suricata
detect-http-host.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP host header.
31  * HHHD - Http Host Header Data
32  *
33  */
34 
35 #include "suricata-common.h"
36 #include "suricata.h"
37 #include "flow-util.h"
38 #include "flow.h"
39 #include "app-layer-parser.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 #include "app-layer.h"
43 #include "app-layer-htp.h"
44 #include "app-layer-protos.h"
45 #include "detect-engine-build.h"
46 #include "detect-engine-alert.h"
47 
48 /**
49  * \test Test that the http_host content matches against a http request
50  * which holds the content.
51  */
52 static int DetectEngineHttpHHTest01(void)
53 {
54  TcpSession ssn;
55  Packet *p = NULL;
56  ThreadVars th_v;
57  DetectEngineCtx *de_ctx = NULL;
58  DetectEngineThreadCtx *det_ctx = NULL;
59  HtpState *http_state = NULL;
60  Flow f;
61  uint8_t http_buf[] =
62  "GET /index.html HTTP/1.0\r\n"
63  "Host: CONNECT\r\n"
64  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
65  uint32_t http_len = sizeof(http_buf) - 1;
66  int result = 0;
67  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
68 
69  memset(&th_v, 0, sizeof(th_v));
70  memset(&f, 0, sizeof(f));
71  memset(&ssn, 0, sizeof(ssn));
72 
73  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
74 
75  FLOW_INITIALIZE(&f);
76  f.protoctx = (void *)&ssn;
77  f.proto = IPPROTO_TCP;
78  f.flags |= FLOW_IPV4;
79  p->flow = &f;
80  p->flowflags |= FLOW_PKT_TOSERVER;
81  p->flowflags |= FLOW_PKT_ESTABLISHED;
82  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
83  f.alproto = ALPROTO_HTTP1;
84 
85  StreamTcpInitConfig(true);
86 
87  de_ctx = DetectEngineCtxInit();
88  if (de_ctx == NULL)
89  goto end;
90 
91  de_ctx->flags |= DE_QUIET;
92 
93  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
94  "(msg:\"http host header test\"; "
95  "content:\"connect\"; http_host; "
96  "sid:1;)");
97  if (de_ctx->sig_list == NULL)
98  goto end;
99 
100  SigGroupBuild(de_ctx);
101  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
102 
103  int r = AppLayerParserParse(
104  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
105  if (r != 0) {
106  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
107  result = 0;
108  goto end;
109  }
110 
111  http_state = f.alstate;
112  if (http_state == NULL) {
113  printf("no http state: ");
114  result = 0;
115  goto end;
116  }
117 
118  /* do detect */
119  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
120 
121  if (!(PacketAlertCheck(p, 1))) {
122  printf("sid 1 didn't match but should have: ");
123  goto end;
124  }
125 
126  result = 1;
127 
128 end:
129  if (alp_tctx != NULL)
130  AppLayerParserThreadCtxFree(alp_tctx);
131  if (de_ctx != NULL)
132  SigGroupCleanup(de_ctx);
133  if (de_ctx != NULL)
134  SigCleanSignatures(de_ctx);
135  if (de_ctx != NULL)
136  DetectEngineCtxFree(de_ctx);
137 
138  StreamTcpFreeConfig(true);
139  FLOW_DESTROY(&f);
140  UTHFreePackets(&p, 1);
141  return result;
142 }
143 
144 /**
145  * \test Test that the http_host content matches against a http request
146  * which holds the content.
147  */
148 static int DetectEngineHttpHHTest02(void)
149 {
150  TcpSession ssn;
151  Packet *p = NULL;
152  ThreadVars th_v;
153  DetectEngineCtx *de_ctx = NULL;
154  DetectEngineThreadCtx *det_ctx = NULL;
155  HtpState *http_state = NULL;
156  Flow f;
157  uint8_t http_buf[] =
158  "GET /index.html HTTP/1.0\r\n"
159  "Host: CONNECT\r\n"
160  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
161  uint32_t http_len = sizeof(http_buf) - 1;
162  int result = 0;
163  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
164 
165  memset(&th_v, 0, sizeof(th_v));
166  memset(&f, 0, sizeof(f));
167  memset(&ssn, 0, sizeof(ssn));
168 
169  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
170 
171  FLOW_INITIALIZE(&f);
172  f.protoctx = (void *)&ssn;
173  f.proto = IPPROTO_TCP;
174  f.flags |= FLOW_IPV4;
175  p->flow = &f;
176  p->flowflags |= FLOW_PKT_TOSERVER;
177  p->flowflags |= FLOW_PKT_ESTABLISHED;
178  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
179  f.alproto = ALPROTO_HTTP1;
180 
181  StreamTcpInitConfig(true);
182 
183  de_ctx = DetectEngineCtxInit();
184  if (de_ctx == NULL)
185  goto end;
186 
187  de_ctx->flags |= DE_QUIET;
188 
189  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
190  "(msg:\"http host header test\"; "
191  "content:\"co\"; depth:4; http_host; "
192  "sid:1;)");
193  if (de_ctx->sig_list == NULL)
194  goto end;
195 
196  SigGroupBuild(de_ctx);
197  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
198 
199  int r = AppLayerParserParse(
200  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
201  if (r != 0) {
202  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
203  result = 0;
204  goto end;
205  }
206 
207  http_state = f.alstate;
208  if (http_state == NULL) {
209  printf("no http state: ");
210  result = 0;
211  goto end;
212  }
213 
214  /* do detect */
215  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
216 
217  if (!(PacketAlertCheck(p, 1))) {
218  printf("sid 1 didn't match but should have: ");
219  goto end;
220  }
221 
222  result = 1;
223 
224 end:
225  if (alp_tctx != NULL)
226  AppLayerParserThreadCtxFree(alp_tctx);
227  if (de_ctx != NULL)
228  SigGroupCleanup(de_ctx);
229  if (de_ctx != NULL)
230  SigCleanSignatures(de_ctx);
231  if (de_ctx != NULL)
232  DetectEngineCtxFree(de_ctx);
233 
234  StreamTcpFreeConfig(true);
235  FLOW_DESTROY(&f);
236  UTHFreePackets(&p, 1);
237  return result;
238 }
239 
240 /**
241  * \test Test that the http_host content matches against a http request
242  * which holds the content.
243  */
244 static int DetectEngineHttpHHTest03(void)
245 {
246  TcpSession ssn;
247  Packet *p = NULL;
248  ThreadVars th_v;
249  DetectEngineCtx *de_ctx = NULL;
250  DetectEngineThreadCtx *det_ctx = NULL;
251  HtpState *http_state = NULL;
252  Flow f;
253  uint8_t http_buf[] =
254  "GET /index.html HTTP/1.0\r\n"
255  "Host: CONNECT\r\n"
256  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
257  uint32_t http_len = sizeof(http_buf) - 1;
258  int result = 0;
259  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
260 
261  memset(&th_v, 0, sizeof(th_v));
262  memset(&f, 0, sizeof(f));
263  memset(&ssn, 0, sizeof(ssn));
264 
265  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
266 
267  FLOW_INITIALIZE(&f);
268  f.protoctx = (void *)&ssn;
269  f.proto = IPPROTO_TCP;
270  f.flags |= FLOW_IPV4;
271  p->flow = &f;
272  p->flowflags |= FLOW_PKT_TOSERVER;
273  p->flowflags |= FLOW_PKT_ESTABLISHED;
274  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
275  f.alproto = ALPROTO_HTTP1;
276 
277  StreamTcpInitConfig(true);
278 
279  de_ctx = DetectEngineCtxInit();
280  if (de_ctx == NULL)
281  goto end;
282 
283  de_ctx->flags |= DE_QUIET;
284 
285  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
286  "(msg:\"http_host header test\"; "
287  "content:!\"ect\"; depth:4; http_host; "
288  "sid:1;)");
289  if (de_ctx->sig_list == NULL)
290  goto end;
291 
292  SigGroupBuild(de_ctx);
293  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
294 
295  int r = AppLayerParserParse(
296  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
297  if (r != 0) {
298  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
299  result = 0;
300  goto end;
301  }
302 
303  http_state = f.alstate;
304  if (http_state == NULL) {
305  printf("no http state: ");
306  result = 0;
307  goto end;
308  }
309 
310  /* do detect */
311  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
312 
313  if (!(PacketAlertCheck(p, 1))) {
314  printf("sid 1 didn't match but should have: ");
315  goto end;
316  }
317 
318  result = 1;
319 
320 end:
321  if (alp_tctx != NULL)
322  AppLayerParserThreadCtxFree(alp_tctx);
323  if (de_ctx != NULL)
324  SigGroupCleanup(de_ctx);
325  if (de_ctx != NULL)
326  SigCleanSignatures(de_ctx);
327  if (de_ctx != NULL)
328  DetectEngineCtxFree(de_ctx);
329 
330  StreamTcpFreeConfig(true);
331  FLOW_DESTROY(&f);
332  UTHFreePackets(&p, 1);
333  return result;
334 }
335 
336 /**
337  * \test Test that the http_host content matches against a http request
338  * which holds the content.
339  */
340 static int DetectEngineHttpHHTest04(void)
341 {
342  TcpSession ssn;
343  Packet *p = NULL;
344  ThreadVars th_v;
345  DetectEngineCtx *de_ctx = NULL;
346  DetectEngineThreadCtx *det_ctx = NULL;
347  HtpState *http_state = NULL;
348  Flow f;
349  uint8_t http_buf[] =
350  "GET /index.html HTTP/1.0\r\n"
351  "Host: CONNECT\r\n"
352  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
353  uint32_t http_len = sizeof(http_buf) - 1;
354  int result = 0;
355  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
356 
357  memset(&th_v, 0, sizeof(th_v));
358  memset(&f, 0, sizeof(f));
359  memset(&ssn, 0, sizeof(ssn));
360 
361  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
362 
363  FLOW_INITIALIZE(&f);
364  f.protoctx = (void *)&ssn;
365  f.proto = IPPROTO_TCP;
366  f.flags |= FLOW_IPV4;
367  p->flow = &f;
368  p->flowflags |= FLOW_PKT_TOSERVER;
369  p->flowflags |= FLOW_PKT_ESTABLISHED;
370  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
371  f.alproto = ALPROTO_HTTP1;
372 
373  StreamTcpInitConfig(true);
374 
375  de_ctx = DetectEngineCtxInit();
376  if (de_ctx == NULL)
377  goto end;
378 
379  de_ctx->flags |= DE_QUIET;
380 
381  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
382  "(msg:\"http host header test\"; "
383  "content:\"ect\"; depth:4; http_host; "
384  "sid:1;)");
385  if (de_ctx->sig_list == NULL)
386  goto end;
387 
388  SigGroupBuild(de_ctx);
389  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
390 
391  int r = AppLayerParserParse(
392  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
393  if (r != 0) {
394  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
395  result = 0;
396  goto end;
397  }
398 
399  http_state = f.alstate;
400  if (http_state == NULL) {
401  printf("no http state: ");
402  result = 0;
403  goto end;
404  }
405 
406  /* do detect */
407  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
408 
409  if (PacketAlertCheck(p, 1)) {
410  printf("sid 1 matched but shouldn't have: ");
411  goto end;
412  }
413 
414  result = 1;
415 
416 end:
417  if (alp_tctx != NULL)
418  AppLayerParserThreadCtxFree(alp_tctx);
419  if (de_ctx != NULL)
420  SigGroupCleanup(de_ctx);
421  if (de_ctx != NULL)
422  SigCleanSignatures(de_ctx);
423  if (de_ctx != NULL)
424  DetectEngineCtxFree(de_ctx);
425 
426  StreamTcpFreeConfig(true);
427  FLOW_DESTROY(&f);
428  UTHFreePackets(&p, 1);
429  return result;
430 }
431 
432 /**
433  * \test Test that the http_host content matches against a http request
434  * which holds the content.
435  */
436 static int DetectEngineHttpHHTest05(void)
437 {
438  TcpSession ssn;
439  Packet *p = NULL;
440  ThreadVars th_v;
441  DetectEngineCtx *de_ctx = NULL;
442  DetectEngineThreadCtx *det_ctx = NULL;
443  HtpState *http_state = NULL;
444  Flow f;
445  uint8_t http_buf[] =
446  "GET /index.html HTTP/1.0\r\n"
447  "Host: CONNECT\r\n"
448  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
449  uint32_t http_len = sizeof(http_buf) - 1;
450  int result = 0;
451  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
452 
453  memset(&th_v, 0, sizeof(th_v));
454  memset(&f, 0, sizeof(f));
455  memset(&ssn, 0, sizeof(ssn));
456 
457  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
458 
459  FLOW_INITIALIZE(&f);
460  f.protoctx = (void *)&ssn;
461  f.proto = IPPROTO_TCP;
462  f.flags |= FLOW_IPV4;
463  p->flow = &f;
464  p->flowflags |= FLOW_PKT_TOSERVER;
465  p->flowflags |= FLOW_PKT_ESTABLISHED;
466  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
467  f.alproto = ALPROTO_HTTP1;
468 
469  StreamTcpInitConfig(true);
470 
471  de_ctx = DetectEngineCtxInit();
472  if (de_ctx == NULL)
473  goto end;
474 
475  de_ctx->flags |= DE_QUIET;
476 
477  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
478  "(msg:\"http host header test\"; "
479  "content:!\"con\"; depth:4; http_host; "
480  "sid:1;)");
481  if (de_ctx->sig_list == NULL)
482  goto end;
483 
484  SigGroupBuild(de_ctx);
485  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
486 
487  int r = AppLayerParserParse(
488  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
489  if (r != 0) {
490  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
491  result = 0;
492  goto end;
493  }
494 
495  http_state = f.alstate;
496  if (http_state == NULL) {
497  printf("no http state: ");
498  result = 0;
499  goto end;
500  }
501 
502  /* do detect */
503  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
504 
505  if (PacketAlertCheck(p, 1)) {
506  printf("sid 1 matched but shouldn't have: ");
507  goto end;
508  }
509 
510  result = 1;
511 
512 end:
513  if (alp_tctx != NULL)
514  AppLayerParserThreadCtxFree(alp_tctx);
515  if (de_ctx != NULL)
516  SigGroupCleanup(de_ctx);
517  if (de_ctx != NULL)
518  SigCleanSignatures(de_ctx);
519  if (de_ctx != NULL)
520  DetectEngineCtxFree(de_ctx);
521 
522  StreamTcpFreeConfig(true);
523  FLOW_DESTROY(&f);
524  UTHFreePackets(&p, 1);
525  return result;
526 }
527 
528 /**
529  * \test Test that the http_host header content matches against a http request
530  * which holds the content.
531  */
532 static int DetectEngineHttpHHTest06(void)
533 {
534  TcpSession ssn;
535  Packet *p = NULL;
536  ThreadVars th_v;
537  DetectEngineCtx *de_ctx = NULL;
538  DetectEngineThreadCtx *det_ctx = NULL;
539  HtpState *http_state = NULL;
540  Flow f;
541  uint8_t http_buf[] =
542  "GET /index.html HTTP/1.0\r\n"
543  "Host: CONNECT\r\n"
544  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
545  uint32_t http_len = sizeof(http_buf) - 1;
546  int result = 0;
547  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
548 
549  memset(&th_v, 0, sizeof(th_v));
550  memset(&f, 0, sizeof(f));
551  memset(&ssn, 0, sizeof(ssn));
552 
553  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
554 
555  FLOW_INITIALIZE(&f);
556  f.protoctx = (void *)&ssn;
557  f.proto = IPPROTO_TCP;
558  f.flags |= FLOW_IPV4;
559  p->flow = &f;
560  p->flowflags |= FLOW_PKT_TOSERVER;
561  p->flowflags |= FLOW_PKT_ESTABLISHED;
562  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
563  f.alproto = ALPROTO_HTTP1;
564 
565  StreamTcpInitConfig(true);
566 
567  de_ctx = DetectEngineCtxInit();
568  if (de_ctx == NULL)
569  goto end;
570 
571  de_ctx->flags |= DE_QUIET;
572 
573  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
574  "(msg:\"http host header test\"; "
575  "content:\"ect\"; offset:3; http_host; "
576  "sid:1;)");
577  if (de_ctx->sig_list == NULL)
578  goto end;
579 
580  SigGroupBuild(de_ctx);
581  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
582 
583  int r = AppLayerParserParse(
584  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
585  if (r != 0) {
586  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
587  result = 0;
588  goto end;
589  }
590 
591  http_state = f.alstate;
592  if (http_state == NULL) {
593  printf("no http state: ");
594  result = 0;
595  goto end;
596  }
597 
598  /* do detect */
599  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
600 
601  if (!(PacketAlertCheck(p, 1))) {
602  printf("sid 1 didn't match but should have: ");
603  goto end;
604  }
605 
606  result = 1;
607 
608 end:
609  if (alp_tctx != NULL)
610  AppLayerParserThreadCtxFree(alp_tctx);
611  if (de_ctx != NULL)
612  SigGroupCleanup(de_ctx);
613  if (de_ctx != NULL)
614  SigCleanSignatures(de_ctx);
615  if (de_ctx != NULL)
616  DetectEngineCtxFree(de_ctx);
617 
618  StreamTcpFreeConfig(true);
619  FLOW_DESTROY(&f);
620  UTHFreePackets(&p, 1);
621  return result;
622 }
623 
624 /**
625  * \test Test that the http_host content matches against a http request
626  * which holds the content.
627  */
628 static int DetectEngineHttpHHTest07(void)
629 {
630  TcpSession ssn;
631  Packet *p = NULL;
632  ThreadVars th_v;
633  DetectEngineCtx *de_ctx = NULL;
634  DetectEngineThreadCtx *det_ctx = NULL;
635  HtpState *http_state = NULL;
636  Flow f;
637  uint8_t http_buf[] =
638  "GET /index.html HTTP/1.0\r\n"
639  "Host: CONNECT\r\n"
640  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
641  uint32_t http_len = sizeof(http_buf) - 1;
642  int result = 0;
643  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
644 
645  memset(&th_v, 0, sizeof(th_v));
646  memset(&f, 0, sizeof(f));
647  memset(&ssn, 0, sizeof(ssn));
648 
649  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
650 
651  FLOW_INITIALIZE(&f);
652  f.protoctx = (void *)&ssn;
653  f.proto = IPPROTO_TCP;
654  f.flags |= FLOW_IPV4;
655  p->flow = &f;
656  p->flowflags |= FLOW_PKT_TOSERVER;
657  p->flowflags |= FLOW_PKT_ESTABLISHED;
658  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
659  f.alproto = ALPROTO_HTTP1;
660 
661  StreamTcpInitConfig(true);
662 
663  de_ctx = DetectEngineCtxInit();
664  if (de_ctx == NULL)
665  goto end;
666 
667  de_ctx->flags |= DE_QUIET;
668 
669  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
670  "(msg:\"http host header test\"; "
671  "content:!\"co\"; offset:3; http_host; "
672  "sid:1;)");
673  if (de_ctx->sig_list == NULL)
674  goto end;
675 
676  SigGroupBuild(de_ctx);
677  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
678 
679  int r = AppLayerParserParse(
680  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
681  if (r != 0) {
682  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
683  result = 0;
684  goto end;
685  }
686 
687  http_state = f.alstate;
688  if (http_state == NULL) {
689  printf("no http state: ");
690  result = 0;
691  goto end;
692  }
693 
694  /* do detect */
695  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
696 
697  if (!(PacketAlertCheck(p, 1))) {
698  printf("sid 1 didn't match but should have: ");
699  goto end;
700  }
701 
702  result = 1;
703 
704 end:
705  if (alp_tctx != NULL)
706  AppLayerParserThreadCtxFree(alp_tctx);
707  if (de_ctx != NULL)
708  SigGroupCleanup(de_ctx);
709  if (de_ctx != NULL)
710  SigCleanSignatures(de_ctx);
711  if (de_ctx != NULL)
712  DetectEngineCtxFree(de_ctx);
713 
714  StreamTcpFreeConfig(true);
715  FLOW_DESTROY(&f);
716  UTHFreePackets(&p, 1);
717  return result;
718 }
719 
720 /**
721  * \test Test that the http_host header content matches against a http request
722  * which holds the content.
723  */
724 static int DetectEngineHttpHHTest08(void)
725 {
726  TcpSession ssn;
727  Packet *p = NULL;
728  ThreadVars th_v;
729  DetectEngineCtx *de_ctx = NULL;
730  DetectEngineThreadCtx *det_ctx = NULL;
731  HtpState *http_state = NULL;
732  Flow f;
733  uint8_t http_buf[] =
734  "GET /index.html HTTP/1.0\r\n"
735  "Host: CONNECT\r\n"
736  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
737  uint32_t http_len = sizeof(http_buf) - 1;
738  int result = 0;
739  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
740 
741  memset(&th_v, 0, sizeof(th_v));
742  memset(&f, 0, sizeof(f));
743  memset(&ssn, 0, sizeof(ssn));
744 
745  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
746 
747  FLOW_INITIALIZE(&f);
748  f.protoctx = (void *)&ssn;
749  f.proto = IPPROTO_TCP;
750  f.flags |= FLOW_IPV4;
751  p->flow = &f;
752  p->flowflags |= FLOW_PKT_TOSERVER;
753  p->flowflags |= FLOW_PKT_ESTABLISHED;
754  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
755  f.alproto = ALPROTO_HTTP1;
756 
757  StreamTcpInitConfig(true);
758 
759  de_ctx = DetectEngineCtxInit();
760  if (de_ctx == NULL)
761  goto end;
762 
763  de_ctx->flags |= DE_QUIET;
764 
765  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
766  "(msg:\"http host header test\"; "
767  "content:!\"ect\"; offset:3; http_host; "
768  "sid:1;)");
769  if (de_ctx->sig_list == NULL)
770  goto end;
771 
772  SigGroupBuild(de_ctx);
773  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
774 
775  int r = AppLayerParserParse(
776  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
777  if (r != 0) {
778  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
779  result = 0;
780  goto end;
781  }
782 
783  http_state = f.alstate;
784  if (http_state == NULL) {
785  printf("no http state: ");
786  result = 0;
787  goto end;
788  }
789 
790  /* do detect */
791  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
792 
793  if (PacketAlertCheck(p, 1)) {
794  printf("sid 1 matched but shouldn't have: ");
795  goto end;
796  }
797 
798  result = 1;
799 
800 end:
801  if (alp_tctx != NULL)
802  AppLayerParserThreadCtxFree(alp_tctx);
803  if (de_ctx != NULL)
804  SigGroupCleanup(de_ctx);
805  if (de_ctx != NULL)
806  SigCleanSignatures(de_ctx);
807  if (de_ctx != NULL)
808  DetectEngineCtxFree(de_ctx);
809 
810  StreamTcpFreeConfig(true);
811  FLOW_DESTROY(&f);
812  UTHFreePackets(&p, 1);
813  return result;
814 }
815 
816 /**
817  * \test Test that the http_host header content matches against a http request
818  * which holds the content.
819  */
820 static int DetectEngineHttpHHTest09(void)
821 {
822  TcpSession ssn;
823  Packet *p = NULL;
824  ThreadVars th_v;
825  DetectEngineCtx *de_ctx = NULL;
826  DetectEngineThreadCtx *det_ctx = NULL;
827  HtpState *http_state = NULL;
828  Flow f;
829  uint8_t http_buf[] =
830  "GET /index.html HTTP/1.0\r\n"
831  "Host: CONNECT\r\n"
832  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
833  uint32_t http_len = sizeof(http_buf) - 1;
834  int result = 0;
835  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
836 
837  memset(&th_v, 0, sizeof(th_v));
838  memset(&f, 0, sizeof(f));
839  memset(&ssn, 0, sizeof(ssn));
840 
841  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
842 
843  FLOW_INITIALIZE(&f);
844  f.protoctx = (void *)&ssn;
845  f.proto = IPPROTO_TCP;
846  f.flags |= FLOW_IPV4;
847  p->flow = &f;
848  p->flowflags |= FLOW_PKT_TOSERVER;
849  p->flowflags |= FLOW_PKT_ESTABLISHED;
850  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
851  f.alproto = ALPROTO_HTTP1;
852 
853  StreamTcpInitConfig(true);
854 
855  de_ctx = DetectEngineCtxInit();
856  if (de_ctx == NULL)
857  goto end;
858 
859  de_ctx->flags |= DE_QUIET;
860 
861  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
862  "(msg:\"http host header test\"; "
863  "content:\"con\"; offset:3; http_host; "
864  "sid:1;)");
865  if (de_ctx->sig_list == NULL)
866  goto end;
867 
868  SigGroupBuild(de_ctx);
869  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
870 
871  int r = AppLayerParserParse(
872  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
873  if (r != 0) {
874  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
875  result = 0;
876  goto end;
877  }
878 
879  http_state = f.alstate;
880  if (http_state == NULL) {
881  printf("no http state: ");
882  result = 0;
883  goto end;
884  }
885 
886  /* do detect */
887  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
888 
889  if (PacketAlertCheck(p, 1)) {
890  printf("sid 1 matched but shouldn't have: ");
891  goto end;
892  }
893 
894  result = 1;
895 
896 end:
897  if (alp_tctx != NULL)
898  AppLayerParserThreadCtxFree(alp_tctx);
899  if (de_ctx != NULL)
900  SigGroupCleanup(de_ctx);
901  if (de_ctx != NULL)
902  SigCleanSignatures(de_ctx);
903  if (de_ctx != NULL)
904  DetectEngineCtxFree(de_ctx);
905 
906  StreamTcpFreeConfig(true);
907  FLOW_DESTROY(&f);
908  UTHFreePackets(&p, 1);
909  return result;
910 }
911 
912 /**
913  * \test Test that the http_host header content matches against a http request
914  * which holds the content.
915  */
916 static int DetectEngineHttpHHTest10(void)
917 {
918  TcpSession ssn;
919  Packet *p = NULL;
920  ThreadVars th_v;
921  DetectEngineCtx *de_ctx = NULL;
922  DetectEngineThreadCtx *det_ctx = NULL;
923  HtpState *http_state = NULL;
924  Flow f;
925  uint8_t http_buf[] =
926  "GET /index.html HTTP/1.0\r\n"
927  "Host: CONNECT\r\n"
928  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
929  uint32_t http_len = sizeof(http_buf) - 1;
930  int result = 0;
931  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
932 
933  memset(&th_v, 0, sizeof(th_v));
934  memset(&f, 0, sizeof(f));
935  memset(&ssn, 0, sizeof(ssn));
936 
937  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
938 
939  FLOW_INITIALIZE(&f);
940  f.protoctx = (void *)&ssn;
941  f.proto = IPPROTO_TCP;
942  f.flags |= FLOW_IPV4;
943  p->flow = &f;
944  p->flowflags |= FLOW_PKT_TOSERVER;
945  p->flowflags |= FLOW_PKT_ESTABLISHED;
946  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
947  f.alproto = ALPROTO_HTTP1;
948 
949  StreamTcpInitConfig(true);
950 
951  de_ctx = DetectEngineCtxInit();
952  if (de_ctx == NULL)
953  goto end;
954 
955  de_ctx->flags |= DE_QUIET;
956 
957  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
958  "(msg:\"http_host header test\"; "
959  "content:\"co\"; http_host; "
960  "content:\"ec\"; within:4; http_host; "
961  "sid:1;)");
962  if (de_ctx->sig_list == NULL)
963  goto end;
964 
965  SigGroupBuild(de_ctx);
966  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
967 
968  int r = AppLayerParserParse(
969  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
970  if (r != 0) {
971  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
972  result = 0;
973  goto end;
974  }
975 
976  http_state = f.alstate;
977  if (http_state == NULL) {
978  printf("no http state: ");
979  result = 0;
980  goto end;
981  }
982 
983  /* do detect */
984  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
985 
986  if (!PacketAlertCheck(p, 1)) {
987  printf("sid 1 didn't match but should have: ");
988  goto end;
989  }
990 
991  result = 1;
992 
993 end:
994  if (alp_tctx != NULL)
995  AppLayerParserThreadCtxFree(alp_tctx);
996  if (de_ctx != NULL)
997  SigGroupCleanup(de_ctx);
998  if (de_ctx != NULL)
999  SigCleanSignatures(de_ctx);
1000  if (de_ctx != NULL)
1001  DetectEngineCtxFree(de_ctx);
1002 
1003  StreamTcpFreeConfig(true);
1004  FLOW_DESTROY(&f);
1005  UTHFreePackets(&p, 1);
1006  return result;
1007 }
1008 
1009 /**
1010  * \test Test that the http_host header content matches against a http request
1011  * which holds the content.
