suricata
detect-http-host.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP host header.
31  * HHHD - Http Host Header Data
32  *
33  */
34 
35 #include "suricata-common.h"
36 #include "suricata.h"
37 #include "flow-util.h"
38 #include "flow.h"
39 #include "app-layer-parser.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 #include "app-layer.h"
43 #include "app-layer-htp.h"
44 #include "app-layer-protos.h"
45 #include "detect-engine-build.h"
46 #include "detect-engine-alert.h"
47 
48 static int RunTest(const uint8_t *buf, const uint32_t size, const char *sig_str, const int expect)
49 {
50  TcpSession ssn;
51  ThreadVars th_v;
52  DetectEngineThreadCtx *det_ctx = NULL;
53  Flow f;
54  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
55 
56  memset(&th_v, 0, sizeof(th_v));
57  StatsThreadInit(&th_v.stats);
58  memset(&f, 0, sizeof(f));
59  memset(&ssn, 0, sizeof(ssn));
60 
61  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
62  FAIL_IF_NULL(p);
63 
64  FLOW_INITIALIZE(&f);
65  f.protoctx = (void *)&ssn;
66  f.proto = IPPROTO_TCP;
67  f.flags |= FLOW_IPV4;
68  p->flow = &f;
69  p->flowflags |= FLOW_PKT_TOSERVER;
70  p->flowflags |= FLOW_PKT_ESTABLISHED;
71  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
72  f.alproto = ALPROTO_HTTP1;
73 
74  StreamTcpInitConfig(true);
75 
76  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
77  FAIL_IF_NULL(de_ctx);
78  de_ctx->flags |= DE_QUIET;
79 
80  Signature *s = DetectEngineAppendSig(de_ctx, sig_str);
81  FAIL_IF_NULL(s);
82 
83  SigGroupBuild(de_ctx);
84  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
85 
86  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, size);
87  FAIL_IF(r != 0);
88 
89  HtpState *http_state = f.alstate;
90  FAIL_IF_NULL(http_state);
91 
92  /* do detect */
93  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
94  FAIL_IF(PacketAlertCheck(p, 1) != expect);
95 
96  UTHFreePackets(&p, 1);
97  FLOW_DESTROY(&f);
98  AppLayerParserThreadCtxFree(alp_tctx);
99  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
100  DetectEngineCtxFree(de_ctx);
101  StreamTcpFreeConfig(true);
102  StatsThreadCleanup(&th_v.stats);
103  PASS;
104 }
105 /**
106  * \test Test that the http_host content matches against a http request
107  * which holds the content.
108  */
109 static int DetectEngineHttpHHTest01(void)
110 {
111  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
112  "Host: CONNECT\r\n"
113  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
114  uint32_t http_len = sizeof(http_buf) - 1;
115  return RunTest(http_buf, http_len,
116  "alert http any any -> any any "
117  "(msg:\"http host header test\"; "
118  "content:\"connect\"; http_host; "
119  "sid:1;)",
120  1);
121 }
122 
123 /**
124  * \test Test that the http_host content matches against a http request
125  * which holds the content.
126  */
127 static int DetectEngineHttpHHTest02(void)
128 {
129  uint8_t http_buf[] =
130  "GET /index.html HTTP/1.0\r\n"
131  "Host: CONNECT\r\n"
132  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
133  uint32_t http_len = sizeof(http_buf) - 1;
134  return RunTest(http_buf, http_len,
135  "alert http any any -> any any "
136  "(msg:\"http host header test\"; "
137  "content:\"co\"; depth:4; http_host; "
138  "sid:1;)",
139  1);
140 }
141 
142 /**
143  * \test Test that the http_host content matches against a http request
144  * which holds the content.
145  */
146 static int DetectEngineHttpHHTest03(void)
147 {
148  uint8_t http_buf[] =
149  "GET /index.html HTTP/1.0\r\n"
150  "Host: CONNECT\r\n"
151  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
152  uint32_t http_len = sizeof(http_buf) - 1;
153  return RunTest(http_buf, http_len,
154  "alert http any any -> any any "
155  "(msg:\"http_host header test\"; "
156  "content:!\"ect\"; depth:4; http_host; "
157  "sid:1;)",
158  1);
159 }
160 
161 /**
162  * \test Test that the http_host content matches against a http request
163  * which holds the content.
164  */
165 static int DetectEngineHttpHHTest04(void)
166 {
167  uint8_t http_buf[] =
168  "GET /index.html HTTP/1.0\r\n"
169  "Host: CONNECT\r\n"
170  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
171  uint32_t http_len = sizeof(http_buf) - 1;
172  return RunTest(http_buf, http_len,
173  "alert http any any -> any any "
174  "(msg:\"http host header test\"; "
175  "content:\"ect\"; depth:4; http_host; "
176  "sid:1;)",
177  0);
178 }
179 
180 /**
181  * \test Test that the http_host content matches against a http request
182  * which holds the content.
183  */
184 static int DetectEngineHttpHHTest05(void)
185 {
186  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
187  "Host: CONNECT\r\n"
188  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
189  uint32_t http_len = sizeof(http_buf) - 1;
190  return RunTest(http_buf, http_len,
191  "alert http any any -> any any "
192  "(msg:\"http host header test\"; "
193  "content:!\"con\"; depth:4; http_host; "
194  "sid:1;)",
195  0);
196 }
197 
198 /**
199  * \test Test that the http_host header content matches against a http request
200  * which holds the content.
201  */
202 static int DetectEngineHttpHHTest06(void)
203 {
204  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
205  "Host: CONNECT\r\n"
206  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
207  uint32_t http_len = sizeof(http_buf) - 1;
208  return RunTest(http_buf, http_len,
209  "alert http any any -> any any "
210  "(msg:\"http host header test\"; "
211  "content:\"ect\"; offset:3; http_host; "
212  "sid:1;)",
213  1);
214 }
215 
216 /**
217  * \test Test that the http_host content matches against a http request
218  * which holds the content.
219  */
220 static int DetectEngineHttpHHTest07(void)
221 {
222  uint8_t http_buf[] =
223  "GET /index.html HTTP/1.0\r\n"
224  "Host: CONNECT\r\n"
225  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
226  uint32_t http_len = sizeof(http_buf) - 1;
227  return RunTest(http_buf, http_len,
228  "alert http any any -> any any "
229  "(msg:\"http host header test\"; "
230  "content:!\"co\"; offset:3; http_host; "
231  "sid:1;)",
232  1);
233 }
234 
235 /**
236  * \test Test that the http_host header content matches against a http request
237  * which holds the content.
238  */
239 static int DetectEngineHttpHHTest08(void)
240 {
241  uint8_t http_buf[] =
242  "GET /index.html HTTP/1.0\r\n"
243  "Host: CONNECT\r\n"
244  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
245  uint32_t http_len = sizeof(http_buf) - 1;
246  return RunTest(http_buf, http_len,
247  "alert http any any -> any any "
248  "(msg:\"http host header test\"; "
249  "content:!\"ect\"; offset:3; http_host; "
250  "sid:1;)",
251  0);
252 }
253 
254 /**
255  * \test Test that the http_host header content matches against a http request
256  * which holds the content.
257  */
258 static int DetectEngineHttpHHTest09(void)
259 {
260  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
261  "Host: CONNECT\r\n"
262  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
263  uint32_t http_len = sizeof(http_buf) - 1;
264  return RunTest(http_buf, http_len,
265  "alert http any any -> any any "
266  "(msg:\"http host header test\"; "
267  "content:\"con\"; offset:3; http_host; "
268  "sid:1;)",
269  0);
270 }
271 
272 /**
273  * \test Test that the http_host header content matches against a http request
274  * which holds the content.
275  */
276 static int DetectEngineHttpHHTest10(void)
277 {
278  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
279  "Host: CONNECT\r\n"
280  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
281  uint32_t http_len = sizeof(http_buf) - 1;
282  return RunTest(http_buf, http_len,
283  "alert http any any -> any any "
284  "(msg:\"http_host header test\"; "
285  "content:\"co\"; http_host; "
286  "content:\"ec\"; within:4; http_host; "
287  "sid:1;)",
288  1);
289 }
290 
291 /**
292  * \test Test that the http_host header content matches against a http request
293  * which holds the content.
294  */
295 static int DetectEngineHttpHHTest11(void)
296 {
297  uint8_t http_buf[] =
298  "GET /index.html HTTP/1.0\r\n"
299  "Host: CONNECT\r\n"
300  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
301  uint32_t http_len = sizeof(http_buf) - 1;
302  return RunTest(http_buf, http_len,
303  "alert http any any -> any any "
304  "(msg:\"http_host header test\"; "
305  "content:\"co\"; http_host; "
306  "content:!\"ec\"; within:3; http_host; "
307  "sid:1;)",
308  1);
309 }
310 
311 /**
312  * \test Test that the http_host header content matches against a http request
313  * which holds the content.
314  */
315 static int DetectEngineHttpHHTest12(void)
316 {
317  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
318  "Host: CONNECT\r\n"
319  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
320  uint32_t http_len = sizeof(http_buf) - 1;
321  return RunTest(http_buf, http_len,
322  "alert http any any -> any any "
323  "(msg:\"http_host header test\"; "
324  "content:\"co\"; http_host; "
325  "content:\"ec\"; within:3; http_host; "
326  "sid:1;)",
327  0);
328 }
329 
330 /**
331  * \test Test that the http_host header content matches against a http request
332  * which holds the content.
333  */
334 static int DetectEngineHttpHHTest13(void)
335 {
336  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
337  "Host: CONNECT\r\n"
338  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
339  uint32_t http_len = sizeof(http_buf) - 1;
340  return RunTest(http_buf, http_len,
341  "alert http any any -> any any "
342  "(msg:\"http_host header test\"; "
343  "content:\"co\"; http_host; "
344  "content:!\"ec\"; within:4; http_host; "
345  "sid:1;)",
346  0);
347 }
348 
349 /**
350  * \test Test that the http_host header content matches against a http request
351  * which holds the content.
352  */
353 static int DetectEngineHttpHHTest14(void)
354 {
355  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
356  "Host: CONNECT\r\n"
357  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
358  uint32_t http_len = sizeof(http_buf) - 1;
359  return RunTest(http_buf, http_len,
360  "alert http any any -> any any "
361  "(msg:\"http_host header test\"; "
362  "content:\"co\"; http_host; "
363  "content:\"ec\"; distance:2; http_host; "
364  "sid:1;)",
365  1);
366 }
367 
368 /**
369  * \test Test that the http_host header content matches against a http request
370  * which holds the content.
371  */
372 static int DetectEngineHttpHHTest15(void)
373 {
374  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
375  "Host: CONNECT\r\n"
376  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
377  uint32_t http_len = sizeof(http_buf) - 1;
378  return RunTest(http_buf, http_len,
379  "alert http any any -> any any "
380  "(msg:\"http_host header test\"; "
381  "content:\"co\"; http_host; "
382  "content:!\"ec\"; distance:3; http_host; "
383  "sid:1;)",
384  1);
385 }
386 
387 /**
388  * \test Test that the http_host header content matches against a http request
389  * which holds the content.
