suricata
detect-http-method.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  *
29  * \brief Handle HTTP method match
30  *
31  */
32 
33 #include "../suricata-common.h"
34 #include "../suricata.h"
35 #include "../flow-util.h"
36 #include "../flow.h"
37 #include "../app-layer-parser.h"
38 
39 #include "../util-unittest.h"
40 #include "../util-unittest-helper.h"
41 #include "../app-layer.h"
42 #include "../app-layer-htp.h"
43 #include "../app-layer-protos.h"
44 #include "../detect-isdataat.h"
45 #include "../detect-engine-build.h"
46 #include "../detect-engine-alert.h"
47 
48 /**
49  * \test Test that the http_method content matches against a http request
50  * which holds the content.
51  */
52 static int DetectEngineHttpMethodTest01(void)
53 {
54  TcpSession ssn;
55  Packet *p = NULL;
56  ThreadVars th_v;
57  DetectEngineCtx *de_ctx = NULL;
58  DetectEngineThreadCtx *det_ctx = NULL;
59  HtpState *http_state = NULL;
60  Flow f;
61  uint8_t http_buf[] =
62  "GET /index.html HTTP/1.0\r\n"
63  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
64  uint32_t http_len = sizeof(http_buf) - 1;
65  int result = 0;
66  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
67 
68  memset(&th_v, 0, sizeof(th_v));
69  memset(&f, 0, sizeof(f));
70  memset(&ssn, 0, sizeof(ssn));
71 
72  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
73 
74  FLOW_INITIALIZE(&f);
75  f.protoctx = (void *)&ssn;
76  f.proto = IPPROTO_TCP;
77  f.flags |= FLOW_IPV4;
78  p->flow = &f;
79  p->flowflags |= FLOW_PKT_TOSERVER;
80  p->flowflags |= FLOW_PKT_ESTABLISHED;
81  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
82  f.alproto = ALPROTO_HTTP1;
83 
84  StreamTcpInitConfig(true);
85 
86  de_ctx = DetectEngineCtxInit();
87  if (de_ctx == NULL)
88  goto end;
89 
90  de_ctx->flags |= DE_QUIET;
91 
92  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
93  "(msg:\"http header test\"; "
94  "content:\"GET\"; http_method; "
95  "sid:1;)");
96  if (de_ctx->sig_list == NULL)
97  goto end;
98 
99  SigGroupBuild(de_ctx);
100  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
101 
102  int r = AppLayerParserParse(
103  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
104  if (r != 0) {
105  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
106  result = 0;
107  goto end;
108  }
109 
110  http_state = f.alstate;
111  if (http_state == NULL) {
112  printf("no http state: ");
113  result = 0;
114  goto end;
115  }
116 
117  /* do detect */
118  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
119 
120  if (!(PacketAlertCheck(p, 1))) {
121  printf("sid 1 didn't match but should have: ");
122  goto end;
123  }
124 
125  result = 1;
126 
127 end:
128  if (alp_tctx != NULL)
129  AppLayerParserThreadCtxFree(alp_tctx);
130  if (de_ctx != NULL)
131  DetectEngineCtxFree(de_ctx);
132 
133  StreamTcpFreeConfig(true);
134  FLOW_DESTROY(&f);
135  UTHFreePackets(&p, 1);
136  return result;
137 }
138 
139 /**
140  * \test Test that the http_method content matches against a http request
141  * which holds the content.
142  */
143 static int DetectEngineHttpMethodTest02(void)
144 {
145  TcpSession ssn;
146  Packet *p = NULL;
147  ThreadVars th_v;
148  DetectEngineCtx *de_ctx = NULL;
149  DetectEngineThreadCtx *det_ctx = NULL;
150  HtpState *http_state = NULL;
151  Flow f;
152  uint8_t http_buf[] =
153  "CONNECT /index.html HTTP/1.0\r\n"
154  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
155  uint32_t http_len = sizeof(http_buf) - 1;
156  int result = 0;
157  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
158 
159  memset(&th_v, 0, sizeof(th_v));
160  memset(&f, 0, sizeof(f));
161  memset(&ssn, 0, sizeof(ssn));
162 
163  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
164 
165  FLOW_INITIALIZE(&f);
166  f.protoctx = (void *)&ssn;
167  f.proto = IPPROTO_TCP;
168  f.flags |= FLOW_IPV4;
169  p->flow = &f;
170  p->flowflags |= FLOW_PKT_TOSERVER;
171  p->flowflags |= FLOW_PKT_ESTABLISHED;
172  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
173  f.alproto = ALPROTO_HTTP1;
174 
175  StreamTcpInitConfig(true);
176 
177  de_ctx = DetectEngineCtxInit();
178  if (de_ctx == NULL)
179  goto end;
180 
181  de_ctx->flags |= DE_QUIET;
182 
183  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
184  "(msg:\"http header test\"; "
185  "content:\"CO\"; depth:4; http_method; "
186  "sid:1;)");
187  if (de_ctx->sig_list == NULL)
188  goto end;
189 
190  SigGroupBuild(de_ctx);
191  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
192 
193  int r = AppLayerParserParse(
194  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
195  if (r != 0) {
196  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
197  result = 0;
198  goto end;
199  }
200 
201  http_state = f.alstate;
202  if (http_state == NULL) {
203  printf("no http state: ");
204  result = 0;
205  goto end;
206  }
207 
208  /* do detect */
209  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
210 
211  if (!(PacketAlertCheck(p, 1))) {
212  printf("sid 1 didn't match but should have: ");
213  goto end;
214  }
215 
216  result = 1;
217 
218 end:
219  if (alp_tctx != NULL)
220  AppLayerParserThreadCtxFree(alp_tctx);
221  if (de_ctx != NULL)
222  DetectEngineCtxFree(de_ctx);
223 
224  StreamTcpFreeConfig(true);
225  FLOW_DESTROY(&f);
226  UTHFreePackets(&p, 1);
227  return result;
228 }
229 
230 /**
231  * \test Test that the http_method content matches against a http request
232  * which holds the content.
233  */
234 static int DetectEngineHttpMethodTest03(void)
235 {
236  TcpSession ssn;
237  Packet *p = NULL;
238  ThreadVars th_v;
239  DetectEngineCtx *de_ctx = NULL;
240  DetectEngineThreadCtx *det_ctx = NULL;
241  HtpState *http_state = NULL;
242  Flow f;
243  uint8_t http_buf[] =
244  "CONNECT /index.html HTTP/1.0\r\n"
245  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
246  uint32_t http_len = sizeof(http_buf) - 1;
247  int result = 0;
248  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
249 
250  memset(&th_v, 0, sizeof(th_v));
251  memset(&f, 0, sizeof(f));
252  memset(&ssn, 0, sizeof(ssn));
253 
254  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
255 
256  FLOW_INITIALIZE(&f);
257  f.protoctx = (void *)&ssn;
258  f.proto = IPPROTO_TCP;
259  f.flags |= FLOW_IPV4;
260  p->flow = &f;
261  p->flowflags |= FLOW_PKT_TOSERVER;
262  p->flowflags |= FLOW_PKT_ESTABLISHED;
263  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
264  f.alproto = ALPROTO_HTTP1;
265 
266  StreamTcpInitConfig(true);
267 
268  de_ctx = DetectEngineCtxInit();
269  if (de_ctx == NULL)
270  goto end;
271 
272  de_ctx->flags |= DE_QUIET;
273 
274  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
275  "(msg:\"http header test\"; "
276  "content:!\"ECT\"; depth:4; http_method; "
277  "sid:1;)");
278  if (de_ctx->sig_list == NULL)
279  goto end;
280 
281  SigGroupBuild(de_ctx);
282  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
283 
284  int r = AppLayerParserParse(
285  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
286  if (r != 0) {
287  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
288  result = 0;
289  goto end;
290  }
291 
292  http_state = f.alstate;
293  if (http_state == NULL) {
294  printf("no http state: ");
295  result = 0;
296  goto end;
297  }
298 
299  /* do detect */
300  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
301 
302  if (!(PacketAlertCheck(p, 1))) {
303  printf("sid 1 didn't match but should have: ");
304  goto end;
305  }
306 
307  result = 1;
308 
309 end:
310  if (alp_tctx != NULL)
311  AppLayerParserThreadCtxFree(alp_tctx);
312  if (de_ctx != NULL)
313  DetectEngineCtxFree(de_ctx);
314 
315  StreamTcpFreeConfig(true);
316  FLOW_DESTROY(&f);
317  UTHFreePackets(&p, 1);
318  return result;
319 }
320 
321 /**
322  * \test Test that the http_method content matches against a http request
323  * which holds the content.