1012  */
1013 static int DetectEngineHttpHHTest11(void)
1014 {
1015  TcpSession ssn;
1016  Packet *p = NULL;
1017  ThreadVars th_v;
1018  DetectEngineCtx *de_ctx = NULL;
1019  DetectEngineThreadCtx *det_ctx = NULL;
1020  HtpState *http_state = NULL;
1021  Flow f;
1022  uint8_t http_buf[] =
1023  "GET /index.html HTTP/1.0\r\n"
1024  "Host: CONNECT\r\n"
1025  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1026  uint32_t http_len = sizeof(http_buf) - 1;
1027  int result = 0;
1028  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1029 
1030  memset(&th_v, 0, sizeof(th_v));
1031  memset(&f, 0, sizeof(f));
1032  memset(&ssn, 0, sizeof(ssn));
1033 
1034  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1035 
1036  FLOW_INITIALIZE(&f);
1037  f.protoctx = (void *)&ssn;
1038  f.proto = IPPROTO_TCP;
1039  f.flags |= FLOW_IPV4;
1040  p->flow = &f;
1041  p->flowflags |= FLOW_PKT_TOSERVER;
1042  p->flowflags |= FLOW_PKT_ESTABLISHED;
1043  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1044  f.alproto = ALPROTO_HTTP1;
1045 
1046  StreamTcpInitConfig(true);
1047 
1048  de_ctx = DetectEngineCtxInit();
1049  if (de_ctx == NULL)
1050  goto end;
1051 
1052  de_ctx->flags |= DE_QUIET;
1053 
1054  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1055  "(msg:\"http_host header test\"; "
1056  "content:\"co\"; http_host; "
1057  "content:!\"ec\"; within:3; http_host; "
1058  "sid:1;)");
1059  if (de_ctx->sig_list == NULL)
1060  goto end;
1061 
1062  SigGroupBuild(de_ctx);
1063  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1064 
1065  int r = AppLayerParserParse(
1066  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1067  if (r != 0) {
1068  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1069  result = 0;
1070  goto end;
1071  }
1072 
1073  http_state = f.alstate;
1074  if (http_state == NULL) {
1075  printf("no http state: ");
1076  result = 0;
1077  goto end;
1078  }
1079 
1080  /* do detect */
1081  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1082 
1083  if (!PacketAlertCheck(p, 1)) {
1084  printf("sid 1 didn't match but should have: ");
1085  goto end;
1086  }
1087 
1088  result = 1;
1089 
1090 end:
1091  if (alp_tctx != NULL)
1092  AppLayerParserThreadCtxFree(alp_tctx);
1093  if (de_ctx != NULL)
1094  SigGroupCleanup(de_ctx);
1095  if (de_ctx != NULL)
1096  SigCleanSignatures(de_ctx);
1097  if (de_ctx != NULL)
1098  DetectEngineCtxFree(de_ctx);
1099 
1100  StreamTcpFreeConfig(true);
1101  FLOW_DESTROY(&f);
1102  UTHFreePackets(&p, 1);
1103  return result;
1104 }
1105 
1106 /**
1107  * \test Test that the http_host header content matches against a http request
1108  * which holds the content.
1109  */
1110 static int DetectEngineHttpHHTest12(void)
1111 {
1112  TcpSession ssn;
1113  Packet *p = NULL;
1114  ThreadVars th_v;
1115  DetectEngineCtx *de_ctx = NULL;
1116  DetectEngineThreadCtx *det_ctx = NULL;
1117  HtpState *http_state = NULL;
1118  Flow f;
1119  uint8_t http_buf[] =
1120  "GET /index.html HTTP/1.0\r\n"
1121  "Host: CONNECT\r\n"
1122  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1123  uint32_t http_len = sizeof(http_buf) - 1;
1124  int result = 0;
1125  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1126 
1127  memset(&th_v, 0, sizeof(th_v));
1128  memset(&f, 0, sizeof(f));
1129  memset(&ssn, 0, sizeof(ssn));
1130 
1131  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1132 
1133  FLOW_INITIALIZE(&f);
1134  f.protoctx = (void *)&ssn;
1135  f.proto = IPPROTO_TCP;
1136  f.flags |= FLOW_IPV4;
1137  p->flow = &f;
1138  p->flowflags |= FLOW_PKT_TOSERVER;
1139  p->flowflags |= FLOW_PKT_ESTABLISHED;
1140  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1141  f.alproto = ALPROTO_HTTP1;
1142 
1143  StreamTcpInitConfig(true);
1144 
1145  de_ctx = DetectEngineCtxInit();
1146  if (de_ctx == NULL)
1147  goto end;
1148 
1149  de_ctx->flags |= DE_QUIET;
1150 
1151  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1152  "(msg:\"http_host header test\"; "
1153  "content:\"co\"; http_host; "
1154  "content:\"ec\"; within:3; http_host; "
1155  "sid:1;)");
1156  if (de_ctx->sig_list == NULL)
1157  goto end;
1158 
1159  SigGroupBuild(de_ctx);
1160  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1161 
1162  int r = AppLayerParserParse(
1163  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1164  if (r != 0) {
1165  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1166  result = 0;
1167  goto end;
1168  }
1169 
1170  http_state = f.alstate;
1171  if (http_state == NULL) {
1172  printf("no http state: ");
1173  result = 0;
1174  goto end;
1175  }
1176 
1177  /* do detect */
1178  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1179 
1180  if (PacketAlertCheck(p, 1)) {
1181  printf("sid 1 matched but shouldn't have: ");
1182  goto end;
1183  }
1184 
1185  result = 1;
1186 
1187 end:
1188  if (alp_tctx != NULL)
1189  AppLayerParserThreadCtxFree(alp_tctx);
1190  if (de_ctx != NULL)
1191  SigGroupCleanup(de_ctx);
1192  if (de_ctx != NULL)
1193  SigCleanSignatures(de_ctx);
1194  if (de_ctx != NULL)
1195  DetectEngineCtxFree(de_ctx);
1196 
1197  StreamTcpFreeConfig(true);
1198  FLOW_DESTROY(&f);
1199  UTHFreePackets(&p, 1);
1200  return result;
1201 }
1202 
1203 /**
1204  * \test Test that the http_host header content matches against a http request
1205  * which holds the content.
1206  */
1207 static int DetectEngineHttpHHTest13(void)
1208 {
1209  TcpSession ssn;
1210  Packet *p = NULL;
1211  ThreadVars th_v;
1212  DetectEngineCtx *de_ctx = NULL;
1213  DetectEngineThreadCtx *det_ctx = NULL;
1214  HtpState *http_state = NULL;
1215  Flow f;
1216  uint8_t http_buf[] =
1217  "GET /index.html HTTP/1.0\r\n"
1218  "Host: CONNECT\r\n"
1219  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1220  uint32_t http_len = sizeof(http_buf) - 1;
1221  int result = 0;
1222  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1223 
1224  memset(&th_v, 0, sizeof(th_v));
1225  memset(&f, 0, sizeof(f));
1226  memset(&ssn, 0, sizeof(ssn));
1227 
1228  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1229 
1230  FLOW_INITIALIZE(&f);
1231  f.protoctx = (void *)&ssn;
1232  f.proto = IPPROTO_TCP;
1233  f.flags |= FLOW_IPV4;
1234  p->flow = &f;
1235  p->flowflags |= FLOW_PKT_TOSERVER;
1236  p->flowflags |= FLOW_PKT_ESTABLISHED;
1237  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1238  f.alproto = ALPROTO_HTTP1;
1239 
1240  StreamTcpInitConfig(true);
1241 
1242  de_ctx = DetectEngineCtxInit();
1243  if (de_ctx == NULL)
1244  goto end;
1245 
1246  de_ctx->flags |= DE_QUIET;
1247 
1248  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1249  "(msg:\"http_host header test\"; "
1250  "content:\"co\"; http_host; "
1251  "content:!\"ec\"; within:4; http_host; "
1252  "sid:1;)");
1253  if (de_ctx->sig_list == NULL)
1254  goto end;
1255 
1256  SigGroupBuild(de_ctx);
1257  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1258 
1259  int r = AppLayerParserParse(
1260  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1261  if (r != 0) {
1262  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1263  result = 0;
1264  goto end;
1265  }
1266 
1267  http_state = f.alstate;
1268  if (http_state == NULL) {
1269  printf("no http state: ");
1270  result = 0;
1271  goto end;
1272  }
1273 
1274  /* do detect */
1275  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1276 
1277  if (PacketAlertCheck(p, 1)) {
1278  printf("sid 1 matched but shouldn't have: ");
1279  goto end;
1280  }
1281 
1282  result = 1;
1283 
1284 end:
1285  if (alp_tctx != NULL)
1286  AppLayerParserThreadCtxFree(alp_tctx);
1287  if (de_ctx != NULL)
1288  SigGroupCleanup(de_ctx);
1289  if (de_ctx != NULL)
1290  SigCleanSignatures(de_ctx);
1291  if (de_ctx != NULL)
1292  DetectEngineCtxFree(de_ctx);
1293 
1294  StreamTcpFreeConfig(true);
1295  FLOW_DESTROY(&f);
1296  UTHFreePackets(&p, 1);
1297  return result;
1298 }
1299 
1300 /**
1301  * \test Test that the http_host header content matches against a http request
1302  * which holds the content.
1303  */
1304 static int DetectEngineHttpHHTest14(void)
1305 {
1306  TcpSession ssn;
1307  Packet *p = NULL;
1308  ThreadVars th_v;
1309  DetectEngineCtx *de_ctx = NULL;
1310  DetectEngineThreadCtx *det_ctx = NULL;
1311  HtpState *http_state = NULL;
1312  Flow f;
1313  uint8_t http_buf[] =
1314  "GET /index.html HTTP/1.0\r\n"
1315  "Host: CONNECT\r\n"
1316  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1317  uint32_t http_len = sizeof(http_buf) - 1;
1318  int result = 0;
1319  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1320 
1321  memset(&th_v, 0, sizeof(th_v));
1322  memset(&f, 0, sizeof(f));
1323  memset(&ssn, 0, sizeof(ssn));
1324 
1325  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1326 
1327  FLOW_INITIALIZE(&f);
1328  f.protoctx = (void *)&ssn;
1329  f.proto = IPPROTO_TCP;
1330  f.flags |= FLOW_IPV4;
1331  p->flow = &f;
1332  p->flowflags |= FLOW_PKT_TOSERVER;
1333  p->flowflags |= FLOW_PKT_ESTABLISHED;
1334  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1335  f.alproto = ALPROTO_HTTP1;
1336 
1337  StreamTcpInitConfig(true);
1338 
1339  de_ctx = DetectEngineCtxInit();
1340  if (de_ctx == NULL)
1341  goto end;
1342 
1343  de_ctx->flags |= DE_QUIET;
1344 
1345  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1346  "(msg:\"http_host header test\"; "
1347  "content:\"co\"; http_host; "
1348  "content:\"ec\"; distance:2; http_host; "
1349  "sid:1;)");
1350  if (de_ctx->sig_list == NULL)
1351  goto end;
1352 
1353  SigGroupBuild(de_ctx);
1354  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1355 
1356  int r = AppLayerParserParse(
1357  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1358  if (r != 0) {
1359  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1360  result = 0;
1361  goto end;
1362  }
1363 
1364  http_state = f.alstate;
1365  if (http_state == NULL) {
1366  printf("no http state: ");
1367  result = 0;
1368  goto end;
1369  }
1370 
1371  /* do detect */
1372  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1373 
1374  if (!PacketAlertCheck(p, 1)) {
1375  printf("sid 1 didn't match but should have: ");
1376  goto end;
1377  }
1378 
1379  result = 1;
1380 
1381 end:
1382  if (alp_tctx != NULL)
1383  AppLayerParserThreadCtxFree(alp_tctx);
1384  if (de_ctx != NULL)
1385  SigGroupCleanup(de_ctx);
1386  if (de_ctx != NULL)
1387  SigCleanSignatures(de_ctx);
1388  if (de_ctx != NULL)
1389  DetectEngineCtxFree(de_ctx);
1390 
1391  StreamTcpFreeConfig(true);
1392  FLOW_DESTROY(&f);
1393  UTHFreePackets(&p, 1);
1394  return result;
1395 }
1396 
1397 /**
1398  * \test Test that the http_host header content matches against a http request
1399  * which holds the content.
1400  */
1401 static int DetectEngineHttpHHTest15(void)
1402 {
1403  TcpSession ssn;
1404  Packet *p = NULL;
1405  ThreadVars th_v;
1406  DetectEngineCtx *de_ctx = NULL;
1407  DetectEngineThreadCtx *det_ctx = NULL;
1408  HtpState *http_state = NULL;
1409  Flow f;
1410  uint8_t http_buf[] =
1411  "GET /index.html HTTP/1.0\r\n"
1412  "Host: CONNECT\r\n"
1413  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1414  uint32_t http_len = sizeof(http_buf) - 1;
1415  int result = 0;
1416  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1417 
1418  memset(&th_v, 0, sizeof(th_v));
1419  memset(&f, 0, sizeof(f));
1420  memset(&ssn, 0, sizeof(ssn));
1421 
1422  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1423 
1424  FLOW_INITIALIZE(&f);
1425  f.protoctx = (void *)&ssn;
1426  f.proto = IPPROTO_TCP;
1427  f.flags |= FLOW_IPV4;
1428  p->flow = &f;
1429  p->flowflags |= FLOW_PKT_TOSERVER;
1430  p->flowflags |= FLOW_PKT_ESTABLISHED;
1431  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1432  f.alproto = ALPROTO_HTTP1;
1433 
1434  StreamTcpInitConfig(true);
1435 
1436  de_ctx = DetectEngineCtxInit();
1437  if (de_ctx == NULL)
1438  goto end;
1439 
1440  de_ctx->flags |= DE_QUIET;
1441 
1442  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1443  "(msg:\"http_host header test\"; "
1444  "content:\"co\"; http_host; "
1445  "content:!\"ec\"; distance:3; http_host; "
1446  "sid:1;)");
1447  if (de_ctx->sig_list == NULL)
1448  goto end;
1449 
1450  SigGroupBuild(de_ctx);
1451  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1452 
1453  int r = AppLayerParserParse(
1454  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1455  if (r != 0) {
1456  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1457  result = 0;
1458  goto end;
1459  }
1460 
1461  http_state = f.alstate;
1462  if (http_state == NULL) {
1463  printf("no http state: ");
1464  result = 0;
1465  goto end;
1466  }
1467 
1468  /* do detect */
1469  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1470 
1471  if (!PacketAlertCheck(p, 1)) {
1472  printf("sid 1 didn't match but should have: ");
1473  goto end;
1474  }
1475 
1476  result = 1;
1477 
1478 end:
1479  if (alp_tctx != NULL)
1480  AppLayerParserThreadCtxFree(alp_tctx);
1481  if (de_ctx != NULL)
1482  SigGroupCleanup(de_ctx);
1483  if (de_ctx != NULL)
1484  SigCleanSignatures(de_ctx);
1485  if (de_ctx != NULL)
1486  DetectEngineCtxFree(de_ctx);
1487 
1488  StreamTcpFreeConfig(true);
1489  FLOW_DESTROY(&f);
1490  UTHFreePackets(&p, 1);
1491  return result;
1492 }
1493 
1494 /**
1495  * \test Test that the http_host header content matches against a http request
1496  * which holds the content.
1497  */
1498 static int DetectEngineHttpHHTest16(void)
1499 {
1500  TcpSession ssn;
1501  Packet *p = NULL;
1502  ThreadVars th_v;
1503  DetectEngineCtx *de_ctx = NULL;
1504  DetectEngineThreadCtx *det_ctx = NULL;
1505  HtpState *http_state = NULL;
1506  Flow f;
1507  uint8_t http_buf[] =
1508  "GET /index.html HTTP/1.0\r\n"
1509  "Host: CONNECT\r\n"
1510  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1511  uint32_t http_len = sizeof(http_buf) - 1;
1512  int result = 0;
1513  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1514 
1515  memset(&th_v, 0, sizeof(th_v));
1516  memset(&f, 0, sizeof(f));
1517  memset(&ssn, 0, sizeof(ssn));
1518 
1519  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1520 
1521  FLOW_INITIALIZE(&f);
1522  f.protoctx = (void *)&ssn;
1523  f.proto = IPPROTO_TCP;
1524  f.flags |= FLOW_IPV4;
1525  p->flow = &f;
1526  p->flowflags |= FLOW_PKT_TOSERVER;
1527  p->flowflags |= FLOW_PKT_ESTABLISHED;
1528  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1529  f.alproto = ALPROTO_HTTP1;
1530 
1531  StreamTcpInitConfig(true);
1532 
1533  de_ctx = DetectEngineCtxInit();
1534  if (de_ctx == NULL)
1535  goto end;
1536 
1537  de_ctx->flags |= DE_QUIET;
1538 
1539  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1540  "(msg:\"http_host header test\"; "
1541  "content:\"co\"; http_host; "
1542  "content:\"ec\"; distance:3; http_host; "
1543  "sid:1;)");
1544  if (de_ctx->sig_list == NULL)
1545  goto end;
1546 
1547  SigGroupBuild(de_ctx);
1548  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1549 
1550  int r = AppLayerParserParse(
1551  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1552  if (r != 0) {
1553  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1554  result = 0;
1555  goto end;
1556  }
1557 
1558  http_state = f.alstate;
1559  if (http_state == NULL) {
1560  printf("no http state: ");
1561  result = 0;
1562  goto end;
1563  }
1564 
1565  /* do detect */
1566  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1567 
1568  if (PacketAlertCheck(p, 1)) {
1569  printf("sid 1 matched but shouldn't have: ");
1570  goto end;
1571  }
1572 
1573  result = 1;
1574 
1575 end:
1576  if (alp_tctx != NULL)
1577  AppLayerParserThreadCtxFree(alp_tctx);
1578  if (de_ctx != NULL)
1579  SigGroupCleanup(de_ctx);
1580  if (de_ctx != NULL)
1581  SigCleanSignatures(de_ctx);
1582  if (de_ctx != NULL)
1583  DetectEngineCtxFree(de_ctx);
1584 
1585  StreamTcpFreeConfig(true);
1586  FLOW_DESTROY(&f);
1587  UTHFreePackets(&p, 1);
1588  return result;
1589 }
1590 
1591 /**
1592  * \test Test that the http_host header content matches against a http request
1593  * which holds the content.
1594  */
1595 static int DetectEngineHttpHHTest17(void)
1596 {
1597  TcpSession ssn;
1598  Packet *p = NULL;
1599  ThreadVars th_v;
1600  DetectEngineCtx *de_ctx = NULL;
1601  DetectEngineThreadCtx *det_ctx = NULL;
1602  HtpState *http_state = NULL;
1603  Flow f;
1604  uint8_t http_buf[] =
1605  "GET /index.html HTTP/1.0\r\n"
1606  "Host: CONNECT\r\n"
1607  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1608  uint32_t http_len = sizeof(http_buf) - 1;
1609  int result = 0;
1610  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1611 
1612  memset(&th_v, 0, sizeof(th_v));
1613  memset(&f, 0, sizeof(f));
1614  memset(&ssn, 0, sizeof(ssn));
1615 
1616  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1617 
1618  FLOW_INITIALIZE(&f);
1619  f.protoctx = (void *)&ssn;
1620  f.proto = IPPROTO_TCP;
1621  f.flags |= FLOW_IPV4;
1622  p->flow = &f;
1623  p->flowflags |= FLOW_PKT_TOSERVER;
1624  p->flowflags |= FLOW_PKT_ESTABLISHED;
1625  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1626  f.alproto = ALPROTO_HTTP1;
1627 
1628  StreamTcpInitConfig(true);
1629 
1630  de_ctx = DetectEngineCtxInit();
1631  if (de_ctx == NULL)
1632  goto end;
1633 
1634  de_ctx->flags |= DE_QUIET;
1635 
1636  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1637  "(msg:\"http_host header test\"; "
1638  "content:\"co\"; http_host; "
1639  "content:!\"ec\"; distance:2; http_host; "
1640  "sid:1;)");
1641  if (de_ctx->sig_list == NULL)
1642  goto end;
1643 
1644  SigGroupBuild(de_ctx);
1645  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1646 
1647  int r = AppLayerParserParse(
1648  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1649  if (r != 0) {
1650  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1651  result = 0;
1652  goto end;
1653  }
1654 
1655  http_state = f.alstate;
1656  if (http_state == NULL) {
1657  printf("no http state: ");
1658  result = 0;
1659  goto end;
1660  }
1661 
1662  /* do detect */
1663  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1664 
1665  if (PacketAlertCheck(p, 1)) {
1666  printf("sid 1 matched but shouldn't have: ");
1667  goto end;
1668  }
1669 
1670  result = 1;
1671 
1672 end:
1673  if (alp_tctx != NULL)
1674  AppLayerParserThreadCtxFree(alp_tctx);
1675  if (de_ctx != NULL)
1676  SigGroupCleanup(de_ctx);
1677  if (de_ctx != NULL)
1678  SigCleanSignatures(de_ctx);
1679  if (de_ctx != NULL)
1680  DetectEngineCtxFree(de_ctx);
1681 
1682  StreamTcpFreeConfig(true);
1683  FLOW_DESTROY(&f);
1684  UTHFreePackets(&p, 1);
1685  return result;
1686 }
1687 
1688 static int DetectEngineHttpHHTest18(void)
1689 {
1690  TcpSession ssn;
1691  Packet *p = NULL;
1692  ThreadVars th_v;
1693  DetectEngineCtx *de_ctx = NULL;
1694  DetectEngineThreadCtx *det_ctx = NULL;
1695  HtpState *http_state = NULL;
1696  Flow f;
1697  uint8_t http_buf[] =
1698  "GET /index.html HTTP/1.0\r\n"
1699  "Host: www.kaboom.com\r\n"
1700  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1701  uint32_t http_len = sizeof(http_buf) - 1;
1702  int result = 0;
1703  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1704 
1705  memset(&th_v, 0, sizeof(th_v));
1706  memset(&f, 0, sizeof(f));
1707  memset(&ssn, 0, sizeof(ssn));
1708 
1709  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1710 
1711  FLOW_INITIALIZE(&f);
1712  f.protoctx = (void *)&ssn;
1713  f.proto = IPPROTO_TCP;
1714  f.flags |= FLOW_IPV4;
1715  p->flow = &f;
1716  p->flowflags |= FLOW_PKT_TOSERVER;
1717  p->flowflags |= FLOW_PKT_ESTABLISHED;
1718  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1719  f.alproto = ALPROTO_HTTP1;
1720 
1721  StreamTcpInitConfig(true);
1722 
1723  de_ctx = DetectEngineCtxInit();
1724  if (de_ctx == NULL)
1725  goto end;
1726 
1727  de_ctx->flags |= DE_QUIET;
1728 
1729  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1730  "(msg:\"http_host header test\"; "
1731  "content:\"kaboom\"; http_host; "
1732  "sid:1;)");
1733  if (de_ctx->sig_list == NULL)
1734  goto end;
1735 
1736  SigGroupBuild(de_ctx);
1737  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1738 
1739  int r = AppLayerParserParse(
1740  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1741  if (r != 0) {
1742  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1743  result = 0;
1744  goto end;
1745  }
1746 
1747  http_state = f.alstate;
1748  if (http_state == NULL) {
1749  printf("no http state: ");
1750  result = 0;
1751  goto end;
1752  }
1753 
1754  /* do detect */
1755  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1756 
1757  if (!PacketAlertCheck(p, 1)) {
1758  printf("sid 1 didn't match but should have: ");
1759  goto end;
1760  }
1761 
1762  result = 1;
1763 
1764 end:
1765  if (alp_tctx != NULL)
1766  AppLayerParserThreadCtxFree(alp_tctx);
1767  if (de_ctx != NULL)
1768  SigGroupCleanup(de_ctx);
1769  if (de_ctx != NULL)
1770  SigCleanSignatures(de_ctx);
1771  if (de_ctx != NULL)
1772  DetectEngineCtxFree(de_ctx);
1773 
1774  StreamTcpFreeConfig(true);
1775  FLOW_DESTROY(&f);
1776  UTHFreePackets(&p, 1);
1777  return result;
1778 }
1779 
1780 static int DetectEngineHttpHHTest19(void)
1781 {
1782  TcpSession ssn;
1783  Packet *p = NULL;
1784  ThreadVars th_v;
1785  DetectEngineCtx *de_ctx = NULL;
1786  DetectEngineThreadCtx *det_ctx = NULL;
1787  HtpState *http_state = NULL;
1788  Flow f;
1789  uint8_t http_buf[] =
1790  "GET /index.html HTTP/1.0\r\n"
1791  "Host: www.kaboom.com:8080\r\n"
1792  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1793  uint32_t http_len = sizeof(http_buf) - 1;
1794  int result = 0;
1795  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1796 
1797  memset(&th_v, 0, sizeof(th_v));
1798  memset(&f, 0, sizeof(f));
1799  memset(&ssn, 0, sizeof(ssn));
1800 
1801  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1802 
1803  FLOW_INITIALIZE(&f);
1804  f.protoctx = (void *)&ssn;
1805  f.proto = IPPROTO_TCP;
1806  f.flags |= FLOW_IPV4;
1807  p->flow = &f;
1808  p->flowflags |= FLOW_PKT_TOSERVER;
1809  p->flowflags |= FLOW_PKT_ESTABLISHED;
1810  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1811  f.alproto = ALPROTO_HTTP1;
1812 
1813  StreamTcpInitConfig(true);
1814 
1815  de_ctx = DetectEngineCtxInit();
1816  if (de_ctx == NULL)
1817  goto end;
1818 
1819  de_ctx->flags |= DE_QUIET;
1820 
1821  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1822  "(msg:\"http_host header test\"; "
1823  "content:\"kaboom\"; http_host; "
1824  "sid:1;)");
1825  if (de_ctx->sig_list == NULL)
1826  goto end;
1827 
1828  SigGroupBuild(de_ctx);
1829  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1830 
1831  int r = AppLayerParserParse(
1832  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1833  if (r != 0) {
1834  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1835  result = 0;
1836  goto end;
1837  }
1838 
1839  http_state = f.alstate;
1840  if (http_state == NULL) {
1841  printf("no http state: ");
1842  result = 0;
1843  goto end;
1844  }
1845 
1846  /* do detect */
1847  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1848 
1849  if (!PacketAlertCheck(p, 1)) {
1850  printf("sid 1 didn't match but should have: ");
1851  goto end;
1852  }
1853 
1854  result = 1;
1855 
1856 end:
1857  if (alp_tctx != NULL)
1858  AppLayerParserThreadCtxFree(alp_tctx);
1859  if (de_ctx != NULL)
1860  SigGroupCleanup(de_ctx);
1861  if (de_ctx != NULL)
1862  SigCleanSignatures(de_ctx);
1863  if (de_ctx != NULL)
1864  DetectEngineCtxFree(de_ctx);
1865 
1866  StreamTcpFreeConfig(true);
1867  FLOW_DESTROY(&f);
1868  UTHFreePackets(&p, 1);
1869  return result;
1870 }
1871 
1872 static int DetectEngineHttpHHTest20(void)
1873 {
1874  TcpSession ssn;
1875  Packet *p = NULL;
1876  ThreadVars th_v;
1877  DetectEngineCtx *de_ctx = NULL;
1878  DetectEngineThreadCtx *det_ctx = NULL;
1879  HtpState *http_state = NULL;
1880  Flow f;
1881  uint8_t http_buf[] =
1882  "GET /index.html HTTP/1.0\r\n"
1883  "Host: www.kaboom.com:8080\r\n"
1884  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1885  uint32_t http_len = sizeof(http_buf) - 1;
1886  int result = 0;
1887  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1888 
