctx->flags |= DE_QUIET;
1441 
1442  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1443  "(msg:\"http_host header test\"; "
1444  "content:\"co\"; http_host; "
1445  "content:!\"ec\"; distance:3; http_host; "
1446  "sid:1;)");
1447  if (de_ctx->sig_list == NULL)
1448  goto end;
1449 
1450  SigGroupBuild(de_ctx);
1451  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1452 
1453  int r = AppLayerParserParse(
1454  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1455  if (r != 0) {
1456  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1457  result = 0;
1458  goto end;
1459  }
1460 
1461  http_state = f.alstate;
1462  if (http_state == NULL) {
1463  printf("no http state: ");
1464  result = 0;
1465  goto end;
1466  }
1467 
1468  /* do detect */
1469  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1470 
1471  if (!PacketAlertCheck(p, 1)) {
1472  printf("sid 1 didn't match but should have: ");
1473  goto end;
1474  }
1475 
1476  result = 1;
1477 
1478 end:
1479  if (alp_tctx != NULL)
1480  AppLayerParserThreadCtxFree(alp_tctx);
1481  if (de_ctx != NULL)
1482  SigGroupCleanup(de_ctx);
1483  if (de_ctx != NULL)
1484  SigCleanSignatures(de_ctx);
1485  if (de_ctx != NULL)
1486  DetectEngineCtxFree(de_ctx);
1487 
1488  StreamTcpFreeConfig(true);
1489  FLOW_DESTROY(&f);
1490  UTHFreePackets(&p, 1);
1491  return result;
1492 }
1493 
1494 /**
1495  * \test Test that the http_host header content matches against a http request
1496  * which holds the content.
1497  */
1498 static int DetectEngineHttpHHTest16(void)
1499 {
1500  TcpSession ssn;
1501  Packet *p = NULL;
1502  ThreadVars th_v;
1503  DetectEngineCtx *de_ctx = NULL;
1504  DetectEngineThreadCtx *det_ctx = NULL;
1505  HtpState *http_state = NULL;
1506  Flow f;
1507  uint8_t http_buf[] =
1508  "GET /index.html HTTP/1.0\r\n"
1509  "Host: CONNECT\r\n"
1510  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1511  uint32_t http_len = sizeof(http_buf) - 1;
1512  int result = 0;
1513  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1514 
1515  memset(&th_v, 0, sizeof(th_v));
1516  memset(&f, 0, sizeof(f));
1517  memset(&ssn, 0, sizeof(ssn));
1518 
1519  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1520 
1521  FLOW_INITIALIZE(&f);
1522  f.protoctx = (void *)&ssn;
1523  f.proto = IPPROTO_TCP;
1524  f.flags |= FLOW_IPV4;
1525  p->flow = &f;
1526  p->flowflags |= FLOW_PKT_TOSERVER;
1527  p->flowflags |= FLOW_PKT_ESTABLISHED;
1528  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1529  f.alproto = ALPROTO_HTTP1;
1530 
1531  StreamTcpInitConfig(true);
1532 
1533  de_ctx = DetectEngineCtxInit();
1534  if (de_ctx == NULL)
1535  goto end;
1536 
1537  de_ctx->flags |= DE_QUIET;
1538 
1539  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1540  "(msg:\"http_host header test\"; "
1541  "content:\"co\"; http_host; "
1542  "content:\"ec\"; distance:3; http_host; "
1543  "sid:1;)");
1544  if (de_ctx->sig_list == NULL)
1545  goto end;
1546 
1547  SigGroupBuild(de_ctx);
1548  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1549 
1550  int r = AppLayerParserParse(
1551  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1552  if (r != 0) {
1553  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1554  result = 0;
1555  goto end;
1556  }
1557 
1558  http_state = f.alstate;
1559  if (http_state == NULL) {
1560  printf("no http state: ");
1561  result = 0;
1562  goto end;
1563  }
1564 
1565  /* do detect */
1566  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1567 
1568  if (PacketAlertCheck(p, 1)) {
1569  printf("sid 1 matched but shouldn't have: ");
1570  goto end;
1571  }
1572 
1573  result = 1;
1574 
1575 end:
1576  if (alp_tctx != NULL)
1577  AppLayerParserThreadCtxFree(alp_tctx);
1578  if (de_ctx != NULL)
1579  SigGroupCleanup(de_ctx);
1580  if (de_ctx != NULL)
1581  SigCleanSignatures(de_ctx);
1582  if (de_ctx != NULL)
1583  DetectEngineCtxFree(de_ctx);
1584 
1585  StreamTcpFreeConfig(true);
1586  FLOW_DESTROY(&f);
1587  UTHFreePackets(&p, 1);
1588  return result;
1589 }
1590 
1591 /**
1592  * \test Test that the http_host header content matches against a http request
1593  * which holds the content.
1594  */
1595 static int DetectEngineHttpHHTest17(void)
1596 {
1597  TcpSession ssn;
1598  Packet *p = NULL;
1599  ThreadVars th_v;
1600  DetectEngineCtx *de_ctx = NULL;
1601  DetectEngineThreadCtx *det_ctx = NULL;
1602  HtpState *http_state = NULL;
1603  Flow f;
1604  uint8_t http_buf[] =
1605  "GET /index.html HTTP/1.0\r\n"
1606  "Host: CONNECT\r\n"
1607  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1608  uint32_t http_len = sizeof(http_buf) - 1;
1609  int result = 0;
1610  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1611 
1612  memset(&th_v, 0, sizeof(th_v));
1613  memset(&f, 0, sizeof(f));
1614  memset(&ssn, 0, sizeof(ssn));
1615 
1616  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1617 
1618  FLOW_INITIALIZE(&f);
1619  f.protoctx = (void *)&ssn;
1620  f.proto = IPPROTO_TCP;
1621  f.flags |= FLOW_IPV4;
1622  p->flow = &f;
1623  p->flowflags |= FLOW_PKT_TOSERVER;
1624  p->flowflags |= FLOW_PKT_ESTABLISHED;
1625  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1626  f.alproto = ALPROTO_HTTP1;
1627 
1628  StreamTcpInitConfig(true);
1629 
1630  de_ctx = DetectEngineCtxInit();
1631  if (de_ctx == NULL)
1632  goto end;
1633 
1634  de_ctx->flags |= DE_QUIET;
1635 
1636  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1637  "(msg:\"http_host header test\"; "
1638  "content:\"co\"; http_host; "
1639  "content:!\"ec\"; distance:2; http_host; "
1640  "sid:1;)");
1641  if (de_ctx->sig_list == NULL)
1642  goto end;
1643 
1644  SigGroupBuild(de_ctx);
1645  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1646 
1647  int r = AppLayerParserParse(
1648  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1649  if (r != 0) {
1650  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1651  result = 0;
1652  goto end;
1653  }
1654 
1655  http_state = f.alstate;
1656  if (http_state == NULL) {
1657  printf("no http state: ");
1658  result = 0;
1659  goto end;
1660  }
1661 
1662  /* do detect */
1663  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1664 
1665  if (PacketAlertCheck(p, 1)) {
1666  printf("sid 1 matched but shouldn't have: ");
1667  goto end;
1668  }
1669 
1670  result = 1;
1671 
1672 end:
1673  if (alp_tctx != NULL)
1674  AppLayerParserThreadCtxFree(alp_tctx);
1675  if (de_ctx != NULL)
1676  SigGroupCleanup(de_ctx);
1677  if (de_ctx != NULL)
1678  SigCleanSignatures(de_ctx);
1679  if (de_ctx != NULL)
1680  DetectEngineCtxFree(de_ctx);
1681 
1682  StreamTcpFreeConfig(true);
1683  FLOW_DESTROY(&f);
1684  UTHFreePackets(&p, 1);
1685  return result;
1686 }
1687 
1688 static int DetectEngineHttpHHTest18(void)
1689 {
1690  TcpSession ssn;
1691  Packet *p = NULL;
1692  ThreadVars th_v;
1693  DetectEngineCtx *de_ctx = NULL;
1694  DetectEngineThreadCtx *det_ctx = NULL;
1695  HtpState *http_state = NULL;
1696  Flow f;
1697  uint8_t http_buf[] =
1698  "GET /index.html HTTP/1.0\r\n"
1699  "Host: www.kaboom.com\r\n"
1700  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1701  uint32_t http_len = sizeof(http_buf) - 1;
1702  int result = 0;
1703  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1704 
1705  memset(&th_v, 0, sizeof(th_v));
1706  memset(&f, 0, sizeof(f));
1707  memset(&ssn, 0, sizeof(ssn));
1708 
1709  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1710 
1711  FLOW_INITIALIZE(&f);
1712  f.protoctx = (void *)&ssn;
1713  f.proto = IPPROTO_TCP;
1714  f.flags |= FLOW_IPV4;
1715  p->flow = &f;
1716  p->flowflags |= FLOW_PKT_TOSERVER;
1717  p->flowflags |= FLOW_PKT_ESTABLISHED;
1718  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1719  f.alproto = ALPROTO_HTTP1;
1720 
1721  StreamTcpInitConfig(true);
1722 
1723  de_ctx = DetectEngineCtxInit();
1724  if (de_ctx == NULL)
1725  goto end;
1726 
1727  de_ctx->flags |= DE_QUIET;
1728 
1729  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1730  "(msg:\"http_host header test\"; "
1731  "content:\"kaboom\"; http_host; "
1732  "sid:1;)");
1733  if (de_ctx->sig_list == NULL)
1734  goto end;
1735 
1736  SigGroupBuild(de_ctx);
1737  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1738 
1739  int r = AppLayerParserParse(
1740  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1741  if (r != 0) {
1742  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1743  result = 0;
1744  goto end;
1745  }
1746 
1747  http_state = f.alstate;
1748  if (http_state == NULL) {
1749  printf("no http state: ");
1750  result = 0;
1751  goto end;
1752  }
1753 
1754  /* do detect */
1755  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1756 
1757  if (!PacketAlertCheck(p, 1)) {
1758  printf("sid 1 didn't match but should have: ");
1759  goto end;
1760  }
1761 
1762  result = 1;
1763 
1764 end:
1765  if (alp_tctx != NULL)
1766  AppLayerParserThreadCtxFree(alp_tctx);
1767  if (de_ctx != NULL)
1768  SigGroupCleanup(de_ctx);
1769  if (de_ctx != NULL)
1770  SigCleanSignatures(de_ctx);
1771  if (de_ctx != NULL)
1772  DetectEngineCtxFree(de_ctx);
1773 
1774  StreamTcpFreeConfig(true);
1775  FLOW_DESTROY(&f);
1776  UTHFreePackets(&p, 1);
1777  return result;
1778 }
1779 
1780 static int DetectEngineHttpHHTest19(void)
1781 {
1782  TcpSession ssn;
1783  Packet *p = NULL;
1784  ThreadVars th_v;
1785  DetectEngineCtx *de_ctx = NULL;
1786  DetectEngineThreadCtx *det_ctx = NULL;
1787  HtpState *http_state = NULL;
1788  Flow f;
1789  uint8_t http_buf[] =
1790  "GET /index.html HTTP/1.0\r\n"
1791  "Host: www.kaboom.com:8080\r\n"
1792  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1793  uint32_t http_len = sizeof(http_buf) - 1;
1794  int result = 0;
1795  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1796 
1797  memset(&th_v, 0, sizeof(th_v));
1798  memset(&f, 0, sizeof(f));
1799  memset(&ssn, 0, sizeof(ssn));
1800 
1801  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1802 
1803  FLOW_INITIALIZE(&f);
1804  f.protoctx = (void *)&ssn;
1805  f.proto = IPPROTO_TCP;
1806  f.flags |= FLOW_IPV4;
1807  p->flow = &f;
1808  p->flowflags |= FLOW_PKT_TOSERVER;
1809  p->flowflags |= FLOW_PKT_ESTABLISHED;
1810  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1811  f.alproto = ALPROTO_HTTP1;
1812 
1813  StreamTcpInitConfig(true);
1814 
1815  de_ctx = DetectEngineCtxInit();
1816  if (de_ctx == NULL)
1817  goto end;
1818 
1819  de_ctx->flags |= DE_QUIET;
1820 
1821  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1822  "(msg:\"http_host header test\"; "
1823  "content:\"kaboom\"; http_host; "
1824  "sid:1;)");
1825  if (de_ctx->sig_list == NULL)
1826  goto end;
1827 
1828  SigGroupBuild(de_ctx);
1829  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1830 
1831  int r = AppLayerParserParse(
1832  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1833  if (r != 0) {
1834  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1835  result = 0;
1836  goto end;
1837  }
1838 
1839  http_state = f.alstate;
1840  if (http_state == NULL) {
1841  printf("no http state: ");
1842  result = 0;
1843  goto end;
1844  }
1845 
1846  /* do detect */
1847  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1848 
1849  if (!PacketAlertCheck(p, 1)) {
1850  printf("sid 1 didn't match but should have: ");
1851  goto end;
1852  }
1853 
1854  result = 1;
1855 
1856 end:
1857  if (alp_tctx != NULL)
1858  AppLayerParserThreadCtxFree(alp_tctx);
1859  if (de_ctx != NULL)
1860  SigGroupCleanup(de_ctx);
1861  if (de_ctx != NULL)
1862  SigCleanSignatures(de_ctx);
1863  if (de_ctx != NULL)
1864  DetectEngineCtxFree(de_ctx);
1865 
1866  StreamTcpFreeConfig(true);
1867  FLOW_DESTROY(&f);
1868  UTHFreePackets(&p, 1);
1869  return result;
1870 }
1871 
1872 static int DetectEngineHttpHHTest20(void)
1873 {
1874  TcpSession ssn;
1875  Packet *p = NULL;
1876  ThreadVars th_v;
1877  DetectEngineCtx *de_ctx = NULL;
1878  DetectEngineThreadCtx *det_ctx = NULL;
1879  HtpState *http_state = NULL;
1880  Flow f;
1881  uint8_t http_buf[] =
1882  "GET /index.html HTTP/1.0\r\n"
1883  "Host: www.kaboom.com:8080\r\n"
1884  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1885  uint32_t http_len = sizeof(http_buf) - 1;
1886  int result = 0;
1887  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1888 
1889  memset(&th_v, 0, sizeof(th_v));
1890  memset(&f, 0, sizeof(f));
1891  memset(&ssn, 0, sizeof(ssn));
1892 
1893  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1894 
1895  FLOW_INITIALIZE(&f);
1896  f.protoctx = (void *)&ssn;
1897  f.proto = IPPROTO_TCP;
1898  f.flags |= FLOW_IPV4;
1899  p->flow = &f;
1900  p->flowflags |= FLOW_PKT_TOSERVER;
1901  p->flowflags |= FLOW_PKT_ESTABLISHED;
1902  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1903  f.alproto = ALPROTO_HTTP1;
1904 
1905  StreamTcpInitConfig(true);
1906 
1907  de_ctx = DetectEngineCtxInit();
1908  if (de_ctx == NULL)
1909  goto end;
1910 
1911  de_ctx->flags |= DE_QUIET;
1912 
1913  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1914  "(msg:\"http_host header test\"; "
1915  "content:\"8080\"; http_host; "
1916  "sid:1;)");
1917  if (de_ctx->sig_list == NULL)
1918  goto end;
1919 
1920  SigGroupBuild(de_ctx);
1921  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1922 
1923  int r = AppLayerParserParse(
1924  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1925  if (r != 0) {
1926  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1927  result = 0;