390  */
391 static int DetectEngineHttpHHTest16(void)
392 {
393  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
394  "Host: CONNECT\r\n"
395  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
396  uint32_t http_len = sizeof(http_buf) - 1;
397  return RunTest(http_buf, http_len,
398  "alert http any any -> any any "
399  "(msg:\"http_host header test\"; "
400  "content:\"co\"; http_host; "
401  "content:\"ec\"; distance:3; http_host; "
402  "sid:1;)",
403  0);
404 }
405 
406 /**
407  * \test Test that the http_host header content matches against a http request
408  * which holds the content.
409  */
410 static int DetectEngineHttpHHTest17(void)
411 {
412  uint8_t http_buf[] =
413  "GET /index.html HTTP/1.0\r\n"
414  "Host: CONNECT\r\n"
415  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
416  uint32_t http_len = sizeof(http_buf) - 1;
417  return RunTest(http_buf, http_len,
418  "alert http any any -> any any "
419  "(msg:\"http_host header test\"; "
420  "content:\"co\"; http_host; "
421  "content:!\"ec\"; distance:2; http_host; "
422  "sid:1;)",
423  0);
424 }
425 
426 static int DetectEngineHttpHHTest18(void)
427 {
428  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
429  "Host: www.kaboom.com\r\n"
430  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
431  uint32_t http_len = sizeof(http_buf) - 1;
432  return RunTest(http_buf, http_len,
433  "alert http any any -> any any "
434  "(msg:\"http_host header test\"; "
435  "content:\"kaboom\"; http_host; "
436  "sid:1;)",
437  1);
438 }
439 
440 static int DetectEngineHttpHHTest19(void)
441 {
442  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
443  "Host: www.kaboom.com:8080\r\n"
444  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
445  uint32_t http_len = sizeof(http_buf) - 1;
446  return RunTest(http_buf, http_len,
447  "alert http any any -> any any "
448  "(msg:\"http_host header test\"; "
449  "content:\"kaboom\"; http_host; "
450  "sid:1;)",
451  1);
452 }
453 
454 static int DetectEngineHttpHHTest20(void)
455 {
456  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
457  "Host: www.kaboom.com:8080\r\n"
458  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
459  uint32_t http_len = sizeof(http_buf) - 1;
460  return RunTest(http_buf, http_len,
461  "alert http any any -> any any "
462  "(msg:\"http_host header test\"; "
463  "content:\"8080\"; http_host; "
464  "sid:1;)",
465  0);
466 }
467 
468 static int DetectEngineHttpHHTest21(void)
469 {
470  uint8_t http_buf[] = "GET http://www.kaboom.com/index.html HTTP/1.0\r\n"
471  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
472  uint32_t http_len = sizeof(http_buf) - 1;
473  return RunTest(http_buf, http_len,
474  "alert http any any -> any any "
475  "(msg:\"http_host header test\"; "
476  "content:\"kaboom\"; http_host; "
477  "sid:1;)",
478  1);
479 }
480 
481 static int DetectEngineHttpHHTest22(void)
482 {
483  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
484  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
485  uint32_t http_len = sizeof(http_buf) - 1;
486  return RunTest(http_buf, http_len,
487  "alert http any any -> any any "
488  "(msg:\"http_host header test\"; "
489  "content:\"kaboom\"; http_host; "
490  "sid:1;)",
491  1);
492 }
493 
494 static int DetectEngineHttpHHTest23(void)
495 {
496  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
497  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
498  uint32_t http_len = sizeof(http_buf) - 1;
499  return RunTest(http_buf, http_len,
500  "alert http any any -> any any "
501  "(msg:\"http_host header test\"; "
502  "content:\"8080\"; http_host; "
503  "sid:1;)",
504  0);
505 }
506 
507 static int DetectEngineHttpHHTest24(void)
508 {
509  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
510  "Host: www.rabbit.com\r\n"
511  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
512  uint32_t http_len = sizeof(http_buf) - 1;
513  return RunTest(http_buf, http_len,
514  "alert http any any -> any any "
515  "(msg:\"http_host header test\"; "
516  "content:\"kaboom\"; http_host; "
517  "sid:1;)",
518  1);
519 }
520 
521 static int DetectEngineHttpHHTest25(void)
522 {
523  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
524  "Host: www.rabbit.com\r\n"
525  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
526  uint32_t http_len = sizeof(http_buf) - 1;
527  return RunTest(http_buf, http_len,
528  "alert http any any -> any any "
529  "(msg:\"http_host header test\"; "
530  "content:\"rabbit\"; http_host; "
531  "sid:1;)",
532  0);
533 }
534 
535 /**
536  * \test Test that a signature containing a http_host is correctly parsed
537  * and the keyword is registered.
538  */
539 static int DetectHttpHHTest01(void)
540 {
541  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
542  FAIL_IF_NULL(de_ctx);
543  de_ctx->flags |= DE_QUIET;
544  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
545  "content:\"one\"; http_host; sid:1;)");
546  FAIL_IF_NULL(s);
547  DetectEngineCtxFree(de_ctx);
548  PASS;
549 }
550 
551 /**
552  * \test Test that an invalid signature containing no content but a
553  * http_host is invalidated.
554  */
555 static int DetectHttpHHTest03(void)
556 {
557  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
558  FAIL_IF_NULL(de_ctx);
559  de_ctx->flags |= DE_QUIET;
560  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
561  "http_host; sid:1;)");
562  FAIL_IF_NOT_NULL(s);
563  DetectEngineCtxFree(de_ctx);
564  PASS;
565 }
566 
567 /**
568  * \test Test that an invalid signature containing a rawbytes along with a
569  * http_host is invalidated.
570  */
571 static int DetectHttpHHTest04(void)
572 {
573  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
574  FAIL_IF_NULL(de_ctx);
575  de_ctx->flags |= DE_QUIET;
576  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
577  "content:\"one\"; rawbytes; http_host; sid:1;)");
578  FAIL_IF_NOT_NULL(s);
579  DetectEngineCtxFree(de_ctx);
580  PASS;
581 }
582 
583 /**
584  * \test Test that a http_host with nocase is parsed.
585  */
586 static int DetectHttpHHTest05(void)
587 {
588  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
589  FAIL_IF_NULL(de_ctx);
590  de_ctx->flags |= DE_QUIET;
591  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
592  "content:\"one\"; http_host; nocase; sid:1;)");
593  FAIL_IF_NOT_NULL(s);
594  DetectEngineCtxFree(de_ctx);
595  PASS;
596 }
597 
598 /** \test invalid sig: uppercase content */
599 static int DetectHttpHHTest05a(void)
600 {
601  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
602  FAIL_IF_NULL(de_ctx);
603  de_ctx->flags |= DE_QUIET;
604 
605  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
606  "(content:\"ABC\"; http_host; sid:1;)");
607  FAIL_IF_NOT_NULL(s);
608 
609  DetectEngineCtxFree(de_ctx);
610  PASS;
611 }
612 
613 /**
614  *\test Test that the http_host content matches against a http request
615  * which holds the content.
616  */
617 static int DetectHttpHHTest06(void)
618 {
619  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
620  "User-Agent: www.openinfosecfoundation.org\r\n"
621  "Host: This is dummy message body\r\n"
622  "Content-Type: text/html\r\n"
623  "\r\n";
624  uint32_t http_len = sizeof(http_buf) - 1;
625  return RunTest(http_buf, http_len,
626  "alert http any any -> any any "
627  "(msg:\"http host test\"; "
628  "content:\"message\"; http_host; "
629  "sid:1;)",
630  1);
631 }
632 
633 /**
634  *\test Test that the http_host content matches against a http request
635  * which holds the content.
636  */
637 static int DetectHttpHHTest07(void)
638 {
639  TcpSession ssn;
640  Packet *p1 = NULL;
641  Packet *p2 = NULL;
642  ThreadVars th_v;
643  DetectEngineThreadCtx *det_ctx = NULL;
644  HtpState *http_state = NULL;
645  Flow f;
646  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
647  "User-Agent: www.openinfosecfoundation.org\r\n"
648  "Host: This is dummy message";
649  uint8_t http2_buf[] = "body1\r\n\r\n";
650  uint32_t http1_len = sizeof(http1_buf) - 1;
651  uint32_t http2_len = sizeof(http2_buf) - 1;
652  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
653 
654  memset(&th_v, 0, sizeof(th_v));
655  StatsThreadInit(&th_v.stats);
656  memset(&f, 0, sizeof(f));
657  memset(&ssn, 0, sizeof(ssn));
658 
659  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
660  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
661 
662  FLOW_INITIALIZE(&f);
663  f.protoctx = (void *)&ssn;
664  f.proto = IPPROTO_TCP;
665  f.flags |= FLOW_IPV4;
666 
667  p1->flow = &f;
668  p1->flowflags |= FLOW_PKT_TOSERVER;
669  p1->flowflags |= FLOW_PKT_ESTABLISHED;
670  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
671  p2->flow = &f;
672  p2->flowflags |= FLOW_PKT_TOSERVER;
673  p2->flowflags |= FLOW_PKT_ESTABLISHED;
674  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
675  f.alproto = ALPROTO_HTTP1;
676 
677  StreamTcpInitConfig(true);
678 
679  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
680  FAIL_IF_NULL(de_ctx);
681  de_ctx->flags |= DE_QUIET;
682 
683  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
684  "(msg:\"http host test\"; "
685  "content:\"message\"; http_host; "
686  "sid:1;)");
687  FAIL_IF_NULL(s);
688 
689  SigGroupBuild(de_ctx);
690  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
691 
692  int r = AppLayerParserParse(
693  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
694  FAIL_IF(r != 0);
695 
696  http_state = f.alstate;
697  FAIL_IF_NULL(http_state);
698 
699  /* do detect */
700  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
701 
702  FAIL_IF(PacketAlertCheck(p1, 1));
703 
704  r = AppLayerParserParse(
705  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
706  FAIL_IF(r != 0);
707 
708  /* do detect */
709  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
710  FAIL_IF(!(PacketAlertCheck(p2, 1)));
711 
712  AppLayerParserThreadCtxFree(alp_tctx);
713  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
714  DetectEngineCtxFree(de_ctx);
715 
716  StreamTcpFreeConfig(true);
717  FLOW_DESTROY(&f);
718  UTHFreePackets(&p1, 1);
719  UTHFreePackets(&p2, 1);
720  StatsThreadCleanup(&th_v.stats);
721  PASS;
722 }
723 
724 /**
725  *\test Test that the http_host content matches against a http request
726  * which holds the content.