1889  memset(&th_v, 0, sizeof(th_v));
1890  memset(&f, 0, sizeof(f));
1891  memset(&ssn, 0, sizeof(ssn));
1892 
1893  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1894 
1895  FLOW_INITIALIZE(&f);
1896  f.protoctx = (void *)&ssn;
1897  f.proto = IPPROTO_TCP;
1898  f.flags |= FLOW_IPV4;
1899  p->flow = &f;
1900  p->flowflags |= FLOW_PKT_TOSERVER;
1901  p->flowflags |= FLOW_PKT_ESTABLISHED;
1902  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1903  f.alproto = ALPROTO_HTTP1;
1904 
1905  StreamTcpInitConfig(true);
1906 
1907  de_ctx = DetectEngineCtxInit();
1908  if (de_ctx == NULL)
1909  goto end;
1910 
1911  de_ctx->flags |= DE_QUIET;
1912 
1913  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1914  "(msg:\"http_host header test\"; "
1915  "content:\"8080\"; http_host; "
1916  "sid:1;)");
1917  if (de_ctx->sig_list == NULL)
1918  goto end;
1919 
1920  SigGroupBuild(de_ctx);
1921  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1922 
1923  int r = AppLayerParserParse(
1924  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1925  if (r != 0) {
1926  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1927  result = 0;
1928  goto end;
1929  }
1930 
1931  http_state = f.alstate;
1932  if (http_state == NULL) {
1933  printf("no http state: ");
1934  result = 0;
1935  goto end;
1936  }
1937 
1938  /* do detect */
1939  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1940 
1941  if (PacketAlertCheck(p, 1)) {
1942  printf("sid 1 matched but it shouldn't have: ");
1943  goto end;
1944  }
1945 
1946  result = 1;
1947 
1948 end:
1949  if (alp_tctx != NULL)
1950  AppLayerParserThreadCtxFree(alp_tctx);
1951  if (de_ctx != NULL)
1952  SigGroupCleanup(de_ctx);
1953  if (de_ctx != NULL)
1954  SigCleanSignatures(de_ctx);
1955  if (de_ctx != NULL)
1956  DetectEngineCtxFree(de_ctx);
1957 
1958  StreamTcpFreeConfig(true);
1959  FLOW_DESTROY(&f);
1960  UTHFreePackets(&p, 1);
1961  return result;
1962 }
1963 
1964 static int DetectEngineHttpHHTest21(void)
1965 {
1966  TcpSession ssn;
1967  Packet *p = NULL;
1968  ThreadVars th_v;
1969  DetectEngineCtx *de_ctx = NULL;
1970  DetectEngineThreadCtx *det_ctx = NULL;
1971  HtpState *http_state = NULL;
1972  Flow f;
1973  uint8_t http_buf[] =
1974  "GET http://www.kaboom.com/index.html HTTP/1.0\r\n"
1975  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
1976  uint32_t http_len = sizeof(http_buf) - 1;
1977  int result = 0;
1978  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1979 
1980  memset(&th_v, 0, sizeof(th_v));
1981  memset(&f, 0, sizeof(f));
1982  memset(&ssn, 0, sizeof(ssn));
1983 
1984  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1985 
1986  FLOW_INITIALIZE(&f);
1987  f.protoctx = (void *)&ssn;
1988  f.proto = IPPROTO_TCP;
1989  f.flags |= FLOW_IPV4;
1990  p->flow = &f;
1991  p->flowflags |= FLOW_PKT_TOSERVER;
1992  p->flowflags |= FLOW_PKT_ESTABLISHED;
1993  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1994  f.alproto = ALPROTO_HTTP1;
1995 
1996  StreamTcpInitConfig(true);
1997 
1998  de_ctx = DetectEngineCtxInit();
1999  if (de_ctx == NULL)
2000  goto end;
2001 
2002  de_ctx->flags |= DE_QUIET;
2003 
2004  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2005  "(msg:\"http_host header test\"; "
2006  "content:\"kaboom\"; http_host; "
2007  "sid:1;)");
2008  if (de_ctx->sig_list == NULL)
2009  goto end;
2010 
2011  SigGroupBuild(de_ctx);
2012  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2013 
2014  int r = AppLayerParserParse(
2015  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2016  if (r != 0) {
2017  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2018  result = 0;
2019  goto end;
2020  }
2021 
2022  http_state = f.alstate;
2023  if (http_state == NULL) {
2024  printf("no http state: ");
2025  result = 0;
2026  goto end;
2027  }
2028 
2029  /* do detect */
2030  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2031 
2032  if (!PacketAlertCheck(p, 1)) {
2033  printf("sid 1 didn't match but should have: ");
2034  goto end;
2035  }
2036 
2037  result = 1;
2038 
2039 end:
2040  if (alp_tctx != NULL)
2041  AppLayerParserThreadCtxFree(alp_tctx);
2042  if (de_ctx != NULL)
2043  SigGroupCleanup(de_ctx);
2044  if (de_ctx != NULL)
2045  SigCleanSignatures(de_ctx);
2046  if (de_ctx != NULL)
2047  DetectEngineCtxFree(de_ctx);
2048 
2049  StreamTcpFreeConfig(true);
2050  FLOW_DESTROY(&f);
2051  UTHFreePackets(&p, 1);
2052  return result;
2053 }
2054 
2055 static int DetectEngineHttpHHTest22(void)
2056 {
2057  TcpSession ssn;
2058  Packet *p = NULL;
2059  ThreadVars th_v;
2060  DetectEngineCtx *de_ctx = NULL;
2061  DetectEngineThreadCtx *det_ctx = NULL;
2062  HtpState *http_state = NULL;
2063  Flow f;
2064  uint8_t http_buf[] =
2065  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2066  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2067  uint32_t http_len = sizeof(http_buf) - 1;
2068  int result = 0;
2069  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2070 
2071  memset(&th_v, 0, sizeof(th_v));
2072  memset(&f, 0, sizeof(f));
2073  memset(&ssn, 0, sizeof(ssn));
2074 
2075  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2076 
2077  FLOW_INITIALIZE(&f);
2078  f.protoctx = (void *)&ssn;
2079  f.proto = IPPROTO_TCP;
2080  f.flags |= FLOW_IPV4;
2081  p->flow = &f;
2082  p->flowflags |= FLOW_PKT_TOSERVER;
2083  p->flowflags |= FLOW_PKT_ESTABLISHED;
2084  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2085  f.alproto = ALPROTO_HTTP1;
2086 
2087  StreamTcpInitConfig(true);
2088 
2089  de_ctx = DetectEngineCtxInit();
2090  if (de_ctx == NULL)
2091  goto end;
2092 
2093  de_ctx->flags |= DE_QUIET;
2094 
2095  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2096  "(msg:\"http_host header test\"; "
2097  "content:\"kaboom\"; http_host; "
2098  "sid:1;)");
2099  if (de_ctx->sig_list == NULL)
2100  goto end;
2101 
2102  SigGroupBuild(de_ctx);
2103  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2104 
2105  int r = AppLayerParserParse(
2106  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2107  if (r != 0) {
2108  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2109  result = 0;
2110  goto end;
2111  }
2112 
2113  http_state = f.alstate;
2114  if (http_state == NULL) {
2115  printf("no http state: ");
2116  result = 0;
2117  goto end;
2118  }
2119 
2120  /* do detect */
2121  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2122 
2123  if (!PacketAlertCheck(p, 1)) {
2124  printf("sid 1 didn't match but should have: ");
2125  goto end;
2126  }
2127 
2128  result = 1;
2129 
2130 end:
2131  if (alp_tctx != NULL)
2132  AppLayerParserThreadCtxFree(alp_tctx);
2133  if (de_ctx != NULL)
2134  SigGroupCleanup(de_ctx);
2135  if (de_ctx != NULL)
2136  SigCleanSignatures(de_ctx);
2137  if (de_ctx != NULL)
2138  DetectEngineCtxFree(de_ctx);
2139 
2140  StreamTcpFreeConfig(true);
2141  FLOW_DESTROY(&f);
2142  UTHFreePackets(&p, 1);
2143  return result;
2144 }
2145 
2146 static int DetectEngineHttpHHTest23(void)
2147 {
2148  TcpSession ssn;
2149  Packet *p = NULL;
2150  ThreadVars th_v;
2151  DetectEngineCtx *de_ctx = NULL;
2152  DetectEngineThreadCtx *det_ctx = NULL;
2153  HtpState *http_state = NULL;
2154  Flow f;
2155  uint8_t http_buf[] =
2156  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2157  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2158  uint32_t http_len = sizeof(http_buf) - 1;
2159  int result = 0;
2160  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2161 
2162  memset(&th_v, 0, sizeof(th_v));
2163  memset(&f, 0, sizeof(f));
2164  memset(&ssn, 0, sizeof(ssn));
2165 
2166  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2167 
2168  FLOW_INITIALIZE(&f);
2169  f.protoctx = (void *)&ssn;
2170  f.proto = IPPROTO_TCP;
2171  f.flags |= FLOW_IPV4;
2172  p->flow = &f;
2173  p->flowflags |= FLOW_PKT_TOSERVER;
2174  p->flowflags |= FLOW_PKT_ESTABLISHED;
2175  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2176  f.alproto = ALPROTO_HTTP1;
2177 
2178  StreamTcpInitConfig(true);
2179 
2180  de_ctx = DetectEngineCtxInit();
2181  if (de_ctx == NULL)
2182  goto end;
2183 
2184  de_ctx->flags |= DE_QUIET;
2185 
2186  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2187  "(msg:\"http_host header test\"; "
2188  "content:\"8080\"; http_host; "
2189  "sid:1;)");
2190  if (de_ctx->sig_list == NULL)
2191  goto end;
2192 
2193  SigGroupBuild(de_ctx);
2194  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2195 
2196  int r = AppLayerParserParse(
2197  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2198  if (r != 0) {
2199  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2200  result = 0;
2201  goto end;
2202  }
2203 
2204  http_state = f.alstate;
2205  if (http_state == NULL) {
2206  printf("no http state: ");
2207  result = 0;
2208  goto end;
2209  }
2210 
2211  /* do detect */
2212  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2213 
2214  if (PacketAlertCheck(p, 1)) {
2215  printf("sid 1 matched but it shouldn't have: ");
2216  goto end;
2217  }
2218 
2219  result = 1;
2220 
2221 end:
2222  if (alp_tctx != NULL)
2223  AppLayerParserThreadCtxFree(alp_tctx);
2224  if (de_ctx != NULL)
2225  SigGroupCleanup(de_ctx);
2226  if (de_ctx != NULL)
2227  SigCleanSignatures(de_ctx);
2228  if (de_ctx != NULL)
2229  DetectEngineCtxFree(de_ctx);
2230 
2231  StreamTcpFreeConfig(true);
2232  FLOW_DESTROY(&f);
2233  UTHFreePackets(&p, 1);
2234  return result;
2235 }
2236 
2237 static int DetectEngineHttpHHTest24(void)
2238 {
2239  TcpSession ssn;
2240  Packet *p = NULL;
2241  ThreadVars th_v;
2242  DetectEngineCtx *de_ctx = NULL;
2243  DetectEngineThreadCtx *det_ctx = NULL;
2244  HtpState *http_state = NULL;
2245  Flow f;
2246  uint8_t http_buf[] =
2247  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2248  "Host: www.rabbit.com\r\n"
2249  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2250  uint32_t http_len = sizeof(http_buf) - 1;
2251  int result = 0;
2252  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2253 
2254  memset(&th_v, 0, sizeof(th_v));
2255  memset(&f, 0, sizeof(f));
2256  memset(&ssn, 0, sizeof(ssn));
2257 
2258  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2259 
2260  FLOW_INITIALIZE(&f);
2261  f.protoctx = (void *)&ssn;
2262  f.proto = IPPROTO_TCP;
2263  f.flags |= FLOW_IPV4;
2264  p->flow = &f;
2265  p->flowflags |= FLOW_PKT_TOSERVER;
2266  p->flowflags |= FLOW_PKT_ESTABLISHED;
2267  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2268  f.alproto = ALPROTO_HTTP1;
2269 
2270  StreamTcpInitConfig(true);
2271 
2272  de_ctx = DetectEngineCtxInit();
2273  if (de_ctx == NULL)
2274  goto end;
2275 
2276  de_ctx->flags |= DE_QUIET;
2277 
2278  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2279  "(msg:\"http_host header test\"; "
2280  "content:\"kaboom\"; http_host; "
2281  "sid:1;)");
2282  if (de_ctx->sig_list == NULL)
2283  goto end;
2284 
2285  SigGroupBuild(de_ctx);
2286  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2287 
2288  int r = AppLayerParserParse(
2289  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2290  if (r != 0) {
2291  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2292  result = 0;
2293  goto end;
2294  }
2295 
2296  http_state = f.alstate;
2297  if (http_state == NULL) {
2298  printf("no http state: ");
2299  result = 0;
2300  goto end;
2301  }
2302 
2303  /* do detect */
2304  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2305 
2306  if (!PacketAlertCheck(p, 1)) {
2307  printf("sid 1 didn't match but it should have: ");
2308  goto end;
2309  }
2310 
2311  result = 1;
2312 
2313 end:
2314  if (alp_tctx != NULL)
2315  AppLayerParserThreadCtxFree(alp_tctx);
2316  if (de_ctx != NULL)
2317  SigGroupCleanup(de_ctx);
2318  if (de_ctx != NULL)
2319  SigCleanSignatures(de_ctx);
2320  if (de_ctx != NULL)
2321  DetectEngineCtxFree(de_ctx);
2322 
2323  StreamTcpFreeConfig(true);
2324  FLOW_DESTROY(&f);
2325  UTHFreePackets(&p, 1);
2326  return result;
2327 }
2328 
2329 static int DetectEngineHttpHHTest25(void)
2330 {
2331  TcpSession ssn;
2332  Packet *p = NULL;
2333  ThreadVars th_v;
2334  DetectEngineCtx *de_ctx = NULL;
2335  DetectEngineThreadCtx *det_ctx = NULL;
2336  HtpState *http_state = NULL;
2337  Flow f;
2338  uint8_t http_buf[] =
2339  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2340  "Host: www.rabbit.com\r\n"
2341  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2342  uint32_t http_len = sizeof(http_buf) - 1;
2343  int result = 0;
2344  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2345 
2346  memset(&th_v, 0, sizeof(th_v));
2347  memset(&f, 0, sizeof(f));
2348  memset(&ssn, 0, sizeof(ssn));
2349 
2350  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2351 
2352  FLOW_INITIALIZE(&f);
2353  f.protoctx = (void *)&ssn;
2354  f.proto = IPPROTO_TCP;
2355  f.flags |= FLOW_IPV4;
2356  p->flow = &f;
2357  p->flowflags |= FLOW_PKT_TOSERVER;
2358  p->flowflags |= FLOW_PKT_ESTABLISHED;
2359  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2360  f.alproto = ALPROTO_HTTP1;
2361 
2362  StreamTcpInitConfig(true);
2363 
2364  de_ctx = DetectEngineCtxInit();
2365  if (de_ctx == NULL)
2366  goto end;
2367 
2368  de_ctx->flags |= DE_QUIET;
2369 
2370  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2371  "(msg:\"http_host header test\"; "
2372  "content:\"rabbit\"; http_host; "
2373  "sid:1;)");
2374  if (de_ctx->sig_list == NULL)
2375  goto end;
2376 
2377  SigGroupBuild(de_ctx);
2378  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2379 
2380  int r = AppLayerParserParse(
2381  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2382  if (r != 0) {
2383  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2384  result = 0;
2385  goto end;
2386  }
2387 
2388  http_state = f.alstate;
2389  if (http_state == NULL) {
2390  printf("no http state: ");
2391  result = 0;
2392  goto end;
2393  }
2394 
2395  /* do detect */
2396  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2397 
2398  if (PacketAlertCheck(p, 1)) {
2399  printf("sid 1 matched but it shouldn't have: ");
2400  goto end;
2401  }
2402 
2403  result = 1;
2404 
2405 end:
2406  if (alp_tctx != NULL)
2407  AppLayerParserThreadCtxFree(alp_tctx);
2408  if (de_ctx != NULL)
2409  SigGroupCleanup(de_ctx);
2410  if (de_ctx != NULL)
2411  SigCleanSignatures(de_ctx);
2412  if (de_ctx != NULL)
2413  DetectEngineCtxFree(de_ctx);
2414 
2415  StreamTcpFreeConfig(true);
2416  FLOW_DESTROY(&f);
2417  UTHFreePackets(&p, 1);
2418  return result;
2419 }
2420 
2421 /**
2422  * \test Test that a signature containing a http_host is correctly parsed
2423  * and the keyword is registered.
2424  */
2425 static int DetectHttpHHTest01(void)
2426 {
2427  DetectEngineCtx *de_ctx = NULL;
2428  int result = 0;
2429 
2430  de_ctx = DetectEngineCtxInit();
2431  if (de_ctx == NULL)
2432  goto end;
2433 
2434  de_ctx->flags |= DE_QUIET;
2435  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2436  "(msg:\"Testing http_host\"; "
2437  "content:\"one\"; http_host; sid:1;)");
2438  if (de_ctx->sig_list != NULL) {
2439  result = 1;
2440  } else {
2441  goto end;
2442  }
2443 
2444  end:
2445  DetectEngineCtxFree(de_ctx);
2446 
2447  return result;
2448 }
2449 
2450 /**
2451  * \test Test that a signature containing an valid http_host entry is
2452  * parsed.
2453  */
2454 static int DetectHttpHHTest02(void)
2455 {
2456  DetectEngineCtx *de_ctx = NULL;
2457  int result = 0;
2458 
2459  de_ctx = DetectEngineCtxInit();
2460  if (de_ctx == NULL)
2461  goto end;
2462 
2463  de_ctx->flags |= DE_QUIET;
2464  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2465  "(msg:\"Testing http_host\"; "
2466  "content:\"one\"; http_host; sid:1;)");
2467  if (de_ctx->sig_list != NULL)
2468  result = 1;
2469 
2470  end:
2471  DetectEngineCtxFree(de_ctx);
2472 
2473  return result;
2474 }
2475 
2476 /**
2477  * \test Test that an invalid signature containing no content but a
2478  * http_host is invalidated.
2479  */
2480 static int DetectHttpHHTest03(void)
2481 {
2482  DetectEngineCtx *de_ctx = NULL;
2483  int result = 0;
2484 
2485  de_ctx = DetectEngineCtxInit();
2486  if (de_ctx == NULL)
2487  goto end;
2488 
2489  de_ctx->flags |= DE_QUIET;
2490  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2491  "(msg:\"Testing http_host\"; "
2492  "http_host; sid:1;)");
2493  if (de_ctx->sig_list == NULL)
2494  result = 1;
2495 
2496  end:
2497  DetectEngineCtxFree(de_ctx);
2498 
2499  return result;
2500 }
2501 
2502 /**
2503  * \test Test that an invalid signature containing a rawbytes along with a
2504  * http_host is invalidated.
2505  */
2506 static int DetectHttpHHTest04(void)
2507 {
2508  DetectEngineCtx *de_ctx = NULL;
2509  int result = 0;
2510 
2511  de_ctx = DetectEngineCtxInit();
2512  if (de_ctx == NULL)
2513  goto end;
2514 
2515  de_ctx->flags |= DE_QUIET;
2516  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2517  "(msg:\"Testing http_host\"; "
2518  "content:\"one\"; rawbytes; http_host; sid:1;)");
2519  if (de_ctx->sig_list == NULL)
2520  result = 1;
2521 
2522  end:
2523  DetectEngineCtxFree(de_ctx);
2524 
2525  return result;
2526 }
2527 
2528 /**
2529  * \test Test that a http_host with nocase is parsed.
2530  */
2531 static int DetectHttpHHTest05(void)
2532 {
2533  DetectEngineCtx *de_ctx = NULL;
2534  int result = 0;
2535 
2536  de_ctx = DetectEngineCtxInit();
2537  if (de_ctx == NULL)
2538  goto end;
2539 
2540  de_ctx->flags |= DE_QUIET;
2541  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2542  "(msg:\"Testing http_host\"; "
2543  "content:\"one\"; http_host; sid:1;)");
2544  if (de_ctx->sig_list != NULL)
2545  result = 1;
2546 
2547  end:
2548  DetectEngineCtxFree(de_ctx);
2549 
2550  return result;
2551 }
2552 
2553 /** \test invalid sig: uppercase content */
2554 static int DetectHttpHHTest05a(void)
2555 {
2556  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2557  FAIL_IF_NULL(de_ctx);
2558  de_ctx->flags |= DE_QUIET;
2559 
2560  Signature *s = DetectEngineAppendSig(de_ctx,
2561  "alert tcp any any -> any any "
2562  "(content:\"ABC\"; http_host; sid:1;)");
2563  FAIL_IF_NOT_NULL(s);
2564 
2565  DetectEngineCtxFree(de_ctx);
2566  PASS;
2567 }
2568 
2569 /**
2570  *\test Test that the http_host content matches against a http request
2571  * which holds the content.
2572  */
2573 static int DetectHttpHHTest06(void)
2574 {
2575  TcpSession ssn;
2576  Packet *p = NULL;
2577  ThreadVars th_v;
2578  DetectEngineCtx *de_ctx = NULL;
2579  DetectEngineThreadCtx *det_ctx = NULL;
2580  HtpState *http_state = NULL;
2581  Flow f;
2582  uint8_t http_buf[] =
2583  "GET /index.html HTTP/1.0\r\n"
2584  "User-Agent: www.openinfosecfoundation.org\r\n"
2585  "Host: This is dummy message body\r\n"
2586  "Content-Type: text/html\r\n"
2587  "\r\n";
2588  uint32_t http_len = sizeof(http_buf) - 1;
2589  int result = 0;
2590  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2591 
2592  memset(&th_v, 0, sizeof(th_v));
2593  memset(&f, 0, sizeof(f));
2594  memset(&ssn, 0, sizeof(ssn));
2595 
2596  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2597 
2598  FLOW_INITIALIZE(&f);
2599  f.protoctx = (void *)&ssn;
2600  f.proto = IPPROTO_TCP;
2601  f.flags |= FLOW_IPV4;
2602 
2603  p->flow = &f;
2604  p->flowflags |= FLOW_PKT_TOSERVER;
2605  p->flowflags |= FLOW_PKT_ESTABLISHED;
2606  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2607  f.alproto = ALPROTO_HTTP1;
2608 
2609  StreamTcpInitConfig(true);
2610 
2611  de_ctx = DetectEngineCtxInit();
2612  if (de_ctx == NULL)
2613  goto end;
2614 
2615  de_ctx->flags |= DE_QUIET;
2616 
2617  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2618  "(msg:\"http host test\"; "
2619  "content:\"message\"; http_host; "
2620  "sid:1;)");
2621  if (de_ctx->sig_list == NULL)
2622  goto end;
2623 
2624  SigGroupBuild(de_ctx);
2625  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2626 
2627  int r = AppLayerParserParse(
2628  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2629  if (r != 0) {
2630  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2631  result = 0;
2632  goto end;
2633  }
2634 
2635  http_state = f.alstate;
2636  if (http_state == NULL) {
2637  printf("no http state: \n");
2638  result = 0;
2639  goto end;
2640  }
2641 
2642  /* do detect */
2643  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2644 
2645  if (!(PacketAlertCheck(p, 1))) {
2646  printf("sid 1 didn't match but should have\n");
2647  goto end;
2648  }
2649 
2650  result = 1;
2651 end:
2652  if (alp_tctx != NULL)
2653  AppLayerParserThreadCtxFree(alp_tctx);
2654  if (de_ctx != NULL)
2655  DetectEngineCtxFree(de_ctx);
2656 
2657  StreamTcpFreeConfig(true);
2658  FLOW_DESTROY(&f);
2659  UTHFreePackets(&p, 1);
2660  return result;
2661 }
2662 
2663 /**
2664  *\test Test that the http_host content matches against a http request
2665  * which holds the content.
2666  */
2667 static int DetectHttpHHTest07(void)
2668 {
2669  TcpSession ssn;
2670  Packet *p1 = NULL;
2671  Packet *p2 = NULL;
2672  ThreadVars th_v;
2673  DetectEngineCtx *de_ctx = NULL;
2674  DetectEngineThreadCtx *det_ctx = NULL;
2675  HtpState *http_state = NULL;
2676  Flow f;
2677  uint8_t http1_buf[] =
2678  "GET /index.html HTTP/1.0\r\n"
2679  "User-Agent: www.openinfosecfoundation.org\r\n"
2680  "Host: This is dummy message";
2681  uint8_t http2_buf[] =
2682  "body1\r\n\r\n";
2683  uint32_t http1_len = sizeof(http1_buf) - 1;
2684  uint32_t http2_len = sizeof(http2_buf) - 1;
2685  int result = 0;
2686  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2687 
2688  memset(&th_v, 0, sizeof(th_v));
2689  memset(&f, 0, sizeof(f));
2690  memset(&ssn, 0, sizeof(ssn));
2691 
2692  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2693  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2694 
2695  FLOW_INITIALIZE(&f);
2696  f.protoctx = (void *)&ssn;
2697  f.proto = IPPROTO_TCP;
2698  f.flags |= FLOW_IPV4;
2699 
2700  p1->flow = &f;
2701  p1->flowflags |= FLOW_PKT_TOSERVER;
2702  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2703  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2704  p2->flow = &f;
2705  p2->flowflags |= FLOW_PKT_TOSERVER;
2706  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2707  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2708  f.alproto = ALPROTO_HTTP1;
2709 
2710  StreamTcpInitConfig(true);
2711 
2712  de_ctx = DetectEngineCtxInit();
2713  if (de_ctx == NULL)
2714  goto end;
2715 
2716  de_ctx->flags |= DE_QUIET;
2717 
2718  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2719  "(msg:\"http host test\"; "
2720  "content:\"message\"; http_host; "
2721  "sid:1;)");
2722  if (de_ctx->sig_list == NULL)
2723  goto end;
2724 
2725  SigGroupBuild(de_ctx);
2726  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2727 
2728  int r = AppLayerParserParse(
2729  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2730  if (r != 0) {
2731  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2732  result = 0;
2733  goto end;
2734  }
2735 
2736  http_state = f.alstate;
2737  if (http_state == NULL) {
2738  printf("no http state: ");
2739  goto end;
2740  }
2741 
2742  /* do detect */
2743  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2744 
2745  if (PacketAlertCheck(p1, 1)) {
2746  printf("sid 1 matched on p1 but shouldn't have: ");
2747  goto end;
2748  }
2749 
2750  r = AppLayerParserParse(
2751  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2752  if (r != 0) {
2753  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2754  goto end;
2755  }
2756 
2757  /* do detect */
2758  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2759  if (!(PacketAlertCheck(p2, 1))) {
2760  printf("sid 1 didn't match on p2 but should have: ");
2761  goto end;
2762  }
2763 
2764  result = 1;
2765 end:
2766  if (alp_tctx != NULL)
2767  AppLayerParserThreadCtxFree(alp_tctx);
2768  if (de_ctx != NULL)
2769  DetectEngineCtxFree(de_ctx);
2770 
2771  StreamTcpFreeConfig(true);
2772  FLOW_DESTROY(&f);
2773  UTHFreePackets(&p1, 1);
2774  UTHFreePackets(&p2, 1);
2775  return result;
2776 }
2777 
2778 /**
2779  *\test Test that the http_host content matches against a http request
2780  * which holds the content.
