suricata
detect-http-raw-header.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP raw header match.
31  *
32  */
33 
34 #include "../suricata-common.h"
35 #include "../suricata.h"
36 #include "../decode.h"
37 
38 #include "../detect.h"
39 #include "../detect-engine.h"
40 #include "../detect-isdataat.h"
41 #include "../detect-pcre.h"
42 #include "../detect-engine-build.h"
43 #include "../detect-engine-alert.h"
44 
45 #include "../stream-tcp.h"
46 #include "../app-layer.h"
47 #include "../app-layer-htp.h"
48 #include "../app-layer-protos.h"
49 #include "../app-layer-parser.h"
50 
51 #include "../util-unittest.h"
52 #include "../util-unittest-helper.h"
53 #include "../util-validate.h"
54 
55 /***********************************Unittests**********************************/
56 
57 #ifdef UNITTESTS
58 
59 /**
60  * \test Test parser accepting valid rules and rejecting invalid rules
61  */
62 static int DetectHttpRawHeaderParserTest01(void)
63 {
64  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; http_raw_header; sid:1;)", true));
65  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; nocase; http_raw_header; sid:1;)", true));
66  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; endswith; http_raw_header; sid:1;)", true));
67  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; http_raw_header; sid:1;)", true));
68  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; endswith; http_raw_header; sid:1;)", true));
69 
70  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; rawbytes; http_raw_header; sid:1;)", false));
71  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http_raw_header; sid:1;)", false));
72  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; content:\"abc\"; http_raw_header; sid:1;)", false));
73  PASS;
74 }
75 
76 /**
77  * \test Test parser accepting valid rules and rejecting invalid rules
78  */
79 static int DetectHttpRawHeaderParserTest02(void)
80 {
81  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; sid:1;)", true));
82  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; nocase; sid:1;)", true));
83  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; endswith; sid:1;)", true));
84  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; startswith; sid:1;)", true));
85  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; startswith; endswith; sid:1;)", true));
86  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; bsize:10; sid:1;)", true));
87 
88  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; rawbytes; sid:1;)", false));
89  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http.header.raw; sid:1;)", false));
90  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; sid:1;)", false));
91  PASS;
92 }
93 
94 /**
95  *\test Test that the http_header content matches against a http request
96  * which holds the content.
97  */
98 static int DetectEngineHttpRawHeaderTest01(void)
99 {
100  TcpSession ssn;
101  Packet *p = NULL;
102  ThreadVars th_v;
103  DetectEngineCtx *de_ctx = NULL;
104  DetectEngineThreadCtx *det_ctx = NULL;
105  HtpState *http_state = NULL;
106  Flow f;
107  uint8_t http_buf[] =
108  "GET /index.html HTTP/1.0\r\n"
109  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
110  uint32_t http_len = sizeof(http_buf) - 1;
111  int result = 0;
112  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
113 
114  memset(&th_v, 0, sizeof(th_v));
115  memset(&f, 0, sizeof(f));
116  memset(&ssn, 0, sizeof(ssn));
117 
118  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
119 
120  FLOW_INITIALIZE(&f);
121  f.protoctx = (void *)&ssn;
122  f.proto = IPPROTO_TCP;
123  f.flags |= FLOW_IPV4;
124  p->flow = &f;
125  p->flowflags |= FLOW_PKT_TOSERVER;
126  p->flowflags |= FLOW_PKT_ESTABLISHED;
127  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
128  f.alproto = ALPROTO_HTTP1;
129 
130  StreamTcpInitConfig(true);
131 
132  de_ctx = DetectEngineCtxInit();
133  if (de_ctx == NULL)
134  goto end;
135 
136  de_ctx->flags |= DE_QUIET;
137 
138  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
139  "(msg:\"http header test\"; flow:to_server; "
140  "content:\"one\"; http_raw_header; "
141  "sid:1;)");
142  if (de_ctx->sig_list == NULL)
143  goto end;
144 
145  SigGroupBuild(de_ctx);
146  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
147 
148  int r = AppLayerParserParse(
149  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
150  if (r != 0) {
151  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
152  result = 0;
153  goto end;
154  }
155 
156  http_state = f.alstate;
157  if (http_state == NULL) {
158  printf("no http state: ");
159  result = 0;
160  goto end;
161  }
162 
163  /* do detect */
164  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
165 
166  if (!(PacketAlertCheck(p, 1))) {
167  printf("sid 1 didn't match but should have: ");
168  goto end;
169  }
170 
171  result = 1;
172 end:
173  if (alp_tctx != NULL)
174  AppLayerParserThreadCtxFree(alp_tctx);
175  if (de_ctx != NULL)
176  DetectEngineCtxFree(de_ctx);
177 
178  StreamTcpFreeConfig(true);
179  FLOW_DESTROY(&f);
180  UTHFreePackets(&p, 1);
181  return result;
182 }
183 
184 /**
185  *\test Test that the http_header content matches against a http request
186  * which holds the content.
187  */
188 static int DetectEngineHttpRawHeaderTest02(void)
189 {
190  TcpSession ssn;
191  Packet *p = NULL;
192  ThreadVars th_v;
193  DetectEngineCtx *de_ctx = NULL;
194  DetectEngineThreadCtx *det_ctx = NULL;
195  HtpState *http_state = NULL;
196  Flow f;
197  uint8_t http_buf[] =
198  "GET /index.html HTTP/1.0\r\n"
199  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
200  uint32_t http_len = sizeof(http_buf) - 1;
201  int result = 0;
202  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
203 
204  memset(&th_v, 0, sizeof(th_v));
205  memset(&f, 0, sizeof(f));
206  memset(&ssn, 0, sizeof(ssn));
207 
208  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
209 
210  FLOW_INITIALIZE(&f);
211  f.protoctx = (void *)&ssn;
212  f.proto = IPPROTO_TCP;
213  f.flags |= FLOW_IPV4;
214  p->flow = &f;
215  p->flowflags |= FLOW_PKT_TOSERVER;
216  p->flowflags |= FLOW_PKT_ESTABLISHED;
217  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
218  f.alproto = ALPROTO_HTTP1;
219 
220  StreamTcpInitConfig(true);
221 
222  de_ctx = DetectEngineCtxInit();
223  if (de_ctx == NULL)
224  goto end;
225 
226  de_ctx->flags |= DE_QUIET;
227 
228  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
229  "(msg:\"http header test\"; flow:to_server; "
230  "content:\"one\"; depth:15; http_raw_header; "
231  "sid:1;)");
232  if (de_ctx->sig_list == NULL)
233  goto end;
234 
235  SigGroupBuild(de_ctx);
236  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
237 
238  int r = AppLayerParserParse(
239  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
240  if (r != 0) {
241  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
242  result = 0;
243  goto end;
244  }
245 
246  http_state = f.alstate;
247  if (http_state == NULL) {
248  printf("no http state: ");
249  result = 0;
250  goto end;
251  }
252 
253  /* do detect */
254  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
255 
256  if (!(PacketAlertCheck(p, 1))) {
257  printf("sid 1 didn't match but should have: ");
258  goto end;
259  }
260 
261  result = 1;
262 end:
263  if (alp_tctx != NULL)
264  AppLayerParserThreadCtxFree(alp_tctx);
265  if (de_ctx != NULL)
266  DetectEngineCtxFree(de_ctx);
267 
268  StreamTcpFreeConfig(true);
269  FLOW_DESTROY(&f);
270  UTHFreePackets(&p, 1);
271  return result;
272 }
273 
274 /**
275  *\test Test that the http_header content matches against a http request
276  * which holds the content.