324  */
325 static int DetectEngineHttpMethodTest04(void)
326 {
327  TcpSession ssn;
328  Packet *p = NULL;
329  ThreadVars th_v;
330  DetectEngineCtx *de_ctx = NULL;
331  DetectEngineThreadCtx *det_ctx = NULL;
332  HtpState *http_state = NULL;
333  Flow f;
334  uint8_t http_buf[] =
335  "CONNECT /index.html HTTP/1.0\r\n"
336  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
337  uint32_t http_len = sizeof(http_buf) - 1;
338  int result = 0;
339  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
340 
341  memset(&th_v, 0, sizeof(th_v));
342  memset(&f, 0, sizeof(f));
343  memset(&ssn, 0, sizeof(ssn));
344 
345  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
346 
347  FLOW_INITIALIZE(&f);
348  f.protoctx = (void *)&ssn;
349  f.proto = IPPROTO_TCP;
350  f.flags |= FLOW_IPV4;
351  p->flow = &f;
352  p->flowflags |= FLOW_PKT_TOSERVER;
353  p->flowflags |= FLOW_PKT_ESTABLISHED;
354  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
355  f.alproto = ALPROTO_HTTP1;
356 
357  StreamTcpInitConfig(true);
358 
359  de_ctx = DetectEngineCtxInit();
360  if (de_ctx == NULL)
361  goto end;
362 
363  de_ctx->flags |= DE_QUIET;
364 
365  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
366  "(msg:\"http header test\"; "
367  "content:\"ECT\"; depth:4; http_method; "
368  "sid:1;)");
369  if (de_ctx->sig_list == NULL)
370  goto end;
371 
372  SigGroupBuild(de_ctx);
373  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
374 
375  int r = AppLayerParserParse(
376  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
377  if (r != 0) {
378  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
379  result = 0;
380  goto end;
381  }
382 
383  http_state = f.alstate;
384  if (http_state == NULL) {
385  printf("no http state: ");
386  result = 0;
387  goto end;
388  }
389 
390  /* do detect */
391  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
392 
393  if (PacketAlertCheck(p, 1)) {
394  printf("sid 1 matched but shouldn't have: ");
395  goto end;
396  }
397 
398  result = 1;
399 
400 end:
401  if (alp_tctx != NULL)
402  AppLayerParserThreadCtxFree(alp_tctx);
403  if (de_ctx != NULL)
404  DetectEngineCtxFree(de_ctx);
405 
406  StreamTcpFreeConfig(true);
407  FLOW_DESTROY(&f);
408  UTHFreePackets(&p, 1);
409  return result;
410 }
411 
412 /**
413  * \test Test that the http_method content matches against a http request
414  * which holds the content.
415  */
416 static int DetectEngineHttpMethodTest05(void)
417 {
418  TcpSession ssn;
419  Packet *p = NULL;
420  ThreadVars th_v;
421  DetectEngineCtx *de_ctx = NULL;
422  DetectEngineThreadCtx *det_ctx = NULL;
423  HtpState *http_state = NULL;
424  Flow f;
425  uint8_t http_buf[] =
426  "CONNECT /index.html HTTP/1.0\r\n"
427  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
428  uint32_t http_len = sizeof(http_buf) - 1;
429  int result = 0;
430  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
431 
432  memset(&th_v, 0, sizeof(th_v));
433  memset(&f, 0, sizeof(f));
434  memset(&ssn, 0, sizeof(ssn));
435 
436  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
437 
438  FLOW_INITIALIZE(&f);
439  f.protoctx = (void *)&ssn;
440  f.proto = IPPROTO_TCP;
441  f.flags |= FLOW_IPV4;
442  p->flow = &f;
443  p->flowflags |= FLOW_PKT_TOSERVER;
444  p->flowflags |= FLOW_PKT_ESTABLISHED;
445  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
446  f.alproto = ALPROTO_HTTP1;
447 
448  StreamTcpInitConfig(true);
449 
450  de_ctx = DetectEngineCtxInit();
451  if (de_ctx == NULL)
452  goto end;
453 
454  de_ctx->flags |= DE_QUIET;
455 
456  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
457  "(msg:\"http header test\"; "
458  "content:!\"CON\"; depth:4; http_method; "
459  "sid:1;)");
460  if (de_ctx->sig_list == NULL)
461  goto end;
462 
463  SigGroupBuild(de_ctx);
464  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
465 
466  int r = AppLayerParserParse(
467  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
468  if (r != 0) {
469  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
470  result = 0;
471  goto end;
472  }
473 
474  http_state = f.alstate;
475  if (http_state == NULL) {
476  printf("no http state: ");
477  result = 0;
478  goto end;
479  }
480 
481  /* do detect */
482  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
483 
484  if (PacketAlertCheck(p, 1)) {
485  printf("sid 1 matched but shouldn't have: ");
486  goto end;
487  }
488 
489  result = 1;
490 
491 end:
492  if (alp_tctx != NULL)
493  AppLayerParserThreadCtxFree(alp_tctx);
494  if (de_ctx != NULL)
495  DetectEngineCtxFree(de_ctx);
496 
497  StreamTcpFreeConfig(true);
498  FLOW_DESTROY(&f);
499  UTHFreePackets(&p, 1);
500  return result;
501 }
502 
503 /**
504  * \test Test that the http_method content matches against a http request
505  * which holds the content.
506  */
507 static int DetectEngineHttpMethodTest06(void)
508 {
509  TcpSession ssn;
510  Packet *p = NULL;
511  ThreadVars th_v;
512  DetectEngineCtx *de_ctx = NULL;
513  DetectEngineThreadCtx *det_ctx = NULL;
514  HtpState *http_state = NULL;
515  Flow f;
516  uint8_t http_buf[] =
517  "CONNECT /index.html HTTP/1.0\r\n"
518  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
519  uint32_t http_len = sizeof(http_buf) - 1;
520  int result = 0;
521  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
522 
523  memset(&th_v, 0, sizeof(th_v));
524  memset(&f, 0, sizeof(f));
525  memset(&ssn, 0, sizeof(ssn));
526 
527  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
528 
529  FLOW_INITIALIZE(&f);
530  f.protoctx = (void *)&ssn;
531  f.proto = IPPROTO_TCP;
532  f.flags |= FLOW_IPV4;
533  p->flow = &f;
534  p->flowflags |= FLOW_PKT_TOSERVER;
535  p->flowflags |= FLOW_PKT_ESTABLISHED;
536  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
537  f.alproto = ALPROTO_HTTP1;
538 
539  StreamTcpInitConfig(true);
540 
541  de_ctx = DetectEngineCtxInit();
542  if (de_ctx == NULL)
543  goto end;
544 
545  de_ctx->flags |= DE_QUIET;
546 
547  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
548  "(msg:\"http header test\"; "
549  "content:\"ECT\"; offset:3; http_method; "
550  "sid:1;)");
551  if (de_ctx->sig_list == NULL)
552  goto end;
553 
554  SigGroupBuild(de_ctx);
555  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
556 
557  int r = AppLayerParserParse(
558  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
559  if (r != 0) {
560  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
561  result = 0;
562  goto end;
563  }
564 
565  http_state = f.alstate;
566  if (http_state == NULL) {
567  printf("no http state: ");
568  result = 0;
569  goto end;
570  }
571 
572  /* do detect */
573  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
574 
575  if (!(PacketAlertCheck(p, 1))) {
576  printf("sid 1 didn't match but should have: ");
577  goto end;
578  }
579 
580  result = 1;
581 
582 end:
583  if (alp_tctx != NULL)
584  AppLayerParserThreadCtxFree(alp_tctx);
585  if (de_ctx != NULL)
586  DetectEngineCtxFree(de_ctx);
587 
588  StreamTcpFreeConfig(true);
589  FLOW_DESTROY(&f);
590  UTHFreePackets(&p, 1);
591  return result;
592 }
593 
594 /**
595  * \test Test that the http_method content matches against a http request
596  * which holds the content.