2781  */
2782 static int DetectHttpHHTest08(void)
2783 {
2784  TcpSession ssn;
2785  Packet *p1 = NULL;
2786  Packet *p2 = NULL;
2787  ThreadVars th_v;
2788  DetectEngineCtx *de_ctx = NULL;
2789  DetectEngineThreadCtx *det_ctx = NULL;
2790  HtpState *http_state = NULL;
2791  Flow f;
2792  uint8_t http1_buf[] =
2793  "GET /index.html HTTP/1.0\r\n"
2794  "User-Agent: www.openinfosecfoundation.org\r\n"
2795  "host: This is dummy mess";
2796  uint8_t http2_buf[] =
2797  "age body\r\n\r\n";
2798  uint32_t http1_len = sizeof(http1_buf) - 1;
2799  uint32_t http2_len = sizeof(http2_buf) - 1;
2800  int result = 0;
2801  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2802 
2803  memset(&th_v, 0, sizeof(th_v));
2804  memset(&f, 0, sizeof(f));
2805  memset(&ssn, 0, sizeof(ssn));
2806 
2807  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2808  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2809 
2810  FLOW_INITIALIZE(&f);
2811  f.protoctx = (void *)&ssn;
2812  f.proto = IPPROTO_TCP;
2813  f.flags |= FLOW_IPV4;
2814 
2815  p1->flow = &f;
2816  p1->flowflags |= FLOW_PKT_TOSERVER;
2817  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2818  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2819  p2->flow = &f;
2820  p2->flowflags |= FLOW_PKT_TOSERVER;
2821  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2822  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2823  f.alproto = ALPROTO_HTTP1;
2824 
2825  StreamTcpInitConfig(true);
2826 
2827  de_ctx = DetectEngineCtxInit();
2828  if (de_ctx == NULL)
2829  goto end;
2830 
2831  de_ctx->flags |= DE_QUIET;
2832 
2833  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2834  "(msg:\"http host test\"; "
2835  "content:\"message\"; http_host; "
2836  "sid:1;)");
2837  if (de_ctx->sig_list == NULL)
2838  goto end;
2839 
2840  SigGroupBuild(de_ctx);
2841  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2842 
2843  int r = AppLayerParserParse(
2844  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2845  if (r != 0) {
2846  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2847  result = 0;
2848  goto end;
2849  }
2850 
2851  http_state = f.alstate;
2852  if (http_state == NULL) {
2853  printf("no http state: ");
2854  result = 0;
2855  goto end;
2856  }
2857 
2858  /* do detect */
2859  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2860 
2861  if ((PacketAlertCheck(p1, 1))) {
2862  printf("sid 1 didn't match but should have");
2863  goto end;
2864  }
2865 
2866  r = AppLayerParserParse(
2867  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2868  if (r != 0) {
2869  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2870  result = 0;
2871  goto end;
2872  }
2873 
2874  /* do detect */
2875  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2876 
2877  if (!(PacketAlertCheck(p2, 1))) {
2878  printf("sid 1 didn't match but should have");
2879  goto end;
2880  }
2881 
2882  result = 1;
2883 end:
2884  if (alp_tctx != NULL)
2885  AppLayerParserThreadCtxFree(alp_tctx);
2886  if (de_ctx != NULL)
2887  DetectEngineCtxFree(de_ctx);
2888 
2889  StreamTcpFreeConfig(true);
2890  FLOW_DESTROY(&f);
2891  UTHFreePackets(&p1, 1);
2892  UTHFreePackets(&p2, 1);
2893  return result;
2894 }
2895 
2896 /**
2897  *\test Test that the http_host content matches against a http request
2898  * which holds the content, against a cross boundary present pattern.
2899  */
2900 static int DetectHttpHHTest09(void)
2901 {
2902  TcpSession ssn;
2903  Packet *p1 = NULL;
2904  Packet *p2 = NULL;
2905  ThreadVars th_v;
2906  DetectEngineCtx *de_ctx = NULL;
2907  DetectEngineThreadCtx *det_ctx = NULL;
2908  HtpState *http_state = NULL;
2909  Flow f;
2910  uint8_t http1_buf[] =
2911  "GET /index.html HTTP/1.0\r\n"
2912  "User-Agent: www.openinfosecfoundation.org\r\n"
2913  "Host: This is dummy body1";
2914  uint8_t http2_buf[] =
2915  "This is dummy message body2\r\n"
2916  "Content-Type: text/html\r\n"
2917  "Content-Length: 46\r\n"
2918  "\r\n"
2919  "This is dummy body1";
2920  uint32_t http1_len = sizeof(http1_buf) - 1;
2921  uint32_t http2_len = sizeof(http2_buf) - 1;
2922  int result = 0;
2923  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2924 
2925  memset(&th_v, 0, sizeof(th_v));
2926  memset(&f, 0, sizeof(f));
2927  memset(&ssn, 0, sizeof(ssn));
2928 
2929  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2930  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2931 
2932  FLOW_INITIALIZE(&f);
2933  f.protoctx = (void *)&ssn;
2934  f.proto = IPPROTO_TCP;
2935  f.flags |= FLOW_IPV4;
2936 
2937  p1->flow = &f;
2938  p1->flowflags |= FLOW_PKT_TOSERVER;
2939  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2940  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2941  p2->flow = &f;
2942  p2->flowflags |= FLOW_PKT_TOSERVER;
2943  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2944  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2945  f.alproto = ALPROTO_HTTP1;
2946 
2947  StreamTcpInitConfig(true);
2948 
2949  de_ctx = DetectEngineCtxInit();
2950  if (de_ctx == NULL)
2951  goto end;
2952 
2953  de_ctx->flags |= DE_QUIET;
2954 
2955  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2956  "(msg:\"http host test\"; "
2957  "content:\"body1this\"; http_host; "
2958  "sid:1;)");
2959  if (de_ctx->sig_list == NULL)
2960  goto end;
2961 
2962  SigGroupBuild(de_ctx);
2963  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2964 
2965  int r = AppLayerParserParse(
2966  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2967  if (r != 0) {
2968  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2969  result = 0;
2970  goto end;
2971  }
2972 
2973  http_state = f.alstate;
2974  if (http_state == NULL) {
2975  printf("no http state: ");
2976  result = 0;
2977  goto end;
2978  }
2979 
2980  /* do detect */
2981  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2982 
2983  if ((PacketAlertCheck(p1, 1))) {
2984  printf("sid 1 didn't match but should have");
2985  goto end;
2986  }
2987 
2988  r = AppLayerParserParse(
2989  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2990  if (r != 0) {
2991  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2992  result = 0;
2993  goto end;
2994  }
2995 
2996  /* do detect */
2997  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2998 
2999  if (!(PacketAlertCheck(p2, 1))) {
3000  printf("sid 1 didn't match but should have");
3001  goto end;
3002  }
3003 
3004  result = 1;
3005 end:
3006  if (alp_tctx != NULL)
3007  AppLayerParserThreadCtxFree(alp_tctx);
3008  if (de_ctx != NULL)
3009  DetectEngineCtxFree(de_ctx);
3010 
3011  StreamTcpFreeConfig(true);
3012  FLOW_DESTROY(&f);
3013  UTHFreePackets(&p1, 1);
3014  UTHFreePackets(&p2, 1);
3015  return result;
3016 }
3017 
3018 /**
3019  *\test Test that the http_host content matches against a http request
3020  * against a case insensitive pattern.
3021  */
3022 static int DetectHttpHHTest10(void)
3023 {
3024  TcpSession ssn;
3025  Packet *p1 = NULL;
3026  Packet *p2 = NULL;
3027  ThreadVars th_v;
3028  DetectEngineCtx *de_ctx = NULL;
3029  DetectEngineThreadCtx *det_ctx = NULL;
3030  HtpState *http_state = NULL;
3031  Flow f;
3032  uint8_t http1_buf[] =
3033  "GET /index.html HTTP/1.0\r\n"
3034  "User-Agent: www.openinfosecfoundation.org\r\n"
3035  "Host: This is dummy bodY1";
3036  uint8_t http2_buf[] =
3037  "This is dummy message body2\r\n"
3038  "Content-Type: text/html\r\n"
3039  "Content-Length: 46\r\n"
3040  "\r\n"
3041  "This is dummy bodY1";
3042  uint32_t http1_len = sizeof(http1_buf) - 1;
3043  uint32_t http2_len = sizeof(http2_buf) - 1;
3044  int result = 0;
3045  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3046 
3047  memset(&th_v, 0, sizeof(th_v));
3048  memset(&f, 0, sizeof(f));
3049  memset(&ssn, 0, sizeof(ssn));
3050 
3051  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3052  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3053 
3054  FLOW_INITIALIZE(&f);
3055  f.protoctx = (void *)&ssn;
3056  f.proto = IPPROTO_TCP;
3057  f.flags |= FLOW_IPV4;
3058 
3059  p1->flow = &f;
3060  p1->flowflags |= FLOW_PKT_TOSERVER;
3061  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3062  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3063  p2->flow = &f;
3064  p2->flowflags |= FLOW_PKT_TOSERVER;
3065  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3066  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3067  f.alproto = ALPROTO_HTTP1;
3068 
3069  StreamTcpInitConfig(true);
3070 
3071  de_ctx = DetectEngineCtxInit();
3072  if (de_ctx == NULL)
3073  goto end;
3074 
3075  de_ctx->flags |= DE_QUIET;
3076 
3077  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3078  "(msg:\"http host test\"; "
3079  "content:\"body1this\"; http_host; "
3080  "sid:1;)");
3081  if (de_ctx->sig_list == NULL)
3082  goto end;
3083 
3084  SigGroupBuild(de_ctx);
3085  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3086 
3087  int r = AppLayerParserParse(
3088  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3089  if (r != 0) {
3090  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3091  result = 0;
3092  goto end;
3093  }
3094 
3095  http_state = f.alstate;
3096  if (http_state == NULL) {
3097  printf("no http state: \n");
3098  result = 0;
3099  goto end;
3100  }
3101 
3102  /* do detect */
3103  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3104 
3105  if ((PacketAlertCheck(p1, 1))) {
3106  printf("sid 1 didn't match but should have\n");
3107  goto end;
3108  }
3109 
3110  r = AppLayerParserParse(
3111  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3112  if (r != 0) {
3113  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3114  result = 0;
3115  goto end;
3116  }
3117 
3118 
3119  /* do detect */
3120  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3121 
3122  if (!(PacketAlertCheck(p2, 1))) {
3123  printf("sid 1 didn't match but should have");
3124  goto end;
3125  }
3126 
3127  result = 1;
3128 end:
3129  if (alp_tctx != NULL)
3130  AppLayerParserThreadCtxFree(alp_tctx);
3131  if (de_ctx != NULL)
3132  DetectEngineCtxFree(de_ctx);
3133 
3134  StreamTcpFreeConfig(true);
3135  FLOW_DESTROY(&f);
3136  UTHFreePackets(&p1, 1);
3137  UTHFreePackets(&p2, 1);
3138  return result;
3139 }
3140 
3141 /**
3142  *\test Test that the negated http_host content matches against a
3143  * http request which doesn't hold the content.
3144  */
3145 static int DetectHttpHHTest11(void)
3146 {
3147  TcpSession ssn;
3148  Packet *p = NULL;
3149  ThreadVars th_v;
3150  DetectEngineCtx *de_ctx = NULL;
3151  DetectEngineThreadCtx *det_ctx = NULL;
3152  HtpState *http_state = NULL;
3153  Flow f;
3154  uint8_t http_buf[] =
3155  "GET /index.html HTTP/1.0\r\n"
3156  "User-Agent: www.openinfosecfoundation.org\r\n"
3157  "Host: This is dummy message body\r\n"
3158  "Content-Type: text/html\r\n"
3159  "\r\n";
3160  uint32_t http_len = sizeof(http_buf) - 1;
3161  int result = 0;
3162  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3163 
3164  memset(&th_v, 0, sizeof(th_v));
3165  memset(&f, 0, sizeof(f));
3166  memset(&ssn, 0, sizeof(ssn));
3167 
3168  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3169 
3170  FLOW_INITIALIZE(&f);
3171  f.protoctx = (void *)&ssn;
3172  f.proto = IPPROTO_TCP;
3173  f.flags |= FLOW_IPV4;
3174 
3175  p->flow = &f;
3176  p->flowflags |= FLOW_PKT_TOSERVER;
3177  p->flowflags |= FLOW_PKT_ESTABLISHED;
3178  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3179  f.alproto = ALPROTO_HTTP1;
3180 
3181  StreamTcpInitConfig(true);
3182 
3183  de_ctx = DetectEngineCtxInit();
3184  if (de_ctx == NULL)
3185  goto end;
3186 
3187  de_ctx->flags |= DE_QUIET;
3188 
3189  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3190  "(msg:\"http host test\"; "
3191  "content:!\"message\"; http_host; "
3192  "sid:1;)");
3193  if (de_ctx->sig_list == NULL)
3194  goto end;
3195 
3196  SigGroupBuild(de_ctx);
3197  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3198 
3199  int r = AppLayerParserParse(
3200  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3201  if (r != 0) {
3202  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3203  result = 0;
3204  goto end;
3205  }
3206 
3207  http_state = f.alstate;
3208  if (http_state == NULL) {
3209  printf("no http state: ");
3210  result = 0;
3211  goto end;
3212  }
3213 
3214  /* do detect */
3215  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3216 
3217  if (PacketAlertCheck(p, 1)) {
3218  printf("sid 1 matched but shouldn't have");
3219  goto end;
3220  }
3221 
3222  result = 1;
3223 end:
3224  if (alp_tctx != NULL)
3225  AppLayerParserThreadCtxFree(alp_tctx);
3226  if (de_ctx != NULL)
3227  DetectEngineCtxFree(de_ctx);
3228 
3229  StreamTcpFreeConfig(true);
3230  FLOW_DESTROY(&f);
3231  UTHFreePackets(&p, 1);
3232  return result;
3233 }
3234 
3235 /**
3236  *\test Negative test that the negated http_host content matches against a
3237  * http request which holds hold the content.
3238  */
3239 static int DetectHttpHHTest12(void)
3240 {
3241  TcpSession ssn;
3242  Packet *p = NULL;
3243  ThreadVars th_v;
3244  DetectEngineCtx *de_ctx = NULL;
3245  DetectEngineThreadCtx *det_ctx = NULL;
3246  HtpState *http_state = NULL;
3247  Flow f;
3248  uint8_t http_buf[] =
3249  "GET /index.html HTTP/1.0\r\n"
3250  "User-Agent: www.openinfosecfoundation.org\r\n"
3251  "Host: This is dummy body\r\n"
3252  "\r\n";
3253  uint32_t http_len = sizeof(http_buf) - 1;
3254  int result = 0;
3255  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3256 
3257  memset(&th_v, 0, sizeof(th_v));
3258  memset(&f, 0, sizeof(f));
3259  memset(&ssn, 0, sizeof(ssn));
3260 
3261  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3262 
3263  FLOW_INITIALIZE(&f);
3264  f.protoctx = (void *)&ssn;
3265  f.proto = IPPROTO_TCP;
3266  f.flags |= FLOW_IPV4;
3267 
3268  p->flow = &f;
3269  p->flowflags |= FLOW_PKT_TOSERVER;
3270  p->flowflags |= FLOW_PKT_ESTABLISHED;
3271  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3272  f.alproto = ALPROTO_HTTP1;
3273 
3274  StreamTcpInitConfig(true);
3275 
3276  de_ctx = DetectEngineCtxInit();
3277  if (de_ctx == NULL)
3278  goto end;
3279 
3280  de_ctx->flags |= DE_QUIET;
3281 
3282  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3283  "(msg:\"http host test\"; "
3284  "content:!\"message\"; http_host; "
3285  "sid:1;)");
3286  if (de_ctx->sig_list == NULL)
3287  goto end;
3288 
3289  SigGroupBuild(de_ctx);
3290  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3291 
3292  int r = AppLayerParserParse(
3293  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3294  if (r != 0) {
3295  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3296  result = 0;
3297  goto end;
3298  }
3299 
3300  http_state = f.alstate;
3301  if (http_state == NULL) {
3302  printf("no http state: ");
3303  result = 0;
3304  goto end;
3305  }
3306 
3307  /* do detect */
3308  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3309 
3310  if (!(PacketAlertCheck(p, 1))) {
3311  printf("sid 1 didn't match but should have");
3312  goto end;
3313  }
3314 
3315  result = 1;
3316 end:
3317  if (alp_tctx != NULL)
3318  AppLayerParserThreadCtxFree(alp_tctx);
3319  if (de_ctx != NULL)
3320  DetectEngineCtxFree(de_ctx);
3321 
3322  StreamTcpFreeConfig(true);
3323  FLOW_DESTROY(&f);
3324  UTHFreePackets(&p, 1);
3325  return result;
3326 }
3327 
3328 /**
3329  * \test Test that the http_host content matches against a http request
3330  * which holds the content.
3331  */
3332 static int DetectHttpHHTest13(void)
3333 {
3334  TcpSession ssn;
3335  Packet *p = NULL;
3336  ThreadVars th_v;
3337  DetectEngineCtx *de_ctx = NULL;
3338  DetectEngineThreadCtx *det_ctx = NULL;
3339  HtpState *http_state = NULL;
3340  Flow f;
3341  uint8_t http_buf[] =
3342  "GET /index.html HTTP/1.0\r\n"
3343  "User-Agent: www.openinfosecfoundation.org\r\n"
3344  "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
3345  "Content-Type: text/html\r\n"
3346  "\r\n";
3347  uint32_t http_len = sizeof(http_buf) - 1;
3348  int result = 0;
3349  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3350 
3351  memset(&th_v, 0, sizeof(th_v));
3352  memset(&f, 0, sizeof(f));
3353  memset(&ssn, 0, sizeof(ssn));
3354 
3355  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3356 
3357  FLOW_INITIALIZE(&f);
3358  f.protoctx = (void *)&ssn;
3359  f.proto = IPPROTO_TCP;
3360  f.flags |= FLOW_IPV4;
3361 
3362  p->flow = &f;
3363  p->flowflags |= FLOW_PKT_TOSERVER;
3364  p->flowflags |= FLOW_PKT_ESTABLISHED;
3365  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3366  f.alproto = ALPROTO_HTTP1;
3367 
3368  StreamTcpInitConfig(true);
3369 
3370  de_ctx = DetectEngineCtxInit();
3371  if (de_ctx == NULL)
3372  goto end;
3373 
3374  de_ctx->flags |= DE_QUIET;
3375 
3376  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3377  "(msg:\"http host test\"; "
3378  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_host; "
3379  "sid:1;)");
3380  if (de_ctx->sig_list == NULL)
3381  goto end;
3382 
3383  SigGroupBuild(de_ctx);
3384  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3385 
3386  int r = AppLayerParserParse(
3387  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3388  if (r != 0) {
3389  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3390  result = 0;
3391  goto end;
3392  }
3393 
3394  http_state = f.alstate;
3395  if (http_state == NULL) {
3396  printf("no http state: ");
3397  result = 0;
3398  goto end;
3399  }
3400 
3401  /* do detect */
3402  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3403 
3404  if (!(PacketAlertCheck(p, 1))) {
3405  printf("sid 1 didn't match but should have");
3406  goto end;
3407  }
3408 
3409  result = 1;
3410 end:
3411  if (alp_tctx != NULL)
3412  AppLayerParserThreadCtxFree(alp_tctx);
3413  if (de_ctx != NULL)
3414  DetectEngineCtxFree(de_ctx);
3415 
3416  StreamTcpFreeConfig(true);
3417  FLOW_DESTROY(&f);
3418  UTHFreePackets(&p, 1);
3419  return result;
3420 }
3421 
3422 /**
3423  * \test multiple http transactions and body chunks of request handling
3424  */
3425 static int DetectHttpHHTest14(void)
3426 {
3427  int result = 0;
3428  Signature *s = NULL;
3429  DetectEngineThreadCtx *det_ctx = NULL;
3430  ThreadVars th_v;
3431  Flow f;
3432  TcpSession ssn;
3433  Packet *p = NULL;
3434  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
3435  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
3436  uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
3437  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
3438  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
3439  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
3440  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
3441  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
3442  uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
3443  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
3444  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
3445  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
3446  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3447 
3448  memset(&th_v, 0, sizeof(th_v));
3449  memset(&f, 0, sizeof(f));
3450  memset(&ssn, 0, sizeof(ssn));
3451 
3452  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3453 
3454  FLOW_INITIALIZE(&f);
3455  f.protoctx = (void *)&ssn;
3456  f.proto = IPPROTO_TCP;
3457  f.flags |= FLOW_IPV4;
3458 
3459  p->flow = &f;
3460  p->flowflags |= FLOW_PKT_TOSERVER;
3461  p->flowflags |= FLOW_PKT_ESTABLISHED;
3462  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3463  f.alproto = ALPROTO_HTTP1;
3464 
3465  StreamTcpInitConfig(true);
3466 
3467  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3468  if (de_ctx == NULL) {
3469  goto end;
3470  }
3471 
3472  de_ctx->flags |= DE_QUIET;
3473 
3474  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; http_cookie; content:\"body one\"; http_host; sid:1; rev:1;)");
3475  if (s == NULL) {
3476  printf("sig parse failed: ");
3477  goto end;
3478  }
3479  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; http_cookie; content:\"body two\"; http_host; sid:2; rev:1;)");
3480  if (s == NULL) {
3481  printf("sig2 parse failed: ");
3482  goto end;
3483  }
3484 
3485  SigGroupBuild(de_ctx);
3486  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3487 
3488  int r = AppLayerParserParse(
3489  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
3490  if (r != 0) {
3491  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3492  goto end;
3493  }
3494 
3495  /* do detect */
3496  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3497  if (PacketAlertCheck(p, 1)) {
3498  printf("sig 1 alerted: ");
3499  goto end;
3500  }
3501  p->alerts.cnt = 0;
3502 
3503  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
3504  if (r != 0) {
3505  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
3506  goto end;
3507  }
3508 
3509  /* do detect */
3510  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3511  if (PacketAlertCheck(p, 1)) {
3512  printf("sig 1 alerted (2): ");
3513  goto end;
3514  }
3515  p->alerts.cnt = 0;
3516 
3517  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
3518  if (r != 0) {
3519  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
3520  goto end;
3521  }
3522 
3523  /* do detect */
3524  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3525  if (!(PacketAlertCheck(p, 1))) {
3526  printf("sig 1 didn't alert: ");
3527  goto end;
3528  }
3529  p->alerts.cnt = 0;
3530 
3531  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
3532  if (r != 0) {
3533  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
3534  goto end;
3535  }
3536 
3537  /* do detect */
3538  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3539  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
3540  printf("sig 1 alerted (4): ");
3541  goto end;
3542  }
3543  p->alerts.cnt = 0;
3544 
3545  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
3546  if (r != 0) {
3547  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
3548  goto end;
3549  }
3550 
3551  /* do detect */
3552  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3553  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
3554  printf("sig 1 alerted (request 2, chunk 6): ");
3555  goto end;
3556  }
3557  p->alerts.cnt = 0;
3558 
3559  SCLogDebug("sending data chunk 7");
3560 
3561  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
3562  if (r != 0) {
3563  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
3564  goto end;
3565  }
3566 
3567  /* do detect */
3568  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3569  if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
3570  printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
3571  goto end;
3572  }
3573  p->alerts.cnt = 0;
3574 
3575  HtpState *htp_state = f.alstate;
3576  if (htp_state == NULL) {
3577  printf("no http state: ");
3578  result = 0;
3579  goto end;
3580  }
3581 
3582  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
3583  printf("The http app layer doesn't have 2 transactions, but it should: ");
3584  goto end;
3585  }
3586 
3587  result = 1;
3588 end:
3589  if (alp_tctx != NULL)
3590  AppLayerParserThreadCtxFree(alp_tctx);
3591  if (det_ctx != NULL) {
3592  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3593  }
3594  if (de_ctx != NULL) {
3595  DetectEngineCtxFree(de_ctx);
3596  }
3597 
3598  StreamTcpFreeConfig(true);
3599  FLOW_DESTROY(&f);
3600  UTHFreePacket(p);
3601  return result;
3602 }
3603 
3604 /**
3605  *\test Test that the http_raw_host content matches against a http request
3606  * which holds the content.
3607  */
3608 static int DetectHttpHRHTest06(void)
3609 {
3610  TcpSession ssn;
3611  Packet *p = NULL;
3612  ThreadVars th_v;
3613  DetectEngineCtx *de_ctx = NULL;
3614  DetectEngineThreadCtx *det_ctx = NULL;
3615  HtpState *http_state = NULL;
3616  Flow f;
3617  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
3618  "User-Agent: www.openinfosecfoundation.org\r\n"
3619  "Host: This is dummy message body\r\n"
3620  "Content-Type: text/html\r\n"
3621  "\r\n";
3622  uint32_t http_len = sizeof(http_buf) - 1;
3623  int result = 0;
3624  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3625 
3626  memset(&th_v, 0, sizeof(th_v));
3627  memset(&f, 0, sizeof(f));
3628  memset(&ssn, 0, sizeof(ssn));
3629 
3630  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3631 
3632  FLOW_INITIALIZE(&f);
3633  f.protoctx = (void *)&ssn;
3634  f.proto = IPPROTO_TCP;
3635  f.flags |= FLOW_IPV4;
3636 
3637  p->flow = &f;
3638  p->flowflags |= FLOW_PKT_TOSERVER;
3639  p->flowflags |= FLOW_PKT_ESTABLISHED;
3640  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3641  f.alproto = ALPROTO_HTTP1;
3642 
3643  StreamTcpInitConfig(true);
3644 
3645  de_ctx = DetectEngineCtxInit();
3646  if (de_ctx == NULL)
3647  goto end;
3648 
3649  de_ctx->flags |= DE_QUIET;
3650 
3651  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
3652  "(msg:\"http host test\"; "
3653  "content:\"message\"; http_raw_host; "
3654  "sid:1;)");
3655  if (de_ctx->sig_list == NULL)
3656  goto end;
3657 
3658  SigGroupBuild(de_ctx);
3659  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3660 
3661  int r = AppLayerParserParse(
3662  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3663  if (r != 0) {
3664  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3665  result = 0;
3666  goto end;
3667  }
3668 
3669  http_state = f.alstate;
3670  if (http_state == NULL) {
3671  printf("no http state: \n");
3672  result = 0;
3673  goto end;
3674  }
3675 
3676  /* do detect */
3677  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3678 
3679  if (!(PacketAlertCheck(p, 1))) {
3680  printf("sid 1 didn't match but should have\n");
3681  goto end;
3682  }
3683 
3684  result = 1;
3685 end:
3686  if (alp_tctx != NULL)
3687  AppLayerParserThreadCtxFree(alp_tctx);
3688  if (de_ctx != NULL)
3689  DetectEngineCtxFree(de_ctx);
3690 
3691  StreamTcpFreeConfig(true);
3692  FLOW_DESTROY(&f);
3693  UTHFreePackets(&p, 1);
3694  return result;
3695 }
3696 
3697 /**
3698  *\test Test that the http_raw_host content matches against a http request
3699  * which holds the content.
