suricata
detect-http-method.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  *
29  * \brief Handle HTTP method match
30  *
31  */
32 
33 #include "../suricata-common.h"
34 #include "../suricata.h"
35 #include "../flow-util.h"
36 #include "../flow.h"
37 #include "../app-layer-parser.h"
38 
39 #include "../util-unittest.h"
40 #include "../util-unittest-helper.h"
41 #include "../app-layer.h"
42 #include "../app-layer-htp.h"
43 #include "../app-layer-protos.h"
44 #include "../detect-isdataat.h"
45 #include "../detect-engine-build.h"
46 #include "../detect-engine-alert.h"
47 
48 /**
49  * \test Test that the http_method content matches against a http request
50  * which holds the content.
51  */
52 static int DetectEngineHttpMethodTest01(void)
53 {
54  TcpSession ssn;
55  Packet *p = NULL;
56  ThreadVars th_v;
57  DetectEngineCtx *de_ctx = NULL;
58  DetectEngineThreadCtx *det_ctx = NULL;
59  HtpState *http_state = NULL;
60  Flow f;
61  uint8_t http_buf[] =
62  "GET /index.html HTTP/1.0\r\n"
63  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
64  uint32_t http_len = sizeof(http_buf) - 1;
65  int result = 0;
66  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
67 
68  memset(&th_v, 0, sizeof(th_v));
69  memset(&f, 0, sizeof(f));
70  memset(&ssn, 0, sizeof(ssn));
71 
72  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
73 
74  FLOW_INITIALIZE(&f);
75  f.protoctx = (void *)&ssn;
76  f.proto = IPPROTO_TCP;
77  f.flags |= FLOW_IPV4;
78  p->flow = &f;
79  p->flowflags |= FLOW_PKT_TOSERVER;
80  p->flowflags |= FLOW_PKT_ESTABLISHED;
81  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
82  f.alproto = ALPROTO_HTTP1;
83 
84  StreamTcpInitConfig(true);
85 
86  de_ctx = DetectEngineCtxInit();
87  if (de_ctx == NULL)
88  goto end;
89 
90  de_ctx->flags |= DE_QUIET;
91 
92  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
93  "(msg:\"http header test\"; "
94  "content:\"GET\"; http_method; "
95  "sid:1;)");
96  if (de_ctx->sig_list == NULL)
97  goto end;
98 
99  SigGroupBuild(de_ctx);
100  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
101 
102  int r = AppLayerParserParse(
103  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
104  if (r != 0) {
105  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
106  result = 0;
107  goto end;
108  }
109 
110  http_state = f.alstate;
111  if (http_state == NULL) {
112  printf("no http state: ");
113  result = 0;
114  goto end;
115  }
116 
117  /* do detect */
118  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
119 
120  if (!(PacketAlertCheck(p, 1))) {
121  printf("sid 1 didn't match but should have: ");
122  goto end;
123  }
124 
125  result = 1;
126 
127 end:
128  if (alp_tctx != NULL)
129  AppLayerParserThreadCtxFree(alp_tctx);
130  if (de_ctx != NULL)
131  DetectEngineCtxFree(de_ctx);
132 
133  StreamTcpFreeConfig(true);
134  FLOW_DESTROY(&f);
135  UTHFreePackets(&p, 1);
136  return result;
137 }
138 
139 /**
140  * \test Test that the http_method content matches against a http request
141  * which holds the content.
142  */
143 static int DetectEngineHttpMethodTest02(void)
144 {
145  TcpSession ssn;
146  Packet *p = NULL;
147  ThreadVars th_v;
148  DetectEngineCtx *de_ctx = NULL;
149  DetectEngineThreadCtx *det_ctx = NULL;
150  HtpState *http_state = NULL;
151  Flow f;
152  uint8_t http_buf[] =
153  "CONNECT /index.html HTTP/1.0\r\n"
154  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
155  uint32_t http_len = sizeof(http_buf) - 1;
156  int result = 0;
157  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
158 
159  memset(&th_v, 0, sizeof(th_v));
160  memset(&f, 0, sizeof(f));
161  memset(&ssn, 0, sizeof(ssn));
162 
163  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
164 
165  FLOW_INITIALIZE(&f);
166  f.protoctx = (void *)&ssn;
167  f.proto = IPPROTO_TCP;
168  f.flags |= FLOW_IPV4;
169  p->flow = &f;
170  p->flowflags |= FLOW_PKT_TOSERVER;
171  p->flowflags |= FLOW_PKT_ESTABLISHED;
172  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
173  f.alproto = ALPROTO_HTTP1;
174 
175  StreamTcpInitConfig(true);
176 
177  de_ctx = DetectEngineCtxInit();
178  if (de_ctx == NULL)
179  goto end;
180 
181  de_ctx->flags |= DE_QUIET;
182 
183  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
184  "(msg:\"http header test\"; "
185  "content:\"CO\"; depth:4; http_method; "
186  "sid:1;)");
187  if (de_ctx->sig_list == NULL)
188  goto end;
189 
190  SigGroupBuild(de_ctx);
191  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
192 
193  int r = AppLayerParserParse(
194  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
195  if (r != 0) {
196  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
197  result = 0;
198  goto end;
199  }
200 
201  http_state = f.alstate;
202  if (http_state == NULL) {
203  printf("no http state: ");
204  result = 0;
205  goto end;
206  }
207 
208  /* do detect */
209  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
210 
211  if (!(PacketAlertCheck(p, 1))) {
212  printf("sid 1 didn't match but should have: ");
213  goto end;
214  }
215 
216  result = 1;
217 
218 end:
219  if (alp_tctx != NULL)
220  AppLayerParserThreadCtxFree(alp_tctx);
221  if (de_ctx != NULL)
222  DetectEngineCtxFree(de_ctx);
223 
224  StreamTcpFreeConfig(true);
225  FLOW_DESTROY(&f);
226  UTHFreePackets(&p, 1);
227  return result;
228 }
229 
230 /**
231  * \test Test that the http_method content matches against a http request
232  * which holds the content.
233  */
234 static int DetectEngineHttpMethodTest03(void)
235 {
236  TcpSession ssn;
237  Packet *p = NULL;
238  ThreadVars th_v;
239  DetectEngineCtx *de_ctx = NULL;
240  DetectEngineThreadCtx *det_ctx = NULL;
241  HtpState *http_state = NULL;
242  Flow f;
243  uint8_t http_buf[] =
244  "CONNECT /index.html HTTP/1.0\r\n"
245  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
246  uint32_t http_len = sizeof(http_buf) - 1;
247  int result = 0;
248  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
249 
250  memset(&th_v, 0, sizeof(th_v));
251  memset(&f, 0, sizeof(f));
252  memset(&ssn, 0, sizeof(ssn));
253 
254  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
255 
256  FLOW_INITIALIZE(&f);
257  f.protoctx = (void *)&ssn;
258  f.proto = IPPROTO_TCP;
259  f.flags |= FLOW_IPV4;
260  p->flow = &f;
261  p->flowflags |= FLOW_PKT_TOSERVER;
262  p->flowflags |= FLOW_PKT_ESTABLISHED;
263  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
264  f.alproto = ALPROTO_HTTP1;
265 
266  StreamTcpInitConfig(true);
267 
268  de_ctx = DetectEngineCtxInit();
269  if (de_ctx == NULL)
270  goto end;
271 
272  de_ctx->flags |= DE_QUIET;
273 
274  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
275  "(msg:\"http header test\"; "
276  "content:!\"ECT\"; depth:4; http_method; "
277  "sid:1;)");
278  if (de_ctx->sig_list == NULL)
279  goto end;
280 
281  SigGroupBuild(de_ctx);
282  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
283 
284  int r = AppLayerParserParse(
285  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
286  if (r != 0) {
287  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
288  result = 0;
289  goto end;
290  }
291 
292  http_state = f.alstate;
293  if (http_state == NULL) {
294  printf("no http state: ");
295  result = 0;
296  goto end;
297  }
298 
299  /* do detect */
300  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
301 
302  if (!(PacketAlertCheck(p, 1))) {
303  printf("sid 1 didn't match but should have: ");
304  goto end;
305  }
306 
307  result = 1;
308 
309 end:
310  if (alp_tctx != NULL)
311  AppLayerParserThreadCtxFree(alp_tctx);
312  if (de_ctx != NULL)
313  DetectEngineCtxFree(de_ctx);
314 
315  StreamTcpFreeConfig(true);
316  FLOW_DESTROY(&f);
317  UTHFreePackets(&p, 1);
318  return result;
319 }
320 
321 /**
322  * \test Test that the http_method content matches against a http request
323  * which holds the content.