1928  goto end;
1929  }
1930 
1931  http_state = f.alstate;
1932  if (http_state == NULL) {
1933  printf("no http state: ");
1934  result = 0;
1935  goto end;
1936  }
1937 
1938  /* do detect */
1939  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1940 
1941  if (PacketAlertCheck(p, 1)) {
1942  printf("sid 1 matched but it shouldn't have: ");
1943  goto end;
1944  }
1945 
1946  result = 1;
1947 
1948 end:
1949  if (alp_tctx != NULL)
1950  AppLayerParserThreadCtxFree(alp_tctx);
1951  if (de_ctx != NULL)
1952  SigGroupCleanup(de_ctx);
1953  if (de_ctx != NULL)
1954  SigCleanSignatures(de_ctx);
1955  if (de_ctx != NULL)
1956  DetectEngineCtxFree(de_ctx);
1957 
1958  StreamTcpFreeConfig(true);
1959  FLOW_DESTROY(&f);
1960  UTHFreePackets(&p, 1);
1961  return result;
1962 }
1963 
1964 static int DetectEngineHttpHHTest21(void)
1965 {
1966  TcpSession ssn;
1967  Packet *p = NULL;
1968  ThreadVars th_v;
1969  DetectEngineCtx *de_ctx = NULL;
1970  DetectEngineThreadCtx *det_ctx = NULL;
1971  HtpState *http_state = NULL;
1972  Flow f;
1973  uint8_t http_buf[] =
1974  "GET http://www.kaboom.com/index.html HTTP/1.0\r\n"
1975  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1976  uint32_t http_len = sizeof(http_buf) - 1;
1977  int result = 0;
1978  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1979 
1980  memset(&th_v, 0, sizeof(th_v));
1981  memset(&f, 0, sizeof(f));
1982  memset(&ssn, 0, sizeof(ssn));
1983 
1984  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1985 
1986  FLOW_INITIALIZE(&f);
1987  f.protoctx = (void *)&ssn;
1988  f.proto = IPPROTO_TCP;
1989  f.flags |= FLOW_IPV4;
1990  p->flow = &f;
1991  p->flowflags |= FLOW_PKT_TOSERVER;
1992  p->flowflags |= FLOW_PKT_ESTABLISHED;
1993  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1994  f.alproto = ALPROTO_HTTP1;
1995 
1996  StreamTcpInitConfig(true);
1997 
1998  de_ctx = DetectEngineCtxInit();
1999  if (de_ctx == NULL)
2000  goto end;
2001 
2002  de_ctx->flags |= DE_QUIET;
2003 
2004  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2005  "(msg:\"http_host header test\"; "
2006  "content:\"kaboom\"; http_host; "
2007  "sid:1;)");
2008  if (de_ctx->sig_list == NULL)
2009  goto end;
2010 
2011  SigGroupBuild(de_ctx);
2012  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2013 
2014  int r = AppLayerParserParse(
2015  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2016  if (r != 0) {
2017  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2018  result = 0;
2019  goto end;
2020  }
2021 
2022  http_state = f.alstate;
2023  if (http_state == NULL) {
2024  printf("no http state: ");
2025  result = 0;
2026  goto end;
2027  }
2028 
2029  /* do detect */
2030  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2031 
2032  if (!PacketAlertCheck(p, 1)) {
2033  printf("sid 1 didn't match but should have: ");
2034  goto end;
2035  }
2036 
2037  result = 1;
2038 
2039 end:
2040  if (alp_tctx != NULL)
2041  AppLayerParserThreadCtxFree(alp_tctx);
2042  if (de_ctx != NULL)
2043  SigGroupCleanup(de_ctx);
2044  if (de_ctx != NULL)
2045  SigCleanSignatures(de_ctx);
2046  if (de_ctx != NULL)
2047  DetectEngineCtxFree(de_ctx);
2048 
2049  StreamTcpFreeConfig(true);
2050  FLOW_DESTROY(&f);
2051  UTHFreePackets(&p, 1);
2052  return result;
2053 }
2054 
2055 static int DetectEngineHttpHHTest22(void)
2056 {
2057  TcpSession ssn;
2058  Packet *p = NULL;
2059  ThreadVars th_v;
2060  DetectEngineCtx *de_ctx = NULL;
2061  DetectEngineThreadCtx *det_ctx = NULL;
2062  HtpState *http_state = NULL;
2063  Flow f;
2064  uint8_t http_buf[] =
2065  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2066  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2067  uint32_t http_len = sizeof(http_buf) - 1;
2068  int result = 0;
2069  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2070 
2071  memset(&th_v, 0, sizeof(th_v));
2072  memset(&f, 0, sizeof(f));
2073  memset(&ssn, 0, sizeof(ssn));
2074 
2075  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2076 
2077  FLOW_INITIALIZE(&f);
2078  f.protoctx = (void *)&ssn;
2079  f.proto = IPPROTO_TCP;
2080  f.flags |= FLOW_IPV4;
2081  p->flow = &f;
2082  p->flowflags |= FLOW_PKT_TOSERVER;
2083  p->flowflags |= FLOW_PKT_ESTABLISHED;
2084  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2085  f.alproto = ALPROTO_HTTP1;
2086 
2087  StreamTcpInitConfig(true);
2088 
2089  de_ctx = DetectEngineCtxInit();
2090  if (de_ctx == NULL)
2091  goto end;
2092 
2093  de_ctx->flags |= DE_QUIET;
2094 
2095  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2096  "(msg:\"http_host header test\"; "
2097  "content:\"kaboom\"; http_host; "
2098  "sid:1;)");
2099  if (de_ctx->sig_list == NULL)
2100  goto end;
2101 
2102  SigGroupBuild(de_ctx);
2103  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2104 
2105  int r = AppLayerParserParse(
2106  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2107  if (r != 0) {
2108  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2109  result = 0;
2110  goto end;
2111  }
2112 
2113  http_state = f.alstate;
2114  if (http_state == NULL) {
2115  printf("no http state: ");
2116  result = 0;
2117  goto end;
2118  }
2119 
2120  /* do detect */
2121  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2122 
2123  if (!PacketAlertCheck(p, 1)) {
2124  printf("sid 1 didn't match but should have: ");
2125  goto end;
2126  }
2127 
2128  result = 1;
2129 
2130 end:
2131  if (alp_tctx != NULL)
2132  AppLayerParserThreadCtxFree(alp_tctx);
2133  if (de_ctx != NULL)
2134  SigGroupCleanup(de_ctx);
2135  if (de_ctx != NULL)
2136  SigCleanSignatures(de_ctx);
2137  if (de_ctx != NULL)
2138  DetectEngineCtxFree(de_ctx);
2139 
2140  StreamTcpFreeConfig(true);
2141  FLOW_DESTROY(&f);
2142  UTHFreePackets(&p, 1);
2143  return result;
2144 }
2145 
2146 static int DetectEngineHttpHHTest23(void)
2147 {
2148  TcpSession ssn;
2149  Packet *p = NULL;
2150  ThreadVars th_v;
2151  DetectEngineCtx *de_ctx = NULL;
2152  DetectEngineThreadCtx *det_ctx = NULL;
2153  HtpState *http_state = NULL;
2154  Flow f;
2155  uint8_t http_buf[] =
2156  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2157  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2158  uint32_t http_len = sizeof(http_buf) - 1;
2159  int result = 0;
2160  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2161 
2162  memset(&th_v, 0, sizeof(th_v));
2163  memset(&f, 0, sizeof(f));
2164  memset(&ssn, 0, sizeof(ssn));
2165 
2166  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2167 
2168  FLOW_INITIALIZE(&f);
2169  f.protoctx = (void *)&ssn;
2170  f.proto = IPPROTO_TCP;
2171  f.flags |= FLOW_IPV4;
2172  p->flow = &f;
2173  p->flowflags |= FLOW_PKT_TOSERVER;
2174  p->flowflags |= FLOW_PKT_ESTABLISHED;
2175  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2176  f.alproto = ALPROTO_HTTP1;
2177 
2178  StreamTcpInitConfig(true);
2179 
2180  de_ctx = DetectEngineCtxInit();
2181  if (de_ctx == NULL)
2182  goto end;
2183 
2184  de_ctx->flags |= DE_QUIET;
2185 
2186  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2187  "(msg:\"http_host header test\"; "
2188  "content:\"8080\"; http_host; "
2189  "sid:1;)");
2190  if (de_ctx->sig_list == NULL)
2191  goto end;
2192 
2193  SigGroupBuild(de_ctx);
2194  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2195 
2196  int r = AppLayerParserParse(
2197  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2198  if (r != 0) {
2199  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2200  result = 0;
2201  goto end;
2202  }
2203 
2204  http_state = f.alstate;
2205  if (http_state == NULL) {
2206  printf("no http state: ");
2207  result = 0;
2208  goto end;
2209  }
2210 
2211  /* do detect */
2212  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2213 
2214  if (PacketAlertCheck(p, 1)) {
2215  printf("sid 1 matched but it shouldn't have: ");
2216  goto end;
2217  }
2218 
2219  result = 1;
2220 
2221 end:
2222  if (alp_tctx != NULL)
2223  AppLayerParserThreadCtxFree(alp_tctx);
2224  if (de_ctx != NULL)
2225  SigGroupCleanup(de_ctx);
2226  if (de_ctx != NULL)
2227  SigCleanSignatures(de_ctx);
2228  if (de_ctx != NULL)
2229  DetectEngineCtxFree(de_ctx);
2230 
2231  StreamTcpFreeConfig(true);
2232  FLOW_DESTROY(&f);
2233  UTHFreePackets(&p, 1);
2234  return result;
2235 }
2236 
2237 static int DetectEngineHttpHHTest24(void)
2238 {
2239  TcpSession ssn;
2240  Packet *p = NULL;
2241  ThreadVars th_v;
2242  DetectEngineCtx *de_ctx = NULL;
2243  DetectEngineThreadCtx *det_ctx = NULL;
2244  HtpState *http_state = NULL;
2245  Flow f;
2246  uint8_t http_buf[] =
2247  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2248  "Host: www.rabbit.com\r\n"
2249  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2250  uint32_t http_len = sizeof(http_buf) - 1;
2251  int result = 0;
2252  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2253 
2254  memset(&th_v, 0, sizeof(th_v));
2255  memset(&f, 0, sizeof(f));
2256  memset(&ssn, 0, sizeof(ssn));
2257 
2258  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2259 
2260  FLOW_INITIALIZE(&f);
2261  f.protoctx = (void *)&ssn;
2262  f.proto = IPPROTO_TCP;
2263  f.flags |= FLOW_IPV4;
2264  p->flow = &f;
2265  p->flowflags |= FLOW_PKT_TOSERVER;
2266  p->flowflags |= FLOW_PKT_ESTABLISHED;
2267  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2268  f.alproto = ALPROTO_HTTP1;
2269 
2270  StreamTcpInitConfig(true);
2271 
2272  de_ctx = DetectEngineCtxInit();
2273  if (de_ctx == NULL)
2274  goto end;
2275 
2276  de_ctx->flags |= DE_QUIET;
2277 
2278  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2279  "(msg:\"http_host header test\"; "
2280  "content:\"kaboom\"; http_host; "
2281  "sid:1;)");
2282  if (de_ctx->sig_list == NULL)
2283  goto end;
2284 
2285  SigGroupBuild(de_ctx);
2286  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2287 
2288  int r = AppLayerParserParse(
2289  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2290  if (r != 0) {
2291  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2292  result = 0;
2293  goto end;
2294  }
2295 
2296  http_state = f.alstate;
2297  if (http_state == NULL) {
2298  printf("no http state: ");
2299  result = 0;
2300  goto end;
2301  }
2302 
2303  /* do detect */
2304  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2305 
2306  if (!PacketAlertCheck(p, 1)) {
2307  printf("sid 1 didn't match but it should have: ");
2308  goto end;
2309  }
2310 
2311  result = 1;
2312 
2313 end:
2314  if (alp_tctx != NULL)
2315  AppLayerParserThreadCtxFree(alp_tctx);
2316  if (de_ctx != NULL)
2317  SigGroupCleanup(de_ctx);
2318  if (de_ctx != NULL)
2319  SigCleanSignatures(de_ctx);
2320  if (de_ctx != NULL)
2321  DetectEngineCtxFree(de_ctx);
2322 
2323  StreamTcpFreeConfig(true);
2324  FLOW_DESTROY(&f);
2325  UTHFreePackets(&p, 1);
2326  return result;
2327 }
2328 
2329 static int DetectEngineHttpHHTest25(void)
2330 {
2331  TcpSession ssn;
2332  Packet *p = NULL;
2333  ThreadVars th_v;
2334  DetectEngineCtx *de_ctx = NULL;
2335  DetectEngineThreadCtx *det_ctx = NULL;
2336  HtpState *http_state = NULL;
2337  Flow f;
2338  uint8_t http_buf[] =
2339  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2340  "Host: www.rabbit.com\r\n"
2341  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2342  uint32_t http_len = sizeof(http_buf) - 1;
2343  int result = 0;
2344  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2345 
2346  memset(&th_v, 0, sizeof(th_v));
2347  memset(&f, 0, sizeof(f));
2348  memset(&ssn, 0, sizeof(ssn));
2349 
2350  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2351 
2352  FLOW_INITIALIZE(&f);
2353  f.protoctx = (void *)&ssn;
2354  f.proto = IPPROTO_TCP;
2355  f.flags |= FLOW_IPV4;
2356  p->flow = &f;
2357  p->flowflags |= FLOW_PKT_TOSERVER;
2358  p->flowflags |= FLOW_PKT_ESTABLISHED;
2359  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2360  f.alproto = ALPROTO_HTTP1;
2361 
2362  StreamTcpInitConfig(true);
2363 
2364  de_ctx = DetectEngineCtxInit();
2365  if (de_ctx == NULL)
2366  goto end;
2367 
2368  de_ctx->flags |= DE_QUIET;
2369 
2370  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2371  "(msg:\"http_host header test\"; "
2372  "content:\"rabbit\"; http_host; "
2373  "sid:1;)");
2374  if (de_ctx->sig_list == NULL)
2375  goto end;
2376 
2377  SigGroupBuild(de_ctx);
2378  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2379 
2380  int r = AppLayerParserParse(
2381  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2382  if (r != 0) {
2383  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2384  result = 0;
2385  goto end;
2386  }
2387 
2388  http_state = f.alstate;
2389  if (http_state == NULL) {
2390  printf("no http state: ");
2391  result = 0;
2392  goto end;
2393  }
2394 
2395  /* do detect */
2396  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2397 
2398  if (PacketAlertCheck(p, 1)) {
2399  printf("sid 1 matched but it shouldn't have: ");
2400  goto end;
2401  }
2402 
2403  result = 1;
2404 
2405 end:
2406  if (alp_tctx != NULL)
2407  AppLayerParserThreadCtxFree(alp_tctx);
2408  if (de_ctx != NULL)
2409  SigGroupCleanup(de_ctx);
2410  if (de_ctx != NULL)
2411  SigCleanSignatures(de_ctx);
2412  if (de_ctx != NULL)
2413  DetectEngineCtxFree(de_ctx);
2414 
2415  StreamTcpFreeConfig(true);
2416  FLOW_DESTROY(&f);
2417  UTHFreePackets(&p, 1);
2418  return result;
2419 }
2420 
2421 /**
2422  * \test Test that a signature containting a http_host is correctly parsed
2423  * and the keyword is registered.