3700  */
3701 static int DetectHttpHRHTest07(void)
3702 {
3703  TcpSession ssn;
3704  Packet *p1 = NULL;
3705  Packet *p2 = NULL;
3706  ThreadVars th_v;
3707  DetectEngineCtx *de_ctx = NULL;
3708  DetectEngineThreadCtx *det_ctx = NULL;
3709  HtpState *http_state = NULL;
3710  Flow f;
3711  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
3712  "User-Agent: www.openinfosecfoundation.org\r\n"
3713  "Host: This is dummy message";
3714  uint8_t http2_buf[] = "body1\r\n\r\n";
3715  uint32_t http1_len = sizeof(http1_buf) - 1;
3716  uint32_t http2_len = sizeof(http2_buf) - 1;
3717  int result = 0;
3718  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3719 
3720  memset(&th_v, 0, sizeof(th_v));
3721  memset(&f, 0, sizeof(f));
3722  memset(&ssn, 0, sizeof(ssn));
3723 
3724  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3725  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3726 
3727  FLOW_INITIALIZE(&f);
3728  f.protoctx = (void *)&ssn;
3729  f.proto = IPPROTO_TCP;
3730  f.flags |= FLOW_IPV4;
3731 
3732  p1->flow = &f;
3733  p1->flowflags |= FLOW_PKT_TOSERVER;
3734  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3735  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3736  p2->flow = &f;
3737  p2->flowflags |= FLOW_PKT_TOSERVER;
3738  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3739  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3740  f.alproto = ALPROTO_HTTP1;
3741 
3742  StreamTcpInitConfig(true);
3743 
3744  de_ctx = DetectEngineCtxInit();
3745  if (de_ctx == NULL)
3746  goto end;
3747 
3748  de_ctx->flags |= DE_QUIET;
3749 
3750  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
3751  "(msg:\"http host test\"; "
3752  "content:\"message\"; http_raw_host; "
3753  "sid:1;)");
3754  if (de_ctx->sig_list == NULL)
3755  goto end;
3756 
3757  SigGroupBuild(de_ctx);
3758  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3759 
3760  int r = AppLayerParserParse(
3761  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3762  if (r != 0) {
3763  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3764  result = 0;
3765  goto end;
3766  }
3767 
3768  http_state = f.alstate;
3769  if (http_state == NULL) {
3770  printf("no http state: ");
3771  goto end;
3772  }
3773 
3774  /* do detect */
3775  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3776 
3777  if (PacketAlertCheck(p1, 1)) {
3778  printf("sid 1 matched on p1 but shouldn't have: ");
3779  goto end;
3780  }
3781 
3782  r = AppLayerParserParse(
3783  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3784  if (r != 0) {
3785  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3786  goto end;
3787  }
3788 
3789  /* do detect */
3790  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3791  if (!(PacketAlertCheck(p2, 1))) {
3792  printf("sid 1 didn't match on p2 but should have: ");
3793  goto end;
3794  }
3795 
3796  result = 1;
3797 end:
3798  if (alp_tctx != NULL)
3799  AppLayerParserThreadCtxFree(alp_tctx);
3800  if (de_ctx != NULL)
3801  DetectEngineCtxFree(de_ctx);
3802 
3803  StreamTcpFreeConfig(true);
3804  FLOW_DESTROY(&f);
3805  UTHFreePackets(&p1, 1);
3806  UTHFreePackets(&p2, 1);
3807  return result;
3808 }
3809 
3810 /**
3811  *\test Test that the http_raw_host content matches against a http request
3812  * which holds the content.
3813  */
3814 static int DetectHttpHRHTest08(void)
3815 {
3816  TcpSession ssn;
3817  Packet *p1 = NULL;
3818  Packet *p2 = NULL;
3819  ThreadVars th_v;
3820  DetectEngineCtx *de_ctx = NULL;
3821  DetectEngineThreadCtx *det_ctx = NULL;
3822  HtpState *http_state = NULL;
3823  Flow f;
3824  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
3825  "User-Agent: www.openinfosecfoundation.org\r\n"
3826  "host: This is dummy mess";
3827  uint8_t http2_buf[] = "age body\r\n\r\n";
3828  uint32_t http1_len = sizeof(http1_buf) - 1;
3829  uint32_t http2_len = sizeof(http2_buf) - 1;
3830  int result = 0;
3831  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3832 
3833  memset(&th_v, 0, sizeof(th_v));
3834  memset(&f, 0, sizeof(f));
3835  memset(&ssn, 0, sizeof(ssn));
3836 
3837  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3838  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3839 
3840  FLOW_INITIALIZE(&f);
3841  f.protoctx = (void *)&ssn;
3842  f.proto = IPPROTO_TCP;
3843  f.flags |= FLOW_IPV4;
3844 
3845  p1->flow = &f;
3846  p1->flowflags |= FLOW_PKT_TOSERVER;
3847  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3848  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3849  p2->flow = &f;
3850  p2->flowflags |= FLOW_PKT_TOSERVER;
3851  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3852  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3853  f.alproto = ALPROTO_HTTP1;
3854 
3855  StreamTcpInitConfig(true);
3856 
3857  de_ctx = DetectEngineCtxInit();
3858  if (de_ctx == NULL)
3859  goto end;
3860 
3861  de_ctx->flags |= DE_QUIET;
3862 
3863  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
3864  "(msg:\"http host test\"; "
3865  "content:\"message\"; http_raw_host; "
3866  "sid:1;)");
3867  if (de_ctx->sig_list == NULL)
3868  goto end;
3869 
3870  SigGroupBuild(de_ctx);
3871  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3872 
3873  int r = AppLayerParserParse(
3874  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3875  if (r != 0) {
3876  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3877  result = 0;
3878  goto end;
3879  }
3880 
3881  http_state = f.alstate;
3882  if (http_state == NULL) {
3883  printf("no http state: ");
3884  result = 0;
3885  goto end;
3886  }
3887 
3888  /* do detect */
3889  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3890 
3891  if ((PacketAlertCheck(p1, 1))) {
3892  printf("sid 1 didn't match but should have");
3893  goto end;
3894  }
3895 
3896  r = AppLayerParserParse(
3897  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3898  if (r != 0) {
3899  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3900  result = 0;
3901  goto end;
3902  }
3903 
3904  /* do detect */
3905  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3906 
3907  if (!(PacketAlertCheck(p2, 1))) {
3908  printf("sid 1 didn't match but should have");
3909  goto end;
3910  }
3911 
3912  result = 1;
3913 end:
3914  if (alp_tctx != NULL)
3915  AppLayerParserThreadCtxFree(alp_tctx);
3916  if (de_ctx != NULL)
3917  DetectEngineCtxFree(de_ctx);
3918 
3919  StreamTcpFreeConfig(true);
3920  FLOW_DESTROY(&f);
3921  UTHFreePackets(&p1, 1);
3922  UTHFreePackets(&p2, 1);
3923  return result;
3924 }
3925 
3926 /**
3927  *\test Test that the http_raw_host content matches against a http request
3928  * which holds the content, against a cross boundary present pattern.
3929  */
3930 static int DetectHttpHRHTest09(void)
3931 {
3932  TcpSession ssn;
3933  Packet *p1 = NULL;
3934  Packet *p2 = NULL;
3935  ThreadVars th_v;
3936  DetectEngineCtx *de_ctx = NULL;
3937  DetectEngineThreadCtx *det_ctx = NULL;
3938  HtpState *http_state = NULL;
3939  Flow f;
3940  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
3941  "User-Agent: www.openinfosecfoundation.org\r\n"
3942  "Host: This is dummy body1";
3943  uint8_t http2_buf[] = "This is dummy message body2\r\n"
3944  "Content-Type: text/html\r\n"
3945  "Content-Length: 46\r\n"
3946  "\r\n"
3947  "This is dummy body1";
3948  uint32_t http1_len = sizeof(http1_buf) - 1;
3949  uint32_t http2_len = sizeof(http2_buf) - 1;
3950  int result = 0;
3951  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3952 
3953  memset(&th_v, 0, sizeof(th_v));
3954  memset(&f, 0, sizeof(f));
3955  memset(&ssn, 0, sizeof(ssn));
3956 
3957  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3958  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3959 
3960  FLOW_INITIALIZE(&f);
3961  f.protoctx = (void *)&ssn;
3962  f.proto = IPPROTO_TCP;
3963  f.flags |= FLOW_IPV4;
3964 
3965  p1->flow = &f;
3966  p1->flowflags |= FLOW_PKT_TOSERVER;
3967  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3968  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3969  p2->flow = &f;
3970  p2->flowflags |= FLOW_PKT_TOSERVER;
3971  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3972  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3973  f.alproto = ALPROTO_HTTP1;
3974 
3975  StreamTcpInitConfig(true);
3976 
3977  de_ctx = DetectEngineCtxInit();
3978  if (de_ctx == NULL)
3979  goto end;
3980 
3981  de_ctx->flags |= DE_QUIET;
3982 
3983  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
3984  "(msg:\"http host test\"; "
3985  "content:\"body1This\"; http_raw_host; "
3986  "sid:1;)");
3987  if (de_ctx->sig_list == NULL)
3988  goto end;
3989 
3990  SigGroupBuild(de_ctx);
3991  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3992 
3993  int r = AppLayerParserParse(
3994  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3995  if (r != 0) {
3996  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3997  result = 0;
3998  goto end;
3999  }
4000 
4001  http_state = f.alstate;
4002  if (http_state == NULL) {
4003  printf("no http state: ");
4004  result = 0;
4005  goto end;
4006  }
4007 
4008  /* do detect */
4009  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4010 
4011  if ((PacketAlertCheck(p1, 1))) {
4012  printf("sid 1 didn't match but should have");
4013  goto end;
4014  }
4015 
4016  r = AppLayerParserParse(
4017  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4018  if (r != 0) {
4019  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4020  result = 0;
4021  goto end;
4022  }
4023 
4024  /* do detect */
4025  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4026 
4027  if (!(PacketAlertCheck(p2, 1))) {
4028  printf("sid 1 didn't match but should have");
4029  goto end;
4030  }
4031 
4032  result = 1;
4033 end:
4034  if (alp_tctx != NULL)
4035  AppLayerParserThreadCtxFree(alp_tctx);
4036  if (de_ctx != NULL)
4037  DetectEngineCtxFree(de_ctx);
4038 
4039  StreamTcpFreeConfig(true);
4040  FLOW_DESTROY(&f);
4041  UTHFreePackets(&p1, 1);
4042  UTHFreePackets(&p2, 1);
4043  return result;
4044 }
4045 
4046 /**
4047  *\test Test that the http_raw_host content matches against a http request
4048  * against a case insensitive pattern.
4049  */
4050 static int DetectHttpHRHTest10(void)
4051 {
4052  TcpSession ssn;
4053  Packet *p1 = NULL;
4054  Packet *p2 = NULL;
4055  ThreadVars th_v;
4056  DetectEngineCtx *de_ctx = NULL;
4057  DetectEngineThreadCtx *det_ctx = NULL;
4058  HtpState *http_state = NULL;
4059  Flow f;
4060  uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
4061  "User-Agent: www.openinfosecfoundation.org\r\n"
4062  "Host: This is dummy bodY1";
4063  uint8_t http2_buf[] = "This is dummy message body2\r\n"
4064  "Content-Type: text/html\r\n"
4065  "Content-Length: 46\r\n"
4066  "\r\n"
4067  "This is dummy bodY1";
4068  uint32_t http1_len = sizeof(http1_buf) - 1;
4069  uint32_t http2_len = sizeof(http2_buf) - 1;
4070  int result = 0;
4071  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4072 
4073  memset(&th_v, 0, sizeof(th_v));
4074  memset(&f, 0, sizeof(f));
4075  memset(&ssn, 0, sizeof(ssn));
4076 
4077  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4078  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4079 
4080  FLOW_INITIALIZE(&f);
4081  f.protoctx = (void *)&ssn;
4082  f.proto = IPPROTO_TCP;
4083  f.flags |= FLOW_IPV4;
4084 
4085  p1->flow = &f;
4086  p1->flowflags |= FLOW_PKT_TOSERVER;
4087  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4088  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4089  p2->flow = &f;
4090  p2->flowflags |= FLOW_PKT_TOSERVER;
4091  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4092  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4093  f.alproto = ALPROTO_HTTP1;
4094 
4095  StreamTcpInitConfig(true);
4096 
4097  de_ctx = DetectEngineCtxInit();
4098  if (de_ctx == NULL)
4099  goto end;
4100 
4101  de_ctx->flags |= DE_QUIET;
4102 
4103  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4104  "(msg:\"http host test\"; "
4105  "content:\"bodY1This\"; http_raw_host; "
4106  "sid:1;)");
4107  if (de_ctx->sig_list == NULL)
4108  goto end;
4109 
4110  SigGroupBuild(de_ctx);
4111  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4112 
4113  int r = AppLayerParserParse(
4114  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4115  if (r != 0) {
4116  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4117  result = 0;
4118  goto end;
4119  }
4120 
4121  http_state = f.alstate;
4122  if (http_state == NULL) {
4123  printf("no http state: \n");
4124  result = 0;
4125  goto end;
4126  }
4127 
4128  /* do detect */
4129  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4130 
4131  if ((PacketAlertCheck(p1, 1))) {
4132  printf("sid 1 didn't match but should have\n");
4133  goto end;
4134  }
4135 
4136  r = AppLayerParserParse(
4137  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4138  if (r != 0) {
4139  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4140  result = 0;
4141  goto end;
4142  }
4143 
4144  /* do detect */
4145  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4146 
4147  if (!(PacketAlertCheck(p2, 1))) {
4148  printf("sid 1 didn't match but should have");
4149  goto end;
4150  }
4151 
4152  result = 1;
4153 end:
4154  if (alp_tctx != NULL)
4155  AppLayerParserThreadCtxFree(alp_tctx);
4156  if (de_ctx != NULL)
4157  DetectEngineCtxFree(de_ctx);
4158 
4159  StreamTcpFreeConfig(true);
4160  FLOW_DESTROY(&f);
4161  UTHFreePackets(&p1, 1);
4162  UTHFreePackets(&p2, 1);
4163  return result;
4164 }
4165 
4166 /**
4167  *\test Test that the negated http_raw_host content matches against a
4168  * http request which doesn't hold the content.
4169  */
4170 static int DetectHttpHRHTest11(void)
4171 {
4172  TcpSession ssn;
4173  Packet *p = NULL;
4174  ThreadVars th_v;
4175  DetectEngineCtx *de_ctx = NULL;
4176  DetectEngineThreadCtx *det_ctx = NULL;
4177  HtpState *http_state = NULL;
4178  Flow f;
4179  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
4180  "User-Agent: www.openinfosecfoundation.org\r\n"
4181  "Host: This is dummy message body\r\n"
4182  "Content-Type: text/html\r\n"
4183  "\r\n";
4184  uint32_t http_len = sizeof(http_buf) - 1;
4185  int result = 0;
4186  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4187 
4188  memset(&th_v, 0, sizeof(th_v));
4189  memset(&f, 0, sizeof(f));
4190  memset(&ssn, 0, sizeof(ssn));
4191 
4192  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4193 
4194  FLOW_INITIALIZE(&f);
4195  f.protoctx = (void *)&ssn;
4196  f.proto = IPPROTO_TCP;
4197  f.flags |= FLOW_IPV4;
4198 
4199  p->flow = &f;
4200  p->flowflags |= FLOW_PKT_TOSERVER;
4201  p->flowflags |= FLOW_PKT_ESTABLISHED;
4202  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4203  f.alproto = ALPROTO_HTTP1;
4204 
4205  StreamTcpInitConfig(true);
4206 
4207  de_ctx = DetectEngineCtxInit();
4208  if (de_ctx == NULL)
4209  goto end;
4210 
4211  de_ctx->flags |= DE_QUIET;
4212 
4213  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4214  "(msg:\"http host test\"; "
4215  "content:!\"message\"; http_raw_host; "
4216  "sid:1;)");
4217  if (de_ctx->sig_list == NULL)
4218  goto end;
4219 
4220  SigGroupBuild(de_ctx);
4221  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4222 
4223  int r = AppLayerParserParse(
4224  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
4225  if (r != 0) {
4226  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4227  result = 0;
4228  goto end;
4229  }
4230 
4231  http_state = f.alstate;
4232  if (http_state == NULL) {
4233  printf("no http state: ");
4234  result = 0;
4235  goto end;
4236  }
4237 
4238  /* do detect */
4239  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4240 
4241  if (PacketAlertCheck(p, 1)) {
4242  printf("sid 1 matched but shouldn't have");
4243  goto end;
4244  }
4245 
4246  result = 1;
4247 end:
4248  if (alp_tctx != NULL)
4249  AppLayerParserThreadCtxFree(alp_tctx);
4250  if (de_ctx != NULL)
4251  DetectEngineCtxFree(de_ctx);
4252 
4253  StreamTcpFreeConfig(true);
4254  FLOW_DESTROY(&f);
4255  UTHFreePackets(&p, 1);
4256  return result;
4257 }
4258 
4259 /**
4260  *\test Negative test that the negated http_raw_host content matches against a
4261  * http request which holds hold the content.
4262  */
4263 static int DetectHttpHRHTest12(void)
4264 {
4265  TcpSession ssn;
4266  Packet *p = NULL;
4267  ThreadVars th_v;
4268  DetectEngineCtx *de_ctx = NULL;
4269  DetectEngineThreadCtx *det_ctx = NULL;
4270  HtpState *http_state = NULL;
4271  Flow f;
4272  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
4273  "User-Agent: www.openinfosecfoundation.org\r\n"
4274  "Host: This is dummy body\r\n"
4275  "\r\n";
4276  uint32_t http_len = sizeof(http_buf) - 1;
4277  int result = 0;
4278  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4279 
4280  memset(&th_v, 0, sizeof(th_v));
4281  memset(&f, 0, sizeof(f));
4282  memset(&ssn, 0, sizeof(ssn));
4283 
4284  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4285 
4286  FLOW_INITIALIZE(&f);
4287  f.protoctx = (void *)&ssn;
4288  f.proto = IPPROTO_TCP;
4289  f.flags |= FLOW_IPV4;
4290 
4291  p->flow = &f;
4292  p->flowflags |= FLOW_PKT_TOSERVER;
4293  p->flowflags |= FLOW_PKT_ESTABLISHED;
4294  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4295  f.alproto = ALPROTO_HTTP1;
4296 
4297  StreamTcpInitConfig(true);
4298 
4299  de_ctx = DetectEngineCtxInit();
4300  if (de_ctx == NULL)
4301  goto end;
4302 
4303  de_ctx->flags |= DE_QUIET;
4304 
4305  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4306  "(msg:\"http host test\"; "
4307  "content:!\"message\"; http_raw_host; "
4308  "sid:1;)");
4309  if (de_ctx->sig_list == NULL)
4310  goto end;
4311 
4312  SigGroupBuild(de_ctx);
4313  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4314 
4315  int r = AppLayerParserParse(
4316  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
4317  if (r != 0) {
4318  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4319  result = 0;
4320  goto end;
4321  }
4322 
4323  http_state = f.alstate;
4324  if (http_state == NULL) {
4325  printf("no http state: ");
4326  result = 0;
4327  goto end;
4328  }
4329 
4330  /* do detect */
4331  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4332 
4333  if (!(PacketAlertCheck(p, 1))) {
4334  printf("sid 1 didn't match but should have");
4335  goto end;
4336  }
4337 
4338  result = 1;
4339 end:
4340  if (alp_tctx != NULL)
4341  AppLayerParserThreadCtxFree(alp_tctx);
4342  if (de_ctx != NULL)
4343  DetectEngineCtxFree(de_ctx);
4344 
4345  StreamTcpFreeConfig(true);
4346  FLOW_DESTROY(&f);
4347  UTHFreePackets(&p, 1);
4348  return result;
4349 }
4350 
4351 /**
4352  * \test Test that the http_raw_host content matches against a http request
4353  * which holds the content.
4354  */
4355 static int DetectHttpHRHTest13(void)
4356 {
4357  TcpSession ssn;
4358  Packet *p = NULL;
4359  ThreadVars th_v;
4360  DetectEngineCtx *de_ctx = NULL;
4361  DetectEngineThreadCtx *det_ctx = NULL;
4362  HtpState *http_state = NULL;
4363  Flow f;
4364  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
4365  "User-Agent: www.openinfosecfoundation.org\r\n"
4366  "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
4367  "Content-Type: text/html\r\n"
4368  "\r\n";
4369  uint32_t http_len = sizeof(http_buf) - 1;
4370  int result = 0;
4371  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4372 
4373  memset(&th_v, 0, sizeof(th_v));
4374  memset(&f, 0, sizeof(f));
4375  memset(&ssn, 0, sizeof(ssn));
4376 
4377  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4378 
4379  FLOW_INITIALIZE(&f);
4380  f.protoctx = (void *)&ssn;
4381  f.proto = IPPROTO_TCP;
4382  f.flags |= FLOW_IPV4;
4383 
4384  p->flow = &f;
4385  p->flowflags |= FLOW_PKT_TOSERVER;
4386  p->flowflags |= FLOW_PKT_ESTABLISHED;
4387  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4388  f.alproto = ALPROTO_HTTP1;
4389 
4390  StreamTcpInitConfig(true);
4391 
4392  de_ctx = DetectEngineCtxInit();
4393  if (de_ctx == NULL)
4394  goto end;
4395 
4396  de_ctx->flags |= DE_QUIET;
4397 
4398  de_ctx->sig_list =
4399  SigInit(de_ctx, "alert http any any -> any any "
4400  "(msg:\"http host test\"; "
4401  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_raw_host; "
4402  "sid:1;)");
4403  if (de_ctx->sig_list == NULL)
4404  goto end;
4405 
4406  SigGroupBuild(de_ctx);
4407  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4408 
4409  int r = AppLayerParserParse(
4410  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
4411  if (r != 0) {
4412  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4413  result = 0;
4414  goto end;
4415  }
4416 
4417  http_state = f.alstate;
4418  if (http_state == NULL) {
4419  printf("no http state: ");
4420  result = 0;
4421  goto end;
4422  }
4423 
4424  /* do detect */
4425  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4426 
4427  if (!(PacketAlertCheck(p, 1))) {
4428  printf("sid 1 didn't match but should have");
4429  goto end;
4430  }
4431 
4432  result = 1;
4433 end:
4434  if (alp_tctx != NULL)
4435  AppLayerParserThreadCtxFree(alp_tctx);
4436  if (de_ctx != NULL)
4437  DetectEngineCtxFree(de_ctx);
4438 
4439  StreamTcpFreeConfig(true);
4440  FLOW_DESTROY(&f);
4441  UTHFreePackets(&p, 1);
4442  return result;
4443 }
4444 
4445 /**
4446  * \test multiple http transactions and body chunks of request handling
4447  */
4448 static int DetectHttpHRHTest14(void)
4449 {
4450  int result = 0;
4451  Signature *s = NULL;
4452  DetectEngineThreadCtx *det_ctx = NULL;
4453  ThreadVars th_v;
4454  Flow f;
4455  TcpSession ssn;
4456  Packet *p = NULL;
4457  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
4458  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
4459  uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
4460  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
4461  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
4462  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
4463  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
4464  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
4465  uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
4466  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
4467  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
4468  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
4469  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4470 
4471  memset(&th_v, 0, sizeof(th_v));
4472  memset(&f, 0, sizeof(f));
4473  memset(&ssn, 0, sizeof(ssn));
4474 
4475  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4476 
4477  FLOW_INITIALIZE(&f);
4478  f.protoctx = (void *)&ssn;
4479  f.proto = IPPROTO_TCP;
4480  f.flags |= FLOW_IPV4;
4481 
4482  p->flow = &f;
4483  p->flowflags |= FLOW_PKT_TOSERVER;
4484  p->flowflags |= FLOW_PKT_ESTABLISHED;
4485  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
4486  f.alproto = ALPROTO_HTTP1;
4487 
4488  StreamTcpInitConfig(true);
4489 
4490  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4491  if (de_ctx == NULL) {
4492  goto end;
4493  }
4494 
4495  de_ctx->flags |= DE_QUIET;
4496 
4497  s = DetectEngineAppendSig(de_ctx,
4498  "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; "
4499  "http_cookie; content:\"Body one\"; http_raw_host; sid:1; rev:1;)");
4500  if (s == NULL) {
4501  printf("sig parse failed: ");
4502  goto end;
4503  }
4504  s = DetectEngineAppendSig(de_ctx,
4505  "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; "
4506  "http_cookie; content:\"Body two\"; http_raw_host; sid:2; rev:1;)");
4507  if (s == NULL) {
4508  printf("sig2 parse failed: ");
4509  goto end;
4510  }
4511 
4512  SigGroupBuild(de_ctx);
4513  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4514 
4515  int r = AppLayerParserParse(
4516  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
4517  if (r != 0) {
4518  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4519  goto end;
4520  }
4521 
4522  /* do detect */
4523  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4524  if (PacketAlertCheck(p, 1)) {
4525  printf("sig 1 alerted: ");
4526  goto end;
4527  }
4528  p->alerts.cnt = 0;
4529 
4530  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
4531  if (r != 0) {
4532  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4533  goto end;
4534  }
4535 
4536  /* do detect */
4537  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4538  if (PacketAlertCheck(p, 1)) {
4539  printf("sig 1 alerted (2): ");
4540  goto end;
4541  }
4542  p->alerts.cnt = 0;
4543 
4544  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
4545  if (r != 0) {
4546  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
4547  goto end;
4548  }
4549 
4550  /* do detect */
4551  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4552  if (!(PacketAlertCheck(p, 1))) {
4553  printf("sig 1 didn't alert: ");
4554  goto end;
4555  }
4556  p->alerts.cnt = 0;
4557 
4558  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
4559  if (r != 0) {
4560  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
4561  goto end;
4562  }
4563 
4564  /* do detect */
4565  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4566  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
4567  printf("sig 1 alerted (4): ");
4568  goto end;
4569  }
4570  p->alerts.cnt = 0;
4571 
4572  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
4573  if (r != 0) {
4574  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
4575  goto end;
4576  }
4577 
4578  /* do detect */
4579  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4580  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
4581  printf("sig 1 alerted (request 2, chunk 6): ");
4582  goto end;
4583  }
4584  p->alerts.cnt = 0;
4585 
4586  SCLogDebug("sending data chunk 7");
4587 
4588  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
4589  if (r != 0) {
4590  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
4591  goto end;
4592  }
4593 
4594  /* do detect */
4595  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4596  if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
4597  printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
4598  goto end;
4599  }
4600  p->alerts.cnt = 0;
4601 
4602  HtpState *htp_state = f.alstate;
4603  if (htp_state == NULL) {
4604  printf("no http state: ");
4605  result = 0;
4606  goto end;
4607  }
4608 
4609  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
4610  printf("The http app layer doesn't have 2 transactions, but it should: ");
4611  goto end;
4612  }
4613 
4614  result = 1;
4615 end:
4616  if (alp_tctx != NULL)
4617  AppLayerParserThreadCtxFree(alp_tctx);
4618  if (det_ctx != NULL) {
4619  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4620  }
4621  if (de_ctx != NULL) {
4622  DetectEngineCtxFree(de_ctx);
4623  }
4624 
4625  StreamTcpFreeConfig(true);
4626  FLOW_DESTROY(&f);
4627  UTHFreePacket(p);
4628  return result;
4629 }
4630 
4631 /**
4632  *\test Test that the http_raw_host content matches against a http request
4633  * against a case insensitive pattern.