277  */
278 static int DetectEngineHttpRawHeaderTest03(void)
279 {
280  TcpSession ssn;
281  Packet *p = NULL;
282  ThreadVars th_v;
283  DetectEngineCtx *de_ctx = NULL;
284  DetectEngineThreadCtx *det_ctx = NULL;
285  HtpState *http_state = NULL;
286  Flow f;
287  uint8_t http_buf[] =
288  "GET /index.html HTTP/1.0\r\n"
289  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
290  uint32_t http_len = sizeof(http_buf) - 1;
291  int result = 0;
292  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
293 
294  memset(&th_v, 0, sizeof(th_v));
295  memset(&f, 0, sizeof(f));
296  memset(&ssn, 0, sizeof(ssn));
297 
298  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
299 
300  FLOW_INITIALIZE(&f);
301  f.protoctx = (void *)&ssn;
302  f.proto = IPPROTO_TCP;
303  f.flags |= FLOW_IPV4;
304  p->flow = &f;
305  p->flowflags |= FLOW_PKT_TOSERVER;
306  p->flowflags |= FLOW_PKT_ESTABLISHED;
307  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
308  f.alproto = ALPROTO_HTTP1;
309 
310  StreamTcpInitConfig(true);
311 
312  de_ctx = DetectEngineCtxInit();
313  if (de_ctx == NULL)
314  goto end;
315 
316  de_ctx->flags |= DE_QUIET;
317 
318  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
319  "(msg:\"http header test\"; flow:to_server; "
320  "content:!\"one\"; depth:5; http_raw_header; "
321  "sid:1;)");
322  if (de_ctx->sig_list == NULL)
323  goto end;
324 
325  SigGroupBuild(de_ctx);
326  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
327 
328  int r = AppLayerParserParse(
329  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
330  if (r != 0) {
331  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
332  result = 0;
333  goto end;
334  }
335 
336  http_state = f.alstate;
337  if (http_state == NULL) {
338  printf("no http state: ");
339  result = 0;
340  goto end;
341  }
342 
343  /* do detect */
344  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
345 
346  if (!(PacketAlertCheck(p, 1))) {
347  printf("sid 1 didn't match but should have: ");
348  goto end;
349  }
350 
351  result = 1;
352 end:
353  if (alp_tctx != NULL)
354  AppLayerParserThreadCtxFree(alp_tctx);
355  if (de_ctx != NULL)
356  DetectEngineCtxFree(de_ctx);
357 
358  StreamTcpFreeConfig(true);
359  FLOW_DESTROY(&f);
360  UTHFreePackets(&p, 1);
361  return result;
362 }
363 
364 /**
365  *\test Test that the http_header content matches against a http request
366  * which holds the content.
367  */
368 static int DetectEngineHttpRawHeaderTest04(void)
369 {
370  TcpSession ssn;
371  Packet *p = NULL;
372  ThreadVars th_v;
373  DetectEngineCtx *de_ctx = NULL;
374  DetectEngineThreadCtx *det_ctx = NULL;
375  HtpState *http_state = NULL;
376  Flow f;
377  uint8_t http_buf[] =
378  "GET /index.html HTTP/1.0\r\n"
379  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
380  uint32_t http_len = sizeof(http_buf) - 1;
381  int result = 0;
382  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
383 
384  memset(&th_v, 0, sizeof(th_v));
385  memset(&f, 0, sizeof(f));
386  memset(&ssn, 0, sizeof(ssn));
387 
388  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
389 
390  FLOW_INITIALIZE(&f);
391  f.protoctx = (void *)&ssn;
392  f.proto = IPPROTO_TCP;
393  f.flags |= FLOW_IPV4;
394  p->flow = &f;
395  p->flowflags |= FLOW_PKT_TOSERVER;
396  p->flowflags |= FLOW_PKT_ESTABLISHED;
397  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
398  f.alproto = ALPROTO_HTTP1;
399 
400  StreamTcpInitConfig(true);
401 
402  de_ctx = DetectEngineCtxInit();
403  if (de_ctx == NULL)
404  goto end;
405 
406  de_ctx->flags |= DE_QUIET;
407 
408  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
409  "(msg:\"http header test\"; flow:to_server; "
410  "content:\"one\"; depth:5; http_raw_header; "
411  "sid:1;)");
412  if (de_ctx->sig_list == NULL)
413  goto end;
414 
415  SigGroupBuild(de_ctx);
416  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
417 
418  int r = AppLayerParserParse(
419  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
420  if (r != 0) {
421  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
422  result = 0;
423  goto end;
424  }
425 
426  http_state = f.alstate;
427  if (http_state == NULL) {
428  printf("no http state: ");
429  result = 0;
430  goto end;
431  }
432 
433  /* do detect */
434  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
435 
436  if (PacketAlertCheck(p, 1)) {
437  printf("sid 1 matched but shouldn't have: ");
438  goto end;
439  }
440 
441  result = 1;
442 end:
443  if (alp_tctx != NULL)
444  AppLayerParserThreadCtxFree(alp_tctx);
445  if (de_ctx != NULL)
446  DetectEngineCtxFree(de_ctx);
447 
448  StreamTcpFreeConfig(true);
449  FLOW_DESTROY(&f);
450  UTHFreePackets(&p, 1);
451  return result;
452 }
453 
454 /**
455  *\test Test that the http_header content matches against a http request
456  * which holds the content.
457  */
458 static int DetectEngineHttpRawHeaderTest05(void)
459 {
460  TcpSession ssn;
461  Packet *p = NULL;
462  ThreadVars th_v;
463  DetectEngineCtx *de_ctx = NULL;
464  DetectEngineThreadCtx *det_ctx = NULL;
465  HtpState *http_state = NULL;
466  Flow f;
467  uint8_t http_buf[] =
468  "GET /index.html HTTP/1.0\r\n"
469  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
470  uint32_t http_len = sizeof(http_buf) - 1;
471  int result = 0;
472  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
473 
474  memset(&th_v, 0, sizeof(th_v));
475  memset(&f, 0, sizeof(f));
476  memset(&ssn, 0, sizeof(ssn));
477 
478  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
479 
480  FLOW_INITIALIZE(&f);
481  f.protoctx = (void *)&ssn;
482  f.proto = IPPROTO_TCP;
483  f.flags |= FLOW_IPV4;
484  p->flow = &f;
485  p->flowflags |= FLOW_PKT_TOSERVER;
486  p->flowflags |= FLOW_PKT_ESTABLISHED;
487  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
488  f.alproto = ALPROTO_HTTP1;
489 
490  StreamTcpInitConfig(true);
491 
492  de_ctx = DetectEngineCtxInit();
493  if (de_ctx == NULL)
494  goto end;
495 
496  de_ctx->flags |= DE_QUIET;
497 
498  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
499  "(msg:\"http header test\"; flow:to_server; "
500  "content:!\"one\"; depth:15; http_raw_header; "
501  "sid:1;)");
502  if (de_ctx->sig_list == NULL)
503  goto end;
504 
505  SigGroupBuild(de_ctx);
506  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
507 
508  int r = AppLayerParserParse(
509  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
510  if (r != 0) {
511  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
512  result = 0;
513  goto end;
514  }
515 
516  http_state = f.alstate;
517  if (http_state == NULL) {
518  printf("no http state: ");
519  result = 0;
520  goto end;
521  }
522 
523  /* do detect */
524  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
525 
526  if (PacketAlertCheck(p, 1)) {
527  printf("sid 1 matched but shouldn't have: ");
528  goto end;
529  }
530 
531  result = 1;
532 end:
533  if (alp_tctx != NULL)
534  AppLayerParserThreadCtxFree(alp_tctx);
535  if (de_ctx != NULL)
536  DetectEngineCtxFree(de_ctx);
537 
538  StreamTcpFreeConfig(true);
539  FLOW_DESTROY(&f);
540  UTHFreePackets(&p, 1);
541  return result;
542 }
543 
544 /**
545  *\test Test that the http_header content matches against a http request
546  * which holds the content.