2424  */
2425 static int DetectHttpHHTest01(void)
2426 {
2427  DetectEngineCtx *de_ctx = NULL;
2428  int result = 0;
2429 
2430  de_ctx = DetectEngineCtxInit();
2431  if (de_ctx == NULL)
2432  goto end;
2433 
2434  de_ctx->flags |= DE_QUIET;
2435  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2436  "(msg:\"Testing http_host\"; "
2437  "content:\"one\"; http_host; sid:1;)");
2438  if (de_ctx->sig_list != NULL) {
2439  result = 1;
2440  } else {
2441  goto end;
2442  }
2443 
2444  end:
2445  DetectEngineCtxFree(de_ctx);
2446 
2447  return result;
2448 }
2449 
2450 /**
2451  * \test Test that a signature containing an valid http_host entry is
2452  * parsed.
2453  */
2454 static int DetectHttpHHTest02(void)
2455 {
2456  DetectEngineCtx *de_ctx = NULL;
2457  int result = 0;
2458 
2459  de_ctx = DetectEngineCtxInit();
2460  if (de_ctx == NULL)
2461  goto end;
2462 
2463  de_ctx->flags |= DE_QUIET;
2464  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2465  "(msg:\"Testing http_host\"; "
2466  "content:\"one\"; http_host; sid:1;)");
2467  if (de_ctx->sig_list != NULL)
2468  result = 1;
2469 
2470  end:
2471  DetectEngineCtxFree(de_ctx);
2472 
2473  return result;
2474 }
2475 
2476 /**
2477  * \test Test that an invalid signature containing no content but a
2478  * http_host is invalidated.
2479  */
2480 static int DetectHttpHHTest03(void)
2481 {
2482  DetectEngineCtx *de_ctx = NULL;
2483  int result = 0;
2484 
2485  de_ctx = DetectEngineCtxInit();
2486  if (de_ctx == NULL)
2487  goto end;
2488 
2489  de_ctx->flags |= DE_QUIET;
2490  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2491  "(msg:\"Testing http_host\"; "
2492  "http_host; sid:1;)");
2493  if (de_ctx->sig_list == NULL)
2494  result = 1;
2495 
2496  end:
2497  DetectEngineCtxFree(de_ctx);
2498 
2499  return result;
2500 }
2501 
2502 /**
2503  * \test Test that an invalid signature containing a rawbytes along with a
2504  * http_host is invalidated.
2505  */
2506 static int DetectHttpHHTest04(void)
2507 {
2508  DetectEngineCtx *de_ctx = NULL;
2509  int result = 0;
2510 
2511  de_ctx = DetectEngineCtxInit();
2512  if (de_ctx == NULL)
2513  goto end;
2514 
2515  de_ctx->flags |= DE_QUIET;
2516  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2517  "(msg:\"Testing http_host\"; "
2518  "content:\"one\"; rawbytes; http_host; sid:1;)");
2519  if (de_ctx->sig_list == NULL)
2520  result = 1;
2521 
2522  end:
2523  DetectEngineCtxFree(de_ctx);
2524 
2525  return result;
2526 }
2527 
2528 /**
2529  * \test Test that a http_host with nocase is parsed.
2530  */
2531 static int DetectHttpHHTest05(void)
2532 {
2533  DetectEngineCtx *de_ctx = NULL;
2534  int result = 0;
2535 
2536  de_ctx = DetectEngineCtxInit();
2537  if (de_ctx == NULL)
2538  goto end;
2539 
2540  de_ctx->flags |= DE_QUIET;
2541  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2542  "(msg:\"Testing http_host\"; "
2543  "content:\"one\"; http_host; sid:1;)");
2544  if (de_ctx->sig_list != NULL)
2545  result = 1;
2546 
2547  end:
2548  DetectEngineCtxFree(de_ctx);
2549 
2550  return result;
2551 }
2552 
2553 /** \test invalid sig: uppercase content */
2554 static int DetectHttpHHTest05a(void)
2555 {
2556  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2557  FAIL_IF_NULL(de_ctx);
2558  de_ctx->flags |= DE_QUIET;
2559 
2560  Signature *s = DetectEngineAppendSig(de_ctx,
2561  "alert tcp any any -> any any "
2562  "(content:\"ABC\"; http_host; sid:1;)");
2563  FAIL_IF_NOT_NULL(s);
2564 
2565  DetectEngineCtxFree(de_ctx);
2566  PASS;
2567 }
2568 
2569 /**
2570  *\test Test that the http_host content matches against a http request
2571  * which holds the content.
2572  */
2573 static int DetectHttpHHTest06(void)
2574 {
2575  TcpSession ssn;
2576  Packet *p = NULL;
2577  ThreadVars th_v;
2578  DetectEngineCtx *de_ctx = NULL;
2579  DetectEngineThreadCtx *det_ctx = NULL;
2580  HtpState *http_state = NULL;
2581  Flow f;
2582  uint8_t http_buf[] =
2583  "GET /index.html HTTP/1.0\r\n"
2584  "User-Agent: www.openinfosecfoundation.org\r\n"
2585  "Host: This is dummy message body\r\n"
2586  "Content-Type: text/html\r\n"
2587  "\r\n";
2588  uint32_t http_len = sizeof(http_buf) - 1;
2589  int result = 0;
2590  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2591 
2592  memset(&th_v, 0, sizeof(th_v));
2593  memset(&f, 0, sizeof(f));
2594  memset(&ssn, 0, sizeof(ssn));
2595 
2596  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2597 
2598  FLOW_INITIALIZE(&f);
2599  f.protoctx = (void *)&ssn;
2600  f.proto = IPPROTO_TCP;
2601  f.flags |= FLOW_IPV4;
2602 
2603  p->flow = &f;
2604  p->flowflags |= FLOW_PKT_TOSERVER;
2605  p->flowflags |= FLOW_PKT_ESTABLISHED;
2606  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2607  f.alproto = ALPROTO_HTTP1;
2608 
2609  StreamTcpInitConfig(true);
2610 
2611  de_ctx = DetectEngineCtxInit();
2612  if (de_ctx == NULL)
2613  goto end;
2614 
2615  de_ctx->flags |= DE_QUIET;
2616 
2617  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2618  "(msg:\"http host test\"; "
2619  "content:\"message\"; http_host; "
2620  "sid:1;)");
2621  if (de_ctx->sig_list == NULL)
2622  goto end;
2623 
2624  SigGroupBuild(de_ctx);
2625  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2626 
2627  int r = AppLayerParserParse(
2628  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2629  if (r != 0) {
2630  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2631  result = 0;
2632  goto end;
2633  }
2634 
2635  http_state = f.alstate;
2636  if (http_state == NULL) {
2637  printf("no http state: \n");
2638  result = 0;
2639  goto end;
2640  }
2641 
2642  /* do detect */
2643  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2644 
2645  if (!(PacketAlertCheck(p, 1))) {
2646  printf("sid 1 didn't match but should have\n");
2647  goto end;
2648  }
2649 
2650  result = 1;
2651 end:
2652  if (alp_tctx != NULL)
2653  AppLayerParserThreadCtxFree(alp_tctx);
2654  if (de_ctx != NULL)
2655  DetectEngineCtxFree(de_ctx);
2656 
2657  StreamTcpFreeConfig(true);
2658  FLOW_DESTROY(&f);
2659  UTHFreePackets(&p, 1);
2660  return result;
2661 }
2662 
2663 /**
2664  *\test Test that the http_host content matches against a http request
2665  * which holds the content.
2666  */
2667 static int DetectHttpHHTest07(void)
2668 {
2669  TcpSession ssn;
2670  Packet *p1 = NULL;
2671  Packet *p2 = NULL;
2672  ThreadVars th_v;
2673  DetectEngineCtx *de_ctx = NULL;
2674  DetectEngineThreadCtx *det_ctx = NULL;
2675  HtpState *http_state = NULL;
2676  Flow f;
2677  uint8_t http1_buf[] =
2678  "GET /index.html HTTP/1.0\r\n"
2679  "User-Agent: www.openinfosecfoundation.org\r\n"
2680  "Host: This is dummy message";
2681  uint8_t http2_buf[] =
2682  "body1\r\n\r\n";
2683  uint32_t http1_len = sizeof(http1_buf) - 1;
2684  uint32_t http2_len = sizeof(http2_buf) - 1;
2685  int result = 0;
2686  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2687 
2688  memset(&th_v, 0, sizeof(th_v));
2689  memset(&f, 0, sizeof(f));
2690  memset(&ssn, 0, sizeof(ssn));
2691 
2692  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2693  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2694 
2695  FLOW_INITIALIZE(&f);
2696  f.protoctx = (void *)&ssn;
2697  f.proto = IPPROTO_TCP;
2698  f.flags |= FLOW_IPV4;
2699 
2700  p1->flow = &f;
2701  p1->flowflags |= FLOW_PKT_TOSERVER;
2702  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2703  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2704  p2->flow = &f;
2705  p2->flowflags |= FLOW_PKT_TOSERVER;
2706  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2707  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2708  f.alproto = ALPROTO_HTTP1;
2709 
2710  StreamTcpInitConfig(true);
2711 
2712  de_ctx = DetectEngineCtxInit();
2713  if (de_ctx == NULL)
2714  goto end;
2715 
2716  de_ctx->flags |= DE_QUIET;
2717 
2718  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2719  "(msg:\"http host test\"; "
2720  "content:\"message\"; http_host; "
2721  "sid:1;)");
2722  if (de_ctx->sig_list == NULL)
2723  goto end;
2724 
2725  SigGroupBuild(de_ctx);
2726  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2727 
2728  int r = AppLayerParserParse(
2729  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2730  if (r != 0) {
2731  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2732  result = 0;
2733  goto end;
2734  }
2735 
2736  http_state = f.alstate;
2737  if (http_state == NULL) {
2738  printf("no http state: ");
2739  goto end;
2740  }
2741 
2742  /* do detect */
2743  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2744 
2745  if (PacketAlertCheck(p1, 1)) {
2746  printf("sid 1 matched on p1 but shouldn't have: ");
2747  goto end;
2748  }
2749 
2750  r = AppLayerParserParse(
2751  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2752  if (r != 0) {
2753  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2754  goto end;
2755  }
2756 
2757  /* do detect */
2758  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2759  if (!(PacketAlertCheck(p2, 1))) {
2760  printf("sid 1 didn't match on p2 but should have: ");
2761  goto end;
2762  }
2763 
2764  result = 1;
2765 end:
2766  if (alp_tctx != NULL)
2767  AppLayerParserThreadCtxFree(alp_tctx);
2768  if (de_ctx != NULL)
2769  DetectEngineCtxFree(de_ctx);
2770 
2771  StreamTcpFreeConfig(true);
2772  FLOW_DESTROY(&f);
2773  UTHFreePackets(&p1, 1);
2774  UTHFreePackets(&p2, 1);
2775  return result;
2776 }
2777 
2778 /**
2779  *\test Test that the http_host content matches against a http request
2780  * which holds the content.
2781  */
2782 static int DetectHttpHHTest08(void)
2783 {
2784  TcpSession ssn;
2785  Packet *p1 = NULL;
2786  Packet *p2 = NULL;
2787  ThreadVars th_v;
2788  DetectEngineCtx *de_ctx = NULL;
2789  DetectEngineThreadCtx *det_ctx = NULL;
2790  HtpState *http_state = NULL;
2791  Flow f;
2792  uint8_t http1_buf[] =
2793  "GET /index.html HTTP/1.0\r\n"
2794  "User-Agent: www.openinfosecfoundation.org\r\n"
2795  "host: This is dummy mess";
2796  uint8_t http2_buf[] =
2797  "age body\r\n\r\n";
2798  uint32_t http1_len = sizeof(http1_buf) - 1;
2799  uint32_t http2_len = sizeof(http2_buf) - 1;
2800  int result = 0;
2801  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2802 
2803  memset(&th_v, 0, sizeof(th_v));
2804  memset(&f, 0, sizeof(f));
2805  memset(&ssn, 0, sizeof(ssn));
2806 
2807  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2808  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2809 
2810  FLOW_INITIALIZE(&f);
2811  f.protoctx = (void *)&ssn;
2812  f.proto = IPPROTO_TCP;
2813  f.flags |= FLOW_IPV4;
2814 
2815  p1->flow = &f;
2816  p1->flowflags |= FLOW_PKT_TOSERVER;
2817  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2818  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2819  p2->flow = &f;
2820  p2->flowflags |= FLOW_PKT_TOSERVER;
2821  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2822  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2823  f.alproto = ALPROTO_HTTP1;
2824 
2825  StreamTcpInitConfig(true);
2826 
2827  de_ctx = DetectEngineCtxInit();
2828  if (de_ctx == NULL)
2829  goto end;
2830 
2831  de_ctx->flags |= DE_QUIET;
2832 
2833  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2834  "(msg:\"http host test\"; "
2835  "content:\"message\"; http_host; "
2836  "sid:1;)");
2837  if (de_ctx->sig_list == NULL)
2838  goto end;
2839 
2840  SigGroupBuild(de_ctx);
2841  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2842 
2843  int r = AppLayerParserParse(
2844  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2845  if (r != 0) {
2846  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2847  result = 0;
2848  goto end;
2849  }
2850 
2851  http_state = f.alstate;
2852  if (http_state == NULL) {
2853  printf("no http state: ");
2854  result = 0;
2855  goto end;
2856  }
2857 
2858  /* do detect */
2859  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2860 
2861  if ((PacketAlertCheck(p1, 1))) {
2862  printf("sid 1 didn't match but should have");
2863  goto end;
2864  }
2865 
2866  r = AppLayerParserParse(
2867  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2868  if (r != 0) {
2869  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2870  result = 0;
2871  goto end;
2872  }
2873 
2874  /* do detect */
2875  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2876 
2877  if (!(PacketAlertCheck(p2, 1))) {
2878  printf("sid 1 didn't match but should have");
2879  goto end;
2880  }
2881 
2882  result = 1;
2883 end:
2884  if (alp_tctx != NULL)
2885  AppLayerParserThreadCtxFree(alp_tctx);
2886  if (de_ctx != NULL)
2887  DetectEngineCtxFree(de_ctx);
2888 
2889  StreamTcpFreeConfig(true);
2890  FLOW_DESTROY(&f);
2891  UTHFreePackets(&p1, 1);
2892  UTHFreePackets(&p2, 1);
2893  return result;
2894 }
2895 
2896 /**
2897  *\test Test that the http_host content matches against a http request
2898  * which holds the content, against a cross boundary present pattern.