324  */
325 static int DetectEngineHttpMethodTest04(void)
326 {
327  TcpSession ssn;
328  Packet *p = NULL;
329  ThreadVars th_v;
330  DetectEngineCtx *de_ctx = NULL;
331  DetectEngineThreadCtx *det_ctx = NULL;
332  HtpState *http_state = NULL;
333  Flow f;
334  uint8_t http_buf[] =
335  "CONNECT /index.html HTTP/1.0\r\n"
336  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
337  uint32_t http_len = sizeof(http_buf) - 1;
338  int result = 0;
339  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
340 
341  memset(&th_v, 0, sizeof(th_v));
342  memset(&f, 0, sizeof(f));
343  memset(&ssn, 0, sizeof(ssn));
344 
345  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
346 
347  FLOW_INITIALIZE(&f);
348  f.protoctx = (void *)&ssn;
349  f.proto = IPPROTO_TCP;
350  f.flags |= FLOW_IPV4;
351  p->flow = &f;
352  p->flowflags |= FLOW_PKT_TOSERVER;
353  p->flowflags |= FLOW_PKT_ESTABLISHED;
354  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
355  f.alproto = ALPROTO_HTTP1;
356 
357  StreamTcpInitConfig(true);
358 
359  de_ctx = DetectEngineCtxInit();
360  if (de_ctx == NULL)
361  goto end;
362 
363  de_ctx->flags |= DE_QUIET;
364 
365  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
366  "(msg:\"http header test\"; "
367  "content:\"ECT\"; depth:4; http_method; "
368  "sid:1;)");
369  if (de_ctx->sig_list == NULL)
370  goto end;
371 
372  SigGroupBuild(de_ctx);
373  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
374 
375  int r = AppLayerParserParse(
376  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
377  if (r != 0) {
378  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
379  result = 0;
380  goto end;
381  }
382 
383  http_state = f.alstate;
384  if (http_state == NULL) {
385  printf("no http state: ");
386  result = 0;
387  goto end;
388  }
389 
390  /* do detect */
391  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
392 
393  if (PacketAlertCheck(p, 1)) {
394  printf("sid 1 matched but shouldn't have: ");
395  goto end;
396  }
397 
398  result = 1;
399 
400 end:
401  if (alp_tctx != NULL)
402  AppLayerParserThreadCtxFree(alp_tctx);
403  if (de_ctx != NULL)
404  DetectEngineCtxFree(de_ctx);
405 
406  StreamTcpFreeConfig(true);
407  FLOW_DESTROY(&f);
408  UTHFreePackets(&p, 1);
409  return result;
410 }
411 
412 /**
413  * \test Test that the http_method content matches against a http request
414  * which holds the content.
415  */
416 static int DetectEngineHttpMethodTest05(void)
417 {
418  TcpSession ssn;
419  Packet *p = NULL;
420  ThreadVars th_v;
421  DetectEngineCtx *de_ctx = NULL;
422  DetectEngineThreadCtx *det_ctx = NULL;
423  HtpState *http_state = NULL;
424  Flow f;
425  uint8_t http_buf[] =
426  "CONNECT /index.html HTTP/1.0\r\n"
427  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
428  uint32_t http_len = sizeof(http_buf) - 1;
429  int result = 0;
430  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
431 
432  memset(&th_v, 0, sizeof(th_v));
433  memset(&f, 0, sizeof(f));
434  memset(&ssn, 0, sizeof(ssn));
435 
436  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
437 
438  FLOW_INITIALIZE(&f);
439  f.protoctx = (void *)&ssn;
440  f.proto = IPPROTO_TCP;
441  f.flags |= FLOW_IPV4;
442  p->flow = &f;
443  p->flowflags |= FLOW_PKT_TOSERVER;
444  p->flowflags |= FLOW_PKT_ESTABLISHED;
445  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
446  f.alproto = ALPROTO_HTTP1;
447 
448  StreamTcpInitConfig(true);
449 
450  de_ctx = DetectEngineCtxInit();
451  if (de_ctx == NULL)
452  goto end;
453 
454  de_ctx->flags |= DE_QUIET;
455 
456  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
457  "(msg:\"http header test\"; "
458  "content:!\"CON\"; depth:4; http_method; "
459  "sid:1;)");
460  if (de_ctx->sig_list == NULL)
461  goto end;
462 
463  SigGroupBuild(de_ctx);
464  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
465 
466  int r = AppLayerParserParse(
467  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
468  if (r != 0) {
469  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
470  result = 0;
471  goto end;
472  }
473 
474  http_state = f.alstate;
475  if (http_state == NULL) {
476  printf("no http state: ");
477  result = 0;
478  goto end;
479  }
480 
481  /* do detect */
482  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
483 
484  if (PacketAlertCheck(p, 1)) {
485  printf("sid 1 matched but shouldn't have: ");
486  goto end;
487  }
488 
489  result = 1;
490 
491 end:
492  if (alp_tctx != NULL)
493  AppLayerParserThreadCtxFree(alp_tctx);
494  if (de_ctx != NULL)
495  DetectEngineCtxFree(de_ctx);
496 
497  StreamTcpFreeConfig(true);
498  FLOW_DESTROY(&f);
499  UTHFreePackets(&p, 1);
500  return result;
501 }
502 
503 /**
504  * \test Test that the http_method content matches against a http request
505  * which holds the content.
506  */
507 static int DetectEngineHttpMethodTest06(void)
508 {
509  TcpSession ssn;
510  Packet *p = NULL;
511  ThreadVars th_v;
512  DetectEngineCtx *de_ctx = NULL;
513  DetectEngineThreadCtx *det_ctx = NULL;
514  HtpState *http_state = NULL;
515  Flow f;
516  uint8_t http_buf[] =
517  "CONNECT /index.html HTTP/1.0\r\n"
518  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
519  uint32_t http_len = sizeof(http_buf) - 1;
520  int result = 0;
521  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
522 
523  memset(&th_v, 0, sizeof(th_v));
524  memset(&f, 0, sizeof(f));
525  memset(&ssn, 0, sizeof(ssn));
526 
527  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
528 
529  FLOW_INITIALIZE(&f);
530  f.protoctx = (void *)&ssn;
531  f.proto = IPPROTO_TCP;
532  f.flags |= FLOW_IPV4;
533  p->flow = &f;
534  p->flowflags |= FLOW_PKT_TOSERVER;
535  p->flowflags |= FLOW_PKT_ESTABLISHED;
536  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
537  f.alproto = ALPROTO_HTTP1;
538 
539  StreamTcpInitConfig(true);
540 
541  de_ctx = DetectEngineCtxInit();
542  if (de_ctx == NULL)
543  goto end;
544 
545  de_ctx->flags |= DE_QUIET;
546 
547  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
548  "(msg:\"http header test\"; "
549  "content:\"ECT\"; offset:3; http_method; "
550  "sid:1;)");
551  if (de_ctx->sig_list == NULL)
552  goto end;
553 
554  SigGroupBuild(de_ctx);
555  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
556 
557  int r = AppLayerParserParse(
558  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
559  if (r != 0) {
560  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
561  result = 0;
562  goto end;
563  }
564 
565  http_state = f.alstate;
566  if (http_state == NULL) {
567  printf("no http state: ");
568  result = 0;
569  goto end;
570  }
571 
572  /* do detect */
573  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
574 
575  if (!(PacketAlertCheck(p, 1))) {
576  printf("sid 1 didn't match but should have: ");
577  goto end;
578  }
579 
580  result = 1;
581 
582 end:
583  if (alp_tctx != NULL)
584  AppLayerParserThreadCtxFree(alp_tctx);
585  if (de_ctx != NULL)
586  DetectEngineCtxFree(de_ctx);
587 
588  StreamTcpFreeConfig(true);
589  FLOW_DESTROY(&f);
590  UTHFreePackets(&p, 1);
591  return result;
592 }
593 
594 /**
595  * \test Test that the http_method content matches against a http request
596  * which holds the content.
597  */
598 static int DetectEngineHttpMethodTest07(void)
599 {
600  TcpSession ssn;
601  Packet *p = NULL;
602  ThreadVars th_v;
603  DetectEngineCtx *de_ctx = NULL;
604  DetectEngineThreadCtx *det_ctx = NULL;
605  HtpState *http_state = NULL;
606  Flow f;
607  uint8_t http_buf[] =
608  "CONNECT /index.html HTTP/1.0\r\n"
609  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
610  uint32_t http_len = sizeof(http_buf) - 1;
611  int result = 0;
612  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
613 
614  memset(&th_v, 0, sizeof(th_v));
615  memset(&f, 0, sizeof(f));
616  memset(&ssn, 0, sizeof(ssn));
617 
618  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
619 
620  FLOW_INITIALIZE(&f);
621  f.protoctx = (void *)&ssn;
622  f.proto = IPPROTO_TCP;
623  f.flags |= FLOW_IPV4;
624  p->flow = &f;
625  p->flowflags |= FLOW_PKT_TOSERVER;
626  p->flowflags |= FLOW_PKT_ESTABLISHED;
627  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
628  f.alproto = ALPROTO_HTTP1;
629 
630  StreamTcpInitConfig(true);
631 
632  de_ctx = DetectEngineCtxInit();
633  if (de_ctx == NULL)
634  goto end;
635 
636  de_ctx->flags |= DE_QUIET;
637 
638  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
639  "(msg:\"http header test\"; "
640  "content:!\"CO\"; offset:3; http_method; "
641  "sid:1;)");
642  if (de_ctx->sig_list == NULL)
643  goto end;
644 
645  SigGroupBuild(de_ctx);
646  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
647 
648  int r = AppLayerParserParse(
649  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
650  if (r != 0) {
651  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
652  result = 0;
653  goto end;
654  }
655 
656  http_state = f.alstate;
657  if (http_state == NULL) {
658  printf("no http state: ");
659  result = 0;
660  goto end;
661  }
662 
663  /* do detect */
664  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
665 
666  if (!(PacketAlertCheck(p, 1))) {
667  printf("sid 1 didn't match but should have: ");
668  goto end;
669  }
670 
671  result = 1;
672 
673 end:
674  if (alp_tctx != NULL)
675  AppLayerParserThreadCtxFree(alp_tctx);
676  if (de_ctx != NULL)
677  DetectEngineCtxFree(de_ctx);
678 
679  StreamTcpFreeConfig(true);
680  FLOW_DESTROY(&f);
681  UTHFreePackets(&p, 1);
682  return result;
683 }
684 
685 /**
686  * \test Test that the http_method content matches against a http request
687  * which holds the content.