597  */
598 static int DetectEngineHttpMethodTest07(void)
599 {
600  TcpSession ssn;
601  Packet *p = NULL;
602  ThreadVars th_v;
603  DetectEngineCtx *de_ctx = NULL;
604  DetectEngineThreadCtx *det_ctx = NULL;
605  HtpState *http_state = NULL;
606  Flow f;
607  uint8_t http_buf[] =
608  "CONNECT /index.html HTTP/1.0\r\n"
609  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
610  uint32_t http_len = sizeof(http_buf) - 1;
611  int result = 0;
612  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
613 
614  memset(&th_v, 0, sizeof(th_v));
615  memset(&f, 0, sizeof(f));
616  memset(&ssn, 0, sizeof(ssn));
617 
618  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
619 
620  FLOW_INITIALIZE(&f);
621  f.protoctx = (void *)&ssn;
622  f.proto = IPPROTO_TCP;
623  f.flags |= FLOW_IPV4;
624  p->flow = &f;
625  p->flowflags |= FLOW_PKT_TOSERVER;
626  p->flowflags |= FLOW_PKT_ESTABLISHED;
627  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
628  f.alproto = ALPROTO_HTTP1;
629 
630  StreamTcpInitConfig(true);
631 
632  de_ctx = DetectEngineCtxInit();
633  if (de_ctx == NULL)
634  goto end;
635 
636  de_ctx->flags |= DE_QUIET;
637 
638  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
639  "(msg:\"http header test\"; "
640  "content:!\"CO\"; offset:3; http_method; "
641  "sid:1;)");
642  if (de_ctx->sig_list == NULL)
643  goto end;
644 
645  SigGroupBuild(de_ctx);
646  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
647 
648  int r = AppLayerParserParse(
649  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
650  if (r != 0) {
651  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
652  result = 0;
653  goto end;
654  }
655 
656  http_state = f.alstate;
657  if (http_state == NULL) {
658  printf("no http state: ");
659  result = 0;
660  goto end;
661  }
662 
663  /* do detect */
664  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
665 
666  if (!(PacketAlertCheck(p, 1))) {
667  printf("sid 1 didn't match but should have: ");
668  goto end;
669  }
670 
671  result = 1;
672 
673 end:
674  if (alp_tctx != NULL)
675  AppLayerParserThreadCtxFree(alp_tctx);
676  if (de_ctx != NULL)
677  DetectEngineCtxFree(de_ctx);
678 
679  StreamTcpFreeConfig(true);
680  FLOW_DESTROY(&f);
681  UTHFreePackets(&p, 1);
682  return result;
683 }
684 
685 /**
686  * \test Test that the http_method content matches against a http request
687  * which holds the content.
688  */
689 static int DetectEngineHttpMethodTest08(void)
690 {
691  TcpSession ssn;
692  Packet *p = NULL;
693  ThreadVars th_v;
694  DetectEngineCtx *de_ctx = NULL;
695  DetectEngineThreadCtx *det_ctx = NULL;
696  HtpState *http_state = NULL;
697  Flow f;
698  uint8_t http_buf[] =
699  "CONNECT /index.html HTTP/1.0\r\n"
700  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
701  uint32_t http_len = sizeof(http_buf) - 1;
702  int result = 0;
703  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
704 
705  memset(&th_v, 0, sizeof(th_v));
706  memset(&f, 0, sizeof(f));
707  memset(&ssn, 0, sizeof(ssn));
708 
709  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
710 
711  FLOW_INITIALIZE(&f);
712  f.protoctx = (void *)&ssn;
713  f.proto = IPPROTO_TCP;
714  f.flags |= FLOW_IPV4;
715  p->flow = &f;
716  p->flowflags |= FLOW_PKT_TOSERVER;
717  p->flowflags |= FLOW_PKT_ESTABLISHED;
718  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
719  f.alproto = ALPROTO_HTTP1;
720 
721  StreamTcpInitConfig(true);
722 
723  de_ctx = DetectEngineCtxInit();
724  if (de_ctx == NULL)
725  goto end;
726 
727  de_ctx->flags |= DE_QUIET;
728 
729  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
730  "(msg:\"http header test\"; "
731  "content:!\"ECT\"; offset:3; http_method; "
732  "sid:1;)");
733  if (de_ctx->sig_list == NULL)
734  goto end;
735 
736  SigGroupBuild(de_ctx);
737  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
738 
739  int r = AppLayerParserParse(
740  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
741  if (r != 0) {
742  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
743  result = 0;
744  goto end;
745  }
746 
747  http_state = f.alstate;
748  if (http_state == NULL) {
749  printf("no http state: ");
750  result = 0;
751  goto end;
752  }
753 
754  /* do detect */
755  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
756 
757  if (PacketAlertCheck(p, 1)) {
758  printf("sid 1 matched but shouldn't have: ");
759  goto end;
760  }
761 
762  result = 1;
763 
764 end:
765  if (alp_tctx != NULL)
766  AppLayerParserThreadCtxFree(alp_tctx);
767  if (de_ctx != NULL)
768  DetectEngineCtxFree(de_ctx);
769 
770  StreamTcpFreeConfig(true);
771  FLOW_DESTROY(&f);
772  UTHFreePackets(&p, 1);
773  return result;
774 }
775 
776 /**
777  * \test Test that the http_method content matches against a http request
778  * which holds the content.
779  */
780 static int DetectEngineHttpMethodTest09(void)
781 {
782  TcpSession ssn;
783  Packet *p = NULL;
784  ThreadVars th_v;
785  DetectEngineCtx *de_ctx = NULL;
786  DetectEngineThreadCtx *det_ctx = NULL;
787  HtpState *http_state = NULL;
788  Flow f;
789  uint8_t http_buf[] =
790  "CONNECT /index.html HTTP/1.0\r\n"
791  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
792  uint32_t http_len = sizeof(http_buf) - 1;
793  int result = 0;
794  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
795 
796  memset(&th_v, 0, sizeof(th_v));
797  memset(&f, 0, sizeof(f));
798  memset(&ssn, 0, sizeof(ssn));
799 
800  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
801 
802  FLOW_INITIALIZE(&f);
803  f.protoctx = (void *)&ssn;
804  f.proto = IPPROTO_TCP;
805  f.flags |= FLOW_IPV4;
806  p->flow = &f;
807  p->flowflags |= FLOW_PKT_TOSERVER;
808  p->flowflags |= FLOW_PKT_ESTABLISHED;
809  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
810  f.alproto = ALPROTO_HTTP1;
811 
812  StreamTcpInitConfig(true);
813 
814  de_ctx = DetectEngineCtxInit();
815  if (de_ctx == NULL)
816  goto end;
817 
818  de_ctx->flags |= DE_QUIET;
819 
820  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
821  "(msg:\"http header test\"; "
822  "content:\"CON\"; offset:3; http_method; "
823  "sid:1;)");
824  if (de_ctx->sig_list == NULL)
825  goto end;
826 
827  SigGroupBuild(de_ctx);
828  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
829 
830  int r = AppLayerParserParse(
831  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
832  if (r != 0) {
833  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
834  result = 0;
835  goto end;
836  }
837 
838  http_state = f.alstate;
839  if (http_state == NULL) {
840  printf("no http state: ");
841  result = 0;
842  goto end;
843  }
844 
845  /* do detect */
846  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
847 
848  if (PacketAlertCheck(p, 1)) {
849  printf("sid 1 matched but shouldn't have: ");
850  goto end;
851  }
852 
853  result = 1;
854 
855 end:
856  if (alp_tctx != NULL)
857  AppLayerParserThreadCtxFree(alp_tctx);
858  if (de_ctx != NULL)
859  DetectEngineCtxFree(de_ctx);
860 
861  StreamTcpFreeConfig(true);
862  FLOW_DESTROY(&f);
863  UTHFreePackets(&p, 1);
864  return result;
865 }
866 
867 /**
868  * \test Test that the http_method content matches against a http request
869  * which holds the content.