2899  */
2900 static int DetectHttpHHTest09(void)
2901 {
2902  TcpSession ssn;
2903  Packet *p1 = NULL;
2904  Packet *p2 = NULL;
2905  ThreadVars th_v;
2906  DetectEngineCtx *de_ctx = NULL;
2907  DetectEngineThreadCtx *det_ctx = NULL;
2908  HtpState *http_state = NULL;
2909  Flow f;
2910  uint8_t http1_buf[] =
2911  "GET /index.html HTTP/1.0\r\n"
2912  "User-Agent: www.openinfosecfoundation.org\r\n"
2913  "Host: This is dummy body1";
2914  uint8_t http2_buf[] =
2915  "This is dummy message body2\r\n"
2916  "Content-Type: text/html\r\n"
2917  "Content-Length: 46\r\n"
2918  "\r\n"
2919  "This is dummy body1";
2920  uint32_t http1_len = sizeof(http1_buf) - 1;
2921  uint32_t http2_len = sizeof(http2_buf) - 1;
2922  int result = 0;
2923  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2924 
2925  memset(&th_v, 0, sizeof(th_v));
2926  memset(&f, 0, sizeof(f));
2927  memset(&ssn, 0, sizeof(ssn));
2928 
2929  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2930  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2931 
2932  FLOW_INITIALIZE(&f);
2933  f.protoctx = (void *)&ssn;
2934  f.proto = IPPROTO_TCP;
2935  f.flags |= FLOW_IPV4;
2936 
2937  p1->flow = &f;
2938  p1->flowflags |= FLOW_PKT_TOSERVER;
2939  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2940  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2941  p2->flow = &f;
2942  p2->flowflags |= FLOW_PKT_TOSERVER;
2943  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2944  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2945  f.alproto = ALPROTO_HTTP1;
2946 
2947  StreamTcpInitConfig(true);
2948 
2949  de_ctx = DetectEngineCtxInit();
2950  if (de_ctx == NULL)
2951  goto end;
2952 
2953  de_ctx->flags |= DE_QUIET;
2954 
2955  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2956  "(msg:\"http host test\"; "
2957  "content:\"body1this\"; http_host; "
2958  "sid:1;)");
2959  if (de_ctx->sig_list == NULL)
2960  goto end;
2961 
2962  SigGroupBuild(de_ctx);
2963  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2964 
2965  int r = AppLayerParserParse(
2966  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2967  if (r != 0) {
2968  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2969  result = 0;
2970  goto end;
2971  }
2972 
2973  http_state = f.alstate;
2974  if (http_state == NULL) {
2975  printf("no http state: ");
2976  result = 0;
2977  goto end;
2978  }
2979 
2980  /* do detect */
2981  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2982 
2983  if ((PacketAlertCheck(p1, 1))) {
2984  printf("sid 1 didn't match but should have");
2985  goto end;
2986  }
2987 
2988  r = AppLayerParserParse(
2989  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2990  if (r != 0) {
2991  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2992  result = 0;
2993  goto end;
2994  }
2995 
2996  /* do detect */
2997  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2998 
2999  if (!(PacketAlertCheck(p2, 1))) {
3000  printf("sid 1 didn't match but should have");
3001  goto end;
3002  }
3003 
3004  result = 1;
3005 end:
3006  if (alp_tctx != NULL)
3007  AppLayerParserThreadCtxFree(alp_tctx);
3008  if (de_ctx != NULL)
3009  DetectEngineCtxFree(de_ctx);
3010 
3011  StreamTcpFreeConfig(true);
3012  FLOW_DESTROY(&f);
3013  UTHFreePackets(&p1, 1);
3014  UTHFreePackets(&p2, 1);
3015  return result;
3016 }
3017 
3018 /**
3019  *\test Test that the http_host content matches against a http request
3020  * against a case insensitive pattern.
3021  */
3022 static int DetectHttpHHTest10(void)
3023 {
3024  TcpSession ssn;
3025  Packet *p1 = NULL;
3026  Packet *p2 = NULL;
3027  ThreadVars th_v;
3028  DetectEngineCtx *de_ctx = NULL;
3029  DetectEngineThreadCtx *det_ctx = NULL;
3030  HtpState *http_state = NULL;
3031  Flow f;
3032  uint8_t http1_buf[] =
3033  "GET /index.html HTTP/1.0\r\n"
3034  "User-Agent: www.openinfosecfoundation.org\r\n"
3035  "Host: This is dummy bodY1";
3036  uint8_t http2_buf[] =
3037  "This is dummy message body2\r\n"
3038  "Content-Type: text/html\r\n"
3039  "Content-Length: 46\r\n"
3040  "\r\n"
3041  "This is dummy bodY1";
3042  uint32_t http1_len = sizeof(http1_buf) - 1;
3043  uint32_t http2_len = sizeof(http2_buf) - 1;
3044  int result = 0;
3045  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3046 
3047  memset(&th_v, 0, sizeof(th_v));
3048  memset(&f, 0, sizeof(f));
3049  memset(&ssn, 0, sizeof(ssn));
3050 
3051  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3052  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3053 
3054  FLOW_INITIALIZE(&f);
3055  f.protoctx = (void *)&ssn;
3056  f.proto = IPPROTO_TCP;
3057  f.flags |= FLOW_IPV4;
3058 
3059  p1->flow = &f;
3060  p1->flowflags |= FLOW_PKT_TOSERVER;
3061  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3062  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3063  p2->flow = &f;
3064  p2->flowflags |= FLOW_PKT_TOSERVER;
3065  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3066  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3067  f.alproto = ALPROTO_HTTP1;
3068 
3069  StreamTcpInitConfig(true);
3070 
3071  de_ctx = DetectEngineCtxInit();
3072  if (de_ctx == NULL)
3073  goto end;
3074 
3075  de_ctx->flags |= DE_QUIET;
3076 
3077  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3078  "(msg:\"http host test\"; "
3079  "content:\"body1this\"; http_host; "
3080  "sid:1;)");
3081  if (de_ctx->sig_list == NULL)
3082  goto end;
3083 
3084  SigGroupBuild(de_ctx);
3085  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3086 
3087  int r = AppLayerParserParse(
3088  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3089  if (r != 0) {
3090  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3091  result = 0;
3092  goto end;
3093  }
3094 
3095  http_state = f.alstate;
3096  if (http_state == NULL) {
3097  printf("no http state: \n");
3098  result = 0;
3099  goto end;
3100  }
3101 
3102  /* do detect */
3103  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3104 
3105  if ((PacketAlertCheck(p1, 1))) {
3106  printf("sid 1 didn't match but should have\n");
3107  goto end;
3108  }
3109 
3110  r = AppLayerParserParse(
3111  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3112  if (r != 0) {
3113  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3114  result = 0;
3115  goto end;
3116  }
3117 
3118 
3119  /* do detect */
3120  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3121 
3122  if (!(PacketAlertCheck(p2, 1))) {
3123  printf("sid 1 didn't match but should have");
3124  goto end;
3125  }
3126 
3127  result = 1;
3128 end:
3129  if (alp_tctx != NULL)
3130  AppLayerParserThreadCtxFree(alp_tctx);
3131  if (de_ctx != NULL)
3132  DetectEngineCtxFree(de_ctx);
3133 
3134  StreamTcpFreeConfig(true);
3135  FLOW_DESTROY(&f);
3136  UTHFreePackets(&p1, 1);
3137  UTHFreePackets(&p2, 1);
3138  return result;
3139 }
3140 
3141 /**
3142  *\test Test that the negated http_host content matches against a
3143  * http request which doesn't hold the content.
3144  */
3145 static int DetectHttpHHTest11(void)
3146 {
3147  TcpSession ssn;
3148  Packet *p = NULL;
3149  ThreadVars th_v;
3150  DetectEngineCtx *de_ctx = NULL;
3151  DetectEngineThreadCtx *det_ctx = NULL;
3152  HtpState *http_state = NULL;
3153  Flow f;
3154  uint8_t http_buf[] =
3155  "GET /index.html HTTP/1.0\r\n"
3156  "User-Agent: www.openinfosecfoundation.org\r\n"
3157  "Host: This is dummy message body\r\n"
3158  "Content-Type: text/html\r\n"
3159  "\r\n";
3160  uint32_t http_len = sizeof(http_buf) - 1;
3161  int result = 0;
3162  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3163 
3164  memset(&th_v, 0, sizeof(th_v));
3165  memset(&f, 0, sizeof(f));
3166  memset(&ssn, 0, sizeof(ssn));
3167 
3168  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3169 
3170  FLOW_INITIALIZE(&f);
3171  f.protoctx = (void *)&ssn;
3172  f.proto = IPPROTO_TCP;
3173  f.flags |= FLOW_IPV4;
3174 
3175  p->flow = &f;
3176  p->flowflags |= FLOW_PKT_TOSERVER;
3177  p->flowflags |= FLOW_PKT_ESTABLISHED;
3178  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3179  f.alproto = ALPROTO_HTTP1;
3180 
3181  StreamTcpInitConfig(true);
3182 
3183  de_ctx = DetectEngineCtxInit();
3184  if (de_ctx == NULL)
3185  goto end;
3186 
3187  de_ctx->flags |= DE_QUIET;
3188 
3189  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3190  "(msg:\"http host test\"; "
3191  "content:!\"message\"; http_host; "
3192  "sid:1;)");
3193  if (de_ctx->sig_list == NULL)
3194  goto end;
3195 
3196  SigGroupBuild(de_ctx);
3197  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3198 
3199  int r = AppLayerParserParse(
3200  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3201  if (r != 0) {
3202  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3203  result = 0;
3204  goto end;
3205  }
3206 
3207  http_state = f.alstate;
3208  if (http_state == NULL) {
3209  printf("no http state: ");
3210  result = 0;
3211  goto end;
3212  }
3213 
3214  /* do detect */
3215  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3216 
3217  if (PacketAlertCheck(p, 1)) {
3218  printf("sid 1 matched but shouldn't have");
3219  goto end;
3220  }
3221 
3222  result = 1;
3223 end:
3224  if (alp_tctx != NULL)
3225  AppLayerParserThreadCtxFree(alp_tctx);
3226  if (de_ctx != NULL)
3227  DetectEngineCtxFree(de_ctx);
3228 
3229  StreamTcpFreeConfig(true);
3230  FLOW_DESTROY(&f);
3231  UTHFreePackets(&p, 1);
3232  return result;
3233 }
3234 
3235 /**
3236  *\test Negative test that the negated http_host content matches against a
3237  * http request which holds hold the content.
3238  */
3239 static int DetectHttpHHTest12(void)
3240 {
3241  TcpSession ssn;
3242  Packet *p = NULL;
3243  ThreadVars th_v;
3244  DetectEngineCtx *de_ctx = NULL;
3245  DetectEngineThreadCtx *det_ctx = NULL;
3246  HtpState *http_state = NULL;
3247  Flow f;
3248  uint8_t http_buf[] =
3249  "GET /index.html HTTP/1.0\r\n"
3250  "User-Agent: www.openinfosecfoundation.org\r\n"
3251  "Host: This is dummy body\r\n"
3252  "\r\n";
3253  uint32_t http_len = sizeof(http_buf) - 1;
3254  int result = 0;
3255  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3256 
3257  memset(&th_v, 0, sizeof(th_v));
3258  memset(&f, 0, sizeof(f));
3259  memset(&ssn, 0, sizeof(ssn));
3260 
3261  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3262 
3263  FLOW_INITIALIZE(&f);
3264  f.protoctx = (void *)&ssn;
3265  f.proto = IPPROTO_TCP;
3266  f.flags |= FLOW_IPV4;
3267 
3268  p->flow = &f;
3269  p->flowflags |= FLOW_PKT_TOSERVER;
3270  p->flowflags |= FLOW_PKT_ESTABLISHED;
3271  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3272  f.alproto = ALPROTO_HTTP1;
3273 
3274  StreamTcpInitConfig(true);
3275 
3276  de_ctx = DetectEngineCtxInit();
3277  if (de_ctx == NULL)
3278  goto end;
3279 
3280  de_ctx->flags |= DE_QUIET;
3281 
3282  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3283  "(msg:\"http host test\"; "
3284  "content:!\"message\"; http_host; "
3285  "sid:1;)");
3286  if (de_ctx->sig_list == NULL)
3287  goto end;
3288 
3289  SigGroupBuild(de_ctx);
3290  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3291 
3292  int r = AppLayerParserParse(
3293  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3294  if (r != 0) {
3295  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3296  result = 0;
3297  goto end;
3298  }
3299 
3300  http_state = f.alstate;
3301  if (http_state == NULL) {
3302  printf("no http state: ");
3303  result = 0;
3304  goto end;
3305  }
3306 
3307  /* do detect */
3308  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3309 
3310  if (!(PacketAlertCheck(p, 1))) {
3311  printf("sid 1 didn't match but should have");
3312  goto end;
3313  }
3314 
3315  result = 1;
3316 end:
3317  if (alp_tctx != NULL)
3318  AppLayerParserThreadCtxFree(alp_tctx);
3319  if (de_ctx != NULL)
3320  DetectEngineCtxFree(de_ctx);
3321 
3322  StreamTcpFreeConfig(true);
3323  FLOW_DESTROY(&f);
3324  UTHFreePackets(&p, 1);
3325  return result;
3326 }
3327 
3328 /**
3329  * \test Test that the http_host content matches against a http request
3330  * which holds the content.