4634  */
4635 static int DetectHttpHRHTest37(void)
4636 {
4637  TcpSession ssn;
4638  Packet *p1 = NULL;
4639  Packet *p2 = NULL;
4640  ThreadVars th_v;
4641  DetectEngineCtx *de_ctx = NULL;
4642  DetectEngineThreadCtx *det_ctx = NULL;
4643  HtpState *http_state = NULL;
4644  Flow f;
4645  uint8_t http1_buf[] =
4646  "GET /index.html HTTP/1.0\r\n"
4647  "User-Agent: www.openinfosecfoundation.org\r\n"
4648  "Host: This is dummy bodY1";
4649  uint8_t http2_buf[] =
4650  "This is dummy message body2\r\n"
4651  "Content-Type: text/html\r\n"
4652  "Content-Length: 46\r\n"
4653  "\r\n"
4654  "This is dummy bodY1";
4655  uint32_t http1_len = sizeof(http1_buf) - 1;
4656  uint32_t http2_len = sizeof(http2_buf) - 1;
4657  int result = 0;
4658  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4659 
4660  memset(&th_v, 0, sizeof(th_v));
4661  memset(&f, 0, sizeof(f));
4662  memset(&ssn, 0, sizeof(ssn));
4663 
4664  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4665  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4666 
4667  FLOW_INITIALIZE(&f);
4668  f.protoctx = (void *)&ssn;
4669  f.proto = IPPROTO_TCP;
4670  f.flags |= FLOW_IPV4;
4671 
4672  p1->flow = &f;
4673  p1->flowflags |= FLOW_PKT_TOSERVER;
4674  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4675  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4676  p2->flow = &f;
4677  p2->flowflags |= FLOW_PKT_TOSERVER;
4678  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4679  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4680  f.alproto = ALPROTO_HTTP1;
4681 
4682  StreamTcpInitConfig(true);
4683 
4684  de_ctx = DetectEngineCtxInit();
4685  if (de_ctx == NULL)
4686  goto end;
4687 
4688  de_ctx->flags |= DE_QUIET;
4689 
4690  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4691  "(msg:\"http host test\"; "
4692  "content:\"body1this\"; http_raw_host; nocase; "
4693  "sid:1;)");
4694  if (de_ctx->sig_list == NULL)
4695  goto end;
4696 
4697  SigGroupBuild(de_ctx);
4698  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4699 
4700  int r = AppLayerParserParse(
4701  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4702  if (r != 0) {
4703  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4704  result = 0;
4705  goto end;
4706  }
4707 
4708  http_state = f.alstate;
4709  if (http_state == NULL) {
4710  printf("no http state: \n");
4711  result = 0;
4712  goto end;
4713  }
4714 
4715  /* do detect */
4716  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4717 
4718  if ((PacketAlertCheck(p1, 1))) {
4719  printf("sid 1 didn't match but should have\n");
4720  goto end;
4721  }
4722 
4723  r = AppLayerParserParse(
4724  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4725  if (r != 0) {
4726  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4727  result = 0;
4728  goto end;
4729  }
4730 
4731  /* do detect */
4732  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4733 
4734  if (!(PacketAlertCheck(p2, 1))) {
4735  printf("sid 1 didn't match but should have");
4736  goto end;
4737  }
4738 
4739  result = 1;
4740 end:
4741  if (alp_tctx != NULL)
4742  AppLayerParserThreadCtxFree(alp_tctx);
4743  if (de_ctx != NULL)
4744  DetectEngineCtxFree(de_ctx);
4745 
4746  StreamTcpFreeConfig(true);
4747  FLOW_DESTROY(&f);
4748  UTHFreePackets(&p1, 1);
4749  UTHFreePackets(&p2, 1);
4750  return result;
4751 }
4752 
4753 /**
4754  * \test Test that the http_raw_host content matches against a http request
4755  * which holds the content.
4756  */
4757 static int DetectEngineHttpHRHTest01(void)
4758 {
4759  TcpSession ssn;
4760  Packet *p = NULL;
4761  ThreadVars th_v;
4762  DetectEngineCtx *de_ctx = NULL;
4763  DetectEngineThreadCtx *det_ctx = NULL;
4764  HtpState *http_state = NULL;
4765  Flow f;
4766  uint8_t http_buf[] =
4767  "GET /index.html HTTP/1.0\r\n"
4768  "Host: CONNECT\r\n"
4769  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
4770  uint32_t http_len = sizeof(http_buf) - 1;
4771  int result = 0;
4772  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4773 
4774  memset(&th_v, 0, sizeof(th_v));
4775  memset(&f, 0, sizeof(f));
4776  memset(&ssn, 0, sizeof(ssn));
4777 
4778  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4779 
4780  FLOW_INITIALIZE(&f);
4781  f.protoctx = (void *)&ssn;
4782  f.proto = IPPROTO_TCP;
4783  f.flags |= FLOW_IPV4;
4784  p->flow = &f;
4785  p->flowflags |= FLOW_PKT_TOSERVER;
4786  p->flowflags |= FLOW_PKT_ESTABLISHED;
4787  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4788  f.alproto = ALPROTO_HTTP1;
4789 
4790  StreamTcpInitConfig(true);
4791 
4792  de_ctx = DetectEngineCtxInit();
4793  if (de_ctx == NULL)
4794  goto end;
4795 
4796  de_ctx->flags |= DE_QUIET;
4797 
4798  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4799  "(msg:\"http host header test\"; "
4800  "content:\"CONNECT\"; http_raw_host; "
4801  "sid:1;)");
4802  if (de_ctx->sig_list == NULL)
4803  goto end;
4804 
4805  SigGroupBuild(de_ctx);
4806  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4807 
4808  int r = AppLayerParserParse(
4809  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
4810  if (r != 0) {
4811  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4812  result = 0;
4813  goto end;
4814  }
4815 
4816  http_state = f.alstate;
4817  if (http_state == NULL) {
4818  printf("no http state: ");
4819  result = 0;
4820  goto end;
4821  }
4822 
4823  /* do detect */
4824  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4825 
4826  if (!(PacketAlertCheck(p, 1))) {
4827  printf("sid 1 didn't match but should have: ");
4828  goto end;
4829  }
4830 
4831  result = 1;
4832 
4833 end:
4834  if (alp_tctx != NULL)
4835  AppLayerParserThreadCtxFree(alp_tctx);
4836  if (de_ctx != NULL)
4837  DetectEngineCtxFree(de_ctx);
4838 
4839  StreamTcpFreeConfig(true);
4840  FLOW_DESTROY(&f);
4841  UTHFreePackets(&p, 1);
4842  return result;
4843 }
4844 
4845 /**
4846  * \test Test that the http_raw_host content matches against a http request
4847  * which holds the content.
4848  */
4849 static int DetectEngineHttpHRHTest02(void)
4850 {
4851  TcpSession ssn;
4852  Packet *p = NULL;
4853  ThreadVars th_v;
4854  DetectEngineCtx *de_ctx = NULL;
4855  DetectEngineThreadCtx *det_ctx = NULL;
4856  HtpState *http_state = NULL;
4857  Flow f;
4858  uint8_t http_buf[] =
4859  "GET /index.html HTTP/1.0\r\n"
4860  "Host: CONNECT\r\n"
4861  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
4862  uint32_t http_len = sizeof(http_buf) - 1;
4863  int result = 0;
4864  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4865 
4866  memset(&th_v, 0, sizeof(th_v));
4867  memset(&f, 0, sizeof(f));
4868  memset(&ssn, 0, sizeof(ssn));
4869 
4870  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4871 
4872  FLOW_INITIALIZE(&f);
4873  f.protoctx = (void *)&ssn;
4874  f.proto = IPPROTO_TCP;
4875  f.flags |= FLOW_IPV4;
4876  p->flow = &f;
4877  p->flowflags |= FLOW_PKT_TOSERVER;
4878  p->flowflags |= FLOW_PKT_ESTABLISHED;
4879  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4880  f.alproto = ALPROTO_HTTP1;
4881 
4882  StreamTcpInitConfig(true);
4883 
4884  de_ctx = DetectEngineCtxInit();
4885  if (de_ctx == NULL)
4886  goto end;
4887 
4888  de_ctx->flags |= DE_QUIET;
4889 
4890  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4891  "(msg:\"http host header test\"; "
4892  "content:\"CO\"; depth:4; http_raw_host; "
4893  "sid:1;)");
4894  if (de_ctx->sig_list == NULL)
4895  goto end;
4896 
4897  SigGroupBuild(de_ctx);
4898  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4899 
4900  int r = AppLayerParserParse(
4901  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
4902  if (r != 0) {
4903  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4904  result = 0;
4905  goto end;
4906  }
4907 
4908  http_state = f.alstate;
4909  if (http_state == NULL) {
4910  printf("no http state: ");
4911  result = 0;
4912  goto end;
4913  }
4914 
4915  /* do detect */
4916  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4917 
4918  if (!(PacketAlertCheck(p, 1))) {
4919  printf("sid 1 didn't match but should have: ");
4920  goto end;
4921  }
4922 
4923  result = 1;
4924 
4925 end:
4926  if (alp_tctx != NULL)
4927  AppLayerParserThreadCtxFree(alp_tctx);
4928  if (de_ctx != NULL)
4929  DetectEngineCtxFree(de_ctx);
4930 
4931  StreamTcpFreeConfig(true);
4932  FLOW_DESTROY(&f);
4933  UTHFreePackets(&p, 1);
4934  return result;
4935 }
4936 
4937 /**
4938  * \test Test that the http_raw_host content matches against a http request
4939  * which holds the content.
4940  */
4941 static int DetectEngineHttpHRHTest03(void)
4942 {
4943  TcpSession ssn;
4944  Packet *p = NULL;
4945  ThreadVars th_v;
4946  DetectEngineCtx *de_ctx = NULL;
4947  DetectEngineThreadCtx *det_ctx = NULL;
4948  HtpState *http_state = NULL;
4949  Flow f;
4950  uint8_t http_buf[] =
4951  "GET /index.html HTTP/1.0\r\n"
4952  "Host: CONNECT\r\n"
4953  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
4954  uint32_t http_len = sizeof(http_buf) - 1;
4955  int result = 0;
4956  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4957 
4958  memset(&th_v, 0, sizeof(th_v));
4959  memset(&f, 0, sizeof(f));
4960  memset(&ssn, 0, sizeof(ssn));
4961 
4962  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4963 
4964  FLOW_INITIALIZE(&f);
4965  f.protoctx = (void *)&ssn;
4966  f.proto = IPPROTO_TCP;
4967  f.flags |= FLOW_IPV4;
4968  p->flow = &f;
4969  p->flowflags |= FLOW_PKT_TOSERVER;
4970  p->flowflags |= FLOW_PKT_ESTABLISHED;
4971  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4972  f.alproto = ALPROTO_HTTP1;
4973 
4974  StreamTcpInitConfig(true);
4975 
4976  de_ctx = DetectEngineCtxInit();
4977  if (de_ctx == NULL)
4978  goto end;
4979 
4980  de_ctx->flags |= DE_QUIET;
4981 
4982  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4983  "(msg:\"http_raw_host header test\"; "
4984  "content:!\"ECT\"; depth:4; http_raw_host; "
4985  "sid:1;)");
4986  if (de_ctx->sig_list == NULL)
4987  goto end;
4988 
4989  SigGroupBuild(de_ctx);
4990  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4991 
4992  int r = AppLayerParserParse(
4993  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
4994  if (r != 0) {
4995  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4996  result = 0;
4997  goto end;
4998  }
4999 
5000  http_state = f.alstate;
5001  if (http_state == NULL) {
5002  printf("no http state: ");
5003  result = 0;
5004  goto end;
5005  }
5006 
5007  /* do detect */
5008  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5009 
5010  if (!(PacketAlertCheck(p, 1))) {
5011  printf("sid 1 didn't match but should have: ");
5012  goto end;
5013  }
5014 
5015  result = 1;
5016 
5017 end:
5018  if (alp_tctx != NULL)
5019  AppLayerParserThreadCtxFree(alp_tctx);
5020  if (de_ctx != NULL)
5021  DetectEngineCtxFree(de_ctx);
5022 
5023  StreamTcpFreeConfig(true);
5024  FLOW_DESTROY(&f);
5025  UTHFreePackets(&p, 1);
5026  return result;
5027 }
5028 
5029 /**
5030  * \test Test that the http_raw_host content matches against a http request
5031  * which holds the content.
5032  */
5033 static int DetectEngineHttpHRHTest04(void)
5034 {
5035  TcpSession ssn;
5036  Packet *p = NULL;
5037  ThreadVars th_v;
5038  DetectEngineCtx *de_ctx = NULL;
5039  DetectEngineThreadCtx *det_ctx = NULL;
5040  HtpState *http_state = NULL;
5041  Flow f;
5042  uint8_t http_buf[] =
5043  "GET /index.html HTTP/1.0\r\n"
5044  "Host: CONNECT\r\n"
5045  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
5046  uint32_t http_len = sizeof(http_buf) - 1;
5047  int result = 0;
5048  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5049 
5050  memset(&th_v, 0, sizeof(th_v));
5051  memset(&f, 0, sizeof(f));
5052  memset(&ssn, 0, sizeof(ssn));
5053 
5054  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5055 
5056  FLOW_INITIALIZE(&f);
5057  f.protoctx = (void *)&ssn;
5058  f.proto = IPPROTO_TCP;
5059  f.flags |= FLOW_IPV4;
5060  p->flow = &f;
5061  p->flowflags |= FLOW_PKT_TOSERVER;
5062  p->flowflags |= FLOW_PKT_ESTABLISHED;
5063  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5064  f.alproto = ALPROTO_HTTP1;
5065 
5066  StreamTcpInitConfig(true);
5067 
5068  de_ctx = DetectEngineCtxInit();
5069  if (de_ctx == NULL)
5070  goto end;
5071 
5072  de_ctx->flags |= DE_QUIET;
5073 
5074  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5075  "(msg:\"http host header test\"; "
5076  "content:\"ECT\"; depth:4; http_raw_host; "
5077  "sid:1;)");
5078  if (de_ctx->sig_list == NULL)
5079  goto end;
5080 
5081  SigGroupBuild(de_ctx);
5082  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5083 
5084  int r = AppLayerParserParse(
5085  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5086  if (r != 0) {
5087  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5088  result = 0;
5089  goto end;
5090  }
5091 
5092  http_state = f.alstate;
5093  if (http_state == NULL) {
5094  printf("no http state: ");
5095  result = 0;
5096  goto end;
5097  }
5098 
5099  /* do detect */
5100  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5101 
5102  if (PacketAlertCheck(p, 1)) {
5103  printf("sid 1 matched but shouldn't have: ");
5104  goto end;
5105  }
5106 
5107  result = 1;
5108 
5109 end:
5110  if (alp_tctx != NULL)
5111  AppLayerParserThreadCtxFree(alp_tctx);
5112  if (de_ctx != NULL)
5113  DetectEngineCtxFree(de_ctx);
5114 
5115  StreamTcpFreeConfig(true);
5116  FLOW_DESTROY(&f);
5117  UTHFreePackets(&p, 1);
5118  return result;
5119 }
5120 
5121 /**
5122  * \test Test that the http_raw_host content matches against a http request
5123  * which holds the content.
5124  */
5125 static int DetectEngineHttpHRHTest05(void)
5126 {
5127  TcpSession ssn;
5128  Packet *p = NULL;
5129  ThreadVars th_v;
5130  DetectEngineCtx *de_ctx = NULL;
5131  DetectEngineThreadCtx *det_ctx = NULL;
5132  HtpState *http_state = NULL;
5133  Flow f;
5134  uint8_t http_buf[] =
5135  "GET /index.html HTTP/1.0\r\n"
5136  "Host: CONNECT\r\n"
5137  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
5138  uint32_t http_len = sizeof(http_buf) - 1;
5139  int result = 0;
5140  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5141 
5142  memset(&th_v, 0, sizeof(th_v));
5143  memset(&f, 0, sizeof(f));
5144  memset(&ssn, 0, sizeof(ssn));
5145 
5146  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5147 
5148  FLOW_INITIALIZE(&f);
5149  f.protoctx = (void *)&ssn;
5150  f.proto = IPPROTO_TCP;
5151  f.flags |= FLOW_IPV4;
5152  p->flow = &f;
5153  p->flowflags |= FLOW_PKT_TOSERVER;
5154  p->flowflags |= FLOW_PKT_ESTABLISHED;
5155  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5156  f.alproto = ALPROTO_HTTP1;
5157 
5158  StreamTcpInitConfig(true);
5159 
5160  de_ctx = DetectEngineCtxInit();
5161  if (de_ctx == NULL)
5162  goto end;
5163 
5164  de_ctx->flags |= DE_QUIET;
5165 
5166  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5167  "(msg:\"http host header test\"; "
5168  "content:!\"CON\"; depth:4; http_raw_host; "
5169  "sid:1;)");
5170  if (de_ctx->sig_list == NULL)
5171  goto end;
5172 
5173  SigGroupBuild(de_ctx);
5174  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5175 
5176  int r = AppLayerParserParse(
5177  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5178  if (r != 0) {
5179  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5180  result = 0;
5181  goto end;
5182  }
5183 
5184  http_state = f.alstate;
5185  if (http_state == NULL) {
5186  printf("no http state: ");
5187  result = 0;
5188  goto end;
5189  }
5190 
5191  /* do detect */
5192  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5193 
5194  if (PacketAlertCheck(p, 1)) {
5195  printf("sid 1 matched but shouldn't have: ");
5196  goto end;
5197  }
5198 
5199  result = 1;
5200 
5201 end:
5202  if (alp_tctx != NULL)
5203  AppLayerParserThreadCtxFree(alp_tctx);
5204  if (de_ctx != NULL)
5205  DetectEngineCtxFree(de_ctx);
5206 
5207  StreamTcpFreeConfig(true);
5208  FLOW_DESTROY(&f);
5209  UTHFreePackets(&p, 1);
5210  return result;
5211 }
5212 
5213 /**
5214  * \test Test that the http_raw_host header content matches against a http request
5215  * which holds the content.
5216  */
5217 static int DetectEngineHttpHRHTest06(void)
5218 {
5219  TcpSession ssn;
5220  Packet *p = NULL;
5221  ThreadVars th_v;
5222  DetectEngineCtx *de_ctx = NULL;
5223  DetectEngineThreadCtx *det_ctx = NULL;
5224  HtpState *http_state = NULL;
5225  Flow f;
5226  uint8_t http_buf[] =
5227  "GET /index.html HTTP/1.0\r\n"
5228  "Host: CONNECT\r\n"
5229  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
5230  uint32_t http_len = sizeof(http_buf) - 1;
5231  int result = 0;
5232  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5233 
5234  memset(&th_v, 0, sizeof(th_v));
5235  memset(&f, 0, sizeof(f));
5236  memset(&ssn, 0, sizeof(ssn));
5237 
5238  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5239 
5240  FLOW_INITIALIZE(&f);
5241  f.protoctx = (void *)&ssn;
5242  f.proto = IPPROTO_TCP;
5243  f.flags |= FLOW_IPV4;
5244  p->flow = &f;
5245  p->flowflags |= FLOW_PKT_TOSERVER;
5246  p->flowflags |= FLOW_PKT_ESTABLISHED;
5247  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5248  f.alproto = ALPROTO_HTTP1;
5249 
5250  StreamTcpInitConfig(true);
5251 
5252  de_ctx = DetectEngineCtxInit();
5253  if (de_ctx == NULL)
5254  goto end;
5255 
5256  de_ctx->flags |= DE_QUIET;
5257 
5258  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5259  "(msg:\"http host header test\"; "
5260  "content:\"ECT\"; offset:3; http_raw_host; "
5261  "sid:1;)");
5262  if (de_ctx->sig_list == NULL)
5263  goto end;
5264 
5265  SigGroupBuild(de_ctx);
5266  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5267 
5268  int r = AppLayerParserParse(
5269  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5270  if (r != 0) {
5271  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5272  result = 0;
5273  goto end;
5274  }
5275 
5276  http_state = f.alstate;
5277  if (http_state == NULL) {
5278  printf("no http state: ");
5279  result = 0;
5280  goto end;
5281  }
5282 
5283  /* do detect */
5284  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5285 
5286  if (!(PacketAlertCheck(p, 1))) {
5287  printf("sid 1 didn't match but should have: ");
5288  goto end;
5289  }
5290 
5291  result = 1;
5292 
5293 end:
5294  if (alp_tctx != NULL)
5295  AppLayerParserThreadCtxFree(alp_tctx);
5296  if (de_ctx != NULL)
5297  DetectEngineCtxFree(de_ctx);
5298 
5299  StreamTcpFreeConfig(true);
5300  FLOW_DESTROY(&f);
5301  UTHFreePackets(&p, 1);
5302  return result;
5303 }
5304 
5305 /**
5306  * \test Test that the http_raw_host content matches against a http request
5307  * which holds the content.
5308  */
5309 static int DetectEngineHttpHRHTest07(void)
5310 {
5311  TcpSession ssn;
5312  Packet *p = NULL;
5313  ThreadVars th_v;
5314  DetectEngineCtx *de_ctx = NULL;
5315  DetectEngineThreadCtx *det_ctx = NULL;
5316  HtpState *http_state = NULL;
5317  Flow f;
5318  uint8_t http_buf[] =
5319  "GET /index.html HTTP/1.0\r\n"
5320  "Host: CONNECT\r\n"
5321  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
5322  uint32_t http_len = sizeof(http_buf) - 1;
5323  int result = 0;
5324  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5325 
5326  memset(&th_v, 0, sizeof(th_v));
5327  memset(&f, 0, sizeof(f));
5328  memset(&ssn, 0, sizeof(ssn));
5329 
5330  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5331 
5332  FLOW_INITIALIZE(&f);
5333  f.protoctx = (void *)&ssn;
5334  f.proto = IPPROTO_TCP;
5335  f.flags |= FLOW_IPV4;
5336  p->flow = &f;
5337  p->flowflags |= FLOW_PKT_TOSERVER;
5338  p->flowflags |= FLOW_PKT_ESTABLISHED;
5339  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5340  f.alproto = ALPROTO_HTTP1;
5341 
5342  StreamTcpInitConfig(true);
5343 
5344  de_ctx = DetectEngineCtxInit();
5345  if (de_ctx == NULL)
5346  goto end;
5347 
5348  de_ctx->flags |= DE_QUIET;
5349 
5350  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5351  "(msg:\"http host header test\"; "
5352  "content:!\"CO\"; offset:3; http_raw_host; "
5353  "sid:1;)");
5354  if (de_ctx->sig_list == NULL)
5355  goto end;
5356 
5357  SigGroupBuild(de_ctx);
5358  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5359 
5360  int r = AppLayerParserParse(
5361  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5362  if (r != 0) {
5363  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5364  result = 0;
5365  goto end;
5366  }
5367 
5368  http_state = f.alstate;
5369  if (http_state == NULL) {
5370  printf("no http state: ");
5371  result = 0;
5372  goto end;
5373  }
5374 
5375  /* do detect */
5376  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5377 
5378  if (!(PacketAlertCheck(p, 1))) {
5379  printf("sid 1 didn't match but should have: ");
5380  goto end;
5381  }
5382 
5383  result = 1;
5384 
5385 end:
5386  if (alp_tctx != NULL)
5387  AppLayerParserThreadCtxFree(alp_tctx);
5388  if (de_ctx != NULL)
5389  DetectEngineCtxFree(de_ctx);
5390 
5391  StreamTcpFreeConfig(true);
5392  FLOW_DESTROY(&f);
5393  UTHFreePackets(&p, 1);
5394  return result;
5395 }
5396 
5397 /**
5398  * \test Test that the http_raw_host header content matches against a http request
5399  * which holds the content.
5400  */
5401 static int DetectEngineHttpHRHTest08(void)
5402 {
5403  TcpSession ssn;
5404  Packet *p = NULL;
5405  ThreadVars th_v;
5406  DetectEngineCtx *de_ctx = NULL;
5407  DetectEngineThreadCtx *det_ctx = NULL;
5408  HtpState *http_state = NULL;
5409  Flow f;
5410  uint8_t http_buf[] =
5411  "GET /index.html HTTP/1.0\r\n"
5412  "Host: CONNECT\r\n"
5413  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
5414  uint32_t http_len = sizeof(http_buf) - 1;
5415  int result = 0;
5416  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5417 
5418  memset(&th_v, 0, sizeof(th_v));
5419  memset(&f, 0, sizeof(f));
5420  memset(&ssn, 0, sizeof(ssn));
5421 
5422  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5423 
5424  FLOW_INITIALIZE(&f);
5425  f.protoctx = (void *)&ssn;
5426  f.proto = IPPROTO_TCP;
5427  f.flags |= FLOW_IPV4;
5428  p->flow = &f;
5429  p->flowflags |= FLOW_PKT_TOSERVER;
5430  p->flowflags |= FLOW_PKT_ESTABLISHED;
5431  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5432  f.alproto = ALPROTO_HTTP1;
5433 
5434  StreamTcpInitConfig(true);
5435 
5436  de_ctx = DetectEngineCtxInit();
5437  if (de_ctx == NULL)
5438  goto end;
5439 
5440  de_ctx->flags |= DE_QUIET;
5441 
5442  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5443  "(msg:\"http host header test\"; "
5444  "content:!\"ECT\"; offset:3; http_raw_host; "
5445  "sid:1;)");
5446  if (de_ctx->sig_list == NULL)
5447  goto end;
5448 
5449  SigGroupBuild(de_ctx);
5450  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5451 
5452  int r = AppLayerParserParse(
5453  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5454  if (r != 0) {
5455  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5456  result = 0;
5457  goto end;
5458  }
5459 
5460  http_state = f.alstate;
5461  if (http_state == NULL) {
5462  printf("no http state: ");
5463  result = 0;
5464  goto end;
5465  }
5466 
5467  /* do detect */
5468  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5469 
5470  if (PacketAlertCheck(p, 1)) {
5471  printf("sid 1 matched but shouldn't have: ");
5472  goto end;
5473  }
5474 
5475  result = 1;
5476 
5477 end:
5478  if (alp_tctx != NULL)
5479  AppLayerParserThreadCtxFree(alp_tctx);
5480  if (de_ctx != NULL)
5481  DetectEngineCtxFree(de_ctx);
5482 
5483  StreamTcpFreeConfig(true);
5484  FLOW_DESTROY(&f);
5485  UTHFreePackets(&p, 1);
5486  return result;
5487 }
5488 
5489 /**
5490  * \test Test that the http_raw_host header content matches against a http request
5491  * which holds the content.