870  */
871 static int DetectEngineHttpMethodTest10(void)
872 {
873  TcpSession ssn;
874  Packet *p = NULL;
875  ThreadVars th_v;
876  DetectEngineCtx *de_ctx = NULL;
877  DetectEngineThreadCtx *det_ctx = NULL;
878  HtpState *http_state = NULL;
879  Flow f;
880  uint8_t http_buf[] =
881  "CONNECT /index.html HTTP/1.0\r\n"
882  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
883  uint32_t http_len = sizeof(http_buf) - 1;
884  int result = 0;
885  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
886 
887  memset(&th_v, 0, sizeof(th_v));
888  memset(&f, 0, sizeof(f));
889  memset(&ssn, 0, sizeof(ssn));
890 
891  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
892 
893  FLOW_INITIALIZE(&f);
894  f.protoctx = (void *)&ssn;
895  f.proto = IPPROTO_TCP;
896  f.flags |= FLOW_IPV4;
897  p->flow = &f;
898  p->flowflags |= FLOW_PKT_TOSERVER;
899  p->flowflags |= FLOW_PKT_ESTABLISHED;
900  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
901  f.alproto = ALPROTO_HTTP1;
902 
903  StreamTcpInitConfig(true);
904 
905  de_ctx = DetectEngineCtxInit();
906  if (de_ctx == NULL)
907  goto end;
908 
909  de_ctx->flags |= DE_QUIET;
910 
911  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
912  "(msg:\"http header test\"; "
913  "content:\"CO\"; http_method; "
914  "content:\"EC\"; within:4; http_method; "
915  "sid:1;)");
916  if (de_ctx->sig_list == NULL)
917  goto end;
918 
919  SigGroupBuild(de_ctx);
920  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
921 
922  int r = AppLayerParserParse(
923  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
924  if (r != 0) {
925  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
926  result = 0;
927  goto end;
928  }
929 
930  http_state = f.alstate;
931  if (http_state == NULL) {
932  printf("no http state: ");
933  result = 0;
934  goto end;
935  }
936 
937  /* do detect */
938  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
939 
940  if (!PacketAlertCheck(p, 1)) {
941  printf("sid 1 didn't match but should have: ");
942  goto end;
943  }
944 
945  result = 1;
946 
947 end:
948  if (alp_tctx != NULL)
949  AppLayerParserThreadCtxFree(alp_tctx);
950  if (de_ctx != NULL)
951  DetectEngineCtxFree(de_ctx);
952 
953  StreamTcpFreeConfig(true);
954  FLOW_DESTROY(&f);
955  UTHFreePackets(&p, 1);
956  return result;
957 }
958 
959 /**
960  * \test Test that the http_method content matches against a http request
961  * which holds the content.
962  */
963 static int DetectEngineHttpMethodTest11(void)
964 {
965  TcpSession ssn;
966  Packet *p = NULL;
967  ThreadVars th_v;
968  DetectEngineCtx *de_ctx = NULL;
969  DetectEngineThreadCtx *det_ctx = NULL;
970  HtpState *http_state = NULL;
971  Flow f;
972  uint8_t http_buf[] =
973  "CONNECT /index.html HTTP/1.0\r\n"
974  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
975  uint32_t http_len = sizeof(http_buf) - 1;
976  int result = 0;
977  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
978 
979  memset(&th_v, 0, sizeof(th_v));
980  memset(&f, 0, sizeof(f));
981  memset(&ssn, 0, sizeof(ssn));
982 
983  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
984 
985  FLOW_INITIALIZE(&f);
986  f.protoctx = (void *)&ssn;
987  f.proto = IPPROTO_TCP;
988  f.flags |= FLOW_IPV4;
989  p->flow = &f;
990  p->flowflags |= FLOW_PKT_TOSERVER;
991  p->flowflags |= FLOW_PKT_ESTABLISHED;
992  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
993  f.alproto = ALPROTO_HTTP1;
994 
995  StreamTcpInitConfig(true);
996 
997  de_ctx = DetectEngineCtxInit();
998  if (de_ctx == NULL)
999  goto end;
1000 
1001  de_ctx->flags |= DE_QUIET;
1002 
1003  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1004  "(msg:\"http header test\"; "
1005  "content:\"CO\"; http_method; "
1006  "content:!\"EC\"; within:3; http_method; "
1007  "sid:1;)");
1008  if (de_ctx->sig_list == NULL)
1009  goto end;
1010 
1011  SigGroupBuild(de_ctx);
1012  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1013 
1014  int r = AppLayerParserParse(
1015  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1016  if (r != 0) {
1017  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1018  result = 0;
1019  goto end;
1020  }
1021 
1022  http_state = f.alstate;
1023  if (http_state == NULL) {
1024  printf("no http state: ");
1025  result = 0;
1026  goto end;
1027  }
1028 
1029  /* do detect */
1030  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1031 
1032  if (!PacketAlertCheck(p, 1)) {
1033  printf("sid 1 didn't match but should have: ");
1034  goto end;
1035  }
1036 
1037  result = 1;
1038 
1039 end:
1040  if (alp_tctx != NULL)
1041  AppLayerParserThreadCtxFree(alp_tctx);
1042  if (de_ctx != NULL)
1043  DetectEngineCtxFree(de_ctx);
1044 
1045  StreamTcpFreeConfig(true);
1046  FLOW_DESTROY(&f);
1047  UTHFreePackets(&p, 1);
1048  return result;
1049 }
1050 
1051 /**
1052  * \test Test that the http_method content matches against a http request
1053  * which holds the content.
1054  */
1055 static int DetectEngineHttpMethodTest12(void)
1056 {
1057  TcpSession ssn;
1058  Packet *p = NULL;
1059  ThreadVars th_v;
1060  DetectEngineCtx *de_ctx = NULL;
1061  DetectEngineThreadCtx *det_ctx = NULL;
1062  HtpState *http_state = NULL;
1063  Flow f;
1064  uint8_t http_buf[] =
1065  "CONNECT /index.html HTTP/1.0\r\n"
1066  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1067  uint32_t http_len = sizeof(http_buf) - 1;
1068  int result = 0;
1069  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1070 
1071  memset(&th_v, 0, sizeof(th_v));
1072  memset(&f, 0, sizeof(f));
1073  memset(&ssn, 0, sizeof(ssn));
1074 
1075  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1076 
1077  FLOW_INITIALIZE(&f);
1078  f.protoctx = (void *)&ssn;
1079  f.proto = IPPROTO_TCP;
1080  f.flags |= FLOW_IPV4;
1081  p->flow = &f;
1082  p->flowflags |= FLOW_PKT_TOSERVER;
1083  p->flowflags |= FLOW_PKT_ESTABLISHED;
1084  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1085  f.alproto = ALPROTO_HTTP1;
1086 
1087  StreamTcpInitConfig(true);
1088 
1089  de_ctx = DetectEngineCtxInit();
1090  if (de_ctx == NULL)
1091  goto end;
1092 
1093  de_ctx->flags |= DE_QUIET;
1094 
1095  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1096  "(msg:\"http header test\"; "
1097  "content:\"CO\"; http_method; "
1098  "content:\"EC\"; within:3; http_method; "
1099  "sid:1;)");
1100  if (de_ctx->sig_list == NULL)
1101  goto end;
1102 
1103  SigGroupBuild(de_ctx);
1104  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1105 
1106  int r = AppLayerParserParse(
1107  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1108  if (r != 0) {
1109  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1110  result = 0;
1111  goto end;
1112  }
1113 
1114  http_state = f.alstate;
1115  if (http_state == NULL) {
1116  printf("no http state: ");
1117  result = 0;
1118  goto end;
1119  }
1120 
1121  /* do detect */
1122  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1123 
1124  if (PacketAlertCheck(p, 1)) {
1125  printf("sid 1 matched but shouldn't have: ");
1126  goto end;
1127  }
1128 
1129  result = 1;
1130 
1131 end:
1132  if (alp_tctx != NULL)
1133  AppLayerParserThreadCtxFree(alp_tctx);
1134  if (de_ctx != NULL)
1135  DetectEngineCtxFree(de_ctx);
1136 
1137  StreamTcpFreeConfig(true);
1138  FLOW_DESTROY(&f);
1139  UTHFreePackets(&p, 1);
1140  return result;
1141 }
1142 
1143 /**
1144  * \test Test that the http_method content matches against a http request
1145  * which holds the content.
1146  */
1147 static int DetectEngineHttpMethodTest13(void)
1148 {
1149  TcpSession ssn;
1150  Packet *p = NULL;
1151  ThreadVars th_v;
1152  DetectEngineCtx *de_ctx = NULL;
1153  DetectEngineThreadCtx *det_ctx = NULL;
1154  HtpState *http_state = NULL;
1155  Flow f;
1156  uint8_t http_buf[] =
1157  "CONNECT /index.html HTTP/1.0\r\n"
1158  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1159  uint32_t http_len = sizeof(http_buf) - 1;
1160  int result = 0;
1161  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1162 
1163  memset(&th_v, 0, sizeof(th_v));
1164  memset(&f, 0, sizeof(f));
1165  memset(&ssn, 0, sizeof(ssn));
1166 
1167  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1168 
1169  FLOW_INITIALIZE(&f);
1170  f.protoctx = (void *)&ssn;
1171  f.proto = IPPROTO_TCP;
1172  f.flags |= FLOW_IPV4;
1173  p->flow = &f;
1174  p->flowflags |= FLOW_PKT_TOSERVER;
1175  p->flowflags |= FLOW_PKT_ESTABLISHED;
1176  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1177  f.alproto = ALPROTO_HTTP1;
1178 
1179  StreamTcpInitConfig(true);
1180 
1181  de_ctx = DetectEngineCtxInit();
1182  if (de_ctx == NULL)
1183  goto end;
1184 
1185  de_ctx->flags |= DE_QUIET;
1186 
1187  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1188  "(msg:\"http header test\"; "
1189  "content:\"CO\"; http_method; "
1190  "content:!\"EC\"; within:4; http_method; "
1191  "sid:1;)");
1192  if (de_ctx->sig_list == NULL)
1193  goto end;
1194 
1195  SigGroupBuild(de_ctx);
1196  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1197 
1198  int r = AppLayerParserParse(
1199  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1200  if (r != 0) {
1201  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1202  result = 0;
1203  goto end;
1204  }
1205 
1206  http_state = f.alstate;
1207  if (http_state == NULL) {
1208  printf("no http state: ");
1209  result = 0;
1210  goto end;
1211  }
1212 
1213  /* do detect */
1214  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1215 
1216  if (PacketAlertCheck(p, 1)) {
1217  printf("sid 1 matched but shouldn't have: ");
1218  goto end;
1219  }
1220 
1221  result = 1;
1222 
1223 end:
1224  if (alp_tctx != NULL)
1225  AppLayerParserThreadCtxFree(alp_tctx);
1226  if (de_ctx != NULL)
1227  DetectEngineCtxFree(de_ctx);
1228 
1229  StreamTcpFreeConfig(true);
1230  FLOW_DESTROY(&f);
1231  UTHFreePackets(&p, 1);
1232  return result;
1233 }
1234 
1235 /**
1236  * \test Test that the http_method content matches against a http request
1237  * which holds the content.