547  */
548 static int DetectEngineHttpRawHeaderTest06(void)
549 {
550  TcpSession ssn;
551  Packet *p = NULL;
552  ThreadVars th_v;
553  DetectEngineCtx *de_ctx = NULL;
554  DetectEngineThreadCtx *det_ctx = NULL;
555  HtpState *http_state = NULL;
556  Flow f;
557  uint8_t http_buf[] =
558  "GET /index.html HTTP/1.0\r\n"
559  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
560  uint32_t http_len = sizeof(http_buf) - 1;
561  int result = 0;
562  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
563 
564  memset(&th_v, 0, sizeof(th_v));
565  memset(&f, 0, sizeof(f));
566  memset(&ssn, 0, sizeof(ssn));
567 
568  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
569 
570  FLOW_INITIALIZE(&f);
571  f.protoctx = (void *)&ssn;
572  f.proto = IPPROTO_TCP;
573  f.flags |= FLOW_IPV4;
574  p->flow = &f;
575  p->flowflags |= FLOW_PKT_TOSERVER;
576  p->flowflags |= FLOW_PKT_ESTABLISHED;
577  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
578  f.alproto = ALPROTO_HTTP1;
579 
580  StreamTcpInitConfig(true);
581 
582  de_ctx = DetectEngineCtxInit();
583  if (de_ctx == NULL)
584  goto end;
585 
586  de_ctx->flags |= DE_QUIET;
587 
588  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
589  "(msg:\"http header test\"; flow:to_server; "
590  "content:\"one\"; offset:10; http_raw_header; "
591  "sid:1;)");
592  if (de_ctx->sig_list == NULL)
593  goto end;
594 
595  SigGroupBuild(de_ctx);
596  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
597 
598  int r = AppLayerParserParse(
599  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
600  if (r != 0) {
601  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
602  result = 0;
603  goto end;
604  }
605 
606  http_state = f.alstate;
607  if (http_state == NULL) {
608  printf("no http state: ");
609  result = 0;
610  goto end;
611  }
612 
613  /* do detect */
614  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
615 
616  if (!(PacketAlertCheck(p, 1))) {
617  printf("sid 1 didn't match but should have: ");
618  goto end;
619  }
620 
621  result = 1;
622 end:
623  if (alp_tctx != NULL)
624  AppLayerParserThreadCtxFree(alp_tctx);
625  if (de_ctx != NULL)
626  DetectEngineCtxFree(de_ctx);
627 
628  StreamTcpFreeConfig(true);
629  FLOW_DESTROY(&f);
630  UTHFreePackets(&p, 1);
631  return result;
632 }
633 
634 /**
635  *\test Test that the http_header content matches against a http request
636  * which holds the content.
637  */
638 static int DetectEngineHttpRawHeaderTest07(void)
639 {
640  TcpSession ssn;
641  Packet *p = NULL;
642  ThreadVars th_v;
643  DetectEngineCtx *de_ctx = NULL;
644  DetectEngineThreadCtx *det_ctx = NULL;
645  HtpState *http_state = NULL;
646  Flow f;
647  uint8_t http_buf[] =
648  "GET /index.html HTTP/1.0\r\n"
649  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
650  uint32_t http_len = sizeof(http_buf) - 1;
651  int result = 0;
652  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
653 
654  memset(&th_v, 0, sizeof(th_v));
655  memset(&f, 0, sizeof(f));
656  memset(&ssn, 0, sizeof(ssn));
657 
658  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
659 
660  FLOW_INITIALIZE(&f);
661  f.protoctx = (void *)&ssn;
662  f.proto = IPPROTO_TCP;
663  f.flags |= FLOW_IPV4;
664  p->flow = &f;
665  p->flowflags |= FLOW_PKT_TOSERVER;
666  p->flowflags |= FLOW_PKT_ESTABLISHED;
667  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
668  f.alproto = ALPROTO_HTTP1;
669 
670  StreamTcpInitConfig(true);
671 
672  de_ctx = DetectEngineCtxInit();
673  if (de_ctx == NULL)
674  goto end;
675 
676  de_ctx->flags |= DE_QUIET;
677 
678  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
679  "(msg:\"http header test\"; flow:to_server; "
680  "content:!\"one\"; offset:15; http_raw_header; "
681  "sid:1;)");
682  if (de_ctx->sig_list == NULL)
683  goto end;
684 
685  SigGroupBuild(de_ctx);
686  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
687 
688  int r = AppLayerParserParse(
689  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
690  if (r != 0) {
691  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
692  result = 0;
693  goto end;
694  }
695 
696  http_state = f.alstate;
697  if (http_state == NULL) {
698  printf("no http state: ");
699  result = 0;
700  goto end;
701  }
702 
703  /* do detect */
704  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
705 
706  if (!(PacketAlertCheck(p, 1))) {
707  printf("sid 1 didn't match but should have: ");
708  goto end;
709  }
710 
711  result = 1;
712 end:
713  if (alp_tctx != NULL)
714  AppLayerParserThreadCtxFree(alp_tctx);
715  if (de_ctx != NULL)
716  DetectEngineCtxFree(de_ctx);
717 
718  StreamTcpFreeConfig(true);
719  FLOW_DESTROY(&f);
720  UTHFreePackets(&p, 1);
721  return result;
722 }
723 
724 /**
725  *\test Test that the http_header content matches against a http request
726  * which holds the content.