3331  */
3332 static int DetectHttpHHTest13(void)
3333 {
3334  TcpSession ssn;
3335  Packet *p = NULL;
3336  ThreadVars th_v;
3337  DetectEngineCtx *de_ctx = NULL;
3338  DetectEngineThreadCtx *det_ctx = NULL;
3339  HtpState *http_state = NULL;
3340  Flow f;
3341  uint8_t http_buf[] =
3342  "GET /index.html HTTP/1.0\r\n"
3343  "User-Agent: www.openinfosecfoundation.org\r\n"
3344  "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
3345  "Content-Type: text/html\r\n"
3346  "\r\n";
3347  uint32_t http_len = sizeof(http_buf) - 1;
3348  int result = 0;
3349  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3350 
3351  memset(&th_v, 0, sizeof(th_v));
3352  memset(&f, 0, sizeof(f));
3353  memset(&ssn, 0, sizeof(ssn));
3354 
3355  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3356 
3357  FLOW_INITIALIZE(&f);
3358  f.protoctx = (void *)&ssn;
3359  f.proto = IPPROTO_TCP;
3360  f.flags |= FLOW_IPV4;
3361 
3362  p->flow = &f;
3363  p->flowflags |= FLOW_PKT_TOSERVER;
3364  p->flowflags |= FLOW_PKT_ESTABLISHED;
3365  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3366  f.alproto = ALPROTO_HTTP1;
3367 
3368  StreamTcpInitConfig(true);
3369 
3370  de_ctx = DetectEngineCtxInit();
3371  if (de_ctx == NULL)
3372  goto end;
3373 
3374  de_ctx->flags |= DE_QUIET;
3375 
3376  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3377  "(msg:\"http host test\"; "
3378  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_host; "
3379  "sid:1;)");
3380  if (de_ctx->sig_list == NULL)
3381  goto end;
3382 
3383  SigGroupBuild(de_ctx);
3384  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3385 
3386  int r = AppLayerParserParse(
3387  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3388  if (r != 0) {
3389  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3390  result = 0;
3391  goto end;
3392  }
3393 
3394  http_state = f.alstate;
3395  if (http_state == NULL) {
3396  printf("no http state: ");
3397  result = 0;
3398  goto end;
3399  }
3400 
3401  /* do detect */
3402  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3403 
3404  if (!(PacketAlertCheck(p, 1))) {
3405  printf("sid 1 didn't match but should have");
3406  goto end;
3407  }
3408 
3409  result = 1;
3410 end:
3411  if (alp_tctx != NULL)
3412  AppLayerParserThreadCtxFree(alp_tctx);
3413  if (de_ctx != NULL)
3414  DetectEngineCtxFree(de_ctx);
3415 
3416  StreamTcpFreeConfig(true);
3417  FLOW_DESTROY(&f);
3418  UTHFreePackets(&p, 1);
3419  return result;
3420 }
3421 
3422 /**
3423  * \test multiple http transactions and body chunks of request handling
3424  */
3425 static int DetectHttpHHTest14(void)
3426 {
3427  int result = 0;
3428  Signature *s = NULL;
3429  DetectEngineThreadCtx *det_ctx = NULL;
3430  ThreadVars th_v;
3431  Flow f;
3432  TcpSession ssn;
3433  Packet *p = NULL;
3434  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
3435  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
3436  uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
3437  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
3438  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
3439  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
3440  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
3441  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
3442  uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
3443  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
3444  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
3445  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
3446  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3447 
3448  memset(&th_v, 0, sizeof(th_v));
3449  memset(&f, 0, sizeof(f));
3450  memset(&ssn, 0, sizeof(ssn));
3451 
3452  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3453 
3454  FLOW_INITIALIZE(&f);
3455  f.protoctx = (void *)&ssn;
3456  f.proto = IPPROTO_TCP;
3457  f.flags |= FLOW_IPV4;
3458 
3459  p->flow = &f;
3460  p->flowflags |= FLOW_PKT_TOSERVER;
3461  p->flowflags |= FLOW_PKT_ESTABLISHED;
3462  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3463  f.alproto = ALPROTO_HTTP1;
3464 
3465  StreamTcpInitConfig(true);
3466 
3467  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3468  if (de_ctx == NULL) {
3469  goto end;
3470  }
3471 
3472  de_ctx->flags |= DE_QUIET;
3473 
3474  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; http_cookie; content:\"body one\"; http_host; sid:1; rev:1;)");
3475  if (s == NULL) {
3476  printf("sig parse failed: ");
3477  goto end;
3478  }
3479  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; http_cookie; content:\"body two\"; http_host; sid:2; rev:1;)");
3480  if (s == NULL) {
3481  printf("sig2 parse failed: ");
3482  goto end;
3483  }
3484 
3485  SigGroupBuild(de_ctx);
3486  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3487 
3488  int r = AppLayerParserParse(
3489  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
3490  if (r != 0) {
3491  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3492  goto end;
3493  }
3494 
3495  /* do detect */
3496  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3497  if (PacketAlertCheck(p, 1)) {
3498  printf("sig 1 alerted: ");
3499  goto end;
3500  }
3501  p->alerts.cnt = 0;
3502 
3503  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
3504  if (r != 0) {
3505  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
3506  goto end;
3507  }
3508 
3509  /* do detect */
3510  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3511  if (PacketAlertCheck(p, 1)) {
3512  printf("sig 1 alerted (2): ");
3513  goto end;
3514  }
3515  p->alerts.cnt = 0;
3516 
3517  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
3518  if (r != 0) {
3519  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
3520  goto end;
3521  }
3522 
3523  /* do detect */
3524  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3525  if (!(PacketAlertCheck(p, 1))) {
3526  printf("sig 1 didn't alert: ");
3527  goto end;
3528  }
3529  p->alerts.cnt = 0;
3530 
3531  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
3532  if (r != 0) {
3533  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
3534  goto end;
3535  }
3536 
3537  /* do detect */
3538  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3539  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
3540  printf("sig 1 alerted (4): ");
3541  goto end;
3542  }
3543  p->alerts.cnt = 0;
3544 
3545  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
3546  if (r != 0) {
3547  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
3548  goto end;
3549  }
3550 
3551  /* do detect */
3552  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3553  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
3554  printf("sig 1 alerted (request 2, chunk 6): ");
3555  goto end;
3556  }
3557  p->alerts.cnt = 0;
3558 
3559  SCLogDebug("sending data chunk 7");
3560 
3561  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
3562  if (r != 0) {
3563  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
3564  goto end;
3565  }
3566 
3567  /* do detect */
3568  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3569  if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
3570  printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
3571  goto end;
3572  }
3573  p->alerts.cnt = 0;
3574 
3575  HtpState *htp_state = f.alstate;
3576  if (htp_state == NULL) {
3577  printf("no http state: ");
3578  result = 0;
3579  goto end;
3580  }
3581 
3582  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
3583  printf("The http app layer doesn't have 2 transactions, but it should: ");
3584  goto end;
3585  }
3586 
3587  result = 1;
3588 end:
3589  if (alp_tctx != NULL)
3590  AppLayerParserThreadCtxFree(alp_tctx);
3591  if (det_ctx != NULL) {
3592  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3593  }
3594  if (de_ctx != NULL) {
3595  DetectEngineCtxFree(de_ctx);
3596  }
3597 
3598  StreamTcpFreeConfig(true);
3599  FLOW_DESTROY(&f);
3600  UTHFreePacket(p);
3601  return result;
3602 }
3603 
3604 static int DetectHttpHHTest22(void)
3605 {
3606  DetectEngineCtx *de_ctx = NULL;
3607  int result = 0;
3608 
3609  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3610  goto end;
3611 
3612  de_ctx->flags |= DE_QUIET;
3613  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3614  "(content:\"one\"; content:\"two\"; http_host; "
3615  "content:\"three\"; distance:10; http_host; content:\"four\"; sid:1;)");
3616  if (de_ctx->sig_list == NULL) {
3617  printf("de_ctx->sig_list == NULL\n");
3618  goto end;
3619  }
3620 
3621  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
3622  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
3623  goto end;
3624  }
3625 
3626  if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
3627  printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
3628  goto end;
3629  }
3630 
3631  DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
3632  DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
3633  DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
3634  DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
3635  if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 ||
3636  cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
3637  hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
3638  memcmp(hhhd1->content, "two", hhhd1->content_len) != 0 ||
3639  hhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
3640  memcmp(hhhd2->content, "three", hhhd1->content_len) != 0) {
3641  goto end;
3642  }
3643 
3644  if (!DETECT_CONTENT_IS_SINGLE(cd1) ||
3645  !DETECT_CONTENT_IS_SINGLE(cd2) ||
3646  DETECT_CONTENT_IS_SINGLE(hhhd1) ||
3647  DETECT_CONTENT_IS_SINGLE(hhhd2)) {
3648  goto end;
3649  }
3650 
3651  result = 1;
3652 
3653  end:
3654  DetectEngineCtxFree(de_ctx);
3655  return result;
3656 }
3657 
3658 static int DetectHttpHHTest23(void)
3659 {
3660  DetectEngineCtx *de_ctx = NULL;
3661  int result = 0;
3662 
3663  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3664  goto end;
3665 
3666  de_ctx->flags |= DE_QUIET;
3667  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3668  "(content:\"one\"; http_host; pcre:/two/; "
3669  "content:\"three\"; distance:10; http_host; content:\"four\"; sid:1;)");
3670  if (de_ctx->sig_list == NULL) {
3671  printf("de_ctx->sig_list == NULL\n");
3672  goto end;
3673  }
3674 
3675  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
3676  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
3677  goto end;
3678  }
3679 
3680  if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
3681  printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
3682  goto end;
3683  }
3684 
3685  DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
3686  DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
3687  DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
3688  DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
3689  if (pd1->flags != 0 ||
3690  cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
3691  hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
3692  memcmp(hhhd1->content, "one", hhhd1->content_len) != 0 ||
3693  hhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
3694  memcmp(hhhd2->content, "three", hhhd1->content_len) != 0) {
3695  goto end;
3696  }
3697 
3698  if (!DETECT_CONTENT_IS_SINGLE(cd2) ||
3699  DETECT_CONTENT_IS_SINGLE(hhhd1) ||
3700  DETECT_CONTENT_IS_SINGLE(hhhd2)) {
3701  goto end;
3702  }
3703 
3704  result = 1;
3705 
3706  end:
3707  DetectEngineCtxFree(de_ctx);
3708  return result;
3709 }
3710 
3711 static int DetectHttpHHTest24(void)
3712 {
3713  DetectEngineCtx *de_ctx = NULL;
3714  int result = 0;
3715 
3716  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3717  goto end;
3718 
3719  de_ctx->flags |= DE_QUIET;
3720  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3721  "(content:\"one\"; http_host; pcre:/two/; "
3722  "content:\"three\"; distance:10; within:15; http_host; content:\"four\"; sid:1;)");
3723  if (de_ctx->sig_list == NULL) {
3724  printf("de_ctx->sig_list == NULL\n");
3725  goto end;
3726  }
3727 
3728  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
3729  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
3730  goto end;
3731  }
3732 
3733  if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
3734  printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
3735  goto end;
3736  }
3737 
3738  DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
3739  DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
3740  DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
3741  DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
3742  if (pd1->flags != 0 ||
3743  cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
3744  hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
3745  memcmp(hhhd1->content, "one", hhhd1->content_len) != 0 ||
3746  hhhd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) ||
3747  memcmp(hhhd2->content, "three", hhhd1->content_len) != 0) {
3748  goto end;
3749  }
3750 
3751  if (!DETECT_CONTENT_IS_SINGLE(cd2) ||
3752  DETECT_CONTENT_IS_SINGLE(hhhd1) ||
3753  DETECT_CONTENT_IS_SINGLE(hhhd2)) {
3754  goto end;
3755  }
3756 
3757  result = 1;
3758 
3759  end:
3760  DetectEngineCtxFree(de_ctx);
3761  return result;
3762 }
3763 
3764 static int DetectHttpHHTest25(void)
3765 {
3766  DetectEngineCtx *de_ctx = NULL;
3767  int result = 0;
3768 
3769  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3770  goto end;
3771 
3772  de_ctx->flags |= DE_QUIET;
3773  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3774  "(content:\"one\"; http_host; pcre:/two/; "
3775  "content:\"three\"; distance:10; http_host; "
3776  "content:\"four\"; distance:10; sid:1;)");
3777  if (de_ctx->sig_list == NULL) {
3778  printf("de_ctx->sig_list == NULL\n");
3779  goto end;
3780  }
3781 
3782  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
3783  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
3784  goto end;
3785  }
3786 
3787  if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
3788  printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
3789  goto end;
3790  }
3791 
3792  DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
3793  DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
3794  DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
3795  DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
3796  if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT ||
3797  cd2->flags != DETECT_CONTENT_DISTANCE ||
3798  memcmp(cd2->content, "four", cd2->content_len) != 0 ||
3799  hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
3800  memcmp(hhhd1->content, "one", hhhd1->content_len) != 0 ||
3801  hhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
3802  memcmp(hhhd2->content, "three", hhhd1->content_len) != 0) {
3803  goto end;
3804  }
3805 
3806  if (DETECT_CONTENT_IS_SINGLE(cd2) ||
3807  DETECT_CONTENT_IS_SINGLE(hhhd1) ||
3808  DETECT_CONTENT_IS_SINGLE(hhhd2)) {
3809  goto end;
3810  }
3811 
3812  result = 1;
3813 
3814  end:
3815  DetectEngineCtxFree(de_ctx);
3816  return result;
3817 }
3818 
3819 static int DetectHttpHHTest26(void)
3820 {
3821  DetectEngineCtx *de_ctx = NULL;
3822  int result = 0;
3823 
3824  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3825  goto end;
3826 
3827  de_ctx->flags |= DE_QUIET;
3828  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3829  "(content:\"one\"; offset:10; http_host; pcre:/two/; "
3830  "content:\"three\"; distance:10; http_host; within:10; "
3831  "content:\"four\"; distance:10; sid:1;)");
3832  if (de_ctx->sig_list == NULL) {
3833  printf("de_ctx->sig_list == NULL\n");
3834  goto end;
3835  }
3836 
3837  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
3838  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
3839  goto end;
3840  }
3841 
3842  if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
3843  printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
3844  goto end;
3845  }
3846 
3847  DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
3848  DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
3849  DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
3850  DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
3851  if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
3852  cd2->flags != DETECT_CONTENT_DISTANCE ||
3853  memcmp(cd2->content, "four", cd2->content_len) != 0 ||
3854  hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_OFFSET) ||
3855  memcmp(hhhd1->content, "one", hhhd1->content_len) != 0 ||
3856  hhhd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) ||
3857  memcmp(hhhd2->content, "three", hhhd1->content_len) != 0) {
3858  printf ("failed: http_host incorrect flags");
3859  goto end;
3860  }
3861 
3862  if (DETECT_CONTENT_IS_SINGLE(cd2) ||
3863  DETECT_CONTENT_IS_SINGLE(hhhd1) ||
3864  DETECT_CONTENT_IS_SINGLE(hhhd2)) {
3865  goto end;
3866  }
3867 
3868  result = 1;
3869 
3870  end:
3871  DetectEngineCtxFree(de_ctx);
3872  return result;
3873 }
3874 
3875 static int DetectHttpHHTest27(void)
3876 {
3877  DetectEngineCtx *de_ctx = NULL;
3878  int result = 0;
3879 
3880  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3881  goto end;
3882 
3883  de_ctx->flags |= DE_QUIET;