1238  */
1239 static int DetectEngineHttpMethodTest14(void)
1240 {
1241  TcpSession ssn;
1242  Packet *p = NULL;
1243  ThreadVars th_v;
1244  DetectEngineCtx *de_ctx = NULL;
1245  DetectEngineThreadCtx *det_ctx = NULL;
1246  HtpState *http_state = NULL;
1247  Flow f;
1248  uint8_t http_buf[] =
1249  "CONNECT /index.html HTTP/1.0\r\n"
1250  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1251  uint32_t http_len = sizeof(http_buf) - 1;
1252  int result = 0;
1253  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1254 
1255  memset(&th_v, 0, sizeof(th_v));
1256  memset(&f, 0, sizeof(f));
1257  memset(&ssn, 0, sizeof(ssn));
1258 
1259  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1260 
1261  FLOW_INITIALIZE(&f);
1262  f.protoctx = (void *)&ssn;
1263  f.proto = IPPROTO_TCP;
1264  f.flags |= FLOW_IPV4;
1265  p->flow = &f;
1266  p->flowflags |= FLOW_PKT_TOSERVER;
1267  p->flowflags |= FLOW_PKT_ESTABLISHED;
1268  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1269  f.alproto = ALPROTO_HTTP1;
1270 
1271  StreamTcpInitConfig(true);
1272 
1273  de_ctx = DetectEngineCtxInit();
1274  if (de_ctx == NULL)
1275  goto end;
1276 
1277  de_ctx->flags |= DE_QUIET;
1278 
1279  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1280  "(msg:\"http header test\"; "
1281  "content:\"CO\"; http_method; "
1282  "content:\"EC\"; distance:2; http_method; "
1283  "sid:1;)");
1284  if (de_ctx->sig_list == NULL)
1285  goto end;
1286 
1287  SigGroupBuild(de_ctx);
1288  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1289 
1290  int r = AppLayerParserParse(
1291  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1292  if (r != 0) {
1293  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1294  result = 0;
1295  goto end;
1296  }
1297 
1298  http_state = f.alstate;
1299  if (http_state == NULL) {
1300  printf("no http state: ");
1301  result = 0;
1302  goto end;
1303  }
1304 
1305  /* do detect */
1306  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1307 
1308  if (!PacketAlertCheck(p, 1)) {
1309  printf("sid 1 didn't match but should have: ");
1310  goto end;
1311  }
1312 
1313  result = 1;
1314 
1315 end:
1316  if (alp_tctx != NULL)
1317  AppLayerParserThreadCtxFree(alp_tctx);
1318  if (de_ctx != NULL)
1319  DetectEngineCtxFree(de_ctx);
1320 
1321  StreamTcpFreeConfig(true);
1322  FLOW_DESTROY(&f);
1323  UTHFreePackets(&p, 1);
1324  return result;
1325 }
1326 
1327 /**
1328  * \test Test that the http_method content matches against a http request
1329  * which holds the content.
1330  */
1331 static int DetectEngineHttpMethodTest15(void)
1332 {
1333  TcpSession ssn;
1334  Packet *p = NULL;
1335  ThreadVars th_v;
1336  DetectEngineCtx *de_ctx = NULL;
1337  DetectEngineThreadCtx *det_ctx = NULL;
1338  HtpState *http_state = NULL;
1339  Flow f;
1340  uint8_t http_buf[] =
1341  "CONNECT /index.html HTTP/1.0\r\n"
1342  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1343  uint32_t http_len = sizeof(http_buf) - 1;
1344  int result = 0;
1345  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1346 
1347  memset(&th_v, 0, sizeof(th_v));
1348  memset(&f, 0, sizeof(f));
1349  memset(&ssn, 0, sizeof(ssn));
1350 
1351  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1352 
1353  FLOW_INITIALIZE(&f);
1354  f.protoctx = (void *)&ssn;
1355  f.proto = IPPROTO_TCP;
1356  f.flags |= FLOW_IPV4;
1357  p->flow = &f;
1358  p->flowflags |= FLOW_PKT_TOSERVER;
1359  p->flowflags |= FLOW_PKT_ESTABLISHED;
1360  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1361  f.alproto = ALPROTO_HTTP1;
1362 
1363  StreamTcpInitConfig(true);
1364 
1365  de_ctx = DetectEngineCtxInit();
1366  if (de_ctx == NULL)
1367  goto end;
1368 
1369  de_ctx->flags |= DE_QUIET;
1370 
1371  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1372  "(msg:\"http header test\"; "
1373  "content:\"CO\"; http_method; "
1374  "content:!\"EC\"; distance:3; http_method; "
1375  "sid:1;)");
1376  if (de_ctx->sig_list == NULL)
1377  goto end;
1378 
1379  SigGroupBuild(de_ctx);
1380  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1381 
1382  int r = AppLayerParserParse(
1383  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1384  if (r != 0) {
1385  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1386  result = 0;
1387  goto end;
1388  }
1389 
1390  http_state = f.alstate;
1391  if (http_state == NULL) {
1392  printf("no http state: ");
1393  result = 0;
1394  goto end;
1395  }
1396 
1397  /* do detect */
1398  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1399 
1400  if (!PacketAlertCheck(p, 1)) {
1401  printf("sid 1 didn't match but should have: ");
1402  goto end;
1403  }
1404 
1405  result = 1;
1406 
1407 end:
1408  if (alp_tctx != NULL)
1409  AppLayerParserThreadCtxFree(alp_tctx);
1410  if (de_ctx != NULL)
1411  DetectEngineCtxFree(de_ctx);
1412 
1413  StreamTcpFreeConfig(true);
1414  FLOW_DESTROY(&f);
1415  UTHFreePackets(&p, 1);
1416  return result;
1417 }
1418 
1419 /**
1420  * \test Test that the http_method content matches against a http request
1421  * which holds the content.