688  */
689 static int DetectEngineHttpMethodTest08(void)
690 {
691  TcpSession ssn;
692  Packet *p = NULL;
693  ThreadVars th_v;
694  DetectEngineCtx *de_ctx = NULL;
695  DetectEngineThreadCtx *det_ctx = NULL;
696  HtpState *http_state = NULL;
697  Flow f;
698  uint8_t http_buf[] =
699  "CONNECT /index.html HTTP/1.0\r\n"
700  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
701  uint32_t http_len = sizeof(http_buf) - 1;
702  int result = 0;
703  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
704 
705  memset(&th_v, 0, sizeof(th_v));
706  memset(&f, 0, sizeof(f));
707  memset(&ssn, 0, sizeof(ssn));
708 
709  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
710 
711  FLOW_INITIALIZE(&f);
712  f.protoctx = (void *)&ssn;
713  f.proto = IPPROTO_TCP;
714  f.flags |= FLOW_IPV4;
715  p->flow = &f;
716  p->flowflags |= FLOW_PKT_TOSERVER;
717  p->flowflags |= FLOW_PKT_ESTABLISHED;
718  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
719  f.alproto = ALPROTO_HTTP1;
720 
721  StreamTcpInitConfig(true);
722 
723  de_ctx = DetectEngineCtxInit();
724  if (de_ctx == NULL)
725  goto end;
726 
727  de_ctx->flags |= DE_QUIET;
728 
729  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
730  "(msg:\"http header test\"; "
731  "content:!\"ECT\"; offset:3; http_method; "
732  "sid:1;)");
733  if (de_ctx->sig_list == NULL)
734  goto end;
735 
736  SigGroupBuild(de_ctx);
737  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
738 
739  int r = AppLayerParserParse(
740  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
741  if (r != 0) {
742  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
743  result = 0;
744  goto end;
745  }
746 
747  http_state = f.alstate;
748  if (http_state == NULL) {
749  printf("no http state: ");
750  result = 0;
751  goto end;
752  }
753 
754  /* do detect */
755  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
756 
757  if (PacketAlertCheck(p, 1)) {
758  printf("sid 1 matched but shouldn't have: ");
759  goto end;
760  }
761 
762  result = 1;
763 
764 end:
765  if (alp_tctx != NULL)
766  AppLayerParserThreadCtxFree(alp_tctx);
767  if (de_ctx != NULL)
768  DetectEngineCtxFree(de_ctx);
769 
770  StreamTcpFreeConfig(true);
771  FLOW_DESTROY(&f);
772  UTHFreePackets(&p, 1);
773  return result;
774 }
775 
776 /**
777  * \test Test that the http_method content matches against a http request
778  * which holds the content.
779  */
780 static int DetectEngineHttpMethodTest09(void)
781 {
782  TcpSession ssn;
783  Packet *p = NULL;
784  ThreadVars th_v;
785  DetectEngineCtx *de_ctx = NULL;
786  DetectEngineThreadCtx *det_ctx = NULL;
787  HtpState *http_state = NULL;
788  Flow f;
789  uint8_t http_buf[] =
790  "CONNECT /index.html HTTP/1.0\r\n"
791  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
792  uint32_t http_len = sizeof(http_buf) - 1;
793  int result = 0;
794  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
795 
796  memset(&th_v, 0, sizeof(th_v));
797  memset(&f, 0, sizeof(f));
798  memset(&ssn, 0, sizeof(ssn));
799 
800  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
801 
802  FLOW_INITIALIZE(&f);
803  f.protoctx = (void *)&ssn;
804  f.proto = IPPROTO_TCP;
805  f.flags |= FLOW_IPV4;
806  p->flow = &f;
807  p->flowflags |= FLOW_PKT_TOSERVER;
808  p->flowflags |= FLOW_PKT_ESTABLISHED;
809  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
810  f.alproto = ALPROTO_HTTP1;
811 
812  StreamTcpInitConfig(true);
813 
814  de_ctx = DetectEngineCtxInit();
815  if (de_ctx == NULL)
816  goto end;
817 
818  de_ctx->flags |= DE_QUIET;
819 
820  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
821  "(msg:\"http header test\"; "
822  "content:\"CON\"; offset:3; http_method; "
823  "sid:1;)");
824  if (de_ctx->sig_list == NULL)
825  goto end;
826 
827  SigGroupBuild(de_ctx);
828  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
829 
830  int r = AppLayerParserParse(
831  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
832  if (r != 0) {
833  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
834  result = 0;
835  goto end;
836  }
837 
838  http_state = f.alstate;
839  if (http_state == NULL) {
840  printf("no http state: ");
841  result = 0;
842  goto end;
843  }
844 
845  /* do detect */
846  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
847 
848  if (PacketAlertCheck(p, 1)) {
849  printf("sid 1 matched but shouldn't have: ");
850  goto end;
851  }
852 
853  result = 1;
854 
855 end:
856  if (alp_tctx != NULL)
857  AppLayerParserThreadCtxFree(alp_tctx);
858  if (de_ctx != NULL)
859  DetectEngineCtxFree(de_ctx);
860 
861  StreamTcpFreeConfig(true);
862  FLOW_DESTROY(&f);
863  UTHFreePackets(&p, 1);
864  return result;
865 }
866 
867 /**
868  * \test Test that the http_method content matches against a http request
869  * which holds the content.
870  */
871 static int DetectEngineHttpMethodTest10(void)
872 {
873  TcpSession ssn;
874  Packet *p = NULL;
875  ThreadVars th_v;
876  DetectEngineCtx *de_ctx = NULL;
877  DetectEngineThreadCtx *det_ctx = NULL;
878  HtpState *http_state = NULL;
879  Flow f;
880  uint8_t http_buf[] =
881  "CONNECT /index.html HTTP/1.0\r\n"
882  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
883  uint32_t http_len = sizeof(http_buf) - 1;
884  int result = 0;
885  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
886 
887  memset(&th_v, 0, sizeof(th_v));
888  memset(&f, 0, sizeof(f));
889  memset(&ssn, 0, sizeof(ssn));
890 
891  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
892 
893  FLOW_INITIALIZE(&f);
894  f.protoctx = (void *)&ssn;
895  f.proto = IPPROTO_TCP;
896  f.flags |= FLOW_IPV4;
897  p->flow = &f;
898  p->flowflags |= FLOW_PKT_TOSERVER;
899  p->flowflags |= FLOW_PKT_ESTABLISHED;
900  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
901  f.alproto = ALPROTO_HTTP1;
902 
903  StreamTcpInitConfig(true);
904 
905  de_ctx = DetectEngineCtxInit();
906  if (de_ctx == NULL)
907  goto end;
908 
909  de_ctx->flags |= DE_QUIET;
910 
911  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
912  "(msg:\"http header test\"; "
913  "content:\"CO\"; http_method; "
914  "content:\"EC\"; within:4; http_method; "
915  "sid:1;)");
916  if (de_ctx->sig_list == NULL)
917  goto end;
918 
919  SigGroupBuild(de_ctx);
920  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
921 
922  int r = AppLayerParserParse(
923  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
924  if (r != 0) {
925  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
926  result = 0;
927  goto end;
928  }
929 
930  http_state = f.alstate;
931  if (http_state == NULL) {
932  printf("no http state: ");
933  result = 0;
934  goto end;
935  }
936 
937  /* do detect */
938  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
939 
940  if (!PacketAlertCheck(p, 1)) {
941  printf("sid 1 didn't match but should have: ");
942  goto end;
943  }
944 
945  result = 1;
946 
947 end:
948  if (alp_tctx != NULL)
949  AppLayerParserThreadCtxFree(alp_tctx);
950  if (de_ctx != NULL)
951  DetectEngineCtxFree(de_ctx);
952 
953  StreamTcpFreeConfig(true);
954  FLOW_DESTROY(&f);
955  UTHFreePackets(&p, 1);
956  return result;
957 }
958 
959 /**
960  * \test Test that the http_method content matches against a http request
961  * which holds the content.