727  */
728 static int DetectHttpHHTest08(void)
729 {
730  TcpSession ssn;
731  Packet *p1 = NULL;
732  Packet *p2 = NULL;
733  ThreadVars th_v;
734  DetectEngineThreadCtx *det_ctx = NULL;
735  HtpState *http_state = NULL;
736  Flow f;
737  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
738  "User-Agent: www.openinfosecfoundation.org\r\n"
739  "host: This is dummy mess";
740  uint8_t http2_buf[] = "age body\r\n\r\n";
741  uint32_t http1_len = sizeof(http1_buf) - 1;
742  uint32_t http2_len = sizeof(http2_buf) - 1;
743  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
744 
745  memset(&th_v, 0, sizeof(th_v));
746  StatsThreadInit(&th_v.stats);
747  memset(&f, 0, sizeof(f));
748  memset(&ssn, 0, sizeof(ssn));
749 
750  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
751  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
752 
753  FLOW_INITIALIZE(&f);
754  f.protoctx = (void *)&ssn;
755  f.proto = IPPROTO_TCP;
756  f.flags |= FLOW_IPV4;
757 
758  p1->flow = &f;
759  p1->flowflags |= FLOW_PKT_TOSERVER;
760  p1->flowflags |= FLOW_PKT_ESTABLISHED;
761  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
762  p2->flow = &f;
763  p2->flowflags |= FLOW_PKT_TOSERVER;
764  p2->flowflags |= FLOW_PKT_ESTABLISHED;
765  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
766  f.alproto = ALPROTO_HTTP1;
767 
768  StreamTcpInitConfig(true);
769 
770  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
771  FAIL_IF_NULL(de_ctx);
772  de_ctx->flags |= DE_QUIET;
773 
774  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
775  "(msg:\"http host test\"; "
776  "content:\"message\"; http_host; "
777  "sid:1;)");
778  FAIL_IF_NULL(s);
779 
780  SigGroupBuild(de_ctx);
781  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
782 
783  int r = AppLayerParserParse(
784  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
785  FAIL_IF(r != 0);
786 
787  http_state = f.alstate;
788  FAIL_IF_NULL(http_state);
789 
790  /* do detect */
791  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
792 
793  FAIL_IF((PacketAlertCheck(p1, 1)));
794 
795  r = AppLayerParserParse(
796  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
797  FAIL_IF(r != 0);
798 
799  /* do detect */
800  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
801 
802  FAIL_IF(!(PacketAlertCheck(p2, 1)));
803 
804  AppLayerParserThreadCtxFree(alp_tctx);
805  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
806  DetectEngineCtxFree(de_ctx);
807 
808  StreamTcpFreeConfig(true);
809  FLOW_DESTROY(&f);
810  UTHFreePackets(&p1, 1);
811  UTHFreePackets(&p2, 1);
812  StatsThreadCleanup(&th_v.stats);
813  PASS;
814 }
815 
816 /**
817  *\test Test that the http_host content matches against a http request
818  * which holds the content, against a cross boundary present pattern.
819  */
820 static int DetectHttpHHTest09(void)
821 {
822  TcpSession ssn;
823  Packet *p1 = NULL;
824  Packet *p2 = NULL;
825  ThreadVars th_v;
826  DetectEngineThreadCtx *det_ctx = NULL;
827  HtpState *http_state = NULL;
828  Flow f;
829  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
830  "User-Agent: www.openinfosecfoundation.org\r\n"
831  "Host: This is dummy body1";
832  uint8_t http2_buf[] = "This is dummy message body2\r\n"
833  "Content-Type: text/html\r\n"
834  "Content-Length: 46\r\n"
835  "\r\n"
836  "This is dummy body1";
837  uint32_t http1_len = sizeof(http1_buf) - 1;
838  uint32_t http2_len = sizeof(http2_buf) - 1;
839  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
840 
841  memset(&th_v, 0, sizeof(th_v));
842  StatsThreadInit(&th_v.stats);
843  memset(&f, 0, sizeof(f));
844  memset(&ssn, 0, sizeof(ssn));
845 
846  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
847  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
848 
849  FLOW_INITIALIZE(&f);
850  f.protoctx = (void *)&ssn;
851  f.proto = IPPROTO_TCP;
852  f.flags |= FLOW_IPV4;
853 
854  p1->flow = &f;
855  p1->flowflags |= FLOW_PKT_TOSERVER;
856  p1->flowflags |= FLOW_PKT_ESTABLISHED;
857  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
858  p2->flow = &f;
859  p2->flowflags |= FLOW_PKT_TOSERVER;
860  p2->flowflags |= FLOW_PKT_ESTABLISHED;
861  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
862  f.alproto = ALPROTO_HTTP1;
863 
864  StreamTcpInitConfig(true);
865 
866  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
867  FAIL_IF_NULL(de_ctx);
868  de_ctx->flags |= DE_QUIET;
869 
870  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
871  "(msg:\"http host test\"; "
872  "content:\"body1this\"; http_host; "
873  "sid:1;)");
874  FAIL_IF_NULL(s);
875 
876  SigGroupBuild(de_ctx);
877  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
878 
879  int r = AppLayerParserParse(
880  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
881  FAIL_IF(r != 0);
882 
883  http_state = f.alstate;
884  FAIL_IF_NULL(http_state);
885 
886  /* do detect */
887  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
888 
889  FAIL_IF((PacketAlertCheck(p1, 1)));
890 
891  r = AppLayerParserParse(
892  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
893  FAIL_IF(r != 0);
894 
895  /* do detect */
896  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
897 
898  FAIL_IF(!(PacketAlertCheck(p2, 1)));
899 
900  AppLayerParserThreadCtxFree(alp_tctx);
901  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
902  DetectEngineCtxFree(de_ctx);
903 
904  StreamTcpFreeConfig(true);
905  FLOW_DESTROY(&f);
906  UTHFreePackets(&p1, 1);
907  UTHFreePackets(&p2, 1);
908  StatsThreadCleanup(&th_v.stats);
909  PASS;
910 }
911 
912 /**
913  *\test Test that the http_host content matches against a http request
914  * against a case insensitive pattern.
915  */
916 static int DetectHttpHHTest10(void)
917 {
918  TcpSession ssn;
919  Packet *p1 = NULL;
920  Packet *p2 = NULL;
921  ThreadVars th_v;
922  DetectEngineCtx *de_ctx = NULL;
923  DetectEngineThreadCtx *det_ctx = NULL;
924  HtpState *http_state = NULL;
925  Flow f;
926  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
927  "User-Agent: www.openinfosecfoundation.org\r\n"
928  "Host: This is dummy bodY1";
929  uint8_t http2_buf[] = "This is dummy message body2\r\n"
930  "Content-Type: text/html\r\n"
931  "Content-Length: 46\r\n"
932  "\r\n"
933  "This is dummy bodY1";
934  uint32_t http1_len = sizeof(http1_buf) - 1;
935  uint32_t http2_len = sizeof(http2_buf) - 1;
936  int result = 0;
937  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
938 
939  memset(&th_v, 0, sizeof(th_v));
940  StatsThreadInit(&th_v.stats);
941  memset(&f, 0, sizeof(f));
942  memset(&ssn, 0, sizeof(ssn));
943 
944  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
945  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
946 
947  FLOW_INITIALIZE(&f);
948  f.protoctx = (void *)&ssn;
949  f.proto = IPPROTO_TCP;
950  f.flags |= FLOW_IPV4;
951 
952  p1->flow = &f;
953  p1->flowflags |= FLOW_PKT_TOSERVER;
954  p1->flowflags |= FLOW_PKT_ESTABLISHED;
955  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
956  p2->flow = &f;
957  p2->flowflags |= FLOW_PKT_TOSERVER;
958  p2->flowflags |= FLOW_PKT_ESTABLISHED;
959  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
960  f.alproto = ALPROTO_HTTP1;
961 
962  StreamTcpInitConfig(true);
963 
964  de_ctx = DetectEngineCtxInit();
965  if (de_ctx == NULL)
966  goto end;
967 
968  de_ctx->flags |= DE_QUIET;
969 
970  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
971  "(msg:\"http host test\"; "
972  "content:\"body1this\"; http_host; "
973  "sid:1;)");
974  if (de_ctx->sig_list == NULL)
975  goto end;
976 
977  SigGroupBuild(de_ctx);
978  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
979 
980  int r = AppLayerParserParse(
981  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
982  if (r != 0) {
983  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
984  result = 0;
985  goto end;
986  }
987 
988  http_state = f.alstate;
989  if (http_state == NULL) {
990  printf("no http state: \n");
991  result = 0;
992  goto end;
993  }
994 
995  /* do detect */
996  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
997 
998  if ((PacketAlertCheck(p1, 1))) {
999  printf("sid 1 didn't match but should have\n");
1000  goto end;
1001  }
1002 
1003  r = AppLayerParserParse(
1004  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1005  if (r != 0) {
1006  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1007  result = 0;
1008  goto end;
1009  }
1010 
1011  /* do detect */
1012  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1013 
1014  if (!(PacketAlertCheck(p2, 1))) {
1015  printf("sid 1 didn't match but should have");
1016  goto end;
1017  }
1018 
1019  result = 1;
1020 end:
1021  if (alp_tctx != NULL)
1022  AppLayerParserThreadCtxFree(alp_tctx);
1023  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1024  if (de_ctx != NULL)
1025  DetectEngineCtxFree(de_ctx);
1026 
1027  StreamTcpFreeConfig(true);
1028  FLOW_DESTROY(&f);
1029  UTHFreePackets(&p1, 1);
1030  UTHFreePackets(&p2, 1);
1031  StatsThreadCleanup(&th_v.stats);
1032  return result;
1033 }
1034 
1035 /**
1036  *\test Test that the negated http_host content matches against a
1037  * http request which doesn't hold the content.
1038  */
1039 static int DetectHttpHHTest11(void)
1040 {
1041  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1042  "User-Agent: www.openinfosecfoundation.org\r\n"
1043  "Host: This is dummy message body\r\n"
1044  "Content-Type: text/html\r\n"
1045  "\r\n";
1046  uint32_t http_len = sizeof(http_buf) - 1;
1047  return RunTest(http_buf, http_len,
1048  "alert http any any -> any any "
1049  "(msg:\"http host test\"; "
1050  "content:!\"message\"; http_host; "
1051  "sid:1;)",
1052  0);
1053 }
1054 
1055 /**
1056  *\test Negative test that the negated http_host content matches against a
1057  * http request which holds hold the content.
1058  */
1059 static int DetectHttpHHTest12(void)
1060 {
1061  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1062  "User-Agent: www.openinfosecfoundation.org\r\n"
1063  "Host: This is dummy body\r\n"
1064  "\r\n";
1065  uint32_t http_len = sizeof(http_buf) - 1;
1066  return RunTest(http_buf, http_len,
1067  "alert http any any -> any any "
1068  "(msg:\"http host test\"; "
1069  "content:!\"message\"; http_host; "
1070  "sid:1;)",
1071  1);
1072 }
1073 
1074 /**
1075  * \test Test that the http_host content matches against a http request
1076  * which holds the content.