727  */
728 static int DetectEngineHttpRawHeaderTest08(void)
729 {
730  TcpSession ssn;
731  Packet *p = NULL;
732  ThreadVars th_v;
733  DetectEngineCtx *de_ctx = NULL;
734  DetectEngineThreadCtx *det_ctx = NULL;
735  HtpState *http_state = NULL;
736  Flow f;
737  uint8_t http_buf[] =
738  "GET /index.html HTTP/1.0\r\n"
739  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
740  uint32_t http_len = sizeof(http_buf) - 1;
741  int result = 0;
742  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
743 
744  memset(&th_v, 0, sizeof(th_v));
745  memset(&f, 0, sizeof(f));
746  memset(&ssn, 0, sizeof(ssn));
747 
748  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
749 
750  FLOW_INITIALIZE(&f);
751  f.protoctx = (void *)&ssn;
752  f.proto = IPPROTO_TCP;
753  f.flags |= FLOW_IPV4;
754  p->flow = &f;
755  p->flowflags |= FLOW_PKT_TOSERVER;
756  p->flowflags |= FLOW_PKT_ESTABLISHED;
757  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
758  f.alproto = ALPROTO_HTTP1;
759 
760  StreamTcpInitConfig(true);
761 
762  de_ctx = DetectEngineCtxInit();
763  if (de_ctx == NULL)
764  goto end;
765 
766  de_ctx->flags |= DE_QUIET;
767 
768  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
769  "(msg:\"http header test\"; flow:to_server; "
770  "content:\"one\"; offset:15; http_raw_header; "
771  "sid:1;)");
772  if (de_ctx->sig_list == NULL)
773  goto end;
774 
775  SigGroupBuild(de_ctx);
776  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
777 
778  int r = AppLayerParserParse(
779  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
780  if (r != 0) {
781  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
782  result = 0;
783  goto end;
784  }
785 
786  http_state = f.alstate;
787  if (http_state == NULL) {
788  printf("no http state: ");
789  result = 0;
790  goto end;
791  }
792 
793  /* do detect */
794  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
795 
796  if (PacketAlertCheck(p, 1)) {
797  printf("sid 1 matched but shouldn't have: ");
798  goto end;
799  }
800 
801  result = 1;
802 end:
803  if (alp_tctx != NULL)
804  AppLayerParserThreadCtxFree(alp_tctx);
805  if (de_ctx != NULL)
806  DetectEngineCtxFree(de_ctx);
807 
808  StreamTcpFreeConfig(true);
809  FLOW_DESTROY(&f);
810  UTHFreePackets(&p, 1);
811  return result;
812 }
813 
814 /**
815  *\test Test that the http_header content matches against a http request
816  * which holds the content.
817  */
818 static int DetectEngineHttpRawHeaderTest09(void)
819 {
820  TcpSession ssn;
821  Packet *p = NULL;
822  ThreadVars th_v;
823  DetectEngineCtx *de_ctx = NULL;
824  DetectEngineThreadCtx *det_ctx = NULL;
825  HtpState *http_state = NULL;
826  Flow f;
827  uint8_t http_buf[] =
828  "GET /index.html HTTP/1.0\r\n"
829  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
830  uint32_t http_len = sizeof(http_buf) - 1;
831  int result = 0;
832  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
833 
834  memset(&th_v, 0, sizeof(th_v));
835  memset(&f, 0, sizeof(f));
836  memset(&ssn, 0, sizeof(ssn));
837 
838  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
839 
840  FLOW_INITIALIZE(&f);
841  f.protoctx = (void *)&ssn;
842  f.proto = IPPROTO_TCP;
843  f.flags |= FLOW_IPV4;
844  p->flow = &f;
845  p->flowflags |= FLOW_PKT_TOSERVER;
846  p->flowflags |= FLOW_PKT_ESTABLISHED;
847  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
848  f.alproto = ALPROTO_HTTP1;
849 
850  StreamTcpInitConfig(true);
851 
852  de_ctx = DetectEngineCtxInit();
853  if (de_ctx == NULL)
854  goto end;
855 
856  de_ctx->flags |= DE_QUIET;
857 
858  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
859  "(msg:\"http header test\"; flow:to_server; "
860  "content:!\"one\"; offset:10; http_raw_header; "
861  "sid:1;)");
862  if (de_ctx->sig_list == NULL)
863  goto end;
864 
865  SigGroupBuild(de_ctx);
866  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
867 
868  int r = AppLayerParserParse(
869  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
870  if (r != 0) {
871  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
872  result = 0;
873  goto end;
874  }
875 
876  http_state = f.alstate;
877  if (http_state == NULL) {
878  printf("no http state: ");
879  result = 0;
880  goto end;
881  }
882 
883  /* do detect */
884  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
885 
886  if (PacketAlertCheck(p, 1)) {
887  printf("sid 1 matched but shouldn't have: ");
888  goto end;
889  }
890 
891  result = 1;
892 end:
893  if (alp_tctx != NULL)
894  AppLayerParserThreadCtxFree(alp_tctx);
895  if (de_ctx != NULL)
896  DetectEngineCtxFree(de_ctx);
897 
898  StreamTcpFreeConfig(true);
899  FLOW_DESTROY(&f);
900  UTHFreePackets(&p, 1);
901  return result;
902 }
903 
904 /**
905  *\test Test that the http_header content matches against a http request
906  * which holds the content.
907  */
908 static int DetectEngineHttpRawHeaderTest10(void)
909 {
910  TcpSession ssn;
911  Packet *p = NULL;
912  ThreadVars th_v;
913  DetectEngineCtx *de_ctx = NULL;
914  DetectEngineThreadCtx *det_ctx = NULL;
915  HtpState *http_state = NULL;
916  Flow f;
917  uint8_t http_buf[] =
918  "GET /index.html HTTP/1.0\r\n"
919  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
920  uint32_t http_len = sizeof(http_buf) - 1;
921  int result = 0;
922  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
923 
924  memset(&th_v, 0, sizeof(th_v));
925  memset(&f, 0, sizeof(f));
926  memset(&ssn, 0, sizeof(ssn));
927 
928  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
929 
930  FLOW_INITIALIZE(&f);
931  f.protoctx = (void *)&ssn;
932  f.proto = IPPROTO_TCP;
933  f.flags |= FLOW_IPV4;
934  p->flow = &f;
935  p->flowflags |= FLOW_PKT_TOSERVER;
936  p->flowflags |= FLOW_PKT_ESTABLISHED;
937  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
938  f.alproto = ALPROTO_HTTP1;
939 
940  StreamTcpInitConfig(true);
941 
942  de_ctx = DetectEngineCtxInit();
943  if (de_ctx == NULL)
944  goto end;
945 
946  de_ctx->flags |= DE_QUIET;
947 
948  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
949  "(msg:\"http header test\"; flow:to_server; "
950  "content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:10; "
951  "sid:1;)");
952  if (de_ctx->sig_list == NULL)
953  goto end;
954 
955  SigGroupBuild(de_ctx);
956  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
957 
958  int r = AppLayerParserParse(
959  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
960  if (r != 0) {
961  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
962  result = 0;
963  goto end;
964  }
965 
966  http_state = f.alstate;
967  if (http_state == NULL) {
968  printf("no http state: ");
969  result = 0;
970  goto end;
971  }
972 
973  /* do detect */
974  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
975 
976  if (!(PacketAlertCheck(p, 1))) {
977  printf("sid 1 didn't match but should have: ");
978  goto end;
979  }
980 
981  result = 1;
982 end:
983  if (alp_tctx != NULL)
984  AppLayerParserThreadCtxFree(alp_tctx);
985  if (de_ctx != NULL)
986  DetectEngineCtxFree(de_ctx);
987 
988  StreamTcpFreeConfig(true);
989  FLOW_DESTROY(&f);
990  UTHFreePackets(&p, 1);
991  return result;
992 }
993 
994 /**
995  *\test Test that the http_header content matches against a http request
996  * which holds the content.