962  */
963 static int DetectEngineHttpMethodTest11(void)
964 {
965  TcpSession ssn;
966  Packet *p = NULL;
967  ThreadVars th_v;
968  DetectEngineCtx *de_ctx = NULL;
969  DetectEngineThreadCtx *det_ctx = NULL;
970  HtpState *http_state = NULL;
971  Flow f;
972  uint8_t http_buf[] =
973  "CONNECT /index.html HTTP/1.0\r\n"
974  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
975  uint32_t http_len = sizeof(http_buf) - 1;
976  int result = 0;
977  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
978 
979  memset(&th_v, 0, sizeof(th_v));
980  memset(&f, 0, sizeof(f));
981  memset(&ssn, 0, sizeof(ssn));
982 
983  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
984 
985  FLOW_INITIALIZE(&f);
986  f.protoctx = (void *)&ssn;
987  f.proto = IPPROTO_TCP;
988  f.flags |= FLOW_IPV4;
989  p->flow = &f;
990  p->flowflags |= FLOW_PKT_TOSERVER;
991  p->flowflags |= FLOW_PKT_ESTABLISHED;
992  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
993  f.alproto = ALPROTO_HTTP1;
994 
995  StreamTcpInitConfig(true);
996 
997  de_ctx = DetectEngineCtxInit();
998  if (de_ctx == NULL)
999  goto end;
1000 
1001  de_ctx->flags |= DE_QUIET;
1002 
1003  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1004  "(msg:\"http header test\"; "
1005  "content:\"CO\"; http_method; "
1006  "content:!\"EC\"; within:3; http_method; "
1007  "sid:1;)");
1008  if (de_ctx->sig_list == NULL)
1009  goto end;
1010 
1011  SigGroupBuild(de_ctx);
1012  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1013 
1014  int r = AppLayerParserParse(
1015  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1016  if (r != 0) {
1017  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1018  result = 0;
1019  goto end;
1020  }
1021 
1022  http_state = f.alstate;
1023  if (http_state == NULL) {
1024  printf("no http state: ");
1025  result = 0;
1026  goto end;
1027  }
1028 
1029  /* do detect */
1030  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1031 
1032  if (!PacketAlertCheck(p, 1)) {
1033  printf("sid 1 didn't match but should have: ");
1034  goto end;
1035  }
1036 
1037  result = 1;
1038 
1039 end:
1040  if (alp_tctx != NULL)
1041  AppLayerParserThreadCtxFree(alp_tctx);
1042  if (de_ctx != NULL)
1043  DetectEngineCtxFree(de_ctx);
1044 
1045  StreamTcpFreeConfig(true);
1046  FLOW_DESTROY(&f);
1047  UTHFreePackets(&p, 1);
1048  return result;
1049 }
1050 
1051 /**
1052  * \test Test that the http_method content matches against a http request
1053  * which holds the content.
1054  */
1055 static int DetectEngineHttpMethodTest12(void)
1056 {
1057  TcpSession ssn;
1058  Packet *p = NULL;
1059  ThreadVars th_v;
1060  DetectEngineCtx *de_ctx = NULL;
1061  DetectEngineThreadCtx *det_ctx = NULL;
1062  HtpState *http_state = NULL;
1063  Flow f;
1064  uint8_t http_buf[] =
1065  "CONNECT /index.html HTTP/1.0\r\n"
1066  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1067  uint32_t http_len = sizeof(http_buf) - 1;
1068  int result = 0;
1069  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1070 
1071  memset(&th_v, 0, sizeof(th_v));
1072  memset(&f, 0, sizeof(f));
1073  memset(&ssn, 0, sizeof(ssn));
1074 
1075  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1076 
1077  FLOW_INITIALIZE(&f);
1078  f.protoctx = (void *)&ssn;
1079  f.proto = IPPROTO_TCP;
1080  f.flags |= FLOW_IPV4;
1081  p->flow = &f;
1082  p->flowflags |= FLOW_PKT_TOSERVER;
1083  p->flowflags |= FLOW_PKT_ESTABLISHED;
1084  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1085  f.alproto = ALPROTO_HTTP1;
1086 
1087  StreamTcpInitConfig(true);
1088 
1089  de_ctx = DetectEngineCtxInit();
1090  if (de_ctx == NULL)
1091  goto end;
1092 
1093  de_ctx->flags |= DE_QUIET;
1094 
1095  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1096  "(msg:\"http header test\"; "
1097  "content:\"CO\"; http_method; "
1098  "content:\"EC\"; within:3; http_method; "
1099  "sid:1;)");
1100  if (de_ctx->sig_list == NULL)
1101  goto end;
1102 
1103  SigGroupBuild(de_ctx);
1104  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1105 
1106  int r = AppLayerParserParse(
1107  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1108  if (r != 0) {
1109  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1110  result = 0;
1111  goto end;
1112  }
1113 
1114  http_state = f.alstate;
1115  if (http_state == NULL) {
1116  printf("no http state: ");
1117  result = 0;
1118  goto end;
1119  }
1120 
1121  /* do detect */
1122  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1123 
1124  if (PacketAlertCheck(p, 1)) {
1125  printf("sid 1 matched but shouldn't have: ");
1126  goto end;
1127  }
1128 
1129  result = 1;
1130 
1131 end:
1132  if (alp_tctx != NULL)
1133  AppLayerParserThreadCtxFree(alp_tctx);
1134  if (de_ctx != NULL)
1135  DetectEngineCtxFree(de_ctx);
1136 
1137  StreamTcpFreeConfig(true);
1138  FLOW_DESTROY(&f);
1139  UTHFreePackets(&p, 1);
1140  return result;
1141 }
1142 
1143 /**
1144  * \test Test that the http_method content matches against a http request
1145  * which holds the content.
1146  */
1147 static int DetectEngineHttpMethodTest13(void)
1148 {
1149  TcpSession ssn;
1150  Packet *p = NULL;
1151  ThreadVars th_v;
1152  DetectEngineCtx *de_ctx = NULL;
1153  DetectEngineThreadCtx *det_ctx = NULL;
1154  HtpState *http_state = NULL;
1155  Flow f;
1156  uint8_t http_buf[] =
1157  "CONNECT /index.html HTTP/1.0\r\n"
1158  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1159  uint32_t http_len = sizeof(http_buf) - 1;
1160  int result = 0;
1161  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1162 
1163  memset(&th_v, 0, sizeof(th_v));
1164  memset(&f, 0, sizeof(f));
1165  memset(&ssn, 0, sizeof(ssn));
1166 
1167  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1168 
1169  FLOW_INITIALIZE(&f);
1170  f.protoctx = (void *)&ssn;
1171  f.proto = IPPROTO_TCP;
1172  f.flags |= FLOW_IPV4;
1173  p->flow = &f;
1174  p->flowflags |= FLOW_PKT_TOSERVER;
1175  p->flowflags |= FLOW_PKT_ESTABLISHED;
1176  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1177  f.alproto = ALPROTO_HTTP1;
1178 
1179  StreamTcpInitConfig(true);
1180 
1181  de_ctx = DetectEngineCtxInit();
1182  if (de_ctx == NULL)
1183  goto end;
1184 
1185  de_ctx->flags |= DE_QUIET;
1186 
1187  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1188  "(msg:\"http header test\"; "
1189  "content:\"CO\"; http_method; "
1190  "content:!\"EC\"; within:4; http_method; "
1191  "sid:1;)");
1192  if (de_ctx->sig_list == NULL)
1193  goto end;
1194 
1195  SigGroupBuild(de_ctx);
1196  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1197 
1198  int r = AppLayerParserParse(
1199  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1200  if (r != 0) {
1201  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1202  result = 0;
1203  goto end;
1204  }
1205 
1206  http_state = f.alstate;
1207  if (http_state == NULL) {
1208  printf("no http state: ");
1209  result = 0;
1210  goto end;
1211  }
1212 
1213  /* do detect */
1214  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1215 
1216  if (PacketAlertCheck(p, 1)) {
1217  printf("sid 1 matched but shouldn't have: ");
1218  goto end;
1219  }
1220 
1221  result = 1;
1222 
1223 end:
1224  if (alp_tctx != NULL)
1225  AppLayerParserThreadCtxFree(alp_tctx);
1226  if (de_ctx != NULL)
1227  DetectEngineCtxFree(de_ctx);
1228 
1229  StreamTcpFreeConfig(true);
1230  FLOW_DESTROY(&f);
1231  UTHFreePackets(&p, 1);
1232  return result;
1233 }
1234 
1235 /**
1236  * \test Test that the http_method content matches against a http request
1237  * which holds the content.