1422  */
1423 static int DetectEngineHttpMethodTest16(void)
1424 {
1425  TcpSession ssn;
1426  Packet *p = NULL;
1427  ThreadVars th_v;
1428  DetectEngineCtx *de_ctx = NULL;
1429  DetectEngineThreadCtx *det_ctx = NULL;
1430  HtpState *http_state = NULL;
1431  Flow f;
1432  uint8_t http_buf[] =
1433  "CONNECT /index.html HTTP/1.0\r\n"
1434  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1435  uint32_t http_len = sizeof(http_buf) - 1;
1436  int result = 0;
1437  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1438 
1439  memset(&th_v, 0, sizeof(th_v));
1440  memset(&f, 0, sizeof(f));
1441  memset(&ssn, 0, sizeof(ssn));
1442 
1443  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1444 
1445  FLOW_INITIALIZE(&f);
1446  f.protoctx = (void *)&ssn;
1447  f.proto = IPPROTO_TCP;
1448  f.flags |= FLOW_IPV4;
1449  p->flow = &f;
1450  p->flowflags |= FLOW_PKT_TOSERVER;
1451  p->flowflags |= FLOW_PKT_ESTABLISHED;
1452  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1453  f.alproto = ALPROTO_HTTP1;
1454 
1455  StreamTcpInitConfig(true);
1456 
1457  de_ctx = DetectEngineCtxInit();
1458  if (de_ctx == NULL)
1459  goto end;
1460 
1461  de_ctx->flags |= DE_QUIET;
1462 
1463  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1464  "(msg:\"http header test\"; "
1465  "content:\"CO\"; http_method; "
1466  "content:\"EC\"; distance:3; http_method; "
1467  "sid:1;)");
1468  if (de_ctx->sig_list == NULL)
1469  goto end;
1470 
1471  SigGroupBuild(de_ctx);
1472  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1473 
1474  int r = AppLayerParserParse(
1475  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1476  if (r != 0) {
1477  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1478  result = 0;
1479  goto end;
1480  }
1481 
1482  http_state = f.alstate;
1483  if (http_state == NULL) {
1484  printf("no http state: ");
1485  result = 0;
1486  goto end;
1487  }
1488 
1489  /* do detect */
1490  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1491 
1492  if (PacketAlertCheck(p, 1)) {
1493  printf("sid 1 matched but shouldn't have: ");
1494  goto end;
1495  }
1496 
1497  result = 1;
1498 
1499 end:
1500  if (alp_tctx != NULL)
1501  AppLayerParserThreadCtxFree(alp_tctx);
1502  if (de_ctx != NULL)
1503  DetectEngineCtxFree(de_ctx);
1504 
1505  StreamTcpFreeConfig(true);
1506  FLOW_DESTROY(&f);
1507  UTHFreePackets(&p, 1);
1508  return result;
1509 }
1510 
1511 /**
1512  * \test Test that the http_method content matches against a http request
1513  * which holds the content.
1514  */
1515 static int DetectEngineHttpMethodTest17(void)
1516 {
1517  TcpSession ssn;
1518  Packet *p = NULL;
1519  ThreadVars th_v;
1520  DetectEngineCtx *de_ctx = NULL;
1521  DetectEngineThreadCtx *det_ctx = NULL;
1522  HtpState *http_state = NULL;
1523  Flow f;
1524  uint8_t http_buf[] =
1525  "CONNECT /index.html HTTP/1.0\r\n"
1526  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1527  uint32_t http_len = sizeof(http_buf) - 1;
1528  int result = 0;
1529  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1530 
1531  memset(&th_v, 0, sizeof(th_v));
1532  memset(&f, 0, sizeof(f));
1533  memset(&ssn, 0, sizeof(ssn));
1534 
1535  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1536 
1537  FLOW_INITIALIZE(&f);
1538  f.protoctx = (void *)&ssn;
1539  f.proto = IPPROTO_TCP;
1540  f.flags |= FLOW_IPV4;
1541  p->flow = &f;
1542  p->flowflags |= FLOW_PKT_TOSERVER;
1543  p->flowflags |= FLOW_PKT_ESTABLISHED;
1544  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1545  f.alproto = ALPROTO_HTTP1;
1546 
1547  StreamTcpInitConfig(true);
1548 
1549  de_ctx = DetectEngineCtxInit();
1550  if (de_ctx == NULL)
1551  goto end;
1552 
1553  de_ctx->flags |= DE_QUIET;
1554 
1555  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1556  "(msg:\"http header test\"; "
1557  "content:\"CO\"; http_method; "
1558  "content:!\"EC\"; distance:2; http_method; "
1559  "sid:1;)");
1560  if (de_ctx->sig_list == NULL)
1561  goto end;
1562 
1563  SigGroupBuild(de_ctx);
1564  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1565 
1566  int r = AppLayerParserParse(
1567  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1568  if (r != 0) {
1569  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1570  result = 0;
1571  goto end;
1572  }
1573 
1574  http_state = f.alstate;
1575  if (http_state == NULL) {
1576  printf("no http state: ");
1577  result = 0;
1578  goto end;
1579  }
1580 
1581  /* do detect */
1582  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1583 
1584  if (PacketAlertCheck(p, 1)) {
1585  printf("sid 1 matched but shouldn't have: ");
1586  goto end;
1587  }
1588 
1589  result = 1;
1590 
1591 end:
1592  if (alp_tctx != NULL)
1593  AppLayerParserThreadCtxFree(alp_tctx);
1594  if (de_ctx != NULL)
1595  DetectEngineCtxFree(de_ctx);
1596 
1597  StreamTcpFreeConfig(true);
1598  FLOW_DESTROY(&f);
1599  UTHFreePackets(&p, 1);
1600  return result;
1601 }
1602 
1603 /** \test Check a signature with content */
1604 static int DetectHttpMethodTest01(void)
1605 {
1606  DetectEngineCtx *de_ctx = NULL;
1607  int result = 0;
1608 
1609  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1610  goto end;
1611 
1612  de_ctx->flags |= DE_QUIET;
1613  de_ctx->sig_list = SigInit(de_ctx,
1614  "alert tcp any any -> any any "
1615  "(msg:\"Testing http_method\"; "
1616  "content:\"GET\"; "
1617  "http_method; sid:1;)");
1618 
1619  if (de_ctx->sig_list != NULL) {
1620  result = 1;
1621  } else {
1622  printf("sig parse failed: ");
1623  }
1624 
1625  end:
1626  if (de_ctx != NULL)
1627  DetectEngineCtxFree(de_ctx);
1628  return result;
1629 }
1630 
1631 /** \test Check a signature without content (fail) */
1632 static int DetectHttpMethodTest02(void)
1633 {
1634  DetectEngineCtx *de_ctx = NULL;
1635  int result = 0;
1636 
1637  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1638  goto end;
1639 
1640  de_ctx->flags |= DE_QUIET;
1641  de_ctx->sig_list = SigInit(de_ctx,
1642  "alert tcp any any -> any any "
1643  "(msg:\"Testing http_method\"; "
1644  "http_method; sid:1;)");
1645 
1646  if (de_ctx->sig_list == NULL) {
1647  result = 1;
1648  }
1649 
1650  end:
1651  if (de_ctx != NULL)
1652  DetectEngineCtxFree(de_ctx);
1653  return result;
1654 }
1655 
1656 /** \test Check a signature with parameter (fail) */
1657 static int DetectHttpMethodTest03(void)
1658 {
1659  DetectEngineCtx *de_ctx = NULL;
1660  int result = 0;
1661 
1662  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1663  goto end;
1664 
1665  de_ctx->flags |= DE_QUIET;
1666  de_ctx->sig_list = SigInit(de_ctx,
1667  "alert tcp any any -> any any "
1668  "(msg:\"Testing http_method\"; "
1669  "content:\"foobar\"; "
1670  "http_method:\"GET\"; sid:1;)");
1671 
1672  if (de_ctx->sig_list == NULL) {
1673  result = 1;
1674  }
1675 
1676  end:
1677  if (de_ctx != NULL)
1678  DetectEngineCtxFree(de_ctx);
1679  return result;
1680 }
1681 
1682 /** \test Check a signature with fast_pattern (should work) */
1683 static int DetectHttpMethodTest04(void)
1684 {
1685  DetectEngineCtx *de_ctx = NULL;
1686  int result = 0;
1687 
1688  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1689  goto end;
1690 
1691  de_ctx->flags |= DE_QUIET;
1692  de_ctx->sig_list = SigInit(de_ctx,
1693  "alert tcp any any -> any any "
1694  "(msg:\"Testing http_method\"; "
1695  "content:\"GET\"; "
1696  "fast_pattern; "
1697  "http_method; sid:1;)");
1698 
1699  if (de_ctx->sig_list != NULL) {
1700  result = 1;
1701  }
1702 
1703  end:
1704  if (de_ctx != NULL)
1705  DetectEngineCtxFree(de_ctx);
1706  return result;
1707 }
1708 
1709 /** \test Check a signature with rawbytes (fail) */
1710 static int DetectHttpMethodTest05(void)
1711 {
1712  DetectEngineCtx *de_ctx = NULL;
1713  int result = 0;
1714 
1715  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1716  goto end;
1717 
1718  de_ctx->flags |= DE_QUIET;
1719  de_ctx->sig_list = SigInit(de_ctx,
1720  "alert tcp any any -> any any "