997  */
998 static int DetectEngineHttpRawHeaderTest11(void)
999 {
1000  TcpSession ssn;
1001  Packet *p = NULL;
1002  ThreadVars th_v;
1003  DetectEngineCtx *de_ctx = NULL;
1004  DetectEngineThreadCtx *det_ctx = NULL;
1005  HtpState *http_state = NULL;
1006  Flow f;
1007  uint8_t http_buf[] =
1008  "GET /index.html HTTP/1.0\r\n"
1009  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1010  uint32_t http_len = sizeof(http_buf) - 1;
1011  int result = 0;
1012  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1013 
1014  memset(&th_v, 0, sizeof(th_v));
1015  memset(&f, 0, sizeof(f));
1016  memset(&ssn, 0, sizeof(ssn));
1017 
1018  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1019 
1020  FLOW_INITIALIZE(&f);
1021  f.protoctx = (void *)&ssn;
1022  f.proto = IPPROTO_TCP;
1023  f.flags |= FLOW_IPV4;
1024  p->flow = &f;
1025  p->flowflags |= FLOW_PKT_TOSERVER;
1026  p->flowflags |= FLOW_PKT_ESTABLISHED;
1027  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1028  f.alproto = ALPROTO_HTTP1;
1029 
1030  StreamTcpInitConfig(true);
1031 
1032  de_ctx = DetectEngineCtxInit();
1033  if (de_ctx == NULL)
1034  goto end;
1035 
1036  de_ctx->flags |= DE_QUIET;
1037 
1038  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1039  "(msg:\"http header test\"; flow:to_server; "
1040  "content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:5; "
1041  "sid:1;)");
1042  if (de_ctx->sig_list == NULL)
1043  goto end;
1044 
1045  SigGroupBuild(de_ctx);
1046  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1047 
1048  int r = AppLayerParserParse(
1049  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1050  if (r != 0) {
1051  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1052  result = 0;
1053  goto end;
1054  }
1055 
1056  http_state = f.alstate;
1057  if (http_state == NULL) {
1058  printf("no http state: ");
1059  result = 0;
1060  goto end;
1061  }
1062 
1063  /* do detect */
1064  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1065 
1066  if (!(PacketAlertCheck(p, 1))) {
1067  printf("sid 1 didn't match but should have: ");
1068  goto end;
1069  }
1070 
1071  result = 1;
1072 end:
1073  if (alp_tctx != NULL)
1074  AppLayerParserThreadCtxFree(alp_tctx);
1075  if (de_ctx != NULL)
1076  DetectEngineCtxFree(de_ctx);
1077 
1078  StreamTcpFreeConfig(true);
1079  FLOW_DESTROY(&f);
1080  UTHFreePackets(&p, 1);
1081  return result;
1082 }
1083 
1084 /**
1085  *\test Test that the http_header content matches against a http request
1086  * which holds the content.
1087  */
1088 static int DetectEngineHttpRawHeaderTest12(void)
1089 {
1090  TcpSession ssn;
1091  Packet *p = NULL;
1092  ThreadVars th_v;
1093  DetectEngineCtx *de_ctx = NULL;
1094  DetectEngineThreadCtx *det_ctx = NULL;
1095  HtpState *http_state = NULL;
1096  Flow f;
1097  uint8_t http_buf[] =
1098  "GET /index.html HTTP/1.0\r\n"
1099  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1100  uint32_t http_len = sizeof(http_buf) - 1;
1101  int result = 0;
1102  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1103 
1104  memset(&th_v, 0, sizeof(th_v));
1105  memset(&f, 0, sizeof(f));
1106  memset(&ssn, 0, sizeof(ssn));
1107 
1108  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1109 
1110  FLOW_INITIALIZE(&f);
1111  f.protoctx = (void *)&ssn;
1112  f.proto = IPPROTO_TCP;
1113  f.flags |= FLOW_IPV4;
1114  p->flow = &f;
1115  p->flowflags |= FLOW_PKT_TOSERVER;
1116  p->flowflags |= FLOW_PKT_ESTABLISHED;
1117  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1118  f.alproto = ALPROTO_HTTP1;
1119 
1120  StreamTcpInitConfig(true);
1121 
1122  de_ctx = DetectEngineCtxInit();
1123  if (de_ctx == NULL)
1124  goto end;
1125 
1126  de_ctx->flags |= DE_QUIET;
1127 
1128  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1129  "(msg:\"http header test\"; flow:to_server; "
1130  "content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:10; "
1131  "sid:1;)");
1132  if (de_ctx->sig_list == NULL)
1133  goto end;
1134 
1135  SigGroupBuild(de_ctx);
1136  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1137 
1138  int r = AppLayerParserParse(
1139  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1140  if (r != 0) {
1141  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1142  result = 0;
1143  goto end;
1144  }
1145 
1146  http_state = f.alstate;
1147  if (http_state == NULL) {
1148  printf("no http state: ");
1149  result = 0;
1150  goto end;
1151  }
1152 
1153  /* do detect */
1154  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1155 
1156  if (PacketAlertCheck(p, 1)) {
1157  printf("sid 1 matched but shouldn't have: ");
1158  goto end;
1159  }
1160 
1161  result = 1;
1162 end:
1163  if (alp_tctx != NULL)
1164  AppLayerParserThreadCtxFree(alp_tctx);
1165  if (de_ctx != NULL)
1166  DetectEngineCtxFree(de_ctx);
1167 
1168  StreamTcpFreeConfig(true);
1169  FLOW_DESTROY(&f);
1170  UTHFreePackets(&p, 1);
1171  return result;
1172 }
1173 
1174 /**
1175  *\test Test that the http_header content matches against a http request
1176  * which holds the content.
1177  */
1178 static int DetectEngineHttpRawHeaderTest13(void)
1179 {
1180  TcpSession ssn;
1181  Packet *p = NULL;
1182  ThreadVars th_v;
1183  DetectEngineCtx *de_ctx = NULL;
1184  DetectEngineThreadCtx *det_ctx = NULL;
1185  HtpState *http_state = NULL;
1186  Flow f;
1187  uint8_t http_buf[] =
1188  "GET /index.html HTTP/1.0\r\n"
1189  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1190  uint32_t http_len = sizeof(http_buf) - 1;
1191  int result = 0;
1192  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1193 
1194  memset(&th_v, 0, sizeof(th_v));
1195  memset(&f, 0, sizeof(f));
1196  memset(&ssn, 0, sizeof(ssn));
1197 
1198  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1199 
1200  FLOW_INITIALIZE(&f);
1201  f.protoctx = (void *)&ssn;
1202  f.proto = IPPROTO_TCP;
1203  f.flags |= FLOW_IPV4;
1204  p->flow = &f;
1205  p->flowflags |= FLOW_PKT_TOSERVER;
1206  p->flowflags |= FLOW_PKT_ESTABLISHED;
1207  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1208  f.alproto = ALPROTO_HTTP1;
1209 
1210  StreamTcpInitConfig(true);
1211 
1212  de_ctx = DetectEngineCtxInit();
1213  if (de_ctx == NULL)
1214  goto end;
1215 
1216  de_ctx->flags |= DE_QUIET;
1217 
1218  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1219  "(msg:\"http header test\"; flow:to_server; "
1220  "content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:5; "
1221  "sid:1;)");
1222  if (de_ctx->sig_list == NULL)
1223  goto end;
1224 
1225  SigGroupBuild(de_ctx);
1226  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1227 
1228  int r = AppLayerParserParse(
1229  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1230  if (r != 0) {
1231  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1232  result = 0;
1233  goto end;
1234  }
1235 
1236  http_state = f.alstate;
1237  if (http_state == NULL) {
1238  printf("no http state: ");
1239  result = 0;
1240  goto end;
1241  }
1242 
1243  /* do detect */
1244  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1245 
1246  if (PacketAlertCheck(p, 1)) {
1247  printf("sid 1 matched but shouldn't have: ");
1248  goto end;
1249  }
1250 
1251  result = 1;
1252 end:
1253  if (alp_tctx != NULL)
1254  AppLayerParserThreadCtxFree(alp_tctx);
1255  if (de_ctx != NULL)
1256  DetectEngineCtxFree(de_ctx);
1257 
1258  StreamTcpFreeConfig(true);
1259  FLOW_DESTROY(&f);
1260  UTHFreePackets(&p, 1);
1261  return result;
1262 }
1263 
1264 /**
1265  *\test Test that the http_header content matches against a http request
1266  * which holds the content.