1238  */
1239 static int DetectEngineHttpMethodTest14(void)
1240 {
1241  TcpSession ssn;
1242  Packet *p = NULL;
1243  ThreadVars th_v;
1244  DetectEngineCtx *de_ctx = NULL;
1245  DetectEngineThreadCtx *det_ctx = NULL;
1246  HtpState *http_state = NULL;
1247  Flow f;
1248  uint8_t http_buf[] =
1249  "CONNECT /index.html HTTP/1.0\r\n"
1250  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1251  uint32_t http_len = sizeof(http_buf) - 1;
1252  int result = 0;
1253  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1254 
1255  memset(&th_v, 0, sizeof(th_v));
1256  memset(&f, 0, sizeof(f));
1257  memset(&ssn, 0, sizeof(ssn));
1258 
1259  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1260 
1261  FLOW_INITIALIZE(&f);
1262  f.protoctx = (void *)&ssn;
1263  f.proto = IPPROTO_TCP;
1264  f.flags |= FLOW_IPV4;
1265  p->flow = &f;
1266  p->flowflags |= FLOW_PKT_TOSERVER;
1267  p->flowflags |= FLOW_PKT_ESTABLISHED;
1268  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1269  f.alproto = ALPROTO_HTTP1;
1270 
1271  StreamTcpInitConfig(true);
1272 
1273  de_ctx = DetectEngineCtxInit();
1274  if (de_ctx == NULL)
1275  goto end;
1276 
1277  de_ctx->flags |= DE_QUIET;
1278 
1279  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1280  "(msg:\"http header test\"; "
1281  "content:\"CO\"; http_method; "
1282  "content:\"EC\"; distance:2; http_method; "
1283  "sid:1;)");
1284  if (de_ctx->sig_list == NULL)
1285  goto end;
1286 
1287  SigGroupBuild(de_ctx);
1288  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1289 
1290  int r = AppLayerParserParse(
1291  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1292  if (r != 0) {
1293  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1294  result = 0;
1295  goto end;
1296  }
1297 
1298  http_state = f.alstate;
1299  if (http_state == NULL) {
1300  printf("no http state: ");
1301  result = 0;
1302  goto end;
1303  }
1304 
1305  /* do detect */
1306  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1307 
1308  if (!PacketAlertCheck(p, 1)) {
1309  printf("sid 1 didn't match but should have: ");
1310  goto end;
1311  }
1312 
1313  result = 1;
1314 
1315 end:
1316  if (alp_tctx != NULL)
1317  AppLayerParserThreadCtxFree(alp_tctx);
1318  if (de_ctx != NULL)
1319  DetectEngineCtxFree(de_ctx);
1320 
1321  StreamTcpFreeConfig(true);
1322  FLOW_DESTROY(&f);
1323  UTHFreePackets(&p, 1);
1324  return result;
1325 }
1326 
1327 /**
1328  * \test Test that the http_method content matches against a http request
1329  * which holds the content.
1330  */
1331 static int DetectEngineHttpMethodTest15(void)
1332 {
1333  TcpSession ssn;
1334  Packet *p = NULL;
1335  ThreadVars th_v;
1336  DetectEngineCtx *de_ctx = NULL;
1337  DetectEngineThreadCtx *det_ctx = NULL;
1338  HtpState *http_state = NULL;
1339  Flow f;
1340  uint8_t http_buf[] =
1341  "CONNECT /index.html HTTP/1.0\r\n"
1342  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1343  uint32_t http_len = sizeof(http_buf) - 1;
1344  int result = 0;
1345  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1346 
1347  memset(&th_v, 0, sizeof(th_v));
1348  memset(&f, 0, sizeof(f));
1349  memset(&ssn, 0, sizeof(ssn));
1350 
1351  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1352 
1353  FLOW_INITIALIZE(&f);
1354  f.protoctx = (void *)&ssn;
1355  f.proto = IPPROTO_TCP;
1356  f.flags |= FLOW_IPV4;
1357  p->flow = &f;
1358  p->flowflags |= FLOW_PKT_TOSERVER;
1359  p->flowflags |= FLOW_PKT_ESTABLISHED;
1360  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1361  f.alproto = ALPROTO_HTTP1;
1362 
1363  StreamTcpInitConfig(true);
1364 
1365  de_ctx = DetectEngineCtxInit();
1366  if (de_ctx == NULL)
1367  goto end;
1368 
1369  de_ctx->flags |= DE_QUIET;
1370 
1371  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1372  "(msg:\"http header test\"; "
1373  "content:\"CO\"; http_method; "
1374  "content:!\"EC\"; distance:3; http_method; "
1375  "sid:1;)");
1376  if (de_ctx->sig_list == NULL)
1377  goto end;
1378 
1379  SigGroupBuild(de_ctx);
1380  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1381 
1382  int r = AppLayerParserParse(
1383  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1384  if (r != 0) {
1385  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1386  result = 0;
1387  goto end;
1388  }
1389 
1390  http_state = f.alstate;
1391  if (http_state == NULL) {
1392  printf("no http state: ");
1393  result = 0;
1394  goto end;
1395  }
1396 
1397  /* do detect */
1398  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1399 
1400  if (!PacketAlertCheck(p, 1)) {
1401  printf("sid 1 didn't match but should have: ");
1402  goto end;
1403  }
1404 
1405  result = 1;
1406 
1407 end:
1408  if (alp_tctx != NULL)
1409  AppLayerParserThreadCtxFree(alp_tctx);
1410  if (de_ctx != NULL)
1411  DetectEngineCtxFree(de_ctx);
1412 
1413  StreamTcpFreeConfig(true);
1414  FLOW_DESTROY(&f);
1415  UTHFreePackets(&p, 1);
1416  return result;
1417 }
1418 
1419 /**
1420  * \test Test that the http_method content matches against a http request
1421  * which holds the content.
1422  */
1423 static int DetectEngineHttpMethodTest16(void)
1424 {
1425  TcpSession ssn;
1426  Packet *p = NULL;
1427  ThreadVars th_v;
1428  DetectEngineCtx *de_ctx = NULL;
1429  DetectEngineThreadCtx *det_ctx = NULL;
1430  HtpState *http_state = NULL;
1431  Flow f;
1432  uint8_t http_buf[] =
1433  "CONNECT /index.html HTTP/1.0\r\n"
1434  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1435  uint32_t http_len = sizeof(http_buf) - 1;
1436  int result = 0;
1437  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1438 
1439  memset(&th_v, 0, sizeof(th_v));
1440  memset(&f, 0, sizeof(f));
1441  memset(&ssn, 0, sizeof(ssn));
1442 
1443  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1444 
1445  FLOW_INITIALIZE(&f);
1446  f.protoctx = (void *)&ssn;
1447  f.proto = IPPROTO_TCP;
1448  f.flags |= FLOW_IPV4;
1449  p->flow = &f;
1450  p->flowflags |= FLOW_PKT_TOSERVER;
1451  p->flowflags |= FLOW_PKT_ESTABLISHED;
1452  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1453  f.alproto = ALPROTO_HTTP1;
1454 
1455  StreamTcpInitConfig(true);
1456 
1457  de_ctx = DetectEngineCtxInit();
1458  if (de_ctx == NULL)
1459  goto end;
1460 
1461  de_ctx->flags |= DE_QUIET;
1462 
1463  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1464  "(msg:\"http header test\"; "
1465  "content:\"CO\"; http_method; "
1466  "content:\"EC\"; distance:3; http_method; "
1467  "sid:1;)");
1468  if (de_ctx->sig_list == NULL)
1469  goto end;
1470 
1471  SigGroupBuild(de_ctx);
1472  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1473 
1474  int r = AppLayerParserParse(
1475  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1476  if (r != 0) {
1477  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1478  result = 0;
1479  goto end;
1480  }
1481 
1482  http_state = f.alstate;
1483  if (http_state == NULL) {
1484  printf("no http state: ");
1485  result = 0;
1486  goto end;
1487  }
1488 
1489  /* do detect */
1490  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1491 
1492  if (PacketAlertCheck(p, 1)) {
1493  printf("sid 1 matched but shouldn't have: ");
1494  goto end;
1495  }
1496 
1497  result = 1;
1498 
1499 end:
1500  if (alp_tctx != NULL)
1501  AppLayerParserThreadCtxFree(alp_tctx);
1502  if (de_ctx != NULL)
1503  DetectEngineCtxFree(de_ctx);
1504 
1505  StreamTcpFreeConfig(true);
1506  FLOW_DESTROY(&f);
1507  UTHFreePackets(&p, 1);
1508  return result;
1509 }
1510 
1511 /**
1512  * \test Test that the http_method content matches against a http request
1513  * which holds the content.