1077  */
1078 static int DetectHttpHHTest13(void)
1079 {
1080  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1081  "User-Agent: www.openinfosecfoundation.org\r\n"
1082  "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
1083  "Content-Type: text/html\r\n"
1084  "\r\n";
1085  uint32_t http_len = sizeof(http_buf) - 1;
1086  return RunTest(http_buf, http_len,
1087  "alert http any any -> any any "
1088  "(msg:\"http host test\"; "
1089  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_host; "
1090  "sid:1;)",
1091  1);
1092 }
1093 
1094 /**
1095  * \test multiple http transactions and body chunks of request handling
1096  */
1097 static int DetectHttpHHTest14(void)
1098 {
1099  int result = 0;
1100  Signature *s = NULL;
1101  DetectEngineThreadCtx *det_ctx = NULL;
1102  ThreadVars th_v;
1103  Flow f;
1104  TcpSession ssn;
1105  Packet *p = NULL;
1106  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1107  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
1108  uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
1109  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1110  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1111  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1112  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
1113  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
1114  uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
1115  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1116  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1117  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1118  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1119 
1120  memset(&th_v, 0, sizeof(th_v));
1121  StatsThreadInit(&th_v.stats);
1122  memset(&f, 0, sizeof(f));
1123  memset(&ssn, 0, sizeof(ssn));
1124 
1125  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1126 
1127  FLOW_INITIALIZE(&f);
1128  f.protoctx = (void *)&ssn;
1129  f.proto = IPPROTO_TCP;
1130  f.flags |= FLOW_IPV4;
1131 
1132  p->flow = &f;
1133  p->flowflags |= FLOW_PKT_TOSERVER;
1134  p->flowflags |= FLOW_PKT_ESTABLISHED;
1135  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1136  f.alproto = ALPROTO_HTTP1;
1137 
1138  StreamTcpInitConfig(true);
1139 
1140  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1141  if (de_ctx == NULL) {
1142  goto end;
1143  }
1144 
1145  de_ctx->flags |= DE_QUIET;
1146 
1147  s = DetectEngineAppendSig(de_ctx,
1148  "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; "
1149  "http_cookie; content:\"body one\"; http_host; sid:1; rev:1;)");
1150  if (s == NULL) {
1151  printf("sig parse failed: ");
1152  goto end;
1153  }
1154  s = DetectEngineAppendSig(de_ctx,
1155  "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; "
1156  "http_cookie; content:\"body two\"; http_host; sid:2; rev:1;)");
1157  if (s == NULL) {
1158  printf("sig2 parse failed: ");
1159  goto end;
1160  }
1161 
1162  SigGroupBuild(de_ctx);
1163  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1164 
1165  int r = AppLayerParserParse(
1166  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1167  if (r != 0) {
1168  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1169  goto end;
1170  }
1171 
1172  /* do detect */
1173  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1174  if (PacketAlertCheck(p, 1)) {
1175  printf("sig 1 alerted: ");
1176  goto end;
1177  }
1178  p->alerts.cnt = 0;
1179 
1180  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1181  if (r != 0) {
1182  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
1183  goto end;
1184  }
1185 
1186  /* do detect */
1187  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1188  if (PacketAlertCheck(p, 1)) {
1189  printf("sig 1 alerted (2): ");
1190  goto end;
1191  }
1192  p->alerts.cnt = 0;
1193 
1194  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1195  if (r != 0) {
1196  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
1197  goto end;
1198  }
1199 
1200  /* do detect */
1201  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1202  if (!(PacketAlertCheck(p, 1))) {
1203  printf("sig 1 didn't alert: ");
1204  goto end;
1205  }
1206  p->alerts.cnt = 0;
1207 
1208  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1209  if (r != 0) {
1210  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
1211  goto end;
1212  }
1213 
1214  /* do detect */
1215  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1216  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
1217  printf("sig 1 alerted (4): ");
1218  goto end;
1219  }
1220  p->alerts.cnt = 0;
1221 
1222  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1223  if (r != 0) {
1224  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
1225  goto end;
1226  }
1227 
1228  /* do detect */
1229  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1230  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
1231  printf("sig 1 alerted (request 2, chunk 6): ");
1232  goto end;
1233  }
1234  p->alerts.cnt = 0;
1235 
1236  SCLogDebug("sending data chunk 7");
1237 
1238  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1239  if (r != 0) {
1240  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
1241  goto end;
1242  }
1243 
1244  /* do detect */
1245  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1246  if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
1247  printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
1248  goto end;
1249  }
1250  p->alerts.cnt = 0;
1251 
1252  HtpState *htp_state = f.alstate;
1253  if (htp_state == NULL) {
1254  printf("no http state: ");
1255  result = 0;
1256  goto end;
1257  }
1258 
1259  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
1260  printf("The http app layer doesn't have 2 transactions, but it should: ");
1261  goto end;
1262  }
1263 
1264  result = 1;
1265 end:
1266  if (alp_tctx != NULL)
1267  AppLayerParserThreadCtxFree(alp_tctx);
1268  if (det_ctx != NULL) {
1269  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1270  }
1271  if (de_ctx != NULL) {
1272  DetectEngineCtxFree(de_ctx);
1273  }
1274 
1275  StreamTcpFreeConfig(true);
1276  FLOW_DESTROY(&f);
1277  UTHFreePacket(p);
1278  StatsThreadCleanup(&th_v.stats);
1279  return result;
1280 }
1281 
1282 /**
1283  *\test Test that the http_raw_host content matches against a http request
1284  * which holds the content.
1285  */
1286 static int DetectHttpHRHTest06(void)
1287 {
1288  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1289  "User-Agent: www.openinfosecfoundation.org\r\n"
1290  "Host: This is dummy message body\r\n"
1291  "Content-Type: text/html\r\n"
1292  "\r\n";
1293  uint32_t http_len = sizeof(http_buf) - 1;
1294  return RunTest(http_buf, http_len,
1295  "alert http any any -> any any "
1296  "(msg:\"http host test\"; "
1297  "content:\"message\"; http_raw_host; "
1298  "sid:1;)",
1299  1);
1300 }
1301 
1302 /**
1303  *\test Test that the http_raw_host content matches against a http request
1304  * which holds the content.
1305  */
1306 static int DetectHttpHRHTest07(void)
1307 {
1308  TcpSession ssn;
1309  Packet *p1 = NULL;
1310  Packet *p2 = NULL;
1311  ThreadVars th_v;
1312  DetectEngineCtx *de_ctx = NULL;
1313  DetectEngineThreadCtx *det_ctx = NULL;
1314  HtpState *http_state = NULL;
1315  Flow f;
1316  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1317  "User-Agent: www.openinfosecfoundation.org\r\n"
1318  "Host: This is dummy message";
1319  uint8_t http2_buf[] = "body1\r\n\r\n";
1320  uint32_t http1_len = sizeof(http1_buf) - 1;
1321  uint32_t http2_len = sizeof(http2_buf) - 1;
1322  int result = 0;
1323  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1324 
1325  memset(&th_v, 0, sizeof(th_v));
1326  StatsThreadInit(&th_v.stats);
1327  memset(&f, 0, sizeof(f));
1328  memset(&ssn, 0, sizeof(ssn));
1329 
1330  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1331  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1332 
1333  FLOW_INITIALIZE(&f);
1334  f.protoctx = (void *)&ssn;
1335  f.proto = IPPROTO_TCP;
1336  f.flags |= FLOW_IPV4;
1337 
1338  p1->flow = &f;
1339  p1->flowflags |= FLOW_PKT_TOSERVER;
1340  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1341  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1342  p2->flow = &f;
1343  p2->flowflags |= FLOW_PKT_TOSERVER;
1344  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1345  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1346  f.alproto = ALPROTO_HTTP1;
1347 
1348  StreamTcpInitConfig(true);
1349 
1350  de_ctx = DetectEngineCtxInit();
1351  if (de_ctx == NULL)
1352  goto end;
1353 
1354  de_ctx->flags |= DE_QUIET;
1355 
1356  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1357  "(msg:\"http host test\"; "
1358  "content:\"message\"; http_raw_host; "
1359  "sid:1;)");
1360  if (de_ctx->sig_list == NULL)
1361  goto end;
1362 
1363  SigGroupBuild(de_ctx);
1364  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1365 
1366  int r = AppLayerParserParse(
1367  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1368  if (r != 0) {
1369  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1370  result = 0;
1371  goto end;
1372  }
1373 
1374  http_state = f.alstate;
1375  if (http_state == NULL) {
1376  printf("no http state: ");
1377  goto end;
1378  }
1379 
1380  /* do detect */
1381  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1382 
1383  if (PacketAlertCheck(p1, 1)) {
1384  printf("sid 1 matched on p1 but shouldn't have: ");
1385  goto end;
1386  }
1387 
1388  r = AppLayerParserParse(
1389  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1390  if (r != 0) {
1391  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1392  goto end;
1393  }
1394 
1395  /* do detect */
1396  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1397  if (!(PacketAlertCheck(p2, 1))) {
1398  printf("sid 1 didn't match on p2 but should have: ");
1399  goto end;
1400  }
1401 
1402  result = 1;
1403 end:
1404  if (alp_tctx != NULL)
1405  AppLayerParserThreadCtxFree(alp_tctx);
1406  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1407  if (de_ctx != NULL)
1408  DetectEngineCtxFree(de_ctx);
1409 
1410  StreamTcpFreeConfig(true);
1411  FLOW_DESTROY(&f);
1412  UTHFreePackets(&p1, 1);
1413  UTHFreePackets(&p2, 1);
1414  StatsThreadCleanup(&th_v.stats);
1415  return result;
1416 }
1417 
1418 /**
1419  *\test Test that the http_raw_host content matches against a http request
1420  * which holds the content.