1267  */
1268 static int DetectEngineHttpRawHeaderTest14(void)
1269 {
1270  TcpSession ssn;
1271  Packet *p = NULL;
1272  ThreadVars th_v;
1273  DetectEngineCtx *de_ctx = NULL;
1274  DetectEngineThreadCtx *det_ctx = NULL;
1275  HtpState *http_state = NULL;
1276  Flow f;
1277  uint8_t http_buf[] =
1278  "GET /index.html HTTP/1.0\r\n"
1279  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1280  uint32_t http_len = sizeof(http_buf) - 1;
1281  int result = 0;
1282  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1283 
1284  memset(&th_v, 0, sizeof(th_v));
1285  memset(&f, 0, sizeof(f));
1286  memset(&ssn, 0, sizeof(ssn));
1287 
1288  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1289 
1290  FLOW_INITIALIZE(&f);
1291  f.protoctx = (void *)&ssn;
1292  f.proto = IPPROTO_TCP;
1293  f.flags |= FLOW_IPV4;
1294  p->flow = &f;
1295  p->flowflags |= FLOW_PKT_TOSERVER;
1296  p->flowflags |= FLOW_PKT_ESTABLISHED;
1297  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1298  f.alproto = ALPROTO_HTTP1;
1299 
1300  StreamTcpInitConfig(true);
1301 
1302  de_ctx = DetectEngineCtxInit();
1303  if (de_ctx == NULL)
1304  goto end;
1305 
1306  de_ctx->flags |= DE_QUIET;
1307 
1308  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1309  "(msg:\"http header test\"; flow:to_server; "
1310  "content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:7; "
1311  "sid:1;)");
1312  if (de_ctx->sig_list == NULL)
1313  goto end;
1314 
1315  SigGroupBuild(de_ctx);
1316  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1317 
1318  int r = AppLayerParserParse(
1319  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1320  if (r != 0) {
1321  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1322  result = 0;
1323  goto end;
1324  }
1325 
1326  http_state = f.alstate;
1327  if (http_state == NULL) {
1328  printf("no http state: ");
1329  result = 0;
1330  goto end;
1331  }
1332 
1333  /* do detect */
1334  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1335 
1336  if (!(PacketAlertCheck(p, 1))) {
1337  printf("sid 1 didn't match but should have: ");
1338  goto end;
1339  }
1340 
1341  result = 1;
1342 end:
1343  if (alp_tctx != NULL)
1344  AppLayerParserThreadCtxFree(alp_tctx);
1345  if (de_ctx != NULL)
1346  DetectEngineCtxFree(de_ctx);
1347 
1348  StreamTcpFreeConfig(true);
1349  FLOW_DESTROY(&f);
1350  UTHFreePackets(&p, 1);
1351  return result;
1352 }
1353 
1354 /**
1355  *\test Test that the http_header content matches against a http request
1356  * which holds the content.
1357  */
1358 static int DetectEngineHttpRawHeaderTest15(void)
1359 {
1360  TcpSession ssn;
1361  Packet *p = NULL;
1362  ThreadVars th_v;
1363  DetectEngineCtx *de_ctx = NULL;
1364  DetectEngineThreadCtx *det_ctx = NULL;
1365  HtpState *http_state = NULL;
1366  Flow f;
1367  uint8_t http_buf[] =
1368  "GET /index.html HTTP/1.0\r\n"
1369  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1370  uint32_t http_len = sizeof(http_buf) - 1;
1371  int result = 0;
1372  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1373 
1374  memset(&th_v, 0, sizeof(th_v));
1375  memset(&f, 0, sizeof(f));
1376  memset(&ssn, 0, sizeof(ssn));
1377 
1378  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1379 
1380  FLOW_INITIALIZE(&f);
1381  f.protoctx = (void *)&ssn;
1382  f.proto = IPPROTO_TCP;
1383  f.flags |= FLOW_IPV4;
1384  p->flow = &f;
1385  p->flowflags |= FLOW_PKT_TOSERVER;
1386  p->flowflags |= FLOW_PKT_ESTABLISHED;
1387  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1388  f.alproto = ALPROTO_HTTP1;
1389 
1390  StreamTcpInitConfig(true);
1391 
1392  de_ctx = DetectEngineCtxInit();
1393  if (de_ctx == NULL)
1394  goto end;
1395 
1396  de_ctx->flags |= DE_QUIET;
1397 
1398  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1399  "(msg:\"http header test\"; flow:to_server; "
1400  "content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:15; "
1401  "sid:1;)");
1402  if (de_ctx->sig_list == NULL)
1403  goto end;
1404 
1405  SigGroupBuild(de_ctx);
1406  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1407 
1408  int r = AppLayerParserParse(
1409  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1410  if (r != 0) {
1411  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1412  result = 0;
1413  goto end;
1414  }
1415 
1416  http_state = f.alstate;
1417  if (http_state == NULL) {
1418  printf("no http state: ");
1419  result = 0;
1420  goto end;
1421  }
1422 
1423  /* do detect */
1424  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1425 
1426  if (!(PacketAlertCheck(p, 1))) {
1427  printf("sid 1 didn't match but should have: ");
1428  goto end;
1429  }
1430 
1431  result = 1;
1432 end:
1433  if (alp_tctx != NULL)
1434  AppLayerParserThreadCtxFree(alp_tctx);
1435  if (de_ctx != NULL)
1436  DetectEngineCtxFree(de_ctx);
1437 
1438  StreamTcpFreeConfig(true);
1439  FLOW_DESTROY(&f);
1440  UTHFreePackets(&p, 1);
1441  return result;
1442 }
1443 
1444 /**
1445  *\test Test that the http_header content matches against a http request
1446  * which holds the content.