1514  */
1515 static int DetectEngineHttpMethodTest17(void)
1516 {
1517  TcpSession ssn;
1518  Packet *p = NULL;
1519  ThreadVars th_v;
1520  DetectEngineCtx *de_ctx = NULL;
1521  DetectEngineThreadCtx *det_ctx = NULL;
1522  HtpState *http_state = NULL;
1523  Flow f;
1524  uint8_t http_buf[] =
1525  "CONNECT /index.html HTTP/1.0\r\n"
1526  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1527  uint32_t http_len = sizeof(http_buf) - 1;
1528  int result = 0;
1529  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1530 
1531  memset(&th_v, 0, sizeof(th_v));
1532  memset(&f, 0, sizeof(f));
1533  memset(&ssn, 0, sizeof(ssn));
1534 
1535  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1536 
1537  FLOW_INITIALIZE(&f);
1538  f.protoctx = (void *)&ssn;
1539  f.proto = IPPROTO_TCP;
1540  f.flags |= FLOW_IPV4;
1541  p->flow = &f;
1542  p->flowflags |= FLOW_PKT_TOSERVER;
1543  p->flowflags |= FLOW_PKT_ESTABLISHED;
1544  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1545  f.alproto = ALPROTO_HTTP1;
1546 
1547  StreamTcpInitConfig(true);
1548 
1549  de_ctx = DetectEngineCtxInit();
1550  if (de_ctx == NULL)
1551  goto end;
1552 
1553  de_ctx->flags |= DE_QUIET;
1554 
1555  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1556  "(msg:\"http header test\"; "
1557  "content:\"CO\"; http_method; "
1558  "content:!\"EC\"; distance:2; http_method; "
1559  "sid:1;)");
1560  if (de_ctx->sig_list == NULL)
1561  goto end;
1562 
1563  SigGroupBuild(de_ctx);
1564  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1565 
1566  int r = AppLayerParserParse(
1567  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1568  if (r != 0) {
1569  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1570  result = 0;
1571  goto end;
1572  }
1573 
1574  http_state = f.alstate;
1575  if (http_state == NULL) {
1576  printf("no http state: ");
1577  result = 0;
1578  goto end;
1579  }
1580 
1581  /* do detect */
1582  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1583 
1584  if (PacketAlertCheck(p, 1)) {
1585  printf("sid 1 matched but shouldn't have: ");
1586  goto end;
1587  }
1588 
1589  result = 1;
1590 
1591 end:
1592  if (alp_tctx != NULL)
1593  AppLayerParserThreadCtxFree(alp_tctx);
1594  if (de_ctx != NULL)
1595  DetectEngineCtxFree(de_ctx);
1596 
1597  StreamTcpFreeConfig(true);
1598  FLOW_DESTROY(&f);
1599  UTHFreePackets(&p, 1);
1600  return result;
1601 }
1602 
1603 /** \test Check a signature with content */
1604 static int DetectHttpMethodTest01(void)
1605 {
1606  DetectEngineCtx *de_ctx = NULL;
1607  int result = 0;
1608 
1609  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1610  goto end;
1611 
1612  de_ctx->flags |= DE_QUIET;
1613  de_ctx->sig_list = SigInit(de_ctx,
1614  "alert tcp any any -> any any "
1615  "(msg:\"Testing http_method\"; "
1616  "content:\"GET\"; "
1617  "http_method; sid:1;)");
1618 
1619  if (de_ctx->sig_list != NULL) {
1620  result = 1;
1621  } else {
1622  printf("sig parse failed: ");
1623  }
1624 
1625  end:
1626  if (de_ctx != NULL)
1627  DetectEngineCtxFree(de_ctx);
1628  return result;
1629 }
1630 
1631 /** \test Check a signature without content (fail) */
1632 static int DetectHttpMethodTest02(void)
1633 {
1634  DetectEngineCtx *de_ctx = NULL;
1635  int result = 0;
1636 
1637  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1638  goto end;
1639 
1640  de_ctx->flags |= DE_QUIET;
1641  de_ctx->sig_list = SigInit(de_ctx,
1642  "alert tcp any any -> any any "
1643  "(msg:\"Testing http_method\"; "
1644  "http_method; sid:1;)");
1645 
1646  if (de_ctx->sig_list == NULL) {
1647  result = 1;
1648  }
1649 
1650  end:
1651  if (de_ctx != NULL)
1652  DetectEngineCtxFree(de_ctx);
1653  return result;
1654 }
1655 
1656 /** \test Check a signature with parameter (fail) */
1657 static int DetectHttpMethodTest03(void)
1658 {
1659  DetectEngineCtx *de_ctx = NULL;
1660  int result = 0;
1661 
1662  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1663  goto end;
1664 
1665  de_ctx->flags |= DE_QUIET;
1666  de_ctx->sig_list = SigInit(de_ctx,
1667  "alert tcp any any -> any any "
1668  "(msg:\"Testing http_method\"; "
1669  "content:\"foobar\"; "
1670  "http_method:\"GET\"; sid:1;)");
1671 
1672  if (de_ctx->sig_list == NULL) {
1673  result = 1;
1674  }
1675 
1676  end:
1677  if (de_ctx != NULL)
1678  DetectEngineCtxFree(de_ctx);
1679  return result;
1680 }
1681 
1682 /** \test Check a signature with fast_pattern (should work) */
1683 static int DetectHttpMethodTest04(void)
1684 {
1685  DetectEngineCtx *de_ctx = NULL;
1686  int result = 0;
1687 
1688  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1689  goto end;
1690 
1691  de_ctx->flags |= DE_QUIET;
1692  de_ctx->sig_list = SigInit(de_ctx,
1693  "alert tcp any any -> any any "
1694  "(msg:\"Testing http_method\"; "
1695  "content:\"GET\"; "
1696  "fast_pattern; "
1697  "http_method; sid:1;)");
1698 
1699  if (de_ctx->sig_list != NULL) {
1700  result = 1;
1701  }
1702 
1703  end:
1704  if (de_ctx != NULL)
1705  DetectEngineCtxFree(de_ctx);
1706  return result;
1707 }
1708 
1709 /** \test Check a signature with rawbytes (fail) */
1710 static int DetectHttpMethodTest05(void)
1711 {
1712  DetectEngineCtx *de_ctx = NULL;
1713  int result = 0;
1714 
1715  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1716  goto end;
1717 
1718  de_ctx->flags |= DE_QUIET;
1719  de_ctx->sig_list = SigInit(de_ctx,
1720  "alert tcp any any -> any any "
1721  "(msg:\"Testing http_method\"; "
1722  "content:\"GET\"; "
1723  "rawbytes; "
1724  "http_method; sid:1;)");
1725 
1726  if (de_ctx->sig_list == NULL) {
1727  result = 1;
1728  }
1729 
1730  end:
1731  if (de_ctx != NULL)
1732  DetectEngineCtxFree(de_ctx);
1733  return result;
1734 }
1735 
1736 /** \test setting the nocase flag */
1737 static int DetectHttpMethodTest12(void)
1738 {
1739  DetectEngineCtx *de_ctx = NULL;
1740  int result = 0;
1741 
1742  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1743  goto end;
1744 
1745  de_ctx->flags |= DE_QUIET;
1746 
1747  if (DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1748  "(content:\"one\"; http_method; nocase; sid:1;)") == NULL) {
1749  printf("DetectEngineAppend == NULL: ");
1750  goto end;
1751  }
1752  if (DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1753  "(content:\"one\"; nocase; http_method; sid:2;)") == NULL) {
1754  printf("DetectEngineAppend == NULL: ");
1755  goto end;
1756  }
1757 
1758  if (de_ctx->sig_list->sm_lists[g_http_method_buffer_id] == NULL) {
1759  printf("de_ctx->sig_list->sm_lists[g_http_method_buffer_id] == NULL: ");
1760  goto end;
1761  }
1762 
1763  DetectContentData *hmd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
1764  DetectContentData *hmd2 = (DetectContentData *)de_ctx->sig_list->next->sm_lists_tail[g_http_method_buffer_id]->ctx;
1765 
1766  if (!(hmd1->flags & DETECT_CONTENT_NOCASE)) {
1767  printf("nocase flag not set on sig 1: ");
1768  goto end;
1769  }
1770 
1771  if (!(hmd2->flags & DETECT_CONTENT_NOCASE)) {
1772  printf("nocase flag not set on sig 2: ");
1773  goto end;
1774  }
1775  result = 1;
1776 
1777  end:
1778  DetectEngineCtxFree(de_ctx);
1779  return result;
1780 }
1781 
1782 /** \test Check a signature with method + within and pcre with /M (should work) */
1783 static int DetectHttpMethodTest13(void)
1784 {
1785  DetectEngineCtx *de_ctx = NULL;
1786  int result = 0;
1787 
1788  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1789  goto end;
1790 
1791  de_ctx->flags |= DE_QUIET;
1792  de_ctx->sig_list = SigInit(de_ctx,
1793  "alert tcp any any -> any any "
1794  "(msg:\"Testing http_method\"; "
1795  "pcre:\"/HE/M\"; "
1796  "content:\"AD\"; "
1797  "within:2; http_method; sid:1;)");
1798 
1799  if (de_ctx->sig_list != NULL) {
1800  result = 1;
1801  }
1802 
1803  end:
1804  if (de_ctx != NULL)
1805  DetectEngineCtxFree(de_ctx);
1806  return result;
1807 }
1808 
1809 /** \test Check a signature with method + within and pcre without /M (should fail) */
1810 static int DetectHttpMethodTest14(void)
1811 {
1812  DetectEngineCtx *de_ctx = NULL;
1813  int result = 0;
1814 
1815  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1816  goto end;
1817 
1818  de_ctx->flags |= DE_QUIET;
1819  de_ctx->sig_list = SigInit(de_ctx,
1820  "alert tcp any any -> any any "
1821  "(msg:\"Testing http_method\"; "
1822  "pcre:\"/HE/\"; "
1823  "content:\"AD\"; "
1824  "http_method; within:2; sid:1;)");
1825 
1826  if (de_ctx->sig_list != NULL) {