1421  */
1422 static int DetectHttpHRHTest08(void)
1423 {
1424  TcpSession ssn;
1425  Packet *p1 = NULL;
1426  Packet *p2 = NULL;
1427  ThreadVars th_v;
1428  DetectEngineCtx *de_ctx = NULL;
1429  DetectEngineThreadCtx *det_ctx = NULL;
1430  HtpState *http_state = NULL;
1431  Flow f;
1432  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1433  "User-Agent: www.openinfosecfoundation.org\r\n"
1434  "host: This is dummy mess";
1435  uint8_t http2_buf[] = "age body\r\n\r\n";
1436  uint32_t http1_len = sizeof(http1_buf) - 1;
1437  uint32_t http2_len = sizeof(http2_buf) - 1;
1438  int result = 0;
1439  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1440 
1441  memset(&th_v, 0, sizeof(th_v));
1442  StatsThreadInit(&th_v.stats);
1443  memset(&f, 0, sizeof(f));
1444  memset(&ssn, 0, sizeof(ssn));
1445 
1446  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1447  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1448 
1449  FLOW_INITIALIZE(&f);
1450  f.protoctx = (void *)&ssn;
1451  f.proto = IPPROTO_TCP;
1452  f.flags |= FLOW_IPV4;
1453 
1454  p1->flow = &f;
1455  p1->flowflags |= FLOW_PKT_TOSERVER;
1456  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1457  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1458  p2->flow = &f;
1459  p2->flowflags |= FLOW_PKT_TOSERVER;
1460  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1461  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1462  f.alproto = ALPROTO_HTTP1;
1463 
1464  StreamTcpInitConfig(true);
1465 
1466  de_ctx = DetectEngineCtxInit();
1467  if (de_ctx == NULL)
1468  goto end;
1469 
1470  de_ctx->flags |= DE_QUIET;
1471 
1472  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1473  "(msg:\"http host test\"; "
1474  "content:\"message\"; http_raw_host; "
1475  "sid:1;)");
1476  if (de_ctx->sig_list == NULL)
1477  goto end;
1478 
1479  SigGroupBuild(de_ctx);
1480  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1481 
1482  int r = AppLayerParserParse(
1483  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1484  if (r != 0) {
1485  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1486  result = 0;
1487  goto end;
1488  }
1489 
1490  http_state = f.alstate;
1491  if (http_state == NULL) {
1492  printf("no http state: ");
1493  result = 0;
1494  goto end;
1495  }
1496 
1497  /* do detect */
1498  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1499 
1500  if ((PacketAlertCheck(p1, 1))) {
1501  printf("sid 1 didn't match but should have");
1502  goto end;
1503  }
1504 
1505  r = AppLayerParserParse(
1506  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1507  if (r != 0) {
1508  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1509  result = 0;
1510  goto end;
1511  }
1512 
1513  /* do detect */
1514  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1515 
1516  if (!(PacketAlertCheck(p2, 1))) {
1517  printf("sid 1 didn't match but should have");
1518  goto end;
1519  }
1520 
1521  result = 1;
1522 end:
1523  if (alp_tctx != NULL)
1524  AppLayerParserThreadCtxFree(alp_tctx);
1525  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1526  if (de_ctx != NULL)
1527  DetectEngineCtxFree(de_ctx);
1528 
1529  StreamTcpFreeConfig(true);
1530  FLOW_DESTROY(&f);
1531  UTHFreePackets(&p1, 1);
1532  UTHFreePackets(&p2, 1);
1533  StatsThreadCleanup(&th_v.stats);
1534  return result;
1535 }
1536 
1537 /**
1538  *\test Test that the http_raw_host content matches against a http request
1539  * which holds the content, against a cross boundary present pattern.
1540  */
1541 static int DetectHttpHRHTest09(void)
1542 {
1543  TcpSession ssn;
1544  Packet *p1 = NULL;
1545  Packet *p2 = NULL;
1546  ThreadVars th_v;
1547  DetectEngineCtx *de_ctx = NULL;
1548  DetectEngineThreadCtx *det_ctx = NULL;
1549  HtpState *http_state = NULL;
1550  Flow f;
1551  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1552  "User-Agent: www.openinfosecfoundation.org\r\n"
1553  "Host: This is dummy body1";
1554  uint8_t http2_buf[] = "This is dummy message body2\r\n"
1555  "Content-Type: text/html\r\n"
1556  "Content-Length: 46\r\n"
1557  "\r\n"
1558  "This is dummy body1";
1559  uint32_t http1_len = sizeof(http1_buf) - 1;
1560  uint32_t http2_len = sizeof(http2_buf) - 1;
1561  int result = 0;
1562  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1563 
1564  memset(&th_v, 0, sizeof(th_v));
1565  StatsThreadInit(&th_v.stats);
1566  memset(&f, 0, sizeof(f));
1567  memset(&ssn, 0, sizeof(ssn));
1568 
1569  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1570  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1571 
1572  FLOW_INITIALIZE(&f);
1573  f.protoctx = (void *)&ssn;
1574  f.proto = IPPROTO_TCP;
1575  f.flags |= FLOW_IPV4;
1576 
1577  p1->flow = &f;
1578  p1->flowflags |= FLOW_PKT_TOSERVER;
1579  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1580  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1581  p2->flow = &f;
1582  p2->flowflags |= FLOW_PKT_TOSERVER;
1583  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1584  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1585  f.alproto = ALPROTO_HTTP1;
1586 
1587  StreamTcpInitConfig(true);
1588 
1589  de_ctx = DetectEngineCtxInit();
1590  if (de_ctx == NULL)
1591  goto end;
1592 
1593  de_ctx->flags |= DE_QUIET;
1594 
1595  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1596  "(msg:\"http host test\"; "
1597  "content:\"body1This\"; http_raw_host; "
1598  "sid:1;)");
1599  if (de_ctx->sig_list == NULL)
1600  goto end;
1601 
1602  SigGroupBuild(de_ctx);
1603  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1604 
1605  int r = AppLayerParserParse(
1606  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1607  if (r != 0) {
1608  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1609  result = 0;
1610  goto end;
1611  }
1612 
1613  http_state = f.alstate;
1614  if (http_state == NULL) {
1615  printf("no http state: ");
1616  result = 0;
1617  goto end;
1618  }
1619 
1620  /* do detect */
1621  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1622 
1623  if ((PacketAlertCheck(p1, 1))) {
1624  printf("sid 1 didn't match but should have");
1625  goto end;
1626  }
1627 
1628  r = AppLayerParserParse(
1629  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1630  if (r != 0) {
1631  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1632  result = 0;
1633  goto end;
1634  }
1635 
1636  /* do detect */
1637  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1638 
1639  if (!(PacketAlertCheck(p2, 1))) {
1640  printf("sid 1 didn't match but should have");
1641  goto end;
1642  }
1643 
1644  result = 1;
1645 end:
1646  if (alp_tctx != NULL)
1647  AppLayerParserThreadCtxFree(alp_tctx);
1648  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1649  if (de_ctx != NULL)
1650  DetectEngineCtxFree(de_ctx);
1651 
1652  StreamTcpFreeConfig(true);
1653  FLOW_DESTROY(&f);
1654  UTHFreePackets(&p1, 1);
1655  UTHFreePackets(&p2, 1);
1656  StatsThreadCleanup(&th_v.stats);
1657  return result;
1658 }
1659 
1660 /**
1661  *\test Test that the http_raw_host content matches against a http request
1662  * against a case insensitive pattern.
1663  */
1664 static int DetectHttpHRHTest10(void)
1665 {
1666  TcpSession ssn;
1667  Packet *p1 = NULL;
1668  Packet *p2 = NULL;
1669  ThreadVars th_v;
1670  DetectEngineCtx *de_ctx = NULL;
1671  DetectEngineThreadCtx *det_ctx = NULL;
1672  HtpState *http_state = NULL;
1673  Flow f;
1674  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1675  "User-Agent: www.openinfosecfoundation.org\r\n"
1676  "Host: This is dummy bodY1";
1677  uint8_t http2_buf[] = "This is dummy message body2\r\n"
1678  "Content-Type: text/html\r\n"
1679  "Content-Length: 46\r\n"
1680  "\r\n"
1681  "This is dummy bodY1";
1682  uint32_t http1_len = sizeof(http1_buf) - 1;
1683  uint32_t http2_len = sizeof(http2_buf) - 1;
1684  int result = 0;
1685  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1686 
1687  memset(&th_v, 0, sizeof(th_v));
1688  StatsThreadInit(&th_v.stats);
1689  memset(&f, 0, sizeof(f));
1690  memset(&ssn, 0, sizeof(ssn));
1691 
1692  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1693  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1694 
1695  FLOW_INITIALIZE(&f);
1696  f.protoctx = (void *)&ssn;
1697  f.proto = IPPROTO_TCP;
1698  f.flags |= FLOW_IPV4;
1699 
1700  p1->flow = &f;
1701  p1->flowflags |= FLOW_PKT_TOSERVER;
1702  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1703  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1704  p2->flow = &f;
1705  p2->flowflags |= FLOW_PKT_TOSERVER;
1706  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1707  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1708  f.alproto = ALPROTO_HTTP1;
1709 
1710  StreamTcpInitConfig(true);
1711 
1712  de_ctx = DetectEngineCtxInit();
1713  if (de_ctx == NULL)
1714  goto end;
1715 
1716  de_ctx->flags |= DE_QUIET;
1717 
1718  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1719  "(msg:\"http host test\"; "
1720  "content:\"bodY1This\"; http_raw_host; "
1721  "sid:1;)");
1722  if (de_ctx->sig_list == NULL)
1723  goto end;
1724 
1725  SigGroupBuild(de_ctx);
1726  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1727 
1728  int r = AppLayerParserParse(
1729  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1730  if (r != 0) {
1731  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1732  result = 0;
1733  goto end;
1734  }
1735 
1736  http_state = f.alstate;
1737  if (http_state == NULL) {
1738  printf("no http state: \n");
1739  result = 0;
1740  goto end;
1741  }
1742 
1743  /* do detect */
1744  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1745 
1746  if ((PacketAlertCheck(p1, 1))) {
1747  printf("sid 1 didn't match but should have\n");
1748  goto end;
1749  }
1750 
1751  r = AppLayerParserParse(
1752  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1753  if (r != 0) {
1754  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1755  result = 0;
1756  goto end;
1757  }
1758 
1759  /* do detect */
1760  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1761 
1762  if (!(PacketAlertCheck(p2, 1))) {
1763  printf("sid 1 didn't match but should have");
1764  goto end;
1765  }
1766 
1767  result = 1;
1768 end:
1769  if (alp_tctx != NULL)
1770  AppLayerParserThreadCtxFree(alp_tctx);
1771  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1772  if (de_ctx != NULL)
1773  DetectEngineCtxFree(de_ctx);
1774 
1775  StreamTcpFreeConfig(true);
1776  FLOW_DESTROY(&f);
1777  UTHFreePackets(&p1, 1);
1778  UTHFreePackets(&p2, 1);
1779  StatsThreadCleanup(&th_v.stats);
1780  return result;
1781 }
1782 
1783 /**
1784  *\test Test that the negated http_raw_host content matches against a
1785  * http request which doesn't hold the content.
1786  */
1787 static int DetectHttpHRHTest11(void)
1788 {
1789  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1790  "User-Agent: www.openinfosecfoundation.org\r\n"
1791  "Host: This is dummy message body\r\n"
1792  "Content-Type: text/html\r\n"
1793  "\r\n";
1794  uint32_t http_len = sizeof(http_buf) - 1;
1795  return RunTest(http_buf, http_len,
1796  "alert http any any -> any any "
1797  "(msg:\"http host test\"; "
1798  "content:!\"message\"; http_raw_host; "
1799  "sid:1;)",
1800  0);
1801 }
1802 
1803 /**
1804  *\test Negative test that the negated http_raw_host content matches against a
1805  * http request which holds hold the content.