1447  */
1448 static int DetectEngineHttpRawHeaderTest16(void)
1449 {
1450  TcpSession ssn;
1451  Packet *p = NULL;
1452  ThreadVars th_v;
1453  DetectEngineCtx *de_ctx = NULL;
1454  DetectEngineThreadCtx *det_ctx = NULL;
1455  HtpState *http_state = NULL;
1456  Flow f;
1457  uint8_t http_buf[] =
1458  "GET /index.html HTTP/1.0\r\n"
1459  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1460  uint32_t http_len = sizeof(http_buf) - 1;
1461  int result = 0;
1462  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1463 
1464  memset(&th_v, 0, sizeof(th_v));
1465  memset(&f, 0, sizeof(f));
1466  memset(&ssn, 0, sizeof(ssn));
1467 
1468  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1469 
1470  FLOW_INITIALIZE(&f);
1471  f.protoctx = (void *)&ssn;
1472  f.proto = IPPROTO_TCP;
1473  f.flags |= FLOW_IPV4;
1474  p->flow = &f;
1475  p->flowflags |= FLOW_PKT_TOSERVER;
1476  p->flowflags |= FLOW_PKT_ESTABLISHED;
1477  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1478  f.alproto = ALPROTO_HTTP1;
1479 
1480  StreamTcpInitConfig(true);
1481 
1482  de_ctx = DetectEngineCtxInit();
1483  if (de_ctx == NULL)
1484  goto end;
1485 
1486  de_ctx->flags |= DE_QUIET;
1487 
1488  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1489  "(msg:\"http header test\"; flow:to_server; "
1490  "content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:7; "
1491  "sid:1;)");
1492  if (de_ctx->sig_list == NULL)
1493  goto end;
1494 
1495  SigGroupBuild(de_ctx);
1496  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1497 
1498  int r = AppLayerParserParse(
1499  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1500  if (r != 0) {
1501  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1502  result = 0;
1503  goto end;
1504  }
1505 
1506  http_state = f.alstate;
1507  if (http_state == NULL) {
1508  printf("no http state: ");
1509  result = 0;
1510  goto end;
1511  }
1512 
1513  /* do detect */
1514  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1515 
1516  if (PacketAlertCheck(p, 1)) {
1517  printf("sid 1 matched but shouldn't have: ");
1518  goto end;
1519  }
1520 
1521  result = 1;
1522 end:
1523  if (alp_tctx != NULL)
1524  AppLayerParserThreadCtxFree(alp_tctx);
1525  if (de_ctx != NULL)
1526  DetectEngineCtxFree(de_ctx);
1527 
1528  StreamTcpFreeConfig(true);
1529  FLOW_DESTROY(&f);
1530  UTHFreePackets(&p, 1);
1531  return result;
1532 }
1533 
1534 /**
1535  *\test Test that the http_header content matches against a http request
1536  * which holds the content.
1537  */
1538 static int DetectEngineHttpRawHeaderTest17(void)
1539 {
1540  TcpSession ssn;
1541  Packet *p = NULL;
1542  ThreadVars th_v;
1543  DetectEngineCtx *de_ctx = NULL;
1544  DetectEngineThreadCtx *det_ctx = NULL;
1545  HtpState *http_state = NULL;
1546  Flow f;
1547  uint8_t http_buf[] =
1548  "GET /index.html HTTP/1.0\r\n"
1549  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1550  uint32_t http_len = sizeof(http_buf) - 1;
1551  int result = 0;
1552  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1553 
1554  memset(&th_v, 0, sizeof(th_v));
1555  memset(&f, 0, sizeof(f));
1556  memset(&ssn, 0, sizeof(ssn));
1557 
1558  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1559 
1560  FLOW_INITIALIZE(&f);
1561  f.protoctx = (void *)&ssn;
1562  f.proto = IPPROTO_TCP;
1563  f.flags |= FLOW_IPV4;
1564  p->flow = &f;
1565  p->flowflags |= FLOW_PKT_TOSERVER;
1566  p->flowflags |= FLOW_PKT_ESTABLISHED;
1567  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1568  f.alproto = ALPROTO_HTTP1;
1569 
1570  StreamTcpInitConfig(true);
1571 
1572  de_ctx = DetectEngineCtxInit();
1573  if (de_ctx == NULL)
1574  goto end;
1575 
1576  de_ctx->flags |= DE_QUIET;
1577 
1578  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1579  "(msg:\"http header test\"; flow:to_server; "
1580  "content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:15; "
1581  "sid:1;)");
1582  if (de_ctx->sig_list == NULL)
1583  goto end;
1584 
1585  SigGroupBuild(de_ctx);
1586  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1587 
1588  int r = AppLayerParserParse(
1589  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1590  if (r != 0) {
1591  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1592  result = 0;
1593  goto end;
1594  }
1595 
1596  http_state = f.alstate;
1597  if (http_state == NULL) {
1598  printf("no http state: ");
1599  result = 0;
1600  goto end;
1601  }
1602 
1603  /* do detect */
1604  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1605 
1606  if (PacketAlertCheck(p, 1)) {
1607  printf("sid 1 matched but shouldn't have: ");
1608  goto end;
1609  }
1610 
1611  result = 1;
1612 end:
1613  if (alp_tctx != NULL)
1614  AppLayerParserThreadCtxFree(alp_tctx);
1615  if (de_ctx != NULL)
1616  DetectEngineCtxFree(de_ctx);
1617 
1618  StreamTcpFreeConfig(true);
1619  FLOW_DESTROY(&f);
1620  UTHFreePackets(&p, 1);
1621  return result;
1622 }
1623 
1624 static int DetectEngineHttpRawHeaderTest20(void)
1625 {
1626  TcpSession ssn;
1627  ThreadVars th_v;
1628  DetectEngineThreadCtx *det_ctx = NULL;
1629  Flow f;
1630  uint8_t http1_buf[] =
1631  "GET /index.html HTTP/1.0\r\n"
1632  "Host: This_is_dummy_body1";
1633  uint8_t http2_buf[] =
1634  "This_is_dummy_message_body2\r\n"
1635  "\r\n";
1636  uint32_t http1_len = sizeof(http1_buf) - 1;
1637  uint32_t http2_len = sizeof(http2_buf) - 1;
1638  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1639  FAIL_IF_NULL(alp_tctx);
1640 
1641  memset(&th_v, 0, sizeof(th_v));
1642  memset(&f, 0, sizeof(f));
1643  memset(&ssn, 0, sizeof(ssn));
1644 
1645  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1646  FAIL_IF_NULL(p1);
1647  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1648  FAIL_IF_NULL(p2);
1649 
1650  FLOW_INITIALIZE(&f);
1651  f.protoctx = (void *)&ssn;
1652  f.proto = IPPROTO_TCP;
1653  f.flags |= FLOW_IPV4;
1654 
1655  p1->flow = &f;
1656  p1->flowflags |= FLOW_PKT_TOSERVER;
1657  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1658  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1659  p2->flow = &f;
1660  p2->flowflags |= FLOW_PKT_TOSERVER;
1661  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1662  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1663  f.alproto = ALPROTO_HTTP1;
1664 
1665  StreamTcpInitConfig(true);
1666 
1667  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1668  FAIL_IF_NULL(de_ctx);
1669  de_ctx->flags |= DE_QUIET;
1670 
1671  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1672  "(flow:to_server; pcre:/body1/D; "
1673  "content:!\"dummy\"; http_raw_header; within:7; "
1674  "sid:1;)");
1675  FAIL_IF_NULL(s);
1676 
1677  SigGroupBuild(de_ctx);