1827  result = 1;
1828  }
1829 
1830  end:
1831  if (de_ctx != NULL)
1832  DetectEngineCtxFree(de_ctx);
1833  return result;
1834 }
1835 
1836 /** \test Check a signature with method + within and pcre with /M (should work) */
1837 static int DetectHttpMethodTest15(void)
1838 {
1839  DetectEngineCtx *de_ctx = NULL;
1840  int result = 0;
1841 
1842  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1843  goto end;
1844 
1845  de_ctx->flags |= DE_QUIET;
1846  de_ctx->sig_list = SigInit(de_ctx,
1847  "alert tcp any any -> any any "
1848  "(msg:\"Testing http_method\"; "
1849  "pcre:\"/HE/M\"; "
1850  "content:\"AD\"; "
1851  "http_method; within:2; sid:1;)");
1852 
1853  if (de_ctx->sig_list != NULL) {
1854  result = 1;
1855  }
1856 
1857  end:
1858  if (de_ctx != NULL)
1859  DetectEngineCtxFree(de_ctx);
1860  return result;
1861 }
1862 /** \test Check a signature with an known request method */
1863 static int DetectHttpMethodSigTest01(void)
1864 {
1865  int result = 0;
1866  Flow f;
1867  uint8_t httpbuf1[] = "GET / HTTP/1.0\r\n"
1868  "Host: foo.bar.tld\r\n"
1869  "\r\n";
1870  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1871  TcpSession ssn;
1872  Packet *p = NULL;
1873  Signature *s = NULL;
1874  ThreadVars th_v;
1875  DetectEngineThreadCtx *det_ctx;
1876  HtpState *http_state = NULL;
1877  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1878 
1879  memset(&th_v, 0, sizeof(th_v));
1880  memset(&f, 0, sizeof(f));
1881  memset(&ssn, 0, sizeof(ssn));
1882 
1883  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1884 
1885  FLOW_INITIALIZE(&f);
1886  f.protoctx = (void *)&ssn;
1887  f.proto = IPPROTO_TCP;
1888  f.flags |= FLOW_IPV4;
1889 
1890  p->flow = &f;
1891  p->flowflags |= FLOW_PKT_TOSERVER;
1892  p->flowflags |= FLOW_PKT_ESTABLISHED;
1893  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1894  f.alproto = ALPROTO_HTTP1;
1895 
1896  StreamTcpInitConfig(true);
1897 
1898  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1899  if (de_ctx == NULL) {
1900  goto end;
1901  }
1902 
1903  de_ctx->flags |= DE_QUIET;
1904 
1905  s = de_ctx->sig_list = SigInit(de_ctx,
1906  "alert tcp any any -> any any "
1907  "(msg:\"Testing http_method\"; "
1908  "content:\"GET\"; "
1909  "http_method; sid:1;)");
1910  if (s == NULL) {
1911  goto end;
1912  }
1913 
1914  s = s->next = SigInit(de_ctx,
1915  "alert tcp any any -> any any "
1916  "(msg:\"Testing http_method\"; "
1917  "content:\"POST\"; "
1918  "http_method; sid:2;)");
1919  if (s == NULL) {
1920  goto end;
1921  }
1922 
1923  SigGroupBuild(de_ctx);
1924  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1925 
1926  int r = AppLayerParserParse(
1927  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1928  if (r != 0) {
1929  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1930  goto end;
1931  }
1932 
1933  http_state = f.alstate;
1934  if (http_state == NULL) {
1935  SCLogDebug("no http state: ");
1936  goto end;
1937  }
1938 
1939  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1940 
1941  if (!(PacketAlertCheck(p, 1))) {
1942  goto end;
1943  }
1944  if (PacketAlertCheck(p, 2)) {
1945  goto end;
1946  }
1947 
1948  result = 1;
1949 
1950 end:
1951  if (alp_tctx != NULL)
1952  AppLayerParserThreadCtxFree(alp_tctx);
1953  if (de_ctx != NULL)
1954  DetectEngineCtxFree(de_ctx);
1955 
1956  StreamTcpFreeConfig(true);
1957  FLOW_DESTROY(&f);
1958  UTHFreePackets(&p, 1);
1959  return result;
1960 }
1961 
1962 /** \test Check a signature with an unknown request method */
1963 static int DetectHttpMethodSigTest02(void)
1964 {
1965  int result = 0;
1966  Flow f;
1967  uint8_t httpbuf1[] = "FOO / HTTP/1.0\r\n"
1968  "Host: foo.bar.tld\r\n"
1969  "\r\n";
1970  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1971  TcpSession ssn;
1972  Packet *p = NULL;
1973  Signature *s = NULL;
1974  ThreadVars th_v;
1975  DetectEngineThreadCtx *det_ctx = NULL;
1976  HtpState *http_state = NULL;
1977  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1978 
1979  memset(&th_v, 0, sizeof(th_v));
1980  memset(&f, 0, sizeof(f));
1981  memset(&ssn, 0, sizeof(ssn));
1982 
1983  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1984 
1985  FLOW_INITIALIZE(&f);
1986  f.protoctx = (void *)&ssn;
1987  f.proto = IPPROTO_TCP;
1988  f.flags |= FLOW_IPV4;
1989 
1990  p->flow = &f;
1991  p->flowflags |= FLOW_PKT_TOSERVER;
1992  p->flowflags |= FLOW_PKT_ESTABLISHED;
1993  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1994  f.alproto = ALPROTO_HTTP1;
1995 
1996  StreamTcpInitConfig(true);
1997 
1998  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1999  if (de_ctx == NULL) {
2000  goto end;
2001  }
2002 
2003  de_ctx->flags |= DE_QUIET;
2004 
2005  s = de_ctx->sig_list = SigInit(de_ctx,
2006  "alert tcp any any -> any any "
2007  "(msg:\"Testing http_method\"; "
2008  "content:\"FOO\"; "
2009  "http_method; sid:1;)");
2010  if (s == NULL) {
2011  goto end;
2012  }
2013 
2014  s = s->next = SigInit(de_ctx,
2015  "alert tcp any any -> any any "
2016  "(msg:\"Testing http_method\"; "
2017  "content:\"BAR\"; "
2018  "http_method; sid:2;)");
2019  if (s == NULL) {
2020  goto end;
2021  }
2022 
2023  SigGroupBuild(de_ctx);
2024  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2025 
2026  int r = AppLayerParserParse(
2027  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2028  if (r != 0) {
2029  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2030  goto end;
2031  }
2032 
2033  http_state = f.alstate;
2034  if (http_state == NULL) {
2035  SCLogDebug("no http state: ");
2036  goto end;
2037  }
2038 
2039  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2040 
2041  if (!(PacketAlertCheck(p, 1))) {
2042  goto end;
2043  }
2044  if (PacketAlertCheck(p, 2)) {
2045  goto end;
2046  }
2047 
2048  result = 1;
2049 
2050 end:
2051  if (alp_tctx != NULL)
2052  AppLayerParserThreadCtxFree(alp_tctx);
2053  if (det_ctx != NULL)
2054  DetectEngineThreadCtxDeinit(&th_v, (void *) det_ctx);
2055  if (de_ctx != NULL)
2056  DetectEngineCtxFree(de_ctx);
2057 
2058  StreamTcpFreeConfig(true);
2059  FLOW_DESTROY(&f);
2060  UTHFreePackets(&p, 1);
2061  return result;
2062 }
2063 
2064 /** \test Check a signature against an unparsable request */
2065 static int DetectHttpMethodSigTest03(void)
2066 {
2067  int result = 0;
2068  Flow f;
2069  uint8_t httpbuf1[] = " ";
2070  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2071  TcpSession ssn;
2072  Packet *p = NULL;
2073  Signature *s = NULL;
2074  ThreadVars th_v;
2075  DetectEngineThreadCtx *det_ctx;
2076  HtpState *http_state = NULL;
2077  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2078 
2079  memset(&th_v, 0, sizeof(th_v));
2080  memset(&f, 0, sizeof(f));
2081  memset(&ssn, 0, sizeof(ssn));
2082 
2083  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2084 
2085  FLOW_INITIALIZE(&f);
2086  f.protoctx = (void *)&ssn;
2087  f.proto = IPPROTO_TCP;
2088  f.flags |= FLOW_IPV4;
2089 
2090  p->flow = &f;
2091  p->flowflags |= FLOW_PKT_TOSERVER;
2092  p->flowflags |= FLOW_PKT_ESTABLISHED;
2093  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2094  f.alproto = ALPROTO_HTTP1;
2095 
2096  StreamTcpInitConfig(true);
2097 
2098  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2099  if (de_ctx == NULL) {
2100  goto end;
2101  }
2102 
2103  de_ctx->flags |= DE_QUIET;
2104 
2105  s = de_ctx->sig_list = SigInit(de_ctx,
2106  "alert tcp any any -> any any "
2107  "(msg:\"Testing http_method\"; "
2108  "content:\"GET\"; "
2109  "http_method; sid:1;)");
2110  if (s == NULL) {
2111  SCLogDebug("Bad signature");
2112  goto end;
2113  }
2114 
2115  SigGroupBuild(de_ctx);
2116  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2117 
2118  int r = AppLayerParserParse(
2119  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2120  if (r != 0) {
2121  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2122  goto end;
2123  }
2124 
2125  http_state = f.alstate;
2126  if (http_state == NULL) {
2127  SCLogDebug("no http state: ");
2128  goto end;
2129  }
2130 
2131  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2132 
2133  if (PacketAlertCheck(p, 1)) {
2134  goto end;
2135  }
2136 
2137  result = 1;
2138 
2139 end:
2140  if (alp_tctx != NULL)
2141  AppLayerParserThreadCtxFree(alp_tctx);
2142  if (de_ctx != NULL)
2143  DetectEngineCtxFree(de_ctx);
2144 
2145  StreamTcpFreeConfig(true);
2146  FLOW_DESTROY(&f);
2147  UTHFreePackets(&p, 1);