1806  */
1807 static int DetectHttpHRHTest12(void)
1808 {
1809  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1810  "User-Agent: www.openinfosecfoundation.org\r\n"
1811  "Host: This is dummy body\r\n"
1812  "\r\n";
1813  uint32_t http_len = sizeof(http_buf) - 1;
1814  return RunTest(http_buf, http_len,
1815  "alert http any any -> any any "
1816  "(msg:\"http host test\"; "
1817  "content:!\"message\"; http_raw_host; "
1818  "sid:1;)",
1819  1);
1820 }
1821 
1822 /**
1823  * \test Test that the http_raw_host content matches against a http request
1824  * which holds the content.
1825  */
1826 static int DetectHttpHRHTest13(void)
1827 {
1828  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1829  "User-Agent: www.openinfosecfoundation.org\r\n"
1830  "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
1831  "Content-Type: text/html\r\n"
1832  "\r\n";
1833  uint32_t http_len = sizeof(http_buf) - 1;
1834  return RunTest(http_buf, http_len,
1835  "alert http any any -> any any "
1836  "(msg:\"http host test\"; "
1837  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_raw_host; "
1838  "sid:1;)",
1839  1);
1840 }
1841 
1842 /**
1843  * \test multiple http transactions and body chunks of request handling
1844  */
1845 static int DetectHttpHRHTest14(void)
1846 {
1847  int result = 0;
1848  Signature *s = NULL;
1849  DetectEngineThreadCtx *det_ctx = NULL;
1850  ThreadVars th_v;
1851  Flow f;
1852  TcpSession ssn;
1853  Packet *p = NULL;
1854  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1855  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
1856  uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
1857  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1858  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1859  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1860  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
1861  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
1862  uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
1863  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1864  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1865  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1866  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1867 
1868  memset(&th_v, 0, sizeof(th_v));
1869  StatsThreadInit(&th_v.stats);
1870  memset(&f, 0, sizeof(f));
1871  memset(&ssn, 0, sizeof(ssn));
1872 
1873  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1874 
1875  FLOW_INITIALIZE(&f);
1876  f.protoctx = (void *)&ssn;
1877  f.proto = IPPROTO_TCP;
1878  f.flags |= FLOW_IPV4;
1879 
1880  p->flow = &f;
1881  p->flowflags |= FLOW_PKT_TOSERVER;
1882  p->flowflags |= FLOW_PKT_ESTABLISHED;
1883  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1884  f.alproto = ALPROTO_HTTP1;
1885 
1886  StreamTcpInitConfig(true);
1887 
1888  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1889  if (de_ctx == NULL) {
1890  goto end;
1891  }
1892 
1893  de_ctx->flags |= DE_QUIET;
1894 
1895  s = DetectEngineAppendSig(de_ctx,
1896  "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; "
1897  "http_cookie; content:\"Body one\"; http_raw_host; sid:1; rev:1;)");
1898  if (s == NULL) {
1899  printf("sig parse failed: ");
1900  goto end;
1901  }
1902  s = DetectEngineAppendSig(de_ctx,
1903  "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; "
1904  "http_cookie; content:\"Body two\"; http_raw_host; sid:2; rev:1;)");
1905  if (s == NULL) {
1906  printf("sig2 parse failed: ");
1907  goto end;
1908  }
1909 
1910  SigGroupBuild(de_ctx);
1911  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1912 
1913  int r = AppLayerParserParse(
1914  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1915  if (r != 0) {
1916  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1917  goto end;
1918  }
1919 
1920  /* do detect */
1921  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1922  if (PacketAlertCheck(p, 1)) {
1923  printf("sig 1 alerted: ");
1924  goto end;
1925  }
1926  p->alerts.cnt = 0;
1927 
1928  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1929  if (r != 0) {
1930  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
1931  goto end;
1932  }
1933 
1934  /* do detect */
1935  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1936  if (PacketAlertCheck(p, 1)) {
1937  printf("sig 1 alerted (2): ");
1938  goto end;
1939  }
1940  p->alerts.cnt = 0;
1941 
1942  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1943  if (r != 0) {
1944  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
1945  goto end;
1946  }
1947 
1948  /* do detect */
1949  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1950  if (!(PacketAlertCheck(p, 1))) {
1951  printf("sig 1 didn't alert: ");
1952  goto end;
1953  }
1954  p->alerts.cnt = 0;
1955 
1956  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1957  if (r != 0) {
1958  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
1959  goto end;
1960  }
1961 
1962  /* do detect */
1963  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1964  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
1965  printf("sig 1 alerted (4): ");
1966  goto end;
1967  }
1968  p->alerts.cnt = 0;
1969 
1970  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1971  if (r != 0) {
1972  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
1973  goto end;
1974  }
1975 
1976  /* do detect */
1977  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1978  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
1979  printf("sig 1 alerted (request 2, chunk 6): ");
1980  goto end;
1981  }
1982  p->alerts.cnt = 0;
1983 
1984  SCLogDebug("sending data chunk 7");
1985 
1986  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1987  if (r != 0) {
1988  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
1989  goto end;
1990  }
1991 
1992  /* do detect */
1993  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1994  if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
1995  printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
1996  goto end;
1997  }
1998  p->alerts.cnt = 0;
1999 
2000  HtpState *htp_state = f.alstate;
2001  if (htp_state == NULL) {
2002  printf("no http state: ");
2003  result = 0;
2004  goto end;
2005  }
2006 
2007  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
2008  printf("The http app layer doesn't have 2 transactions, but it should: ");
2009  goto end;
2010  }
2011 
2012  result = 1;
2013 end:
2014  if (alp_tctx != NULL)
2015  AppLayerParserThreadCtxFree(alp_tctx);
2016  if (det_ctx != NULL) {
2017  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2018  }
2019  if (de_ctx != NULL) {
2020  DetectEngineCtxFree(de_ctx);
2021  }
2022 
2023  StreamTcpFreeConfig(true);
2024  FLOW_DESTROY(&f);
2025  UTHFreePacket(p);
2026  StatsThreadCleanup(&th_v.stats);
2027  return result;
2028 }
2029 
2030 /**
2031  *\test Test that the http_raw_host content matches against a http request
2032  * against a case insensitive pattern.
2033  */
2034 static int DetectHttpHRHTest37(void)
2035 {
2036  TcpSession ssn;
2037  Packet *p1 = NULL;
2038  Packet *p2 = NULL;
2039  ThreadVars th_v;
2040  DetectEngineCtx *de_ctx = NULL;
2041  DetectEngineThreadCtx *det_ctx = NULL;
2042  HtpState *http_state = NULL;
2043  Flow f;
2044  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
2045  "User-Agent: www.openinfosecfoundation.org\r\n"
2046  "Host: This is dummy bodY1";
2047  uint8_t http2_buf[] = "This is dummy message body2\r\n"
2048  "Content-Type: text/html\r\n"
2049  "Content-Length: 46\r\n"
2050  "\r\n"
2051  "This is dummy bodY1";
2052  uint32_t http1_len = sizeof(http1_buf) - 1;
2053  uint32_t http2_len = sizeof(http2_buf) - 1;
2054  int result = 0;
2055  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2056 
2057  memset(&th_v, 0, sizeof(th_v));
2058  StatsThreadInit(&th_v.stats);
2059  memset(&f, 0, sizeof(f));
2060  memset(&ssn, 0, sizeof(ssn));
2061 
2062  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2063  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2064 
2065  FLOW_INITIALIZE(&f);
2066  f.protoctx = (void *)&ssn;
2067  f.proto = IPPROTO_TCP;
2068  f.flags |= FLOW_IPV4;
2069 
2070  p1->flow = &f;
2071  p1->flowflags |= FLOW_PKT_TOSERVER;
2072  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2073  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2074  p2->flow = &f;
2075  p2->flowflags |= FLOW_PKT_TOSERVER;
2076  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2077  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2078  f.alproto = ALPROTO_HTTP1;
2079 
2080  StreamTcpInitConfig(true);
2081 
2082  de_ctx = DetectEngineCtxInit();
2083  if (de_ctx == NULL)
2084  goto end;
2085 
2086  de_ctx->flags |= DE_QUIET;
2087 
2088  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
2089  "(msg:\"http host test\"; "
2090  "content:\"body1this\"; http_raw_host; nocase; "
2091  "sid:1;)");
2092  if (de_ctx->sig_list == NULL)
2093  goto end;
2094 
2095  SigGroupBuild(de_ctx);
2096  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2097 
2098  int r = AppLayerParserParse(
2099  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2100  if (r != 0) {
2101  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2102  result = 0;
2103  goto end;
2104  }
2105 
2106  http_state = f.alstate;
2107  if (http_state == NULL) {
2108  printf("no http state: \n");
2109  result = 0;
2110  goto end;
2111  }
2112 
2113  /* do detect */
2114  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2115 
2116  if ((PacketAlertCheck(p1, 1))) {
2117  printf("sid 1 didn't match but should have\n");
2118  goto end;
2119  }
2120 
2121  r = AppLayerParserParse(
2122  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2123  if (r != 0) {
2124  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2125  result = 0;
2126  goto end;
2127  }
2128 
2129  /* do detect */
2130  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2131 
2132  if (!(PacketAlertCheck(p2, 1))) {
2133  printf("sid 1 didn't match but should have");
2134  goto end;
2135  }
2136 
2137  result = 1;
2138 end:
2139  if (alp_tctx != NULL)
2140  AppLayerParserThreadCtxFree(alp_tctx);
2141  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2142  if (de_ctx != NULL)
2143  DetectEngineCtxFree(de_ctx);
2144 
2145  StreamTcpFreeConfig(true);
2146  FLOW_DESTROY(&f);
2147  UTHFreePackets(&p1, 1);
2148  UTHFreePackets(&p2, 1);
2149  StatsThreadCleanup(&th_v.stats);
2150  return result;
2151 }
2152 
2153 /**
2154  * \test Test that the http_raw_host content matches against a http request
2155  * which holds the content.
2156  */
2157 static int DetectEngineHttpHRHTest01(void)
2158 {
2159  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2160  "Host: CONNECT\r\n"
2161  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2162  uint32_t http_len = sizeof(http_buf) - 1;
2163  return RunTest(http_buf, http_len,
2164  "alert http any any -> any any "
2165  "(msg:\"http host header test\"; "
2166  "content:\"CONNECT\"; http_raw_host; "
2167  "sid:1;)",
2168  1);
2169 }
2170 
2171 /**
2172  * \test Test that the http_raw_host content matches against a http request
2173  * which holds the content.