3884  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3885  "(content:\"one\"; offset:10; http_host; pcre:/two/; "
3886  "content:\"three\"; distance:10; http_host; within:10; "
3887  "content:\"four\"; distance:10; sid:1;)");
3888  if (de_ctx->sig_list == NULL) {
3889  printf("de_ctx->sig_list == NULL\n");
3890  goto end;
3891  }
3892 
3893  result = 1;
3894 
3895  end:
3896  DetectEngineCtxFree(de_ctx);
3897  return result;
3898 }
3899 
3900 static int DetectHttpHHTest28(void)
3901 {
3902  DetectEngineCtx *de_ctx = NULL;
3903  int result = 0;
3904 
3905  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3906  goto end;
3907 
3908  de_ctx->flags |= DE_QUIET;
3909  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3910  "(content:\"one\"; http_host; pcre:/two/; "
3911  "content:\"three\"; http_host; depth:10; "
3912  "content:\"four\"; distance:10; sid:1;)");
3913  if (de_ctx->sig_list == NULL) {
3914  printf("de_ctx->sig_list == NULL\n");
3915  goto end;
3916  }
3917 
3918  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
3919  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
3920  goto end;
3921  }
3922 
3923  if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
3924  printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
3925  goto end;
3926  }
3927 
3928  DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
3929  DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
3930  DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
3931  DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
3932  if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
3933  cd2->flags != DETECT_CONTENT_DISTANCE ||
3934  memcmp(cd2->content, "four", cd2->content_len) != 0 ||
3935  hhhd1->flags != (0) ||
3936  memcmp(hhhd1->content, "one", hhhd1->content_len) != 0 ||
3937  hhhd2->flags != (DETECT_CONTENT_DEPTH) ||
3938  memcmp(hhhd2->content, "three", hhhd1->content_len) != 0) {
3939  goto end;
3940  }
3941 
3942  if (DETECT_CONTENT_IS_SINGLE(cd2) ||
3943  !DETECT_CONTENT_IS_SINGLE(hhhd1) ||
3944  DETECT_CONTENT_IS_SINGLE(hhhd2)) {
3945  goto end;
3946  }
3947 
3948  result = 1;
3949 
3950  end:
3951  DetectEngineCtxFree(de_ctx);
3952  return result;
3953 }
3954 
3955 static int DetectHttpHHTest29(void)
3956 {
3957  DetectEngineCtx *de_ctx = NULL;
3958  int result = 0;
3959 
3960  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3961  goto end;
3962 
3963  de_ctx->flags |= DE_QUIET;
3964  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3965  "(content:\"one\"; http_host; "
3966  "content:\"two\"; distance:0; http_host; sid:1;)");
3967  if (de_ctx->sig_list == NULL) {
3968  printf("de_ctx->sig_list == NULL\n");
3969  goto end;
3970  }
3971 
3972  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
3973  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
3974  goto end;
3975  }
3976 
3977  if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
3978  printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
3979  goto end;
3980  }
3981 
3982  DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
3983  DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
3984  if (hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
3985  memcmp(hhhd1->content, "one", hhhd1->content_len) != 0 ||
3986  hhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
3987  memcmp(hhhd2->content, "two", hhhd1->content_len) != 0) {
3988  goto end;
3989  }
3990 
3991  result = 1;
3992 
3993  end:
3994  DetectEngineCtxFree(de_ctx);
3995  return result;
3996 }
3997 
3998 static int DetectHttpHHTest30(void)
3999 {
4000  DetectEngineCtx *de_ctx = NULL;
4001  int result = 0;
4002 
4003  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4004  goto end;
4005 
4006  de_ctx->flags |= DE_QUIET;
4007  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4008  "(content:\"one\"; http_host; "
4009  "content:\"two\"; within:5; http_host; sid:1;)");
4010  if (de_ctx->sig_list == NULL) {
4011  printf("de_ctx->sig_list == NULL\n");
4012  goto end;
4013  }
4014 
4015  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4016  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4017  goto end;
4018  }
4019 
4020  if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
4021  printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
4022  goto end;
4023  }
4024 
4025  DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
4026  DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
4027  if (hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
4028  memcmp(hhhd1->content, "one", hhhd1->content_len) != 0 ||
4029  hhhd2->flags != (DETECT_CONTENT_WITHIN) ||
4030  memcmp(hhhd2->content, "two", hhhd1->content_len) != 0) {
4031  goto end;
4032  }
4033 
4034  result = 1;
4035 
4036  end:
4037  DetectEngineCtxFree(de_ctx);
4038  return result;
4039 }
4040 
4041 static int DetectHttpHHTest31(void)
4042 {
4043  DetectEngineCtx *de_ctx = NULL;
4044  int result = 0;
4045 
4046  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4047  goto end;
4048 
4049  de_ctx->flags |= DE_QUIET;
4050  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4051  "(content:\"one\"; within:5; http_host; sid:1;)");
4052  if (de_ctx->sig_list == NULL) {
4053  printf("de_ctx->sig_list == NULL\n");
4054  goto end;
4055  }
4056 
4057  result = 1;
4058 
4059  end:
4060  DetectEngineCtxFree(de_ctx);
4061  return result;
4062 }
4063 
4064 static int DetectHttpHHTest32(void)
4065 {
4066  DetectEngineCtx *de_ctx = NULL;
4067  int result = 0;
4068 
4069  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4070  goto end;
4071 
4072  de_ctx->flags |= DE_QUIET;
4073  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4074  "(content:\"one\"; http_host; within:5; sid:1;)");
4075  if (de_ctx->sig_list == NULL) {
4076  printf("de_ctx->sig_list != NULL\n");
4077  goto end;
4078  }
4079 
4080  result = 1;
4081 
4082  end:
4083  DetectEngineCtxFree(de_ctx);
4084  return result;
4085 }
4086 
4087 static int DetectHttpHHTest33(void)
4088 {
4089  DetectEngineCtx *de_ctx = NULL;
4090  int result = 0;
4091 
4092  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4093  goto end;
4094 
4095  de_ctx->flags |= DE_QUIET;
4096  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4097  "(content:\"one\"; within:5; sid:1;)");
4098  if (de_ctx->sig_list == NULL) {
4099  printf("de_ctx->sig_list == NULL\n");
4100  goto end;
4101  }
4102 
4103  result = 1;
4104 
4105  end:
4106  DetectEngineCtxFree(de_ctx);
4107  return result;
4108 }
4109 
4110 static int DetectHttpHHTest34(void)
4111 {
4112  DetectEngineCtx *de_ctx = NULL;
4113  int result = 0;
4114 
4115  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4116  goto end;
4117 
4118  de_ctx->flags |= DE_QUIET;
4119  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4120  "(pcre:/one/W; "
4121  "content:\"two\"; within:5; http_host; sid:1;)");
4122  if (de_ctx->sig_list == NULL) {
4123  printf("de_ctx->sig_list == NULL\n");
4124  goto end;
4125  }
4126 
4127  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4128  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4129  goto end;
4130  }
4131 
4132  if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
4133  printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
4134  goto end;
4135  }
4136 
4137  if (de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id] == NULL ||
4138  de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->type != DETECT_CONTENT ||
4139  de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev == NULL ||
4140  de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->type != DETECT_PCRE) {
4141 
4142  goto end;
4143  }
4144 
4145  DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
4146  DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
4147  if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
4148  hhhd2->flags != (DETECT_CONTENT_WITHIN) ||
4149  memcmp(hhhd2->content, "two", hhhd2->content_len) != 0) {
4150  goto end;
4151  }
4152 
4153  result = 1;
4154 
4155  end:
4156  DetectEngineCtxFree(de_ctx);
4157  return result;
4158 }
4159 
4160 static int DetectHttpHHTest35(void)
4161 {
4162  DetectEngineCtx *de_ctx = NULL;
4163  int result = 0;
4164 
4165  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4166  goto end;
4167 
4168  de_ctx->flags |= DE_QUIET;
4169  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4170  "(content:\"two\"; http_host; "
4171  "pcre:/one/WR; sid:1;)");
4172  if (de_ctx->sig_list == NULL) {
4173  printf("de_ctx->sig_list == NULL\n");
4174  goto end;
4175  }
4176 
4177  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4178  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4179  goto end;
4180  }
4181 
4182  if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
4183  printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
4184  goto end;
4185  }
4186 
4187  if (de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id] == NULL ||
4188  de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->type != DETECT_PCRE ||
4189  de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev == NULL ||
4190  de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->type != DETECT_CONTENT) {
4191 
4192  goto end;
4193  }
4194 
4195  DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
4196  DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
4197  if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
4198  hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
4199  memcmp(hhhd1->content, "two", hhhd1->content_len) != 0) {
4200  goto end;
4201  }
4202 
4203  result = 1;
4204 
4205  end:
4206  DetectEngineCtxFree(de_ctx);
4207  return result;
4208 }
4209 
4210 static int DetectHttpHHTest36(void)
4211 {
4212  DetectEngineCtx *de_ctx = NULL;
4213  int result = 0;
4214 
4215  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4216  goto end;
4217 
4218  de_ctx->flags |= DE_QUIET;
4219  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4220  "(pcre:/one/W; "
4221  "content:\"two\"; distance:5; http_host; sid:1;)");
4222  if (de_ctx->sig_list == NULL) {
4223  printf("de_ctx->sig_list == NULL\n");
4224  goto end;
4225  }
4226 
4227  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4228  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4229  goto end;
4230  }
4231 
4232  if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
4233  printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
4234  goto end;
4235  }
4236 
4237  if (de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id] == NULL ||
4238  de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->type != DETECT_CONTENT ||
4239  de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev == NULL ||
4240  de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->type != DETECT_PCRE) {
4241 
4242  goto end;
4243  }
4244 
4245  DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
4246  DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
4247  if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
4248  hhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
4249  memcmp(hhhd2->content, "two", hhhd2->content_len) != 0) {
4250  goto end;
4251  }
4252 
4253  result = 1;
4254 
4255  end:
4256  DetectEngineCtxFree(de_ctx);
4257  return result;
4258 }
4259 
4260 /**
4261  * \test Test that a signature containting a http_raw_host is correctly parsed
4262  * and the keyword is registered.
4263  */
4264 static int DetectHttpHRHTest01(void)
4265 {
4266  DetectEngineCtx *de_ctx = NULL;
4267  int result = 0;
4268 
4269  de_ctx = DetectEngineCtxInit();
4270  if (de_ctx == NULL)
4271  goto end;
4272 
4273  de_ctx->flags |= DE_QUIET;
4274  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4275  "(msg:\"Testing http_raw_host\"; "
4276  "content:\"one\"; http_raw_host; sid:1;)");
4277  if (de_ctx->sig_list != NULL) {
4278  result = 1;
4279  } else {
4280  goto end;
4281  }
4282 
4283  end:
4284  DetectEngineCtxFree(de_ctx);
4285 
4286  return result;
4287 }
4288 
4289 /**
4290  * \test Test that a signature containing an valid http_raw_host entry is
4291  * parsed.
4292  */
4293 static int DetectHttpHRHTest02(void)
4294 {
4295  DetectEngineCtx *de_ctx = NULL;
4296  int result = 0;
4297 
4298  de_ctx = DetectEngineCtxInit();
4299  if (de_ctx == NULL)
4300  goto end;
4301 
4302  de_ctx->flags |= DE_QUIET;
4303  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4304  "(msg:\"Testing http_raw_host\"; "
4305  "content:\"one\"; http_raw_host; sid:1;)");
4306  if (de_ctx->sig_list != NULL)
4307  result = 1;
4308 
4309  end:
4310  DetectEngineCtxFree(de_ctx);
4311 
4312  return result;
4313 }
4314 
4315 /**
4316  * \test Test that an invalid signature containing no content but a
4317  * http_raw_host is invalidated.
4318  */
4319 static int DetectHttpHRHTest03(void)
4320 {
4321  DetectEngineCtx *de_ctx = NULL;
4322  int result = 0;
4323 
4324  de_ctx = DetectEngineCtxInit();
4325  if (de_ctx == NULL)
4326  goto end;
4327 
4328  de_ctx->flags |= DE_QUIET;
4329  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4330  "(msg:\"Testing http_raw_host\"; "
4331  "http_raw_host; sid:1;)");
4332  if (de_ctx->sig_list == NULL)
4333  result = 1;
4334 
4335  end:
4336  DetectEngineCtxFree(de_ctx);
4337 
4338  return result;
4339 }
4340 
4341 /**
4342  * \test Test that an invalid signature containing a rawbytes along with a
4343  * http_raw_host is invalidated.
4344  */
4345 static int DetectHttpHRHTest04(void)
4346 {
4347  DetectEngineCtx *de_ctx = NULL;
4348  int result = 0;
4349 
4350  de_ctx = DetectEngineCtxInit();
4351  if (de_ctx == NULL)
4352  goto end;
4353 
4354  de_ctx->flags |= DE_QUIET;
4355  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4356  "(msg:\"Testing http_raw_host\"; "
4357  "content:\"one\"; rawbytes; http_raw_host; sid:1;)");
4358  if (de_ctx->sig_list == NULL)
4359  result = 1;
4360 
4361  end:
4362  DetectEngineCtxFree(de_ctx);
4363 
4364  return result;
4365 }
4366 
4367 /**
4368  * \test Test that a http_raw_host with nocase is parsed.
4369  */
4370 static int DetectHttpHRHTest05(void)
4371 {
4372  DetectEngineCtx *de_ctx = NULL;
4373  int result = 0;
4374 
4375  de_ctx = DetectEngineCtxInit();
4376  if (de_ctx == NULL)
4377  goto end;
4378 
4379  de_ctx->flags |= DE_QUIET;
4380  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4381  "(msg:\"Testing http_raw_host\"; "
4382  "content:\"one\"; http_raw_host; sid:1;)");
4383  if (de_ctx->sig_list != NULL)
4384  result = 1;
4385 
4386  end:
4387  DetectEngineCtxFree(de_ctx);
4388 
4389  return result;
4390 }
4391 
4392 /**
4393  *\test Test that the http_raw_host content matches against a http request
4394  * which holds the content.
4395  */
4396 static int DetectHttpHRHTest06(void)
4397 {
4398  TcpSession ssn;
4399  Packet *p = NULL;
4400  ThreadVars th_v;
4401  DetectEngineCtx *de_ctx = NULL;
4402  DetectEngineThreadCtx *det_ctx = NULL;
4403  HtpState *http_state = NULL;
4404  Flow f;
4405  uint8_t http_buf[] =
4406  "GET /index.html HTTP/1.0\r\n"
4407  "User-Agent: www.openinfosecfoundation.org\r\n"
4408  "Host: This is dummy message body\r\n"
4409  "Content-Type: text/html\r\n"
4410  "\r\n";
4411  uint32_t http_len = sizeof(http_buf) - 1;
4412  int result = 0;
4413  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4414 
4415  memset(&th_v, 0, sizeof(th_v));
4416  memset(&f, 0, sizeof(f));
4417  memset(&ssn, 0, sizeof(ssn));
4418 
4419  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4420 
4421  FLOW_INITIALIZE(&f);
4422  f.protoctx = (void *)&ssn;
4423  f.proto = IPPROTO_TCP;
4424  f.flags |= FLOW_IPV4;
4425 
4426  p->flow = &f;
4427  p->flowflags |= FLOW_PKT_TOSERVER;
4428  p->flowflags |= FLOW_PKT_ESTABLISHED;
4429  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4430  f.alproto = ALPROTO_HTTP1;
4431 
4432  StreamTcpInitConfig(true);
4433 
4434  de_ctx = DetectEngineCtxInit();
4435  if (de_ctx == NULL)
4436  goto end;
4437 
4438  de_ctx->flags |= DE_QUIET;
4439 
4440  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4441  "(msg:\"http host test\"; "
4442  "content:\"message\"; http_raw_host; "
4443  "sid:1;)");
4444  if (de_ctx->sig_list == NULL)
4445  goto end;
4446 
4447  SigGroupBuild(de_ctx);
4448  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4449 
4450  int r = AppLayerParserParse(
4451  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
4452  if (r != 0) {
4453  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4454  result = 0;
4455  goto end;
4456  }
4457 
4458  http_state = f.alstate;
4459  if (http_state == NULL) {
4460  printf("no http state: \n");
4461  result = 0;
4462  goto end;
4463  }
4464 
4465  /* do detect */
4466  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4467 
4468  if (!(PacketAlertCheck(p, 1))) {
4469  printf("sid 1 didn't match but should have\n");
4470  goto end;
4471  }
4472 
4473  result = 1;
4474 end:
4475  if (alp_tctx != NULL)
4476  AppLayerParserThreadCtxFree(alp_tctx);
4477  if (de_ctx != NULL)
4478  DetectEngineCtxFree(de_ctx);
4479 
4480  StreamTcpFreeConfig(true);
4481  FLOW_DESTROY(&f);
4482  UTHFreePackets(&p, 1);
4483  return result;
4484 }
4485 
4486 /**
4487  *\test Test that the http_raw_host content matches against a http request
4488  * which holds the content.