5492  */
5493 static int DetectEngineHttpHRHTest09(void)
5494 {
5495  TcpSession ssn;
5496  Packet *p = NULL;
5497  ThreadVars th_v;
5498  DetectEngineCtx *de_ctx = NULL;
5499  DetectEngineThreadCtx *det_ctx = NULL;
5500  HtpState *http_state = NULL;
5501  Flow f;
5502  uint8_t http_buf[] =
5503  "GET /index.html HTTP/1.0\r\n"
5504  "Host: CONNECT\r\n"
5505  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
5506  uint32_t http_len = sizeof(http_buf) - 1;
5507  int result = 0;
5508  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5509 
5510  memset(&th_v, 0, sizeof(th_v));
5511  memset(&f, 0, sizeof(f));
5512  memset(&ssn, 0, sizeof(ssn));
5513 
5514  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5515 
5516  FLOW_INITIALIZE(&f);
5517  f.protoctx = (void *)&ssn;
5518  f.proto = IPPROTO_TCP;
5519  f.flags |= FLOW_IPV4;
5520  p->flow = &f;
5521  p->flowflags |= FLOW_PKT_TOSERVER;
5522  p->flowflags |= FLOW_PKT_ESTABLISHED;
5523  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5524  f.alproto = ALPROTO_HTTP1;
5525 
5526  StreamTcpInitConfig(true);
5527 
5528  de_ctx = DetectEngineCtxInit();
5529  if (de_ctx == NULL)
5530  goto end;
5531 
5532  de_ctx->flags |= DE_QUIET;
5533 
5534  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5535  "(msg:\"http host header test\"; "
5536  "content:\"CON\"; offset:3; http_raw_host; "
5537  "sid:1;)");
5538  if (de_ctx->sig_list == NULL)
5539  goto end;
5540 
5541  SigGroupBuild(de_ctx);
5542  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5543 
5544  int r = AppLayerParserParse(
5545  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5546  if (r != 0) {
5547  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5548  result = 0;
5549  goto end;
5550  }
5551 
5552  http_state = f.alstate;
5553  if (http_state == NULL) {
5554  printf("no http state: ");
5555  result = 0;
5556  goto end;
5557  }
5558 
5559  /* do detect */
5560  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5561 
5562  if (PacketAlertCheck(p, 1)) {
5563  printf("sid 1 matched but shouldn't have: ");
5564  goto end;
5565  }
5566 
5567  result = 1;
5568 
5569 end:
5570  if (alp_tctx != NULL)
5571  AppLayerParserThreadCtxFree(alp_tctx);
5572  if (de_ctx != NULL)
5573  DetectEngineCtxFree(de_ctx);
5574 
5575  StreamTcpFreeConfig(true);
5576  FLOW_DESTROY(&f);
5577  UTHFreePackets(&p, 1);
5578  return result;
5579 }
5580 
5581 /**
5582  * \test Test that the http_raw_host header content matches against a http request
5583  * which holds the content.
5584  */
5585 static int DetectEngineHttpHRHTest10(void)
5586 {
5587  TcpSession ssn;
5588  Packet *p = NULL;
5589  ThreadVars th_v;
5590  DetectEngineCtx *de_ctx = NULL;
5591  DetectEngineThreadCtx *det_ctx = NULL;
5592  HtpState *http_state = NULL;
5593  Flow f;
5594  uint8_t http_buf[] =
5595  "GET /index.html HTTP/1.0\r\n"
5596  "Host: CONNECT\r\n"
5597  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
5598  uint32_t http_len = sizeof(http_buf) - 1;
5599  int result = 0;
5600  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5601 
5602  memset(&th_v, 0, sizeof(th_v));
5603  memset(&f, 0, sizeof(f));
5604  memset(&ssn, 0, sizeof(ssn));
5605 
5606  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5607 
5608  FLOW_INITIALIZE(&f);
5609  f.protoctx = (void *)&ssn;
5610  f.proto = IPPROTO_TCP;
5611  f.flags |= FLOW_IPV4;
5612  p->flow = &f;
5613  p->flowflags |= FLOW_PKT_TOSERVER;
5614  p->flowflags |= FLOW_PKT_ESTABLISHED;
5615  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5616  f.alproto = ALPROTO_HTTP1;
5617 
5618  StreamTcpInitConfig(true);
5619 
5620  de_ctx = DetectEngineCtxInit();
5621  if (de_ctx == NULL)
5622  goto end;
5623 
5624  de_ctx->flags |= DE_QUIET;
5625 
5626  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5627  "(msg:\"http_raw_host header test\"; "
5628  "content:\"CO\"; http_raw_host; "
5629  "content:\"EC\"; within:4; http_raw_host; "
5630  "sid:1;)");
5631  if (de_ctx->sig_list == NULL)
5632  goto end;
5633 
5634  SigGroupBuild(de_ctx);
5635  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5636 
5637  int r = AppLayerParserParse(
5638  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5639  if (r != 0) {
5640  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5641  result = 0;
5642  goto end;
5643  }
5644 
5645  http_state = f.alstate;
5646  if (http_state == NULL) {
5647  printf("no http state: ");
5648  result = 0;
5649  goto end;
5650  }
5651 
5652  /* do detect */
5653  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5654 
5655  if (!PacketAlertCheck(p, 1)) {
5656  printf("sid 1 didn't match but should have: ");
5657  goto end;
5658  }
5659 
5660  result = 1;
5661 
5662 end:
5663  if (alp_tctx != NULL)
5664  AppLayerParserThreadCtxFree(alp_tctx);
5665  if (de_ctx != NULL)
5666  DetectEngineCtxFree(de_ctx);
5667 
5668  StreamTcpFreeConfig(true);
5669  FLOW_DESTROY(&f);
5670  UTHFreePackets(&p, 1);
5671  return result;
5672 }
5673 
5674 /**
5675  * \test Test that the http_raw_host header content matches against a http request
5676  * which holds the content.
5677  */
5678 static int DetectEngineHttpHRHTest11(void)
5679 {
5680  TcpSession ssn;
5681  Packet *p = NULL;
5682  ThreadVars th_v;
5683  DetectEngineCtx *de_ctx = NULL;
5684  DetectEngineThreadCtx *det_ctx = NULL;
5685  HtpState *http_state = NULL;
5686  Flow f;
5687  uint8_t http_buf[] =
5688  "GET /index.html HTTP/1.0\r\n"
5689  "Host: CONNECT\r\n"
5690  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
5691  uint32_t http_len = sizeof(http_buf) - 1;
5692  int result = 0;
5693  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5694 
5695  memset(&th_v, 0, sizeof(th_v));
5696  memset(&f, 0, sizeof(f));
5697  memset(&ssn, 0, sizeof(ssn));
5698 
5699  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5700 
5701  FLOW_INITIALIZE(&f);
5702  f.protoctx = (void *)&ssn;
5703  f.proto = IPPROTO_TCP;
5704  f.flags |= FLOW_IPV4;
5705  p->flow = &f;
5706  p->flowflags |= FLOW_PKT_TOSERVER;
5707  p->flowflags |= FLOW_PKT_ESTABLISHED;
5708  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5709  f.alproto = ALPROTO_HTTP1;
5710 
5711  StreamTcpInitConfig(true);
5712 
5713  de_ctx = DetectEngineCtxInit();
5714  if (de_ctx == NULL)
5715  goto end;
5716 
5717  de_ctx->flags |= DE_QUIET;
5718 
5719  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5720  "(msg:\"http_raw_host header test\"; "
5721  "content:\"CO\"; http_raw_host; "
5722  "content:!\"EC\"; within:3; http_raw_host; "
5723  "sid:1;)");
5724  if (de_ctx->sig_list == NULL)
5725  goto end;
5726 
5727  SigGroupBuild(de_ctx);
5728  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5729 
5730  int r = AppLayerParserParse(
5731  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5732  if (r != 0) {
5733  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5734  result = 0;
5735  goto end;
5736  }
5737 
5738  http_state = f.alstate;
5739  if (http_state == NULL) {
5740  printf("no http state: ");
5741  result = 0;
5742  goto end;
5743  }
5744 
5745  /* do detect */
5746  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5747 
5748  if (!PacketAlertCheck(p, 1)) {
5749  printf("sid 1 didn't match but should have: ");
5750  goto end;
5751  }
5752 
5753  result = 1;
5754 
5755 end:
5756  if (alp_tctx != NULL)
5757  AppLayerParserThreadCtxFree(alp_tctx);
5758  if (de_ctx != NULL)
5759  DetectEngineCtxFree(de_ctx);
5760 
5761  StreamTcpFreeConfig(true);
5762  FLOW_DESTROY(&f);
5763  UTHFreePackets(&p, 1);
5764  return result;
5765 }
5766 
5767 /**
5768  * \test Test that the http_raw_host header content matches against a http request
5769  * which holds the content.
5770  */
5771 static int DetectEngineHttpHRHTest12(void)
5772 {
5773  TcpSession ssn;
5774  Packet *p = NULL;
5775  ThreadVars th_v;
5776  DetectEngineCtx *de_ctx = NULL;
5777  DetectEngineThreadCtx *det_ctx = NULL;
5778  HtpState *http_state = NULL;
5779  Flow f;
5780  uint8_t http_buf[] =
5781  "GET /index.html HTTP/1.0\r\n"
5782  "Host: CONNECT\r\n"
5783  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
5784  uint32_t http_len = sizeof(http_buf) - 1;
5785  int result = 0;
5786  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5787 
5788  memset(&th_v, 0, sizeof(th_v));
5789  memset(&f, 0, sizeof(f));
5790  memset(&ssn, 0, sizeof(ssn));
5791 
5792  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5793 
5794  FLOW_INITIALIZE(&f);
5795  f.protoctx = (void *)&ssn;
5796  f.proto = IPPROTO_TCP;
5797  f.flags |= FLOW_IPV4;
5798  p->flow = &f;
5799  p->flowflags |= FLOW_PKT_TOSERVER;
5800  p->flowflags |= FLOW_PKT_ESTABLISHED;
5801  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5802  f.alproto = ALPROTO_HTTP1;
5803 
5804  StreamTcpInitConfig(true);
5805 
5806  de_ctx = DetectEngineCtxInit();
5807  if (de_ctx == NULL)
5808  goto end;
5809 
5810  de_ctx->flags |= DE_QUIET;
5811 
5812  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5813  "(msg:\"http_raw_host header test\"; "
5814  "content:\"CO\"; http_raw_host; "
5815  "content:\"EC\"; within:3; http_raw_host; "
5816  "sid:1;)");
5817  if (de_ctx->sig_list == NULL)
5818  goto end;
5819 
5820  SigGroupBuild(de_ctx);
5821  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5822 
5823  int r = AppLayerParserParse(
5824  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5825  if (r != 0) {
5826  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5827  result = 0;
5828  goto end;
5829  }
5830 
5831  http_state = f.alstate;
5832  if (http_state == NULL) {
5833  printf("no http state: ");
5834  result = 0;
5835  goto end;
5836  }
5837 
5838  /* do detect */
5839  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5840 
5841  if (PacketAlertCheck(p, 1)) {
5842  printf("sid 1 matched but shouldn't have: ");
5843  goto end;
5844  }
5845 
5846  result = 1;
5847 
5848 end:
5849  if (alp_tctx != NULL)
5850  AppLayerParserThreadCtxFree(alp_tctx);
5851  if (de_ctx != NULL)
5852  DetectEngineCtxFree(de_ctx);
5853 
5854  StreamTcpFreeConfig(true);
5855  FLOW_DESTROY(&f);
5856  UTHFreePackets(&p, 1);
5857  return result;
5858 }
5859 
5860 /**
5861  * \test Test that the http_raw_host header content matches against a http request
5862  * which holds the content.
5863  */
5864 static int DetectEngineHttpHRHTest13(void)
5865 {
5866  TcpSession ssn;
5867  Packet *p = NULL;
5868  ThreadVars th_v;
5869  DetectEngineCtx *de_ctx = NULL;
5870  DetectEngineThreadCtx *det_ctx = NULL;
5871  HtpState *http_state = NULL;
5872  Flow f;
5873  uint8_t http_buf[] =
5874  "GET /index.html HTTP/1.0\r\n"
5875  "Host: CONNECT\r\n"
5876  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
5877  uint32_t http_len = sizeof(http_buf) - 1;
5878  int result = 0;
5879  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5880 
5881  memset(&th_v, 0, sizeof(th_v));
5882  memset(&f, 0, sizeof(f));
5883  memset(&ssn, 0, sizeof(ssn));
5884 
5885  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5886 
5887  FLOW_INITIALIZE(&f);
5888  f.protoctx = (void *)&ssn;
5889  f.proto = IPPROTO_TCP;
5890  f.flags |= FLOW_IPV4;
5891  p->flow = &f;
5892  p->flowflags |= FLOW_PKT_TOSERVER;
5893  p->flowflags |= FLOW_PKT_ESTABLISHED;
5894  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5895  f.alproto = ALPROTO_HTTP1;
5896 
5897  StreamTcpInitConfig(true);
5898 
5899  de_ctx = DetectEngineCtxInit();
5900  if (de_ctx == NULL)
5901  goto end;
5902 
5903  de_ctx->flags |= DE_QUIET;
5904 
5905  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5906  "(msg:\"http_raw_host header test\"; "
5907  "content:\"CO\"; http_raw_host; "
5908  "content:!\"EC\"; within:4; http_raw_host; "
5909  "sid:1;)");
5910  if (de_ctx->sig_list == NULL)
5911  goto end;
5912 
5913  SigGroupBuild(de_ctx);
5914  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5915 
5916  int r = AppLayerParserParse(
5917  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
5918  if (r != 0) {
5919  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5920  result = 0;
5921  goto end;
5922  }
5923 
5924  http_state = f.alstate;
5925  if (http_state == NULL) {
5926  printf("no http state: ");
5927  result = 0;
5928  goto end;
5929  }
5930 
5931  /* do detect */
5932  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5933 
5934  if (PacketAlertCheck(p, 1)) {
5935  printf("sid 1 matched but shouldn't have: ");
5936  goto end;
5937  }
5938 
5939  result = 1;
5940 
5941 end:
5942  if (alp_tctx != NULL)
5943  AppLayerParserThreadCtxFree(alp_tctx);
5944  if (de_ctx != NULL)
5945  DetectEngineCtxFree(de_ctx);
5946 
5947  StreamTcpFreeConfig(true);
5948  FLOW_DESTROY(&f);
5949  UTHFreePackets(&p, 1);
5950  return result;
5951 }
5952 
5953 /**
5954  * \test Test that the http_raw_host header content matches against a http request
5955  * which holds the content.
5956  */
5957 static int DetectEngineHttpHRHTest14(void)
5958 {
5959  TcpSession ssn;
5960  Packet *p = NULL;
5961  ThreadVars th_v;
5962  DetectEngineCtx *de_ctx = NULL;
5963  DetectEngineThreadCtx *det_ctx = NULL;
5964  HtpState *http_state = NULL;
5965  Flow f;
5966  uint8_t http_buf[] =
5967  "GET /index.html HTTP/1.0\r\n"
5968  "Host: CONNECT\r\n"
5969  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
5970  uint32_t http_len = sizeof(http_buf) - 1;
5971  int result = 0;
5972  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5973 
5974  memset(&th_v, 0, sizeof(th_v));
5975  memset(&f, 0, sizeof(f));
5976  memset(&ssn, 0, sizeof(ssn));
5977 
5978  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5979 
5980  FLOW_INITIALIZE(&f);
5981  f.protoctx = (void *)&ssn;
5982  f.proto = IPPROTO_TCP;
5983  f.flags |= FLOW_IPV4;
5984  p->flow = &f;
5985  p->flowflags |= FLOW_PKT_TOSERVER;
5986  p->flowflags |= FLOW_PKT_ESTABLISHED;
5987  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5988  f.alproto = ALPROTO_HTTP1;
5989 
5990  StreamTcpInitConfig(true);
5991 
5992  de_ctx = DetectEngineCtxInit();
5993  if (de_ctx == NULL)
5994  goto end;
5995 
5996  de_ctx->flags |= DE_QUIET;
5997 
5998  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5999  "(msg:\"http_raw_host header test\"; "
6000  "content:\"CO\"; http_raw_host; "
6001  "content:\"EC\"; distance:2; http_raw_host; "
6002  "sid:1;)");
6003  if (de_ctx->sig_list == NULL)
6004  goto end;
6005 
6006  SigGroupBuild(de_ctx);
6007  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6008 
6009  int r = AppLayerParserParse(
6010  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6011  if (r != 0) {
6012  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6013  result = 0;
6014  goto end;
6015  }
6016 
6017  http_state = f.alstate;
6018  if (http_state == NULL) {
6019  printf("no http state: ");
6020  result = 0;
6021  goto end;
6022  }
6023 
6024  /* do detect */
6025  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6026 
6027  if (!PacketAlertCheck(p, 1)) {
6028  printf("sid 1 didn't match but should have: ");
6029  goto end;
6030  }
6031 
6032  result = 1;
6033 
6034 end:
6035  if (alp_tctx != NULL)
6036  AppLayerParserThreadCtxFree(alp_tctx);
6037  if (de_ctx != NULL)
6038  DetectEngineCtxFree(de_ctx);
6039 
6040  StreamTcpFreeConfig(true);
6041  FLOW_DESTROY(&f);
6042  UTHFreePackets(&p, 1);
6043  return result;
6044 }
6045 
6046 /**
6047  * \test Test that the http_raw_host header content matches against a http request
6048  * which holds the content.
6049  */
6050 static int DetectEngineHttpHRHTest15(void)
6051 {
6052  TcpSession ssn;
6053  Packet *p = NULL;
6054  ThreadVars th_v;
6055  DetectEngineCtx *de_ctx = NULL;
6056  DetectEngineThreadCtx *det_ctx = NULL;
6057  HtpState *http_state = NULL;
6058  Flow f;
6059  uint8_t http_buf[] =
6060  "GET /index.html HTTP/1.0\r\n"
6061  "Host: CONNECT\r\n"
6062  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
6063  uint32_t http_len = sizeof(http_buf) - 1;
6064  int result = 0;
6065  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6066 
6067  memset(&th_v, 0, sizeof(th_v));
6068  memset(&f, 0, sizeof(f));
6069  memset(&ssn, 0, sizeof(ssn));
6070 
6071  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6072 
6073  FLOW_INITIALIZE(&f);
6074  f.protoctx = (void *)&ssn;
6075  f.proto = IPPROTO_TCP;
6076  f.flags |= FLOW_IPV4;
6077  p->flow = &f;
6078  p->flowflags |= FLOW_PKT_TOSERVER;
6079  p->flowflags |= FLOW_PKT_ESTABLISHED;
6080  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6081  f.alproto = ALPROTO_HTTP1;
6082 
6083  StreamTcpInitConfig(true);
6084 
6085  de_ctx = DetectEngineCtxInit();
6086  if (de_ctx == NULL)
6087  goto end;
6088 
6089  de_ctx->flags |= DE_QUIET;
6090 
6091  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6092  "(msg:\"http_raw_host header test\"; "
6093  "content:\"CO\"; http_raw_host; "
6094  "content:!\"EC\"; distance:3; http_raw_host; "
6095  "sid:1;)");
6096  if (de_ctx->sig_list == NULL)
6097  goto end;
6098 
6099  SigGroupBuild(de_ctx);
6100  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6101 
6102  int r = AppLayerParserParse(
6103  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6104  if (r != 0) {
6105  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6106  result = 0;
6107  goto end;
6108  }
6109 
6110  http_state = f.alstate;
6111  if (http_state == NULL) {
6112  printf("no http state: ");
6113  result = 0;
6114  goto end;
6115  }
6116 
6117  /* do detect */
6118  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6119 
6120  if (!PacketAlertCheck(p, 1)) {
6121  printf("sid 1 didn't match but should have: ");
6122  goto end;
6123  }
6124 
6125  result = 1;
6126 
6127 end:
6128  if (alp_tctx != NULL)
6129  AppLayerParserThreadCtxFree(alp_tctx);
6130  if (de_ctx != NULL)
6131  DetectEngineCtxFree(de_ctx);
6132 
6133  StreamTcpFreeConfig(true);
6134  FLOW_DESTROY(&f);
6135  UTHFreePackets(&p, 1);
6136  return result;
6137 }
6138 
6139 /**
6140  * \test Test that the http_raw_host header content matches against a http request
6141  * which holds the content.
6142  */
6143 static int DetectEngineHttpHRHTest16(void)
6144 {
6145  TcpSession ssn;
6146  Packet *p = NULL;
6147  ThreadVars th_v;
6148  DetectEngineCtx *de_ctx = NULL;
6149  DetectEngineThreadCtx *det_ctx = NULL;
6150  HtpState *http_state = NULL;
6151  Flow f;
6152  uint8_t http_buf[] =
6153  "GET /index.html HTTP/1.0\r\n"
6154  "Host: CONNECT\r\n"
6155  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
6156  uint32_t http_len = sizeof(http_buf) - 1;
6157  int result = 0;
6158  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6159 
6160  memset(&th_v, 0, sizeof(th_v));
6161  memset(&f, 0, sizeof(f));
6162  memset(&ssn, 0, sizeof(ssn));
6163 
6164  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6165 
6166  FLOW_INITIALIZE(&f);
6167  f.protoctx = (void *)&ssn;
6168  f.proto = IPPROTO_TCP;
6169  f.flags |= FLOW_IPV4;
6170  p->flow = &f;
6171  p->flowflags |= FLOW_PKT_TOSERVER;
6172  p->flowflags |= FLOW_PKT_ESTABLISHED;
6173  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6174  f.alproto = ALPROTO_HTTP1;
6175 
6176  StreamTcpInitConfig(true);
6177 
6178  de_ctx = DetectEngineCtxInit();
6179  if (de_ctx == NULL)
6180  goto end;
6181 
6182  de_ctx->flags |= DE_QUIET;
6183 
6184  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6185  "(msg:\"http_raw_host header test\"; "
6186  "content:\"CO\"; http_raw_host; "
6187  "content:\"EC\"; distance:3; http_raw_host; "
6188  "sid:1;)");
6189  if (de_ctx->sig_list == NULL)
6190  goto end;
6191 
6192  SigGroupBuild(de_ctx);
6193  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6194 
6195  int r = AppLayerParserParse(
6196  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6197  if (r != 0) {
6198  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6199  result = 0;
6200  goto end;
6201  }
6202 
6203  http_state = f.alstate;
6204  if (http_state == NULL) {
6205  printf("no http state: ");
6206  result = 0;
6207  goto end;
6208  }
6209 
6210  /* do detect */
6211  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6212 
6213  if (PacketAlertCheck(p, 1)) {
6214  printf("sid 1 matched but shouldn't have: ");
6215  goto end;
6216  }
6217 
6218  result = 1;
6219 
6220 end:
6221  if (alp_tctx != NULL)
6222  AppLayerParserThreadCtxFree(alp_tctx);
6223  if (de_ctx != NULL)
6224  DetectEngineCtxFree(de_ctx);
6225 
6226  StreamTcpFreeConfig(true);
6227  FLOW_DESTROY(&f);
6228  UTHFreePackets(&p, 1);
6229  return result;
6230 }
6231 
6232 /**
6233  * \test Test that the http_raw_host header content matches against a http request
6234  * which holds the content.