2174  */
2175 static int DetectEngineHttpHRHTest02(void)
2176 {
2177  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2178  "Host: CONNECT\r\n"
2179  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2180  uint32_t http_len = sizeof(http_buf) - 1;
2181  return RunTest(http_buf, http_len,
2182  "alert http any any -> any any "
2183  "(msg:\"http host header test\"; "
2184  "content:\"CO\"; depth:4; http_raw_host; "
2185  "sid:1;)",
2186  1);
2187 }
2188 
2189 /**
2190  * \test Test that the http_raw_host content matches against a http request
2191  * which holds the content.
2192  */
2193 static int DetectEngineHttpHRHTest03(void)
2194 {
2195  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2196  "Host: CONNECT\r\n"
2197  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2198  uint32_t http_len = sizeof(http_buf) - 1;
2199  return RunTest(http_buf, http_len,
2200  "alert http any any -> any any "
2201  "(msg:\"http_raw_host header test\"; "
2202  "content:!\"ECT\"; depth:4; http_raw_host; "
2203  "sid:1;)",
2204  1);
2205 }
2206 
2207 /**
2208  * \test Test that the http_raw_host content matches against a http request
2209  * which holds the content.
2210  */
2211 static int DetectEngineHttpHRHTest04(void)
2212 {
2213  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2214  "Host: CONNECT\r\n"
2215  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2216  uint32_t http_len = sizeof(http_buf) - 1;
2217  return RunTest(http_buf, http_len,
2218  "alert http any any -> any any "
2219  "(msg:\"http host header test\"; "
2220  "content:\"ECT\"; depth:4; http_raw_host; "
2221  "sid:1;)",
2222  0);
2223 }
2224 
2225 /**
2226  * \test Test that the http_raw_host content matches against a http request
2227  * which holds the content.
2228  */
2229 static int DetectEngineHttpHRHTest05(void)
2230 {
2231  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2232  "Host: CONNECT\r\n"
2233  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2234  uint32_t http_len = sizeof(http_buf) - 1;
2235  return RunTest(http_buf, http_len,
2236  "alert http any any -> any any "
2237  "(msg:\"http host header test\"; "
2238  "content:!\"CON\"; depth:4; http_raw_host; "
2239  "sid:1;)",
2240  0);
2241 }
2242 
2243 /**
2244  * \test Test that the http_raw_host header content matches against a http request
2245  * which holds the content.
2246  */
2247 static int DetectEngineHttpHRHTest06(void)
2248 {
2249  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2250  "Host: CONNECT\r\n"
2251  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2252  uint32_t http_len = sizeof(http_buf) - 1;
2253  return RunTest(http_buf, http_len,
2254  "alert http any any -> any any "
2255  "(msg:\"http host header test\"; "
2256  "content:\"ECT\"; offset:3; http_raw_host; "
2257  "sid:1;)",
2258  1);
2259 }
2260 
2261 /**
2262  * \test Test that the http_raw_host content matches against a http request
2263  * which holds the content.
2264  */
2265 static int DetectEngineHttpHRHTest07(void)
2266 {
2267  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2268  "Host: CONNECT\r\n"
2269  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2270  uint32_t http_len = sizeof(http_buf) - 1;
2271  return RunTest(http_buf, http_len,
2272  "alert http any any -> any any "
2273  "(msg:\"http host header test\"; "
2274  "content:!\"CO\"; offset:3; http_raw_host; "
2275  "sid:1;)",
2276  1);
2277 }
2278 
2279 /**
2280  * \test Test that the http_raw_host header content matches against a http request
2281  * which holds the content.
2282  */
2283 static int DetectEngineHttpHRHTest08(void)
2284 {
2285  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2286  "Host: CONNECT\r\n"
2287  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2288  uint32_t http_len = sizeof(http_buf) - 1;
2289  return RunTest(http_buf, http_len,
2290  "alert http any any -> any any "
2291  "(msg:\"http host header test\"; "
2292  "content:!\"ECT\"; offset:3; http_raw_host; "
2293  "sid:1;)",
2294  0);
2295 }
2296 
2297 /**
2298  * \test Test that the http_raw_host header content matches against a http request
2299  * which holds the content.
2300  */
2301 static int DetectEngineHttpHRHTest09(void)
2302 {
2303  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2304  "Host: CONNECT\r\n"
2305  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2306  uint32_t http_len = sizeof(http_buf) - 1;
2307  return RunTest(http_buf, http_len,
2308  "alert http any any -> any any "
2309  "(msg:\"http host header test\"; "
2310  "content:\"CON\"; offset:3; http_raw_host; "
2311  "sid:1;)",
2312  0);
2313 }
2314 
2315 /**
2316  * \test Test that the http_raw_host header content matches against a http request
2317  * which holds the content.
2318  */
2319 static int DetectEngineHttpHRHTest10(void)
2320 {
2321  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2322  "Host: CONNECT\r\n"
2323  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2324  uint32_t http_len = sizeof(http_buf) - 1;
2325  return RunTest(http_buf, http_len,
2326  "alert http any any -> any any "
2327  "(msg:\"http_raw_host header test\"; "
2328  "content:\"CO\"; http_raw_host; "
2329  "content:\"EC\"; within:4; http_raw_host; "
2330  "sid:1;)",
2331  1);
2332 }
2333 
2334 /**
2335  * \test Test that the http_raw_host header content matches against a http request
2336  * which holds the content.
2337  */
2338 static int DetectEngineHttpHRHTest11(void)
2339 {
2340  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2341  "Host: CONNECT\r\n"
2342  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2343  uint32_t http_len = sizeof(http_buf) - 1;
2344  return RunTest(http_buf, http_len,
2345  "alert http any any -> any any "
2346  "(msg:\"http_raw_host header test\"; "
2347  "content:\"CO\"; http_raw_host; "
2348  "content:!\"EC\"; within:3; http_raw_host; "
2349  "sid:1;)",
2350  1);
2351 }
2352 
2353 /**
2354  * \test Test that the http_raw_host header content matches against a http request
2355  * which holds the content.
2356  */
2357 static int DetectEngineHttpHRHTest12(void)
2358 {
2359  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2360  "Host: CONNECT\r\n"
2361  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2362  uint32_t http_len = sizeof(http_buf) - 1;
2363  return RunTest(http_buf, http_len,
2364  "alert http any any -> any any "
2365  "(msg:\"http_raw_host header test\"; "
2366  "content:\"CO\"; http_raw_host; "
2367  "content:\"EC\"; within:3; http_raw_host; "
2368  "sid:1;)",
2369  0);
2370 }
2371 
2372 /**
2373  * \test Test that the http_raw_host header content matches against a http request
2374  * which holds the content.
2375  */
2376 static int DetectEngineHttpHRHTest13(void)
2377 {
2378  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2379  "Host: CONNECT\r\n"
2380  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2381  uint32_t http_len = sizeof(http_buf) - 1;
2382  return RunTest(http_buf, http_len,
2383  "alert http any any -> any any "
2384  "(msg:\"http_raw_host header test\"; "
2385  "content:\"CO\"; http_raw_host; "
2386  "content:!\"EC\"; within:4; http_raw_host; "
2387  "sid:1;)",
2388  0);
2389 }
2390 
2391 /**
2392  * \test Test that the http_raw_host header content matches against a http request
2393  * which holds the content.
2394  */
2395 static int DetectEngineHttpHRHTest14(void)
2396 {
2397  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2398  "Host: CONNECT\r\n"
2399  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2400  uint32_t http_len = sizeof(http_buf) - 1;
2401  return RunTest(http_buf, http_len,
2402  "alert http any any -> any any "
2403  "(msg:\"http_raw_host header test\"; "
2404  "content:\"CO\"; http_raw_host; "
2405  "content:\"EC\"; distance:2; http_raw_host; "
2406  "sid:1;)",
2407  1);
2408 }
2409 
2410 /**
2411  * \test Test that the http_raw_host header content matches against a http request
2412  * which holds the content.
2413  */
2414 static int DetectEngineHttpHRHTest15(void)
2415 {
2416  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2417  "Host: CONNECT\r\n"
2418  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2419  uint32_t http_len = sizeof(http_buf) - 1;
2420  return RunTest(http_buf, http_len,
2421  "alert http any any -> any any "
2422  "(msg:\"http_raw_host header test\"; "
2423  "content:\"CO\"; http_raw_host; "
2424  "content:!\"EC\"; distance:3; http_raw_host; "
2425  "sid:1;)",
2426  1);
2427 }
2428 
2429 /**
2430  * \test Test that the http_raw_host header content matches against a http request
2431  * which holds the content.
2432  */
2433 static int DetectEngineHttpHRHTest16(void)
2434 {
2435  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2436  "Host: CONNECT\r\n"
2437  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2438  uint32_t http_len = sizeof(http_buf) - 1;
2439  return RunTest(http_buf, http_len,
2440  "alert http any any -> any any "
2441  "(msg:\"http_raw_host header test\"; "
2442  "content:\"CO\"; http_raw_host; "
2443  "content:\"EC\"; distance:3; http_raw_host; "
2444  "sid:1;)",
2445  0);
2446 }
2447 
2448 /**
2449  * \test Test that the http_raw_host header content matches against a http request
2450  * which holds the content.