4489  */
4490 static int DetectHttpHRHTest07(void)
4491 {
4492  TcpSession ssn;
4493  Packet *p1 = NULL;
4494  Packet *p2 = NULL;
4495  ThreadVars th_v;
4496  DetectEngineCtx *de_ctx = NULL;
4497  DetectEngineThreadCtx *det_ctx = NULL;
4498  HtpState *http_state = NULL;
4499  Flow f;
4500  uint8_t http1_buf[] =
4501  "GET /index.html HTTP/1.0\r\n"
4502  "User-Agent: www.openinfosecfoundation.org\r\n"
4503  "Host: This is dummy message";
4504  uint8_t http2_buf[] =
4505  "body1\r\n\r\n";
4506  uint32_t http1_len = sizeof(http1_buf) - 1;
4507  uint32_t http2_len = sizeof(http2_buf) - 1;
4508  int result = 0;
4509  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4510 
4511  memset(&th_v, 0, sizeof(th_v));
4512  memset(&f, 0, sizeof(f));
4513  memset(&ssn, 0, sizeof(ssn));
4514 
4515  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4516  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4517 
4518  FLOW_INITIALIZE(&f);
4519  f.protoctx = (void *)&ssn;
4520  f.proto = IPPROTO_TCP;
4521  f.flags |= FLOW_IPV4;
4522 
4523  p1->flow = &f;
4524  p1->flowflags |= FLOW_PKT_TOSERVER;
4525  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4526  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4527  p2->flow = &f;
4528  p2->flowflags |= FLOW_PKT_TOSERVER;
4529  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4530  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4531  f.alproto = ALPROTO_HTTP1;
4532 
4533  StreamTcpInitConfig(true);
4534 
4535  de_ctx = DetectEngineCtxInit();
4536  if (de_ctx == NULL)
4537  goto end;
4538 
4539  de_ctx->flags |= DE_QUIET;
4540 
4541  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4542  "(msg:\"http host test\"; "
4543  "content:\"message\"; http_raw_host; "
4544  "sid:1;)");
4545  if (de_ctx->sig_list == NULL)
4546  goto end;
4547 
4548  SigGroupBuild(de_ctx);
4549  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4550 
4551  int r = AppLayerParserParse(
4552  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4553  if (r != 0) {
4554  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4555  result = 0;
4556  goto end;
4557  }
4558 
4559  http_state = f.alstate;
4560  if (http_state == NULL) {
4561  printf("no http state: ");
4562  goto end;
4563  }
4564 
4565  /* do detect */
4566  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4567 
4568  if (PacketAlertCheck(p1, 1)) {
4569  printf("sid 1 matched on p1 but shouldn't have: ");
4570  goto end;
4571  }
4572 
4573  r = AppLayerParserParse(
4574  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4575  if (r != 0) {
4576  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4577  goto end;
4578  }
4579 
4580  /* do detect */
4581  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4582  if (!(PacketAlertCheck(p2, 1))) {
4583  printf("sid 1 didn't match on p2 but should have: ");
4584  goto end;
4585  }
4586 
4587  result = 1;
4588 end:
4589  if (alp_tctx != NULL)
4590  AppLayerParserThreadCtxFree(alp_tctx);
4591  if (de_ctx != NULL)
4592  DetectEngineCtxFree(de_ctx);
4593 
4594  StreamTcpFreeConfig(true);
4595  FLOW_DESTROY(&f);
4596  UTHFreePackets(&p1, 1);
4597  UTHFreePackets(&p2, 1);
4598  return result;
4599 }
4600 
4601 /**
4602  *\test Test that the http_raw_host content matches against a http request
4603  * which holds the content.
4604  */
4605 static int DetectHttpHRHTest08(void)
4606 {
4607  TcpSession ssn;
4608  Packet *p1 = NULL;
4609  Packet *p2 = NULL;
4610  ThreadVars th_v;
4611  DetectEngineCtx *de_ctx = NULL;
4612  DetectEngineThreadCtx *det_ctx = NULL;
4613  HtpState *http_state = NULL;
4614  Flow f;
4615  uint8_t http1_buf[] =
4616  "GET /index.html HTTP/1.0\r\n"
4617  "User-Agent: www.openinfosecfoundation.org\r\n"
4618  "host: This is dummy mess";
4619  uint8_t http2_buf[] =
4620  "age body\r\n\r\n";
4621  uint32_t http1_len = sizeof(http1_buf) - 1;
4622  uint32_t http2_len = sizeof(http2_buf) - 1;
4623  int result = 0;
4624  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4625 
4626  memset(&th_v, 0, sizeof(th_v));
4627  memset(&f, 0, sizeof(f));
4628  memset(&ssn, 0, sizeof(ssn));
4629 
4630  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4631  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4632 
4633  FLOW_INITIALIZE(&f);
4634  f.protoctx = (void *)&ssn;
4635  f.proto = IPPROTO_TCP;
4636  f.flags |= FLOW_IPV4;
4637 
4638  p1->flow = &f;
4639  p1->flowflags |= FLOW_PKT_TOSERVER;
4640  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4641  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4642  p2->flow = &f;
4643  p2->flowflags |= FLOW_PKT_TOSERVER;
4644  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4645  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4646  f.alproto = ALPROTO_HTTP1;
4647 
4648  StreamTcpInitConfig(true);
4649 
4650  de_ctx = DetectEngineCtxInit();
4651  if (de_ctx == NULL)
4652  goto end;
4653 
4654  de_ctx->flags |= DE_QUIET;
4655 
4656  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4657  "(msg:\"http host test\"; "
4658  "content:\"message\"; http_raw_host; "
4659  "sid:1;)");
4660  if (de_ctx->sig_list == NULL)
4661  goto end;
4662 
4663  SigGroupBuild(de_ctx);
4664  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4665 
4666  int r = AppLayerParserParse(
4667  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4668  if (r != 0) {
4669  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4670  result = 0;
4671  goto end;
4672  }
4673 
4674  http_state = f.alstate;
4675  if (http_state == NULL) {
4676  printf("no http state: ");
4677  result = 0;
4678  goto end;
4679  }
4680 
4681  /* do detect */
4682  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4683 
4684  if ((PacketAlertCheck(p1, 1))) {
4685  printf("sid 1 didn't match but should have");
4686  goto end;
4687  }
4688 
4689  r = AppLayerParserParse(
4690  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4691  if (r != 0) {
4692  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4693  result = 0;
4694  goto end;
4695  }
4696 
4697  /* do detect */
4698  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4699 
4700  if (!(PacketAlertCheck(p2, 1))) {
4701  printf("sid 1 didn't match but should have");
4702  goto end;
4703  }
4704 
4705  result = 1;
4706 end:
4707  if (alp_tctx != NULL)
4708  AppLayerParserThreadCtxFree(alp_tctx);
4709  if (de_ctx != NULL)
4710  DetectEngineCtxFree(de_ctx);
4711 
4712  StreamTcpFreeConfig(true);
4713  FLOW_DESTROY(&f);
4714  UTHFreePackets(&p1, 1);
4715  UTHFreePackets(&p2, 1);
4716  return result;
4717 }
4718 
4719 /**
4720  *\test Test that the http_raw_host content matches against a http request
4721  * which holds the content, against a cross boundary present pattern.
4722  */
4723 static int DetectHttpHRHTest09(void)
4724 {
4725  TcpSession ssn;
4726  Packet *p1 = NULL;
4727  Packet *p2 = NULL;
4728  ThreadVars th_v;
4729  DetectEngineCtx *de_ctx = NULL;
4730  DetectEngineThreadCtx *det_ctx = NULL;
4731  HtpState *http_state = NULL;
4732  Flow f;
4733  uint8_t http1_buf[] =
4734  "GET /index.html HTTP/1.0\r\n"
4735  "User-Agent: www.openinfosecfoundation.org\r\n"
4736  "Host: This is dummy body1";
4737  uint8_t http2_buf[] =
4738  "This is dummy message body2\r\n"
4739  "Content-Type: text/html\r\n"
4740  "Content-Length: 46\r\n"
4741  "\r\n"
4742  "This is dummy body1";
4743  uint32_t http1_len = sizeof(http1_buf) - 1;
4744  uint32_t http2_len = sizeof(http2_buf) - 1;
4745  int result = 0;
4746  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4747 
4748  memset(&th_v, 0, sizeof(th_v));
4749  memset(&f, 0, sizeof(f));
4750  memset(&ssn, 0, sizeof(ssn));
4751 
4752  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4753  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4754 
4755  FLOW_INITIALIZE(&f);
4756  f.protoctx = (void *)&ssn;
4757  f.proto = IPPROTO_TCP;
4758  f.flags |= FLOW_IPV4;
4759 
4760  p1->flow = &f;
4761  p1->flowflags |= FLOW_PKT_TOSERVER;
4762  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4763  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4764  p2->flow = &f;
4765  p2->flowflags |= FLOW_PKT_TOSERVER;
4766  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4767  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4768  f.alproto = ALPROTO_HTTP1;
4769 
4770  StreamTcpInitConfig(true);
4771 
4772  de_ctx = DetectEngineCtxInit();
4773  if (de_ctx == NULL)
4774  goto end;
4775 
4776  de_ctx->flags |= DE_QUIET;
4777 
4778  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4779  "(msg:\"http host test\"; "
4780  "content:\"body1This\"; http_raw_host; "
4781  "sid:1;)");
4782  if (de_ctx->sig_list == NULL)
4783  goto end;
4784 
4785  SigGroupBuild(de_ctx);
4786  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4787 
4788  int r = AppLayerParserParse(
4789  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4790  if (r != 0) {
4791  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4792  result = 0;
4793  goto end;
4794  }
4795 
4796  http_state = f.alstate;
4797  if (http_state == NULL) {
4798  printf("no http state: ");
4799  result = 0;
4800  goto end;
4801  }
4802 
4803  /* do detect */
4804  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4805 
4806  if ((PacketAlertCheck(p1, 1))) {
4807  printf("sid 1 didn't match but should have");
4808  goto end;
4809  }
4810 
4811  r = AppLayerParserParse(
4812  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4813  if (r != 0) {
4814  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4815  result = 0;
4816  goto end;
4817  }
4818 
4819  /* do detect */
4820  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4821 
4822  if (!(PacketAlertCheck(p2, 1))) {
4823  printf("sid 1 didn't match but should have");
4824  goto end;
4825  }
4826 
4827  result = 1;
4828 end:
4829  if (alp_tctx != NULL)
4830  AppLayerParserThreadCtxFree(alp_tctx);
4831  if (de_ctx != NULL)
4832  DetectEngineCtxFree(de_ctx);
4833 
4834  StreamTcpFreeConfig(true);
4835  FLOW_DESTROY(&f);
4836  UTHFreePackets(&p1, 1);
4837  UTHFreePackets(&p2, 1);
4838  return result;
4839 }
4840 
4841 /**
4842  *\test Test that the http_raw_host content matches against a http request
4843  * against a case insensitive pattern.
4844  */
4845 static int DetectHttpHRHTest10(void)
4846 {
4847  TcpSession ssn;
4848  Packet *p1 = NULL;
4849  Packet *p2 = NULL;
4850  ThreadVars th_v;
4851  DetectEngineCtx *de_ctx = NULL;
4852  DetectEngineThreadCtx *det_ctx = NULL;
4853  HtpState *http_state = NULL;
4854  Flow f;
4855  uint8_t http1_buf[] =
4856  "GET /index.html HTTP/1.0\r\n"
4857  "User-Agent: www.openinfosecfoundation.org\r\n"
4858  "Host: This is dummy bodY1";
4859  uint8_t http2_buf[] =
4860  "This is dummy message body2\r\n"
4861  "Content-Type: text/html\r\n"
4862  "Content-Length: 46\r\n"
4863  "\r\n"
4864  "This is dummy bodY1";
4865  uint32_t http1_len = sizeof(http1_buf) - 1;
4866  uint32_t http2_len = sizeof(http2_buf) - 1;
4867  int result = 0;
4868  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4869 
4870  memset(&th_v, 0, sizeof(th_v));
4871  memset(&f, 0, sizeof(f));
4872  memset(&ssn, 0, sizeof(ssn));
4873 
4874  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4875  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4876 
4877  FLOW_INITIALIZE(&f);
4878  f.protoctx = (void *)&ssn;
4879  f.proto = IPPROTO_TCP;
4880  f.flags |= FLOW_IPV4;
4881 
4882  p1->flow = &f;
4883  p1->flowflags |= FLOW_PKT_TOSERVER;
4884  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4885  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4886  p2->flow = &f;
4887  p2->flowflags |= FLOW_PKT_TOSERVER;
4888  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4889  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4890  f.alproto = ALPROTO_HTTP1;
4891 
4892  StreamTcpInitConfig(true);
4893 
4894  de_ctx = DetectEngineCtxInit();
4895  if (de_ctx == NULL)
4896  goto end;
4897 
4898  de_ctx->flags |= DE_QUIET;
4899 
4900  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4901  "(msg:\"http host test\"; "
4902  "content:\"bodY1This\"; http_raw_host; "
4903  "sid:1;)");
4904  if (de_ctx->sig_list == NULL)
4905  goto end;
4906 
4907  SigGroupBuild(de_ctx);
4908  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4909 
4910  int r = AppLayerParserParse(
4911  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4912  if (r != 0) {
4913  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4914  result = 0;
4915  goto end;
4916  }
4917 
4918  http_state = f.alstate;
4919  if (http_state == NULL) {
4920  printf("no http state: \n");
4921  result = 0;
4922  goto end;
4923  }
4924 
4925  /* do detect */
4926  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4927 
4928  if ((PacketAlertCheck(p1, 1))) {
4929  printf("sid 1 didn't match but should have\n");
4930  goto end;
4931  }
4932 
4933  r = AppLayerParserParse(
4934  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4935  if (r != 0) {
4936  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4937  result = 0;
4938  goto end;
4939  }
4940 
4941  /* do detect */
4942  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4943 
4944  if (!(PacketAlertCheck(p2, 1))) {
4945  printf("sid 1 didn't match but should have");
4946  goto end;
4947  }
4948 
4949  result = 1;
4950 end:
4951  if (alp_tctx != NULL)
4952  AppLayerParserThreadCtxFree(alp_tctx);
4953  if (de_ctx != NULL)
4954  DetectEngineCtxFree(de_ctx);
4955 
4956  StreamTcpFreeConfig(true);
4957  FLOW_DESTROY(&f);
4958  UTHFreePackets(&p1, 1);
4959  UTHFreePackets(&p2, 1);
4960  return result;
4961 }
4962 
4963 /**
4964  *\test Test that the negated http_raw_host content matches against a
4965  * http request which doesn't hold the content.
4966  */
4967 static int DetectHttpHRHTest11(void)
4968 {
4969  TcpSession ssn;
4970  Packet *p = NULL;
4971  ThreadVars th_v;
4972  DetectEngineCtx *de_ctx = NULL;
4973  DetectEngineThreadCtx *det_ctx = NULL;
4974  HtpState *http_state = NULL;
4975  Flow f;
4976  uint8_t http_buf[] =
4977  "GET /index.html HTTP/1.0\r\n"
4978  "User-Agent: www.openinfosecfoundation.org\r\n"
4979  "Host: This is dummy message body\r\n"
4980  "Content-Type: text/html\r\n"
4981  "\r\n";
4982  uint32_t http_len = sizeof(http_buf) - 1;
4983  int result = 0;
4984  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4985 
4986  memset(&th_v, 0, sizeof(th_v));
4987  memset(&f, 0, sizeof(f));
4988  memset(&ssn, 0, sizeof(ssn));
4989 
4990  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4991 
4992  FLOW_INITIALIZE(&f);
4993  f.protoctx = (void *)&ssn;
4994  f.proto = IPPROTO_TCP;
4995  f.flags |= FLOW_IPV4;
4996 
4997  p->flow = &f;
4998  p->flowflags |= FLOW_PKT_TOSERVER;
4999  p->flowflags |= FLOW_PKT_ESTABLISHED;
5000  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5001  f.alproto = ALPROTO_HTTP1;
5002 
5003  StreamTcpInitConfig(true);
5004 
5005  de_ctx = DetectEngineCtxInit();
5006  if (de_ctx == NULL)
5007  goto end;
5008 
5009  de_ctx->flags |= DE_QUIET;
5010 
5011  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5012  "(msg:\"http host test\"; "
5013  "content:!\"message\"; http_raw_host; "
5014  "sid:1;)");
5015  if (de_ctx->sig_list == NULL)
5016  goto end;
5017 
5018  SigGroupBuild(de_ctx);
5019  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5020 
5021  int r = AppLayerParserParse(
5022  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5023  if (r != 0) {
5024  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5025  result = 0;
5026  goto end;
5027  }
5028 
5029  http_state = f.alstate;
5030  if (http_state == NULL) {
5031  printf("no http state: ");
5032  result = 0;
5033  goto end;
5034  }
5035 
5036  /* do detect */
5037  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5038 
5039  if (PacketAlertCheck(p, 1)) {
5040  printf("sid 1 matched but shouldn't have");
5041  goto end;
5042  }
5043 
5044  result = 1;
5045 end:
5046  if (alp_tctx != NULL)
5047  AppLayerParserThreadCtxFree(alp_tctx);
5048  if (de_ctx != NULL)
5049  DetectEngineCtxFree(de_ctx);
5050 
5051  StreamTcpFreeConfig(true);
5052  FLOW_DESTROY(&f);
5053  UTHFreePackets(&p, 1);
5054  return result;
5055 }
5056 
5057 /**
5058  *\test Negative test that the negated http_raw_host content matches against a
5059  * http request which holds hold the content.