1721  "(msg:\"Testing http_method\"; "
1722  "content:\"GET\"; "
1723  "rawbytes; "
1724  "http_method; sid:1;)");
1725 
1726  if (de_ctx->sig_list == NULL) {
1727  result = 1;
1728  }
1729 
1730  end:
1731  if (de_ctx != NULL)
1732  DetectEngineCtxFree(de_ctx);
1733  return result;
1734 }
1735 
1736 /** \test Check a signature with an known request method */
1737 static int DetectHttpMethodSigTest01(void)
1738 {
1739  int result = 0;
1740  Flow f;
1741  uint8_t httpbuf1[] = "GET / HTTP/1.0\r\n"
1742  "Host: foo.bar.tld\r\n"
1743  "\r\n";
1744  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1745  TcpSession ssn;
1746  Packet *p = NULL;
1747  Signature *s = NULL;
1748  ThreadVars th_v;
1749  DetectEngineThreadCtx *det_ctx;
1750  HtpState *http_state = NULL;
1751  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1752 
1753  memset(&th_v, 0, sizeof(th_v));
1754  memset(&f, 0, sizeof(f));
1755  memset(&ssn, 0, sizeof(ssn));
1756 
1757  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1758 
1759  FLOW_INITIALIZE(&f);
1760  f.protoctx = (void *)&ssn;
1761  f.proto = IPPROTO_TCP;
1762  f.flags |= FLOW_IPV4;
1763 
1764  p->flow = &f;
1765  p->flowflags |= FLOW_PKT_TOSERVER;
1766  p->flowflags |= FLOW_PKT_ESTABLISHED;
1767  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1768  f.alproto = ALPROTO_HTTP1;
1769 
1770  StreamTcpInitConfig(true);
1771 
1772  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1773  if (de_ctx == NULL) {
1774  goto end;
1775  }
1776 
1777  de_ctx->flags |= DE_QUIET;
1778 
1779  s = de_ctx->sig_list = SigInit(de_ctx,
1780  "alert tcp any any -> any any "
1781  "(msg:\"Testing http_method\"; "
1782  "content:\"GET\"; "
1783  "http_method; sid:1;)");
1784  if (s == NULL) {
1785  goto end;
1786  }
1787 
1788  s = s->next = SigInit(de_ctx,
1789  "alert tcp any any -> any any "
1790  "(msg:\"Testing http_method\"; "
1791  "content:\"POST\"; "
1792  "http_method; sid:2;)");
1793  if (s == NULL) {
1794  goto end;
1795  }
1796 
1797  SigGroupBuild(de_ctx);
1798  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1799 
1800  int r = AppLayerParserParse(
1801  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1802  if (r != 0) {
1803  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1804  goto end;
1805  }
1806 
1807  http_state = f.alstate;
1808  if (http_state == NULL) {
1809  SCLogDebug("no http state: ");
1810  goto end;
1811  }
1812 
1813  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1814 
1815  if (!(PacketAlertCheck(p, 1))) {
1816  goto end;
1817  }
1818  if (PacketAlertCheck(p, 2)) {
1819  goto end;
1820  }
1821 
1822  result = 1;
1823 
1824 end:
1825  if (alp_tctx != NULL)
1826  AppLayerParserThreadCtxFree(alp_tctx);
1827  if (de_ctx != NULL)
1828  DetectEngineCtxFree(de_ctx);
1829 
1830  StreamTcpFreeConfig(true);
1831  FLOW_DESTROY(&f);
1832  UTHFreePackets(&p, 1);
1833  return result;
1834 }
1835 
1836 /** \test Check a signature with an unknown request method */
1837 static int DetectHttpMethodSigTest02(void)
1838 {
1839  int result = 0;
1840  Flow f;
1841  uint8_t httpbuf1[] = "FOO / HTTP/1.0\r\n"
1842  "Host: foo.bar.tld\r\n"
1843  "\r\n";
1844  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1845  TcpSession ssn;
1846  Packet *p = NULL;
1847  Signature *s = NULL;
1848  ThreadVars th_v;
1849  DetectEngineThreadCtx *det_ctx = NULL;
1850  HtpState *http_state = NULL;
1851  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1852 
1853  memset(&th_v, 0, sizeof(th_v));
1854  memset(&f, 0, sizeof(f));
1855  memset(&ssn, 0, sizeof(ssn));
1856 
1857  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1858 
1859  FLOW_INITIALIZE(&f);
1860  f.protoctx = (void *)&ssn;
1861  f.proto = IPPROTO_TCP;
1862  f.flags |= FLOW_IPV4;
1863 
1864  p->flow = &f;
1865  p->flowflags |= FLOW_PKT_TOSERVER;
1866  p->flowflags |= FLOW_PKT_ESTABLISHED;
1867  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1868  f.alproto = ALPROTO_HTTP1;
1869 
1870  StreamTcpInitConfig(true);
1871 
1872  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1873  if (de_ctx == NULL) {
1874  goto end;
1875  }
1876 
1877  de_ctx->flags |= DE_QUIET;
1878 
1879  s = de_ctx->sig_list = SigInit(de_ctx,
1880  "alert tcp any any -> any any "
1881  "(msg:\"Testing http_method\"; "
1882  "content:\"FOO\"; "
1883  "http_method; sid:1;)");
1884  if (s == NULL) {
1885  goto end;
1886  }
1887 
1888  s = s->next = SigInit(de_ctx,
1889  "alert tcp any any -> any any "
1890  "(msg:\"Testing http_method\"; "
1891  "content:\"BAR\"; "
1892  "http_method; sid:2;)");
1893  if (s == NULL) {
1894  goto end;
1895  }
1896 
1897  SigGroupBuild(de_ctx);
1898  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1899 
1900  int r = AppLayerParserParse(
1901  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1902  if (r != 0) {
1903  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1904  goto end;
1905  }
1906 
1907  http_state = f.alstate;
1908  if (http_state == NULL) {
1909  SCLogDebug("no http state: ");
1910  goto end;
1911  }
1912 
1913  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1914 
1915  if (!(PacketAlertCheck(p, 1))) {
1916  goto end;
1917  }
1918  if (PacketAlertCheck(p, 2)) {
1919  goto end;
1920  }
1921 
1922  result = 1;
1923 
1924 end:
1925  if (alp_tctx != NULL)
1926  AppLayerParserThreadCtxFree(alp_tctx);
1927  if (det_ctx != NULL)
1928  DetectEngineThreadCtxDeinit(&th_v, (void *) det_ctx);
1929  if (de_ctx != NULL)
1930  DetectEngineCtxFree(de_ctx);
1931 
1932  StreamTcpFreeConfig(true);
1933  FLOW_DESTROY(&f);
1934  UTHFreePackets(&p, 1);
1935  return result;
1936 }
1937 
1938 /** \test Check a signature against an unparsable request */
1939 static int DetectHttpMethodSigTest03(void)
1940 {
1941  int result = 0;
1942  Flow f;
1943  uint8_t httpbuf1[] = " ";
1944  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1945  TcpSession ssn;
1946  Packet *p = NULL;
1947  Signature *s = NULL;
1948  ThreadVars th_v;
1949  DetectEngineThreadCtx *det_ctx;
1950  HtpState *http_state = NULL;
1951  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1952 
1953  memset(&th_v, 0, sizeof(th_v));
1954  memset(&f, 0, sizeof(f));
1955  memset(&ssn, 0, sizeof(ssn));
1956 
1957  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1958 
1959  FLOW_INITIALIZE(&f);
1960  f.protoctx = (void *)&ssn;
1961  f.proto = IPPROTO_TCP;
1962  f.flags |= FLOW_IPV4;
1963 
1964  p->flow = &f;
1965  p->flowflags |= FLOW_PKT_TOSERVER;
1966  p->flowflags |= FLOW_PKT_ESTABLISHED;
1967  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1968  f.alproto = ALPROTO_HTTP1;
1969 
1970  StreamTcpInitConfig(true);
1971 
1972  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1973  if (de_ctx == NULL) {
1974  goto end;
1975  }
1976 
1977  de_ctx->flags |= DE_QUIET;
1978 
1979  s = de_ctx->sig_list = SigInit(de_ctx,
1980  "alert tcp any any -> any any "
1981  "(msg:\"Testing http_method\"; "
1982  "content:\"GET\"; "
1983  "http_method; sid:1;)");
1984  if (s == NULL) {
1985  SCLogDebug("Bad signature");
1986  goto end;
1987  }
1988 
1989  SigGroupBuild(de_ctx);
1990  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1991 
1992  int r = AppLayerParserParse(
1993  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1994  if (r != 0) {
1995  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1996  goto end;
1997  }
1998 
1999  http_state = f.alstate;
2000  if (http_state == NULL) {
2001  SCLogDebug("no http state: ");
2002  goto end;
2003  }
2004 
2005  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2006 
2007  if (PacketAlertCheck(p, 1)) {
2008  goto end;
2009  }
2010 
2011  result = 1;
2012 
2013 end:
2014  if (alp_tctx != NULL)
2015  AppLayerParserThreadCtxFree(alp_tctx);
2016  if (de_ctx != NULL)
2017  DetectEngineCtxFree(de_ctx);
2018 
2019  StreamTcpFreeConfig(true);
2020  FLOW_DESTROY(&f);
2021  UTHFreePackets(&p, 1);
2022  return result;
2023 }
2024 
2025 /** \test Check a signature with an request method and negation of the same */