2148  return result;
2149 }
2150 
2151 /** \test Check a signature with an request method and negation of the same */
2152 static int DetectHttpMethodSigTest04(void)
2153 {
2154  int result = 0;
2155  Flow f;
2156  uint8_t httpbuf1[] = "GET / HTTP/1.0\r\n"
2157  "Host: foo.bar.tld\r\n"
2158  "\r\n";
2159  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2160  TcpSession ssn;
2161  Packet *p = NULL;
2162  Signature *s = NULL;
2163  ThreadVars th_v;
2164  DetectEngineThreadCtx *det_ctx = NULL;
2165  HtpState *http_state = NULL;
2166  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2167 
2168  memset(&th_v, 0, sizeof(th_v));
2169  memset(&f, 0, sizeof(f));
2170  memset(&ssn, 0, sizeof(ssn));
2171 
2172  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2173 
2174  FLOW_INITIALIZE(&f);
2175  f.protoctx = (void *)&ssn;
2176  f.proto = IPPROTO_TCP;
2177  f.flags |= FLOW_IPV4;
2178 
2179  p->flow = &f;
2180  p->flowflags |= FLOW_PKT_TOSERVER;
2181  p->flowflags |= FLOW_PKT_ESTABLISHED;
2182  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2183  f.alproto = ALPROTO_HTTP1;
2184 
2185  StreamTcpInitConfig(true);
2186 
2187  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2188  if (de_ctx == NULL) {
2189  goto end;
2190  }
2191 
2192  de_ctx->flags |= DE_QUIET;
2193 
2194  s = de_ctx->sig_list = SigInit(de_ctx,
2195  "alert tcp any any -> any any (msg:\"Testing http_method\"; "
2196  "content:\"GET\"; http_method; sid:1;)");
2197  if (s == NULL) {
2198  goto end;
2199  }
2200 
2201  s = s->next = SigInit(de_ctx,
2202  "alert tcp any any -> any any (msg:\"Testing http_method\"; "
2203  "content:!\"GET\"; http_method; sid:2;)");
2204  if (s == NULL) {
2205  goto end;
2206  }
2207 
2208  SigGroupBuild(de_ctx);
2209  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2210 
2211  int r = AppLayerParserParse(
2212  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2213  if (r != 0) {
2214  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2215  goto end;
2216  }
2217 
2218  http_state = f.alstate;
2219  if (http_state == NULL) {
2220  SCLogDebug("no http state: ");
2221  goto end;
2222  }
2223 
2224  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2225 
2226  if (!(PacketAlertCheck(p, 1))) {
2227  printf("sid 1 didn't match but should have: ");
2228  goto end;
2229  }
2230  if (PacketAlertCheck(p, 2)) {
2231  printf("sid 2 matched but shouldn't have: ");
2232  goto end;
2233  }
2234 
2235  result = 1;
2236 
2237 end:
2238  if (alp_tctx != NULL)
2239  AppLayerParserThreadCtxFree(alp_tctx);
2240  if (det_ctx != NULL) {
2241  DetectEngineThreadCtxDeinit(&th_v, (void *) det_ctx);
2242  }
2243  if (de_ctx != NULL) {
2244  DetectEngineCtxFree(de_ctx);
2245  }
2246 
2247  StreamTcpFreeConfig(true);
2248  FLOW_DESTROY(&f);
2249  UTHFreePackets(&p, 1);
2250  return result;
2251 }
2252 
2253 static int DetectHttpMethodIsdataatParseTest(void)
2254 {
2255  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2256  FAIL_IF_NULL(de_ctx);
2257  de_ctx->flags |= DE_QUIET;
2258 
2259  Signature *s = DetectEngineAppendSig(de_ctx,
2260  "alert tcp any any -> any any ("
2261  "content:\"one\"; http_method; "
2262  "isdataat:!4,relative; sid:1;)");
2263  FAIL_IF_NULL(s);
2264 
2265  SigMatch *sm = s->init_data->smlists_tail[g_http_method_buffer_id];
2266  FAIL_IF_NULL(sm);
2267  FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
2268 
2269  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
2270  FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
2271  FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
2272  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
2273 
2274  DetectEngineCtxFree(de_ctx);
2275  PASS;
2276 }
2277 
2278 /**
2279  * \brief this function registers unit tests for DetectHttpMethod
2280  */
2281 void DetectHttpMethodRegisterTests(void)
2282 {
2283  UtRegisterTest("DetectHttpMethodTest01", DetectHttpMethodTest01);
2284  UtRegisterTest("DetectHttpMethodTest02", DetectHttpMethodTest02);
2285  UtRegisterTest("DetectHttpMethodTest03", DetectHttpMethodTest03);
2286  UtRegisterTest("DetectHttpMethodTest04", DetectHttpMethodTest04);
2287  UtRegisterTest("DetectHttpMethodTest05", DetectHttpMethodTest05);
2288  UtRegisterTest("DetectHttpMethodTest12 -- nocase flag",
2289  DetectHttpMethodTest12);
2290  UtRegisterTest("DetectHttpMethodTest13", DetectHttpMethodTest13);
2291  UtRegisterTest("DetectHttpMethodTest14", DetectHttpMethodTest14);
2292  UtRegisterTest("DetectHttpMethodTest15", DetectHttpMethodTest15);
2293  UtRegisterTest("DetectHttpMethodSigTest01", DetectHttpMethodSigTest01);
2294  UtRegisterTest("DetectHttpMethodSigTest02", DetectHttpMethodSigTest02);
2295  UtRegisterTest("DetectHttpMethodSigTest03", DetectHttpMethodSigTest03);
2296  UtRegisterTest("DetectHttpMethodSigTest04", DetectHttpMethodSigTest04);
2297 
2298  UtRegisterTest("DetectHttpMethodIsdataatParseTest",
2299  DetectHttpMethodIsdataatParseTest);
2300  UtRegisterTest("DetectEngineHttpMethodTest01",
2301  DetectEngineHttpMethodTest01);
2302  UtRegisterTest("DetectEngineHttpMethodTest02",
2303  DetectEngineHttpMethodTest02);
2304  UtRegisterTest("DetectEngineHttpMethodTest03",
2305  DetectEngineHttpMethodTest03);
2306  UtRegisterTest("DetectEngineHttpMethodTest04",
2307  DetectEngineHttpMethodTest04);
2308  UtRegisterTest("DetectEngineHttpMethodTest05",
2309  DetectEngineHttpMethodTest05);
2310  UtRegisterTest("DetectEngineHttpMethodTest06",
2311  DetectEngineHttpMethodTest06);
2312  UtRegisterTest("DetectEngineHttpMethodTest07",
2313  DetectEngineHttpMethodTest07);
2314  UtRegisterTest("DetectEngineHttpMethodTest08",
2315  DetectEngineHttpMethodTest08);
2316  UtRegisterTest("DetectEngineHttpMethodTest09",
2317  DetectEngineHttpMethodTest09);
2318  UtRegisterTest("DetectEngineHttpMethodTest10",
2319  DetectEngineHttpMethodTest10);
2320  UtRegisterTest("DetectEngineHttpMethodTest11",
2321  DetectEngineHttpMethodTest11);
2322  UtRegisterTest("DetectEngineHttpMethodTest12",
2323  DetectEngineHttpMethodTest12);
2324  UtRegisterTest("DetectEngineHttpMethodTest13",
2325  DetectEngineHttpMethodTest13);
2326  UtRegisterTest("DetectEngineHttpMethodTest14",
2327  DetectEngineHttpMethodTest14);
2328  UtRegisterTest("DetectEngineHttpMethodTest15",
2329  DetectEngineHttpMethodTest15);
2330  UtRegisterTest("DetectEngineHttpMethodTest16",
2331  DetectEngineHttpMethodTest16);
2332  UtRegisterTest("DetectEngineHttpMethodTest17",
2333  DetectEngineHttpMethodTest17);
2334 }
2335 
2336 /**
2337  * @}
2338  */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1003
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:379
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:463
Flow_
Flow data structure.
Definition: flow.h:357
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:314
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:227
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectContentData_
Definition: detect-content.h:86
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:459
Flow_::protoctx
void * protoctx
Definition: flow.h:447
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
HtpState_
Definition: app-layer-htp.h:244
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
Signature_::next
struct Signature_ * next
Definition: detect.h:614
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:536
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:356
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:40
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
DetectHttpMethodRegisterTests
void DetectHttpMethodRegisterTests(void)
this function registers unit tests for DetectHttpMethod
Definition: detect-http-method.c:2281
Packet_
Definition: decode.h:428
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:293
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:668
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1323
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
Flow_::alstate
void * alstate
Definition: flow.h:482
Flow_::flags
uint32_t flags
Definition: flow.h:427
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:229
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
TcpSession_
Definition: stream-tcp-private.h:272
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:456
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:129
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1000
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468