6235  */
6236 static int DetectEngineHttpHRHTest17(void)
6237 {
6238  TcpSession ssn;
6239  Packet *p = NULL;
6240  ThreadVars th_v;
6241  DetectEngineCtx *de_ctx = NULL;
6242  DetectEngineThreadCtx *det_ctx = NULL;
6243  HtpState *http_state = NULL;
6244  Flow f;
6245  uint8_t http_buf[] =
6246  "GET /index.html HTTP/1.0\r\n"
6247  "Host: CONNECT\r\n"
6248  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
6249  uint32_t http_len = sizeof(http_buf) - 1;
6250  int result = 0;
6251  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6252 
6253  memset(&th_v, 0, sizeof(th_v));
6254  memset(&f, 0, sizeof(f));
6255  memset(&ssn, 0, sizeof(ssn));
6256 
6257  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6258 
6259  FLOW_INITIALIZE(&f);
6260  f.protoctx = (void *)&ssn;
6261  f.proto = IPPROTO_TCP;
6262  f.flags |= FLOW_IPV4;
6263  p->flow = &f;
6264  p->flowflags |= FLOW_PKT_TOSERVER;
6265  p->flowflags |= FLOW_PKT_ESTABLISHED;
6266  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6267  f.alproto = ALPROTO_HTTP1;
6268 
6269  StreamTcpInitConfig(true);
6270 
6271  de_ctx = DetectEngineCtxInit();
6272  if (de_ctx == NULL)
6273  goto end;
6274 
6275  de_ctx->flags |= DE_QUIET;
6276 
6277  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6278  "(msg:\"http_raw_host header test\"; "
6279  "content:\"CO\"; http_raw_host; "
6280  "content:!\"EC\"; distance:2; http_raw_host; "
6281  "sid:1;)");
6282  if (de_ctx->sig_list == NULL)
6283  goto end;
6284 
6285  SigGroupBuild(de_ctx);
6286  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6287 
6288  int r = AppLayerParserParse(
6289  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6290  if (r != 0) {
6291  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6292  result = 0;
6293  goto end;
6294  }
6295 
6296  http_state = f.alstate;
6297  if (http_state == NULL) {
6298  printf("no http state: ");
6299  result = 0;
6300  goto end;
6301  }
6302 
6303  /* do detect */
6304  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6305 
6306  if (PacketAlertCheck(p, 1)) {
6307  printf("sid 1 matched but shouldn't have: ");
6308  goto end;
6309  }
6310 
6311  result = 1;
6312 
6313 end:
6314  if (alp_tctx != NULL)
6315  AppLayerParserThreadCtxFree(alp_tctx);
6316  if (de_ctx != NULL)
6317  DetectEngineCtxFree(de_ctx);
6318 
6319  StreamTcpFreeConfig(true);
6320  FLOW_DESTROY(&f);
6321  UTHFreePackets(&p, 1);
6322  return result;
6323 }
6324 
6325 static int DetectEngineHttpHRHTest18(void)
6326 {
6327  TcpSession ssn;
6328  Packet *p = NULL;
6329  ThreadVars th_v;
6330  DetectEngineCtx *de_ctx = NULL;
6331  DetectEngineThreadCtx *det_ctx = NULL;
6332  HtpState *http_state = NULL;
6333  Flow f;
6334  uint8_t http_buf[] =
6335  "GET /index.html HTTP/1.0\r\n"
6336  "Host: www.kaboom.com:8080\r\n"
6337  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
6338  uint32_t http_len = sizeof(http_buf) - 1;
6339  int result = 0;
6340  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6341 
6342  memset(&th_v, 0, sizeof(th_v));
6343  memset(&f, 0, sizeof(f));
6344  memset(&ssn, 0, sizeof(ssn));
6345 
6346  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6347 
6348  FLOW_INITIALIZE(&f);
6349  f.protoctx = (void *)&ssn;
6350  f.proto = IPPROTO_TCP;
6351  f.flags |= FLOW_IPV4;
6352  p->flow = &f;
6353  p->flowflags |= FLOW_PKT_TOSERVER;
6354  p->flowflags |= FLOW_PKT_ESTABLISHED;
6355  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6356  f.alproto = ALPROTO_HTTP1;
6357 
6358  StreamTcpInitConfig(true);
6359 
6360  de_ctx = DetectEngineCtxInit();
6361  if (de_ctx == NULL)
6362  goto end;
6363 
6364  de_ctx->flags |= DE_QUIET;
6365 
6366  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6367  "(msg:\"http_raw_host header test\"; "
6368  "content:\"kaboom\"; http_raw_host; nocase; "
6369  "sid:1;)");
6370  if (de_ctx->sig_list == NULL)
6371  goto end;
6372 
6373  SigGroupBuild(de_ctx);
6374  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6375 
6376  int r = AppLayerParserParse(
6377  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6378  if (r != 0) {
6379  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6380  result = 0;
6381  goto end;
6382  }
6383 
6384  http_state = f.alstate;
6385  if (http_state == NULL) {
6386  printf("no http state: ");
6387  result = 0;
6388  goto end;
6389  }
6390 
6391  /* do detect */
6392  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6393 
6394  if (!PacketAlertCheck(p, 1)) {
6395  printf("sid 1 didn't match but should have: ");
6396  goto end;
6397  }
6398 
6399  result = 1;
6400 
6401 end:
6402  if (alp_tctx != NULL)
6403  AppLayerParserThreadCtxFree(alp_tctx);
6404  if (de_ctx != NULL)
6405  DetectEngineCtxFree(de_ctx);
6406 
6407  StreamTcpFreeConfig(true);
6408  FLOW_DESTROY(&f);
6409  UTHFreePackets(&p, 1);
6410  return result;
6411 }
6412 
6413 static int DetectEngineHttpHRHTest19(void)
6414 {
6415  TcpSession ssn;
6416  Packet *p = NULL;
6417  ThreadVars th_v;
6418  DetectEngineCtx *de_ctx = NULL;
6419  DetectEngineThreadCtx *det_ctx = NULL;
6420  HtpState *http_state = NULL;
6421  Flow f;
6422  uint8_t http_buf[] =
6423  "GET /index.html HTTP/1.0\r\n"
6424  "Host: www.kaboom.com:8080\r\n"
6425  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
6426  uint32_t http_len = sizeof(http_buf) - 1;
6427  int result = 0;
6428  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6429 
6430  memset(&th_v, 0, sizeof(th_v));
6431  memset(&f, 0, sizeof(f));
6432  memset(&ssn, 0, sizeof(ssn));
6433 
6434  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6435 
6436  FLOW_INITIALIZE(&f);
6437  f.protoctx = (void *)&ssn;
6438  f.proto = IPPROTO_TCP;
6439  f.flags |= FLOW_IPV4;
6440  p->flow = &f;
6441  p->flowflags |= FLOW_PKT_TOSERVER;
6442  p->flowflags |= FLOW_PKT_ESTABLISHED;
6443  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6444  f.alproto = ALPROTO_HTTP1;
6445 
6446  StreamTcpInitConfig(true);
6447 
6448  de_ctx = DetectEngineCtxInit();
6449  if (de_ctx == NULL)
6450  goto end;
6451 
6452  de_ctx->flags |= DE_QUIET;
6453 
6454  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6455  "(msg:\"http_raw_host header test\"; "
6456  "content:\"kaboom\"; http_raw_host; nocase; "
6457  "sid:1;)");
6458  if (de_ctx->sig_list == NULL)
6459  goto end;
6460 
6461  SigGroupBuild(de_ctx);
6462  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6463 
6464  int r = AppLayerParserParse(
6465  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6466  if (r != 0) {
6467  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6468  result = 0;
6469  goto end;
6470  }
6471 
6472  http_state = f.alstate;
6473  if (http_state == NULL) {
6474  printf("no http state: ");
6475  result = 0;
6476  goto end;
6477  }
6478 
6479  /* do detect */
6480  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6481 
6482  if (!PacketAlertCheck(p, 1)) {
6483  printf("sid 1 didn't match but should have: ");
6484  goto end;
6485  }
6486 
6487  result = 1;
6488 
6489 end:
6490  if (alp_tctx != NULL)
6491  AppLayerParserThreadCtxFree(alp_tctx);
6492  if (de_ctx != NULL)
6493  DetectEngineCtxFree(de_ctx);
6494 
6495  StreamTcpFreeConfig(true);
6496  FLOW_DESTROY(&f);
6497  UTHFreePackets(&p, 1);
6498  return result;
6499 }
6500 
6501 static int DetectEngineHttpHRHTest20(void)
6502 {
6503  TcpSession ssn;
6504  Packet *p = NULL;
6505  ThreadVars th_v;
6506  DetectEngineCtx *de_ctx = NULL;
6507  DetectEngineThreadCtx *det_ctx = NULL;
6508  HtpState *http_state = NULL;
6509  Flow f;
6510  uint8_t http_buf[] =
6511  "GET /index.html HTTP/1.0\r\n"
6512  "Host: www.kaboom.com:8080\r\n"
6513  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
6514  uint32_t http_len = sizeof(http_buf) - 1;
6515  int result = 0;
6516  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6517 
6518  memset(&th_v, 0, sizeof(th_v));
6519  memset(&f, 0, sizeof(f));
6520  memset(&ssn, 0, sizeof(ssn));
6521 
6522  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6523 
6524  FLOW_INITIALIZE(&f);
6525  f.protoctx = (void *)&ssn;
6526  f.proto = IPPROTO_TCP;
6527  f.flags |= FLOW_IPV4;
6528  p->flow = &f;
6529  p->flowflags |= FLOW_PKT_TOSERVER;
6530  p->flowflags |= FLOW_PKT_ESTABLISHED;
6531  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6532  f.alproto = ALPROTO_HTTP1;
6533 
6534  StreamTcpInitConfig(true);
6535 
6536  de_ctx = DetectEngineCtxInit();
6537  if (de_ctx == NULL)
6538  goto end;
6539 
6540  de_ctx->flags |= DE_QUIET;
6541 
6542  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6543  "(msg:\"http_raw_host header test\"; "
6544  "content:\"8080\"; http_raw_host; nocase; "
6545  "sid:1;)");
6546  if (de_ctx->sig_list == NULL)
6547  goto end;
6548 
6549  SigGroupBuild(de_ctx);
6550  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6551 
6552  int r = AppLayerParserParse(
6553  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6554  if (r != 0) {
6555  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6556  result = 0;
6557  goto end;
6558  }
6559 
6560  http_state = f.alstate;
6561  if (http_state == NULL) {
6562  printf("no http state: ");
6563  result = 0;
6564  goto end;
6565  }
6566 
6567  /* do detect */
6568  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6569 
6570  if (!PacketAlertCheck(p, 1)) {
6571  printf("sid 1 didn't match but it should have: ");
6572  goto end;
6573  }
6574 
6575  result = 1;
6576 
6577 end:
6578  if (alp_tctx != NULL)
6579  AppLayerParserThreadCtxFree(alp_tctx);
6580  if (de_ctx != NULL)
6581  DetectEngineCtxFree(de_ctx);
6582 
6583  StreamTcpFreeConfig(true);
6584  FLOW_DESTROY(&f);
6585  UTHFreePackets(&p, 1);
6586  return result;
6587 }
6588 
6589 static int DetectEngineHttpHRHTest21(void)
6590 {
6591  TcpSession ssn;
6592  Packet *p = NULL;
6593  ThreadVars th_v;
6594  DetectEngineCtx *de_ctx = NULL;
6595  DetectEngineThreadCtx *det_ctx = NULL;
6596  HtpState *http_state = NULL;
6597  Flow f;
6598  uint8_t http_buf[] =
6599  "GET http://www.kaboom.com/index.html HTTP/1.0\r\n"
6600  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
6601  uint32_t http_len = sizeof(http_buf) - 1;
6602  int result = 0;
6603  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6604 
6605  memset(&th_v, 0, sizeof(th_v));
6606  memset(&f, 0, sizeof(f));
6607  memset(&ssn, 0, sizeof(ssn));
6608 
6609  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6610 
6611  FLOW_INITIALIZE(&f);
6612  f.protoctx = (void *)&ssn;
6613  f.proto = IPPROTO_TCP;
6614  f.flags |= FLOW_IPV4;
6615  p->flow = &f;
6616  p->flowflags |= FLOW_PKT_TOSERVER;
6617  p->flowflags |= FLOW_PKT_ESTABLISHED;
6618  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6619  f.alproto = ALPROTO_HTTP1;
6620 
6621  StreamTcpInitConfig(true);
6622 
6623  de_ctx = DetectEngineCtxInit();
6624  if (de_ctx == NULL)
6625  goto end;
6626 
6627  de_ctx->flags |= DE_QUIET;
6628 
6629  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6630  "(msg:\"http_raw_host header test\"; "
6631  "content:\"kaboom\"; http_raw_host; nocase; "
6632  "sid:1;)");
6633  if (de_ctx->sig_list == NULL)
6634  goto end;
6635 
6636  SigGroupBuild(de_ctx);
6637  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6638 
6639  int r = AppLayerParserParse(
6640  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6641  if (r != 0) {
6642  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6643  result = 0;
6644  goto end;
6645  }
6646 
6647  http_state = f.alstate;
6648  if (http_state == NULL) {
6649  printf("no http state: ");
6650  result = 0;
6651  goto end;
6652  }
6653 
6654  /* do detect */
6655  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6656 
6657  if (!PacketAlertCheck(p, 1)) {
6658  printf("sid 1 didn't match but should have: ");
6659  goto end;
6660  }
6661 
6662  result = 1;
6663 
6664 end:
6665  if (alp_tctx != NULL)
6666  AppLayerParserThreadCtxFree(alp_tctx);
6667  if (de_ctx != NULL)
6668  DetectEngineCtxFree(de_ctx);
6669 
6670  StreamTcpFreeConfig(true);
6671  FLOW_DESTROY(&f);
6672  UTHFreePackets(&p, 1);
6673  return result;
6674 }
6675 
6676 static int DetectEngineHttpHRHTest22(void)
6677 {
6678  TcpSession ssn;
6679  Packet *p = NULL;
6680  ThreadVars th_v;
6681  DetectEngineCtx *de_ctx = NULL;
6682  DetectEngineThreadCtx *det_ctx = NULL;
6683  HtpState *http_state = NULL;
6684  Flow f;
6685  uint8_t http_buf[] =
6686  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
6687  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
6688  uint32_t http_len = sizeof(http_buf) - 1;
6689  int result = 0;
6690  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6691 
6692  memset(&th_v, 0, sizeof(th_v));
6693  memset(&f, 0, sizeof(f));
6694  memset(&ssn, 0, sizeof(ssn));
6695 
6696  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6697 
6698  FLOW_INITIALIZE(&f);
6699  f.protoctx = (void *)&ssn;
6700  f.proto = IPPROTO_TCP;
6701  f.flags |= FLOW_IPV4;
6702  p->flow = &f;
6703  p->flowflags |= FLOW_PKT_TOSERVER;
6704  p->flowflags |= FLOW_PKT_ESTABLISHED;
6705  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6706  f.alproto = ALPROTO_HTTP1;
6707 
6708  StreamTcpInitConfig(true);
6709 
6710  de_ctx = DetectEngineCtxInit();
6711  if (de_ctx == NULL)
6712  goto end;
6713 
6714  de_ctx->flags |= DE_QUIET;
6715 
6716  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6717  "(msg:\"http_raw_host header test\"; "
6718  "content:\"kaboom\"; http_raw_host; nocase; "
6719  "sid:1;)");
6720  if (de_ctx->sig_list == NULL)
6721  goto end;
6722 
6723  SigGroupBuild(de_ctx);
6724  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6725 
6726  int r = AppLayerParserParse(
6727  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6728  if (r != 0) {
6729  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6730  result = 0;
6731  goto end;
6732  }
6733 
6734  http_state = f.alstate;
6735  if (http_state == NULL) {
6736  printf("no http state: ");
6737  result = 0;
6738  goto end;
6739  }
6740 
6741  /* do detect */
6742  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6743 
6744  if (!PacketAlertCheck(p, 1)) {
6745  printf("sid 1 didn't match but should have: ");
6746  goto end;
6747  }
6748 
6749  result = 1;
6750 
6751 end:
6752  if (alp_tctx != NULL)
6753  AppLayerParserThreadCtxFree(alp_tctx);
6754  if (de_ctx != NULL)
6755  DetectEngineCtxFree(de_ctx);
6756 
6757  StreamTcpFreeConfig(true);
6758  FLOW_DESTROY(&f);
6759  UTHFreePackets(&p, 1);
6760  return result;
6761 }
6762 
6763 static int DetectEngineHttpHRHTest23(void)
6764 {
6765  TcpSession ssn;
6766  Packet *p = NULL;
6767  ThreadVars th_v;
6768  DetectEngineCtx *de_ctx = NULL;
6769  DetectEngineThreadCtx *det_ctx = NULL;
6770  HtpState *http_state = NULL;
6771  Flow f;
6772  uint8_t http_buf[] =
6773  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
6774  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
6775  uint32_t http_len = sizeof(http_buf) - 1;
6776  int result = 0;
6777  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6778 
6779  memset(&th_v, 0, sizeof(th_v));
6780  memset(&f, 0, sizeof(f));
6781  memset(&ssn, 0, sizeof(ssn));
6782 
6783  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6784 
6785  FLOW_INITIALIZE(&f);
6786  f.protoctx = (void *)&ssn;
6787  f.proto = IPPROTO_TCP;
6788  f.flags |= FLOW_IPV4;
6789  p->flow = &f;
6790  p->flowflags |= FLOW_PKT_TOSERVER;
6791  p->flowflags |= FLOW_PKT_ESTABLISHED;
6792  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6793  f.alproto = ALPROTO_HTTP1;
6794 
6795  StreamTcpInitConfig(true);
6796 
6797  de_ctx = DetectEngineCtxInit();
6798  if (de_ctx == NULL)
6799  goto end;
6800 
6801  de_ctx->flags |= DE_QUIET;
6802 
6803  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6804  "(msg:\"http_raw_host header test\"; "
6805  "content:\"8080\"; http_raw_host; nocase; "
6806  "sid:1;)");
6807  if (de_ctx->sig_list == NULL)
6808  goto end;
6809 
6810  SigGroupBuild(de_ctx);
6811  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6812 
6813  int r = AppLayerParserParse(
6814  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6815  if (r != 0) {
6816  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6817  result = 0;
6818  goto end;
6819  }
6820 
6821  http_state = f.alstate;
6822  if (http_state == NULL) {
6823  printf("no http state: ");
6824  result = 0;
6825  goto end;
6826  }
6827 
6828  /* do detect */
6829  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6830 
6831  if (PacketAlertCheck(p, 1)) {
6832  printf("sid 1 matched but it shouldn't have: ");
6833  goto end;
6834  }
6835 
6836  result = 1;
6837 
6838 end:
6839  if (alp_tctx != NULL)
6840  AppLayerParserThreadCtxFree(alp_tctx);
6841  if (de_ctx != NULL)
6842  DetectEngineCtxFree(de_ctx);
6843 
6844  StreamTcpFreeConfig(true);
6845  FLOW_DESTROY(&f);
6846  UTHFreePackets(&p, 1);
6847  return result;
6848 }
6849 
6850 static int DetectEngineHttpHRHTest24(void)
6851 {
6852  TcpSession ssn;
6853  Packet *p = NULL;
6854  ThreadVars th_v;
6855  DetectEngineCtx *de_ctx = NULL;
6856  DetectEngineThreadCtx *det_ctx = NULL;
6857  HtpState *http_state = NULL;
6858  Flow f;
6859  uint8_t http_buf[] =
6860  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
6861  "Host: www.rabbit.com\r\n"
6862  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
6863  uint32_t http_len = sizeof(http_buf) - 1;
6864  int result = 0;
6865  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6866 
6867  memset(&th_v, 0, sizeof(th_v));
6868  memset(&f, 0, sizeof(f));
6869  memset(&ssn, 0, sizeof(ssn));
6870 
6871  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6872 
6873  FLOW_INITIALIZE(&f);
6874  f.protoctx = (void *)&ssn;
6875  f.proto = IPPROTO_TCP;
6876  f.flags |= FLOW_IPV4;
6877  p->flow = &f;
6878  p->flowflags |= FLOW_PKT_TOSERVER;
6879  p->flowflags |= FLOW_PKT_ESTABLISHED;
6880  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6881  f.alproto = ALPROTO_HTTP1;
6882 
6883  StreamTcpInitConfig(true);
6884 
6885  de_ctx = DetectEngineCtxInit();
6886  if (de_ctx == NULL)
6887  goto end;
6888 
6889  de_ctx->flags |= DE_QUIET;
6890 
6891  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6892  "(msg:\"http_raw_host header test\"; "
6893  "content:\"kaboom\"; http_raw_host; nocase; "
6894  "sid:1;)");
6895  if (de_ctx->sig_list == NULL)
6896  goto end;
6897 
6898  SigGroupBuild(de_ctx);
6899  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6900 
6901  int r = AppLayerParserParse(
6902  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6903  if (r != 0) {
6904  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6905  result = 0;
6906  goto end;
6907  }
6908 
6909  http_state = f.alstate;
6910  if (http_state == NULL) {
6911  printf("no http state: ");
6912  result = 0;
6913  goto end;
6914  }
6915 
6916  /* do detect */
6917  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6918 
6919  if (!PacketAlertCheck(p, 1)) {
6920  printf("sid 1 didn't match but it should have: ");
6921  goto end;
6922  }
6923 
6924  result = 1;
6925 
6926 end:
6927  if (alp_tctx != NULL)
6928  AppLayerParserThreadCtxFree(alp_tctx);
6929  if (de_ctx != NULL)
6930  DetectEngineCtxFree(de_ctx);
6931 
6932  StreamTcpFreeConfig(true);
6933  FLOW_DESTROY(&f);
6934  UTHFreePackets(&p, 1);
6935  return result;
6936 }
6937 
6938 static int DetectEngineHttpHRHTest25(void)
6939 {
6940  TcpSession ssn;
6941  Packet *p = NULL;
6942  ThreadVars th_v;
6943  DetectEngineCtx *de_ctx = NULL;
6944  DetectEngineThreadCtx *det_ctx = NULL;
6945  HtpState *http_state = NULL;
6946  Flow f;
6947  uint8_t http_buf[] =
6948  "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
6949  "Host: www.rabbit.com\r\n"
6950  "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
6951  uint32_t http_len = sizeof(http_buf) - 1;
6952  int result = 0;
6953  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6954 
6955  memset(&th_v, 0, sizeof(th_v));
6956  memset(&f, 0, sizeof(f));
6957  memset(&ssn, 0, sizeof(ssn));
6958 
6959  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6960 
6961  FLOW_INITIALIZE(&f);
6962  f.protoctx = (void *)&ssn;
6963  f.proto = IPPROTO_TCP;
6964  f.flags |= FLOW_IPV4;
6965  p->flow = &f;
6966  p->flowflags |= FLOW_PKT_TOSERVER;
6967  p->flowflags |= FLOW_PKT_ESTABLISHED;
6968  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6969  f.alproto = ALPROTO_HTTP1;
6970 
6971  StreamTcpInitConfig(true);
6972 
6973  de_ctx = DetectEngineCtxInit();
6974  if (de_ctx == NULL)
6975  goto end;
6976 
6977  de_ctx->flags |= DE_QUIET;
6978 
6979  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6980  "(msg:\"http_raw_host header test\"; "
6981  "content:\"rabbit\"; http_raw_host; nocase; "
6982  "sid:1;)");
6983  if (de_ctx->sig_list == NULL)
6984  goto end;
6985 
6986  SigGroupBuild(de_ctx);
6987  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6988 
6989  int r = AppLayerParserParse(
6990  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
6991  if (r != 0) {
6992  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6993  result = 0;
6994  goto end;
6995  }
6996 
6997  http_state = f.alstate;
6998  if (http_state == NULL) {
6999  printf("no http state: ");
7000  result = 0;
7001  goto end;
7002  }
7003 
7004  /* do detect */
7005  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
7006 
7007  if (PacketAlertCheck(p, 1)) {
7008  printf("sid 1 matched but it shouldn't have: ");
7009  goto end;
7010  }
7011 
7012  result = 1;
7013 
7014 end:
7015  if (alp_tctx != NULL)
7016  AppLayerParserThreadCtxFree(alp_tctx);
7017  if (de_ctx != NULL)
7018  DetectEngineCtxFree(de_ctx);
7019 
7020  StreamTcpFreeConfig(true);
7021  FLOW_DESTROY(&f);
7022  UTHFreePackets(&p, 1);
7023  return result;
7024 }
7025 
7026 void DetectHttpHHRegisterTests(void)
7027 {
7028  UtRegisterTest("DetectHttpHHTest01", DetectHttpHHTest01);
7029  UtRegisterTest("DetectHttpHHTest02", DetectHttpHHTest02);
7030  UtRegisterTest("DetectHttpHHTest03", DetectHttpHHTest03);
7031  UtRegisterTest("DetectHttpHHTest04", DetectHttpHHTest04);
7032  UtRegisterTest("DetectHttpHHTest05", DetectHttpHHTest05);
7033  UtRegisterTest("DetectHttpHHTest05a", DetectHttpHHTest05a);
7034  UtRegisterTest("DetectHttpHHTest06", DetectHttpHHTest06);
7035  UtRegisterTest("DetectHttpHHTest07", DetectHttpHHTest07);
7036  UtRegisterTest("DetectHttpHHTest08", DetectHttpHHTest08);
7037  UtRegisterTest("DetectHttpHHTest09", DetectHttpHHTest09);
7038  UtRegisterTest("DetectHttpHHTest10", DetectHttpHHTest10);
7039  UtRegisterTest("DetectHttpHHTest11", DetectHttpHHTest11);
7040  UtRegisterTest("DetectHttpHHTest12", DetectHttpHHTest12);
7041  UtRegisterTest("DetectHttpHHTest13", DetectHttpHHTest13);
7042  UtRegisterTest("DetectHttpHHTest14", DetectHttpHHTest14);
7043 
7044  UtRegisterTest("DetectEngineHttpHHTest01", DetectEngineHttpHHTest01);
7045  UtRegisterTest("DetectEngineHttpHHTest02", DetectEngineHttpHHTest02);
7046  UtRegisterTest("DetectEngineHttpHHTest03", DetectEngineHttpHHTest03);
7047  UtRegisterTest("DetectEngineHttpHHTest04", DetectEngineHttpHHTest04);
7048  UtRegisterTest("DetectEngineHttpHHTest05", DetectEngineHttpHHTest05);
7049  UtRegisterTest("DetectEngineHttpHHTest06", DetectEngineHttpHHTest06);
7050  UtRegisterTest("DetectEngineHttpHHTest07", DetectEngineHttpHHTest07);
7051  UtRegisterTest("DetectEngineHttpHHTest08", DetectEngineHttpHHTest08);
7052  UtRegisterTest("DetectEngineHttpHHTest09", DetectEngineHttpHHTest09);
7053  UtRegisterTest("DetectEngineHttpHHTest10", DetectEngineHttpHHTest10);
7054  UtRegisterTest("DetectEngineHttpHHTest11", DetectEngineHttpHHTest11);
7055  UtRegisterTest("DetectEngineHttpHHTest12", DetectEngineHttpHHTest12);
7056  UtRegisterTest("DetectEngineHttpHHTest13", DetectEngineHttpHHTest13);
7057  UtRegisterTest("DetectEngineHttpHHTest14", DetectEngineHttpHHTest14);
7058  UtRegisterTest("DetectEngineHttpHHTest15", DetectEngineHttpHHTest15);
7059  UtRegisterTest("DetectEngineHttpHHTest16", DetectEngineHttpHHTest16);
7060  UtRegisterTest("DetectEngineHttpHHTest17", DetectEngineHttpHHTest17);
7061  UtRegisterTest("DetectEngineHttpHHTest18", DetectEngineHttpHHTest18);
7062  UtRegisterTest("DetectEngineHttpHHTest19", DetectEngineHttpHHTest19);
7063  UtRegisterTest("DetectEngineHttpHHTest20", DetectEngineHttpHHTest20);
7064  UtRegisterTest("DetectEngineHttpHHTest21", DetectEngineHttpHHTest21);
7065  UtRegisterTest("DetectEngineHttpHHTest22", DetectEngineHttpHHTest22);
7066  UtRegisterTest("DetectEngineHttpHHTest23", DetectEngineHttpHHTest23);
7067  UtRegisterTest("DetectEngineHttpHHTest24", DetectEngineHttpHHTest24);
7068  UtRegisterTest("DetectEngineHttpHHTest25", DetectEngineHttpHHTest25);
7069 
7070  UtRegisterTest("DetectHttpHRHTest06", DetectHttpHRHTest06);
7071  UtRegisterTest("DetectHttpHRHTest07", DetectHttpHRHTest07);
7072  UtRegisterTest("DetectHttpHRHTest08", DetectHttpHRHTest08);
7073  UtRegisterTest("DetectHttpHRHTest09", DetectHttpHRHTest09);
7074  UtRegisterTest("DetectHttpHRHTest10", DetectHttpHRHTest10);
7075  UtRegisterTest("DetectHttpHRHTest11", DetectHttpHRHTest11);
7076  UtRegisterTest("DetectHttpHRHTest12", DetectHttpHRHTest12);
7077  UtRegisterTest("DetectHttpHRHTest13", DetectHttpHRHTest13);
7078  UtRegisterTest("DetectHttpHRHTest14", DetectHttpHRHTest14);
7079 
7080  UtRegisterTest("DetectHttpHRHTest37", DetectHttpHRHTest37);
7081 
7082  UtRegisterTest("DetectEngineHttpHRHTest01", DetectEngineHttpHRHTest01);
7083  UtRegisterTest("DetectEngineHttpHRHTest02", DetectEngineHttpHRHTest02);
7084  UtRegisterTest("DetectEngineHttpHRHTest03", DetectEngineHttpHRHTest03);
7085  UtRegisterTest("DetectEngineHttpHRHTest04", DetectEngineHttpHRHTest04);
7086  UtRegisterTest("DetectEngineHttpHRHTest05", DetectEngineHttpHRHTest05);
7087  UtRegisterTest("DetectEngineHttpHRHTest06", DetectEngineHttpHRHTest06);
7088  UtRegisterTest("DetectEngineHttpHRHTest07", DetectEngineHttpHRHTest07);
7089  UtRegisterTest("DetectEngineHttpHRHTest08", DetectEngineHttpHRHTest08);
7090  UtRegisterTest("DetectEngineHttpHRHTest09", DetectEngineHttpHRHTest09);
7091  UtRegisterTest("DetectEngineHttpHRHTest10", DetectEngineHttpHRHTest10);
7092  UtRegisterTest("DetectEngineHttpHRHTest11", DetectEngineHttpHRHTest11);
7093  UtRegisterTest("DetectEngineHttpHRHTest12", DetectEngineHttpHRHTest12);
7094  UtRegisterTest("DetectEngineHttpHRHTest13", DetectEngineHttpHRHTest13);
7095  UtRegisterTest("DetectEngineHttpHRHTest14", DetectEngineHttpHRHTest14);
7096  UtRegisterTest("DetectEngineHttpHRHTest15", DetectEngineHttpHRHTest15);
7097  UtRegisterTest("DetectEngineHttpHRHTest16", DetectEngineHttpHRHTest16);
7098  UtRegisterTest("DetectEngineHttpHRHTest17", DetectEngineHttpHRHTest17);
7099  UtRegisterTest("DetectEngineHttpHRHTest18", DetectEngineHttpHRHTest18);
7100  UtRegisterTest("DetectEngineHttpHRHTest19", DetectEngineHttpHRHTest19);
7101  UtRegisterTest("DetectEngineHttpHRHTest20", DetectEngineHttpHRHTest20);
7102  UtRegisterTest("DetectEngineHttpHRHTest21", DetectEngineHttpHRHTest21);
7103  UtRegisterTest("DetectEngineHttpHRHTest22", DetectEngineHttpHRHTest22);
7104  UtRegisterTest("DetectEngineHttpHRHTest23", DetectEngineHttpHRHTest23);
7105  UtRegisterTest("DetectEngineHttpHRHTest24", DetectEngineHttpHRHTest24);
7106  UtRegisterTest("DetectEngineHttpHRHTest25", DetectEngineHttpHRHTest25);
7107 }
7108 
7109 /**
7110  * @}
7111  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1022
flow-util.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:373
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:290
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:324
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1897
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:54
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
Flow_::protoctx
void * protoctx
Definition: flow.h:441
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:601
util-unittest.h
HtpState_
Definition: app-layer-htp.h:244
util-unittest-helper.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1095
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
DetectHttpHHRegisterTests
void DetectHttpHHRegisterTests(void)
Definition: detect-http-host.c:7026
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2218
Packet_
Definition: decode.h:437
detect-engine-build.h
detect-engine-alert.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1292
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:847
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:448
Flow_::alstate
void * alstate
Definition: flow.h:476
Flow_::flags
uint32_t flags
Definition: flow.h:421
Signature_
Signature container.
Definition: detect.h:596
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
app-layer-protos.h
suricata.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:841
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1107
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1019
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:431