2451  */
2452 static int DetectEngineHttpHRHTest17(void)
2453 {
2454  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2455  "Host: CONNECT\r\n"
2456  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2457  uint32_t http_len = sizeof(http_buf) - 1;
2458  return RunTest(http_buf, http_len,
2459  "alert http any any -> any any "
2460  "(msg:\"http_raw_host header test\"; "
2461  "content:\"CO\"; http_raw_host; "
2462  "content:!\"EC\"; distance:2; http_raw_host; "
2463  "sid:1;)",
2464  0);
2465 }
2466 
2467 static int DetectEngineHttpHRHTest18(void)
2468 {
2469  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2470  "Host: www.kaboom.com:8080\r\n"
2471  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2472  uint32_t http_len = sizeof(http_buf) - 1;
2473  return RunTest(http_buf, http_len,
2474  "alert http any any -> any any "
2475  "(msg:\"http_raw_host header test\"; "
2476  "content:\"kaboom\"; http_raw_host; nocase; "
2477  "sid:1;)",
2478  1);
2479 }
2480 
2481 static int DetectEngineHttpHRHTest19(void)
2482 {
2483  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2484  "Host: www.kaboom.com:8080\r\n"
2485  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2486  uint32_t http_len = sizeof(http_buf) - 1;
2487  return RunTest(http_buf, http_len,
2488  "alert http any any -> any any "
2489  "(msg:\"http_raw_host header test\"; "
2490  "content:\"kaboom\"; http_raw_host; nocase; "
2491  "sid:1;)",
2492  1);
2493 }
2494 
2495 static int DetectEngineHttpHRHTest20(void)
2496 {
2497  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2498  "Host: www.kaboom.com:8080\r\n"
2499  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2500  uint32_t http_len = sizeof(http_buf) - 1;
2501  return RunTest(http_buf, http_len,
2502  "alert http any any -> any any "
2503  "(msg:\"http_raw_host header test\"; "
2504  "content:\"8080\"; http_raw_host; nocase; "
2505  "sid:1;)",
2506  1);
2507 }
2508 
2509 static int DetectEngineHttpHRHTest21(void)
2510 {
2511  uint8_t http_buf[] = "GET http://www.kaboom.com/index.html HTTP/1.0\r\n"
2512  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2513  uint32_t http_len = sizeof(http_buf) - 1;
2514  return RunTest(http_buf, http_len,
2515  "alert http any any -> any any "
2516  "(msg:\"http_raw_host header test\"; "
2517  "content:\"kaboom\"; http_raw_host; nocase; "
2518  "sid:1;)",
2519  1);
2520 }
2521 
2522 static int DetectEngineHttpHRHTest22(void)
2523 {
2524  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2525  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2526  uint32_t http_len = sizeof(http_buf) - 1;
2527  return RunTest(http_buf, http_len,
2528  "alert http any any -> any any "
2529  "(msg:\"http_raw_host header test\"; "
2530  "content:\"kaboom\"; http_raw_host; nocase; "
2531  "sid:1;)",
2532  1);
2533 }
2534 
2535 static int DetectEngineHttpHRHTest23(void)
2536 {
2537  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2538  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2539  uint32_t http_len = sizeof(http_buf) - 1;
2540  return RunTest(http_buf, http_len,
2541  "alert http any any -> any any "
2542  "(msg:\"http_raw_host header test\"; "
2543  "content:\"8080\"; http_raw_host; nocase; "
2544  "sid:1;)",
2545  0);
2546 }
2547 
2548 static int DetectEngineHttpHRHTest24(void)
2549 {
2550  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2551  "Host: www.rabbit.com\r\n"
2552  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2553  uint32_t http_len = sizeof(http_buf) - 1;
2554  return RunTest(http_buf, http_len,
2555  "alert http any any -> any any "
2556  "(msg:\"http_raw_host header test\"; "
2557  "content:\"kaboom\"; http_raw_host; nocase; "
2558  "sid:1;)",
2559  1);
2560 }
2561 
2562 static int DetectEngineHttpHRHTest25(void)
2563 {
2564  uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2565  "Host: www.rabbit.com\r\n"
2566  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2567  uint32_t http_len = sizeof(http_buf) - 1;
2568  return RunTest(http_buf, http_len,
2569  "alert http any any -> any any "
2570  "(msg:\"http_raw_host header test\"; "
2571  "content:\"rabbit\"; http_raw_host; nocase; "
2572  "sid:1;)",
2573  0);
2574 }
2575 
2576 void DetectHttpHHRegisterTests(void)
2577 {
2578  UtRegisterTest("DetectHttpHHTest01", DetectHttpHHTest01);
2579  UtRegisterTest("DetectHttpHHTest03", DetectHttpHHTest03);
2580  UtRegisterTest("DetectHttpHHTest04", DetectHttpHHTest04);
2581  UtRegisterTest("DetectHttpHHTest05", DetectHttpHHTest05);
2582  UtRegisterTest("DetectHttpHHTest05a", DetectHttpHHTest05a);
2583  UtRegisterTest("DetectHttpHHTest06", DetectHttpHHTest06);
2584  UtRegisterTest("DetectHttpHHTest07", DetectHttpHHTest07);
2585  UtRegisterTest("DetectHttpHHTest08", DetectHttpHHTest08);
2586  UtRegisterTest("DetectHttpHHTest09", DetectHttpHHTest09);
2587  UtRegisterTest("DetectHttpHHTest10", DetectHttpHHTest10);
2588  UtRegisterTest("DetectHttpHHTest11", DetectHttpHHTest11);
2589  UtRegisterTest("DetectHttpHHTest12", DetectHttpHHTest12);
2590  UtRegisterTest("DetectHttpHHTest13", DetectHttpHHTest13);
2591  UtRegisterTest("DetectHttpHHTest14", DetectHttpHHTest14);
2592 
2593  UtRegisterTest("DetectEngineHttpHHTest01", DetectEngineHttpHHTest01);
2594  UtRegisterTest("DetectEngineHttpHHTest02", DetectEngineHttpHHTest02);
2595  UtRegisterTest("DetectEngineHttpHHTest03", DetectEngineHttpHHTest03);
2596  UtRegisterTest("DetectEngineHttpHHTest04", DetectEngineHttpHHTest04);
2597  UtRegisterTest("DetectEngineHttpHHTest05", DetectEngineHttpHHTest05);
2598  UtRegisterTest("DetectEngineHttpHHTest06", DetectEngineHttpHHTest06);
2599  UtRegisterTest("DetectEngineHttpHHTest07", DetectEngineHttpHHTest07);
2600  UtRegisterTest("DetectEngineHttpHHTest08", DetectEngineHttpHHTest08);
2601  UtRegisterTest("DetectEngineHttpHHTest09", DetectEngineHttpHHTest09);
2602  UtRegisterTest("DetectEngineHttpHHTest10", DetectEngineHttpHHTest10);
2603  UtRegisterTest("DetectEngineHttpHHTest11", DetectEngineHttpHHTest11);
2604  UtRegisterTest("DetectEngineHttpHHTest12", DetectEngineHttpHHTest12);
2605  UtRegisterTest("DetectEngineHttpHHTest13", DetectEngineHttpHHTest13);
2606  UtRegisterTest("DetectEngineHttpHHTest14", DetectEngineHttpHHTest14);
2607  UtRegisterTest("DetectEngineHttpHHTest15", DetectEngineHttpHHTest15);
2608  UtRegisterTest("DetectEngineHttpHHTest16", DetectEngineHttpHHTest16);
2609  UtRegisterTest("DetectEngineHttpHHTest17", DetectEngineHttpHHTest17);
2610  UtRegisterTest("DetectEngineHttpHHTest18", DetectEngineHttpHHTest18);
2611  UtRegisterTest("DetectEngineHttpHHTest19", DetectEngineHttpHHTest19);
2612  UtRegisterTest("DetectEngineHttpHHTest20", DetectEngineHttpHHTest20);
2613  UtRegisterTest("DetectEngineHttpHHTest21", DetectEngineHttpHHTest21);
2614  UtRegisterTest("DetectEngineHttpHHTest22", DetectEngineHttpHHTest22);
2615  UtRegisterTest("DetectEngineHttpHHTest23", DetectEngineHttpHHTest23);
2616  UtRegisterTest("DetectEngineHttpHHTest24", DetectEngineHttpHHTest24);
2617  UtRegisterTest("DetectEngineHttpHHTest25", DetectEngineHttpHHTest25);
2618 
2619  UtRegisterTest("DetectHttpHRHTest06", DetectHttpHRHTest06);
2620  UtRegisterTest("DetectHttpHRHTest07", DetectHttpHRHTest07);
2621  UtRegisterTest("DetectHttpHRHTest08", DetectHttpHRHTest08);
2622  UtRegisterTest("DetectHttpHRHTest09", DetectHttpHRHTest09);
2623  UtRegisterTest("DetectHttpHRHTest10", DetectHttpHRHTest10);
2624  UtRegisterTest("DetectHttpHRHTest11", DetectHttpHRHTest11);
2625  UtRegisterTest("DetectHttpHRHTest12", DetectHttpHRHTest12);
2626  UtRegisterTest("DetectHttpHRHTest13", DetectHttpHRHTest13);
2627  UtRegisterTest("DetectHttpHRHTest14", DetectHttpHRHTest14);
2628 
2629  UtRegisterTest("DetectHttpHRHTest37", DetectHttpHRHTest37);
2630 
2631  UtRegisterTest("DetectEngineHttpHRHTest01", DetectEngineHttpHRHTest01);
2632  UtRegisterTest("DetectEngineHttpHRHTest02", DetectEngineHttpHRHTest02);
2633  UtRegisterTest("DetectEngineHttpHRHTest03", DetectEngineHttpHRHTest03);
2634  UtRegisterTest("DetectEngineHttpHRHTest04", DetectEngineHttpHRHTest04);
2635  UtRegisterTest("DetectEngineHttpHRHTest05", DetectEngineHttpHRHTest05);
2636  UtRegisterTest("DetectEngineHttpHRHTest06", DetectEngineHttpHRHTest06);
2637  UtRegisterTest("DetectEngineHttpHRHTest07", DetectEngineHttpHRHTest07);
2638  UtRegisterTest("DetectEngineHttpHRHTest08", DetectEngineHttpHRHTest08);
2639  UtRegisterTest("DetectEngineHttpHRHTest09", DetectEngineHttpHRHTest09);
2640  UtRegisterTest("DetectEngineHttpHRHTest10", DetectEngineHttpHRHTest10);
2641  UtRegisterTest("DetectEngineHttpHRHTest11", DetectEngineHttpHRHTest11);
2642  UtRegisterTest("DetectEngineHttpHRHTest12", DetectEngineHttpHRHTest12);
2643  UtRegisterTest("DetectEngineHttpHRHTest13", DetectEngineHttpHRHTest13);
2644  UtRegisterTest("DetectEngineHttpHRHTest14", DetectEngineHttpHRHTest14);
2645  UtRegisterTest("DetectEngineHttpHRHTest15", DetectEngineHttpHRHTest15);
2646  UtRegisterTest("DetectEngineHttpHRHTest16", DetectEngineHttpHRHTest16);
2647  UtRegisterTest("DetectEngineHttpHRHTest17", DetectEngineHttpHRHTest17);
2648  UtRegisterTest("DetectEngineHttpHRHTest18", DetectEngineHttpHRHTest18);
2649  UtRegisterTest("DetectEngineHttpHRHTest19", DetectEngineHttpHRHTest19);
2650  UtRegisterTest("DetectEngineHttpHRHTest20", DetectEngineHttpHRHTest20);
2651  UtRegisterTest("DetectEngineHttpHRHTest21", DetectEngineHttpHRHTest21);
2652  UtRegisterTest("DetectEngineHttpHRHTest22", DetectEngineHttpHRHTest22);
2653  UtRegisterTest("DetectEngineHttpHRHTest23", DetectEngineHttpHRHTest23);
2654  UtRegisterTest("DetectEngineHttpHRHTest24", DetectEngineHttpHRHTest24);
2655  UtRegisterTest("DetectEngineHttpHRHTest25", DetectEngineHttpHRHTest25);
2656 }
2657 
2658 /**
2659  * @}
2660  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
flow-util.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:287
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2418
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3440
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:620
util-unittest.h
HtpState_
Definition: app-layer-htp.h:181
util-unittest-helper.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:496
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1245
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
DetectHttpHHRegisterTests
void DetectHttpHHRegisterTests(void)
Definition: detect-http-host.c:2576
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3098
app-layer-parser.h
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-engine-alert.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1258
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:867
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1277
suricata-common.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3601
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:942
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
app-layer-protos.h
suricata.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:935
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1354
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1088
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456