5060  */
5061 static int DetectHttpHRHTest12(void)
5062 {
5063  TcpSession ssn;
5064  Packet *p = NULL;
5065  ThreadVars th_v;
5066  DetectEngineCtx *de_ctx = NULL;
5067  DetectEngineThreadCtx *det_ctx = NULL;
5068  HtpState *http_state = NULL;
5069  Flow f;
5070  uint8_t http_buf[] =
5071  "GET /index.html HTTP/1.0\r\n"
5072  "User-Agent: www.openinfosecfoundation.org\r\n"
5073  "Host: This is dummy body\r\n"
5074  "\r\n";
5075  uint32_t http_len = sizeof(http_buf) - 1;
5076  int result = 0;
5077  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5078 
5079  memset(&th_v, 0, sizeof(th_v));
5080  memset(&f, 0, sizeof(f));
5081  memset(&ssn, 0, sizeof(ssn));
5082 
5083  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5084 
5085  FLOW_INITIALIZE(&f);
5086  f.protoctx = (void *)&ssn;
5087  f.proto = IPPROTO_TCP;
5088  f.flags |= FLOW_IPV4;
5089 
5090  p->flow = &f;
5091  p->flowflags |= FLOW_PKT_TOSERVER;
5092  p->flowflags |= FLOW_PKT_ESTABLISHED;
5093  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5094  f.alproto = ALPROTO_HTTP1;
5095 
5096  StreamTcpInitConfig(true);
5097 
5098  de_ctx = DetectEngineCtxInit();
5099  if (de_ctx == NULL)
5100  goto end;
5101 
5102  de_ctx->flags |= DE_QUIET;
5103 
5104  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5105  "(msg:\"http host test\"; "
5106  "content:!\"message\"; http_raw_host; "
5107  "sid:1;)");
5108  if (de_ctx->sig_list == NULL)
5109  goto end;
5110 
5111  SigGroupBuild(de_ctx);
5112  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5113 
5114  int r = AppLayerParserParse(
5115  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5116  if (r != 0) {
5117  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5118  result = 0;
5119  goto end;
5120  }
5121 
5122  http_state = f.alstate;
5123  if (http_state == NULL) {
5124  printf("no http state: ");
5125  result = 0;
5126  goto end;
5127  }
5128 
5129  /* do detect */
5130  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5131 
5132  if (!(PacketAlertCheck(p, 1))) {
5133  printf("sid 1 didn't match but should have");
5134  goto end;
5135  }
5136 
5137  result = 1;
5138 end:
5139  if (alp_tctx != NULL)
5140  AppLayerParserThreadCtxFree(alp_tctx);
5141  if (de_ctx != NULL)
5142  DetectEngineCtxFree(de_ctx);
5143 
5144  StreamTcpFreeConfig(true);
5145  FLOW_DESTROY(&f);
5146  UTHFreePackets(&p, 1);
5147  return result;
5148 }
5149 
5150 /**
5151  * \test Test that the http_raw_host content matches against a http request
5152  * which holds the content.
5153  */
5154 static int DetectHttpHRHTest13(void)
5155 {
5156  TcpSession ssn;
5157  Packet *p = NULL;
5158  ThreadVars th_v;
5159  DetectEngineCtx *de_ctx = NULL;
5160  DetectEngineThreadCtx *det_ctx = NULL;
5161  HtpState *http_state = NULL;
5162  Flow f;
5163  uint8_t http_buf[] =
5164  "GET /index.html HTTP/1.0\r\n"
5165  "User-Agent: www.openinfosecfoundation.org\r\n"
5166  "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
5167  "Content-Type: text/html\r\n"
5168  "\r\n";
5169  uint32_t http_len = sizeof(http_buf) - 1;
5170  int result = 0;
5171  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5172 
5173  memset(&th_v, 0, sizeof(th_v));
5174  memset(&f, 0, sizeof(f));
5175  memset(&ssn, 0, sizeof(ssn));
5176 
5177  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5178 
5179  FLOW_INITIALIZE(&f);
5180  f.protoctx = (void *)&ssn;
5181  f.proto = IPPROTO_TCP;
5182  f.flags |= FLOW_IPV4;
5183 
5184  p->flow = &f;
5185  p->flowflags |= FLOW_PKT_TOSERVER;
5186  p->flowflags |= FLOW_PKT_ESTABLISHED;
5187  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5188  f.alproto = ALPROTO_HTTP1;
5189 
5190  StreamTcpInitConfig(true);
5191 
5192  de_ctx = DetectEngineCtxInit();
5193  if (de_ctx == NULL)
5194  goto end;
5195 
5196  de_ctx->flags |= DE_QUIET;
5197 
5198  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5199  "(msg:\"http host test\"; "
5200  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_raw_host; "
5201  "sid:1;)");
5202  if (de_ctx->sig_list == NULL)
5203  goto end;
5204 
5205  SigGroupBuild(de_ctx);
5206  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5207 
5208  int r = AppLayerParserParse(
5209  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5210  if (r != 0) {
5211  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5212  result = 0;
5213  goto end;
5214  }
5215 
5216  http_state = f.alstate;
5217  if (http_state == NULL) {
5218  printf("no http state: ");
5219  result = 0;
5220  goto end;
5221  }
5222 
5223  /* do detect */
5224  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5225 
5226  if (!(PacketAlertCheck(p, 1))) {
5227  printf("sid 1 didn't match but should have");
5228  goto end;
5229  }
5230 
5231  result = 1;
5232 end:
5233  if (alp_tctx != NULL)
5234  AppLayerParserThreadCtxFree(alp_tctx);
5235  if (de_ctx != NULL)
5236  DetectEngineCtxFree(de_ctx);
5237 
5238  StreamTcpFreeConfig(true);
5239  FLOW_DESTROY(&f);
5240  UTHFreePackets(&p, 1);
5241  return result;
5242 }
5243 
5244 /**
5245  * \test multiple http transactions and body chunks of request handling
5246  */
5247 static int DetectHttpHRHTest14(void)
5248 {
5249  int result = 0;
5250  Signature *s = NULL;
5251  DetectEngineThreadCtx *det_ctx = NULL;
5252  ThreadVars th_v;
5253  Flow f;
5254  TcpSession ssn;
5255  Packet *p = NULL;
5256  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
5257  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
5258  uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
5259  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
5260  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
5261  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
5262  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
5263  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
5264  uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
5265  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
5266  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
5267  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
5268  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5269 
5270  memset(&th_v, 0, sizeof(th_v));
5271  memset(&f, 0, sizeof(f));
5272  memset(&ssn, 0, sizeof(ssn));
5273 
5274  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5275 
5276  FLOW_INITIALIZE(&f);
5277  f.protoctx = (void *)&ssn;
5278  f.proto = IPPROTO_TCP;
5279  f.flags |= FLOW_IPV4;
5280 
5281  p->flow = &f;
5282  p->flowflags |= FLOW_PKT_TOSERVER;
5283  p->flowflags |= FLOW_PKT_ESTABLISHED;
5284  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5285  f.alproto = ALPROTO_HTTP1;
5286 
5287  StreamTcpInitConfig(true);
5288 
5289  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5290  if (de_ctx == NULL) {
5291  goto end;
5292  }
5293 
5294  de_ctx->flags |= DE_QUIET;
5295 
5296  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; http_cookie; content:\"Body one\"; http_raw_host; sid:1; rev:1;)");
5297  if (s == NULL) {
5298  printf("sig parse failed: ");
5299  goto end;
5300  }
5301  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; http_cookie; content:\"Body two\"; http_raw_host; sid:2; rev:1;)");
5302  if (s == NULL) {
5303  printf("sig2 parse failed: ");
5304  goto end;
5305  }
5306 
5307  SigGroupBuild(de_ctx);
5308  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5309 
5310  int r = AppLayerParserParse(
5311  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
5312  if (r != 0) {
5313  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5314  goto end;
5315  }
5316 
5317  /* do detect */
5318  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5319  if (PacketAlertCheck(p, 1)) {
5320  printf("sig 1 alerted: ");
5321  goto end;
5322  }
5323  p->alerts.cnt = 0;
5324 
5325  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
5326  if (r != 0) {
5327  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
5328  goto end;
5329  }
5330 
5331  /* do detect */
5332  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5333  if (PacketAlertCheck(p, 1)) {
5334  printf("sig 1 alerted (2): ");
5335  goto end;
5336  }
5337  p->alerts.cnt = 0;
5338 
5339  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
5340  if (r != 0) {
5341  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
5342  goto end;
5343  }
5344 
5345  /* do detect */
5346  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5347  if (!(PacketAlertCheck(p, 1))) {
5348  printf("sig 1 didn't alert: ");
5349  goto end;
5350  }
5351  p->alerts.cnt = 0;
5352 
5353  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
5354  if (r != 0) {
5355  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
5356  goto end;
5357  }
5358 
5359  /* do detect */
5360  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5361  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
5362  printf("sig 1 alerted (4): ");
5363  goto end;
5364  }
5365  p->alerts.cnt = 0;
5366 
5367  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
5368  if (r != 0) {
5369  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
5370  goto end;
5371  }
5372 
5373  /* do detect */
5374  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5375  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
5376  printf("sig 1 alerted (request 2, chunk 6): ");
5377  goto end;
5378  }
5379  p->alerts.cnt = 0;
5380 
5381  SCLogDebug("sending data chunk 7");
5382 
5383  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
5384  if (r != 0) {
5385  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
5386  goto end;
5387  }
5388 
5389  /* do detect */
5390  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5391  if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
5392  printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
5393  goto end;
5394  }
5395  p->alerts.cnt = 0;
5396 
5397  HtpState *htp_state = f.alstate;
5398  if (htp_state == NULL) {
5399  printf("no http state: ");
5400  result = 0;
5401  goto end;
5402  }
5403 
5404  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
5405  printf("The http app layer doesn't have 2 transactions, but it should: ");
5406  goto end;
5407  }
5408 
5409  result = 1;
5410 end:
5411  if (alp_tctx != NULL)
5412  AppLayerParserThreadCtxFree(alp_tctx);
5413  if (det_ctx != NULL) {
5414  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5415  }
5416  if (de_ctx != NULL) {
5417  DetectEngineCtxFree(de_ctx);
5418  }
5419 
5420  StreamTcpFreeConfig(true);
5421  FLOW_DESTROY(&f);
5422  UTHFreePacket(p);
5423  return result;
5424 }
5425 
5426 static int DetectHttpHRHTest22(void)
5427 {
5428  DetectEngineCtx *de_ctx = NULL;
5429  int result = 0;
5430 
5431  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
5432  goto end;
5433 
5434  de_ctx->flags |= DE_QUIET;
5435  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5436  "(content:\"one\"; content:\"two\"; http_raw_host; "
5437  "content:\"three\"; distance:10; http_raw_host; content:\"four\"; sid:1;)");
5438  if (de_ctx->sig_list == NULL) {
5439  printf("de_ctx->sig_list == NULL\n");
5440  goto end;
5441  }
5442 
5443  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
5444  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
5445  goto end;
5446  }
5447 
5448  if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
5449  printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
5450  goto end;
5451  }
5452 
5453  DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
5454  DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
5455  DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
5456  DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
5457  if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 ||
5458  cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
5459  hrhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
5460  memcmp(hrhhd1->content, "two", hrhhd1->content_len) != 0 ||
5461  hrhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
5462  memcmp(hrhhd2->content, "three", hrhhd1->content_len) != 0) {
5463  goto end;
5464  }
5465 
5466  if (!DETECT_CONTENT_IS_SINGLE(cd1) ||
5467  !DETECT_CONTENT_IS_SINGLE(cd2) ||
5468  DETECT_CONTENT_IS_SINGLE(hrhhd1) ||
5469  DETECT_CONTENT_IS_SINGLE(hrhhd2)) {
5470  goto end;
5471  }
5472 
5473  result = 1;
5474 
5475  end:
5476  SigCleanSignatures(de_ctx);
5477  DetectEngineCtxFree(de_ctx);
5478  return result;
5479 }
5480 
5481 static int DetectHttpHRHTest23(void)
5482 {
5483  DetectEngineCtx *de_ctx = NULL;
5484  int result = 0;
5485 
5486  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
5487  goto end;
5488 
5489  de_ctx->flags |= DE_QUIET;
5490  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5491  "(content:\"one\"; http_raw_host; pcre:/two/; "
5492  "content:\"three\"; distance:10; http_raw_host; content:\"four\"; sid:1;)");
5493  if (de_ctx->sig_list == NULL) {
5494  printf("de_ctx->sig_list == NULL\n");
5495  goto end;
5496  }
5497 
5498  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
5499  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
5500  goto end;
5501  }
5502 
5503  if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
5504  printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
5505  goto end;
5506  }
5507 
5508  DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
5509  DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
5510  DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
5511  DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
5512  if (pd1->flags != 0 ||
5513  cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
5514  hrhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
5515  memcmp(hrhhd1->content, "one", hrhhd1->content_len) != 0 ||
5516  hrhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
5517  memcmp(hrhhd2->content, "three", hrhhd1->content_len) != 0) {
5518  goto end;
5519  }
5520 
5521  if (!DETECT_CONTENT_IS_SINGLE(cd2) ||
5522  DETECT_CONTENT_IS_SINGLE(hrhhd1) ||
5523  DETECT_CONTENT_IS_SINGLE(hrhhd2)) {
5524  goto end;
5525  }
5526 
5527  result = 1;
5528 
5529  end:
5530  SigCleanSignatures(de_ctx);
5531  DetectEngineCtxFree(de_ctx);
5532  return result;
5533 }
5534 
5535 static int DetectHttpHRHTest24(void)
5536 {
5537  DetectEngineCtx *de_ctx = NULL;
5538  int result = 0;
5539 
5540  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
5541  goto end;
5542 
5543  de_ctx->flags |= DE_QUIET;
5544  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5545  "(content:\"one\"; http_raw_host; pcre:/two/; "
5546  "content:\"three\"; distance:10; within:15; http_raw_host; content:\"four\"; sid:1;)");
5547  if (de_ctx->sig_list == NULL) {
5548  printf("de_ctx->sig_list == NULL\n");
5549  goto end;
5550  }
5551 
5552  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
5553  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
5554  goto end;
5555  }
5556 
5557  if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
5558  printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
5559  goto end;
5560  }
5561 
5562  DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
5563  DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
5564  DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
5565  DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
5566  if (pd1->flags != 0 ||
5567  cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
5568  hrhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
5569  memcmp(hrhhd1->content, "one", hrhhd1->content_len) != 0 ||
5570  hrhhd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) ||
5571&