2026 static int DetectHttpMethodSigTest04(void)
2027 {
2028  int result = 0;
2029  Flow f;
2030  uint8_t httpbuf1[] = "GET / HTTP/1.0\r\n"
2031  "Host: foo.bar.tld\r\n"
2032  "\r\n";
2033  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2034  TcpSession ssn;
2035  Packet *p = NULL;
2036  Signature *s = NULL;
2037  ThreadVars th_v;
2038  DetectEngineThreadCtx *det_ctx = NULL;
2039  HtpState *http_state = NULL;
2040  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2041 
2042  memset(&th_v, 0, sizeof(th_v));
2043  memset(&f, 0, sizeof(f));
2044  memset(&ssn, 0, sizeof(ssn));
2045 
2046  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2047 
2048  FLOW_INITIALIZE(&f);
2049  f.protoctx = (void *)&ssn;
2050  f.proto = IPPROTO_TCP;
2051  f.flags |= FLOW_IPV4;
2052 
2053  p->flow = &f;
2054  p->flowflags |= FLOW_PKT_TOSERVER;
2055  p->flowflags |= FLOW_PKT_ESTABLISHED;
2056  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2057  f.alproto = ALPROTO_HTTP1;
2058 
2059  StreamTcpInitConfig(true);
2060 
2061  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2062  if (de_ctx == NULL) {
2063  goto end;
2064  }
2065 
2066  de_ctx->flags |= DE_QUIET;
2067 
2068  s = de_ctx->sig_list = SigInit(de_ctx,
2069  "alert tcp any any -> any any (msg:\"Testing http_method\"; "
2070  "content:\"GET\"; http_method; sid:1;)");
2071  if (s == NULL) {
2072  goto end;
2073  }
2074 
2075  s = s->next = SigInit(de_ctx,
2076  "alert tcp any any -> any any (msg:\"Testing http_method\"; "
2077  "content:!\"GET\"; http_method; sid:2;)");
2078  if (s == NULL) {
2079  goto end;
2080  }
2081 
2082  SigGroupBuild(de_ctx);
2083  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2084 
2085  int r = AppLayerParserParse(
2086  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2087  if (r != 0) {
2088  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2089  goto end;
2090  }
2091 
2092  http_state = f.alstate;
2093  if (http_state == NULL) {
2094  SCLogDebug("no http state: ");
2095  goto end;
2096  }
2097 
2098  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2099 
2100  if (!(PacketAlertCheck(p, 1))) {
2101  printf("sid 1 didn't match but should have: ");
2102  goto end;
2103  }
2104  if (PacketAlertCheck(p, 2)) {
2105  printf("sid 2 matched but shouldn't have: ");
2106  goto end;
2107  }
2108 
2109  result = 1;
2110 
2111 end:
2112  if (alp_tctx != NULL)
2113  AppLayerParserThreadCtxFree(alp_tctx);
2114  if (det_ctx != NULL) {
2115  DetectEngineThreadCtxDeinit(&th_v, (void *) det_ctx);
2116  }
2117  if (de_ctx != NULL) {
2118  DetectEngineCtxFree(de_ctx);
2119  }
2120 
2121  StreamTcpFreeConfig(true);
2122  FLOW_DESTROY(&f);
2123  UTHFreePackets(&p, 1);
2124  return result;
2125 }
2126 
2127 static int DetectHttpMethodIsdataatParseTest(void)
2128 {
2129  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2130  FAIL_IF_NULL(de_ctx);
2131  de_ctx->flags |= DE_QUIET;
2132 
2133  Signature *s = DetectEngineAppendSig(de_ctx,
2134  "alert tcp any any -> any any ("
2135  "content:\"one\"; http_method; "
2136  "isdataat:!4,relative; sid:1;)");
2137  FAIL_IF_NULL(s);
2138 
2139  SigMatch *sm = DetectBufferGetLastSigMatch(s, g_http_method_buffer_id);
2140  FAIL_IF_NULL(sm);
2141  FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
2142 
2143  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
2144  FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
2145  FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
2146  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
2147 
2148  DetectEngineCtxFree(de_ctx);
2149  PASS;
2150 }
2151 
2152 /**
2153  * \brief this function registers unit tests for DetectHttpMethod
2154  */
2155 void DetectHttpMethodRegisterTests(void)
2156 {
2157  UtRegisterTest("DetectHttpMethodTest01", DetectHttpMethodTest01);
2158  UtRegisterTest("DetectHttpMethodTest02", DetectHttpMethodTest02);
2159  UtRegisterTest("DetectHttpMethodTest03", DetectHttpMethodTest03);
2160  UtRegisterTest("DetectHttpMethodTest04", DetectHttpMethodTest04);
2161  UtRegisterTest("DetectHttpMethodTest05", DetectHttpMethodTest05);
2162  UtRegisterTest("DetectHttpMethodSigTest01", DetectHttpMethodSigTest01);
2163  UtRegisterTest("DetectHttpMethodSigTest02", DetectHttpMethodSigTest02);
2164  UtRegisterTest("DetectHttpMethodSigTest03", DetectHttpMethodSigTest03);
2165  UtRegisterTest("DetectHttpMethodSigTest04", DetectHttpMethodSigTest04);
2166 
2167  UtRegisterTest("DetectHttpMethodIsdataatParseTest",
2168  DetectHttpMethodIsdataatParseTest);
2169  UtRegisterTest("DetectEngineHttpMethodTest01",
2170  DetectEngineHttpMethodTest01);
2171  UtRegisterTest("DetectEngineHttpMethodTest02",
2172  DetectEngineHttpMethodTest02);
2173  UtRegisterTest("DetectEngineHttpMethodTest03",
2174  DetectEngineHttpMethodTest03);
2175  UtRegisterTest("DetectEngineHttpMethodTest04",
2176  DetectEngineHttpMethodTest04);
2177  UtRegisterTest("DetectEngineHttpMethodTest05",
2178  DetectEngineHttpMethodTest05);
2179  UtRegisterTest("DetectEngineHttpMethodTest06",
2180  DetectEngineHttpMethodTest06);
2181  UtRegisterTest("DetectEngineHttpMethodTest07",
2182  DetectEngineHttpMethodTest07);
2183  UtRegisterTest("DetectEngineHttpMethodTest08",
2184  DetectEngineHttpMethodTest08);
2185  UtRegisterTest("DetectEngineHttpMethodTest09",
2186  DetectEngineHttpMethodTest09);
2187  UtRegisterTest("DetectEngineHttpMethodTest10",
2188  DetectEngineHttpMethodTest10);
2189  UtRegisterTest("DetectEngineHttpMethodTest11",
2190  DetectEngineHttpMethodTest11);
2191  UtRegisterTest("DetectEngineHttpMethodTest12",
2192  DetectEngineHttpMethodTest12);
2193  UtRegisterTest("DetectEngineHttpMethodTest13",
2194  DetectEngineHttpMethodTest13);
2195  UtRegisterTest("DetectEngineHttpMethodTest14",
2196  DetectEngineHttpMethodTest14);
2197  UtRegisterTest("DetectEngineHttpMethodTest15",
2198  DetectEngineHttpMethodTest15);
2199  UtRegisterTest("DetectEngineHttpMethodTest16",
2200  DetectEngineHttpMethodTest16);
2201  UtRegisterTest("DetectEngineHttpMethodTest17",
2202  DetectEngineHttpMethodTest17);
2203 }
2204 
2205 /**
2206  * @}
2207  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1266
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2641
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:233
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2420
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3437
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:441
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
HtpState_
Definition: app-layer-htp.h:181
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
Signature_::next
struct Signature_ * next
Definition: detect.h:750
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectBufferGetLastSigMatch
SigMatch * DetectBufferGetLastSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine-buffer.c:167
DetectEngineThreadCtx_
Definition: detect.h:1244
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3372
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3095
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
DetectHttpMethodRegisterTests
void DetectHttpMethodRegisterTests(void)
this function registers unit tests for DetectHttpMethod
Definition: detect-http-method.c:2155
Packet_
Definition: decode.h:501
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2204
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
SigMatch_::type
uint16_t type
Definition: detect.h:357
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3608
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
Flow_::alstate
void * alstate
Definition: flow.h:479
Flow_::flags
uint32_t flags
Definition: flow.h:421
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:93
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:235
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2602
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1262
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456