1678  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1679  FAIL_IF_NULL(det_ctx);
1680 
1681  int r = AppLayerParserParse(
1682  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1683  FAIL_IF_NOT(r == 0);
1684 
1685  HtpState *http_state = f.alstate;
1686  FAIL_IF_NULL(http_state);
1687 
1688  /* do detect */
1689  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1690  FAIL_IF(PacketAlertCheck(p1, 1));
1691 
1692  r = AppLayerParserParse(
1693  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1694  FAIL_IF_NOT(r == 0);
1695 
1696  /* do detect */
1697  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1698 
1699  FAIL_IF(!PacketAlertCheck(p2, 1));
1700 
1701  AppLayerParserThreadCtxFree(alp_tctx);
1702  DetectEngineCtxFree(de_ctx);
1703 
1704  StreamTcpFreeConfig(true);
1705  FLOW_DESTROY(&f);
1706  UTHFreePackets(&p1, 1);
1707  UTHFreePackets(&p2, 1);
1708 
1709  PASS;
1710 }
1711 
1712 static int DetectEngineHttpRawHeaderTest21(void)
1713 {
1714  TcpSession ssn;
1715  Packet *p1 = NULL;
1716  Packet *p2 = NULL;
1717  ThreadVars th_v;
1718  DetectEngineCtx *de_ctx = NULL;
1719  DetectEngineThreadCtx *det_ctx = NULL;
1720  HtpState *http_state = NULL;
1721  Flow f;
1722  uint8_t http1_buf[] =
1723  "GET /index.html HTTP/1.0\r\n"
1724  "Host: This_is_dummy_body1";
1725  uint8_t http2_buf[] =
1726  "This_is_dummy_message_body2\r\n"
1727  "\r\n";
1728  uint32_t http1_len = sizeof(http1_buf) - 1;
1729  uint32_t http2_len = sizeof(http2_buf) - 1;
1730  int result = 0;
1731  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1732 
1733  memset(&th_v, 0, sizeof(th_v));
1734  memset(&f, 0, sizeof(f));
1735  memset(&ssn, 0, sizeof(ssn));
1736 
1737  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1738  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1739 
1740  FLOW_INITIALIZE(&f);
1741  f.protoctx = (void *)&ssn;
1742  f.proto = IPPROTO_TCP;
1743  f.flags |= FLOW_IPV4;
1744 
1745  p1->flow = &f;
1746  p1->flowflags |= FLOW_PKT_TOSERVER;
1747  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1748  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1749  p2->flow = &f;
1750  p2->flowflags |= FLOW_PKT_TOSERVER;
1751  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1752  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1753  f.alproto = ALPROTO_HTTP1;
1754 
1755  StreamTcpInitConfig(true);
1756 
1757  de_ctx = DetectEngineCtxInit();
1758  if (de_ctx == NULL)
1759  goto end;
1760 
1761  de_ctx->flags |= DE_QUIET;
1762 
1763  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1764  "(msg:\"http client body test\"; flow:to_server; "
1765  "pcre:/body1/D; "
1766  "content:!\"dummy\"; within:7; http_raw_header; "
1767  "sid:1;)");
1768  if (de_ctx->sig_list == NULL)
1769  goto end;
1770 
1771  SigGroupBuild(de_ctx);
1772  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1773 
1774  int r = AppLayerParserParse(
1775  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1776  if (r != 0) {
1777  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1778  result = 0;
1779  goto end;
1780  }
1781 
1782  http_state = f.alstate;
1783  if (http_state == NULL) {
1784  printf("no http state: \n");
1785  result = 0;
1786  goto end;
1787  }
1788 
1789  /* do detect */
1790  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1791 
1792  if (PacketAlertCheck(p1, 1)) {
1793  printf("sid 1 matched but shouldn't have\n");
1794  goto end;
1795  }
1796 
1797  r = AppLayerParserParse(
1798  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1799  if (r != 0) {
1800  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1801  result = 0;
1802  goto end;
1803  }
1804 
1805  /* do detect */
1806  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1807 
1808  if (!PacketAlertCheck(p2, 1)) {
1809  printf("sid 1 didn't match but shouldn't have");
1810  goto end;
1811  }
1812 
1813  result = 1;
1814 
1815 end:
1816  if (alp_tctx != NULL)
1817  AppLayerParserThreadCtxFree(alp_tctx);
1818  if (de_ctx != NULL)
1819  DetectEngineCtxFree(de_ctx);
1820 
1821  StreamTcpFreeConfig(true);
1822  FLOW_DESTROY(&f);
1823  UTHFreePackets(&p1, 1);
1824  UTHFreePackets(&p2, 1);
1825  return result;
1826 }
1827 
1828 static int DetectEngineHttpRawHeaderTest22(void)
1829 {
1830  TcpSession ssn;
1831  Packet *p1 = NULL;
1832  Packet *p2 = NULL;
1833  ThreadVars th_v;
1834  DetectEngineCtx *de_ctx = NULL;
1835  DetectEngineThreadCtx *det_ctx = NULL;
1836  HtpState *http_state = NULL;
1837  Flow f;
1838  uint8_t http1_buf[] =
1839  "GET /index.html HTTP/1.0\r\n"
1840  "Host: This_is_dummy_body1";
1841  uint8_t http2_buf[] =
1842  "This_is_dummy_message_body2\r\n"
1843  "\r\n";
1844  uint32_t http1_len = sizeof(http1_buf) - 1;
1845  uint32_t http2_len = sizeof(http2_buf) - 1;
1846  int result = 0;
1847  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1848 
1849  memset(&th_v, 0, sizeof(th_v));
1850  memset(&f, 0, sizeof(f));
1851  memset(&ssn, 0, sizeof(ssn));
1852 
1853  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1854  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1855 
1856  FLOW_INITIALIZE(&f);
1857  f.protoctx = (void *)&ssn;
1858  f.proto = IPPROTO_TCP;
1859  f.flags |= FLOW_IPV4;
1860 
1861  p1->flow = &f;
1862  p1->flowflags |= FLOW_PKT_TOSERVER;
1863  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1864  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1865  p2->flow = &f;
1866  p2->flowflags |= FLOW_PKT_TOSERVER;
1867  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1868  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1869  f.alproto = ALPROTO_HTTP1;
1870 
1871  StreamTcpInitConfig(true);
1872 
1873  de_ctx = DetectEngineCtxInit();
1874  if (de_ctx == NULL)
1875  goto end;
1876 
1877  de_ctx->flags |= DE_QUIET;
1878 
1879  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1880  "(msg:\"http client body test\"; flow:to_server; "
1881  "pcre:/body1/D; "
1882  "content:!\"dummy\"; distance:3; http_raw_header; "
1883  "sid:1;)");
1884  if (de_ctx->sig_list == NULL)
1885  goto end;
1886 
1887  SigGroupBuild(de_ctx);
1888  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1889 
1890  int r = AppLayerParserParse(
1891  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1892  if (r != 0) {
1893  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1894  result = 0;
1895  goto end;
1896  }
1897 
1898  http_state = f.alstate;
1899  if (http_state == NULL) {
1900  printf("no http state: \n");
1901  result = 0;
1902  goto end;
1903  }
1904 
1905  /* do detect */
1906  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1907 
1908  if (PacketAlertCheck(p1, 1)) {
1909  printf("sid 1 matched but shouldn't have\n");
1910  goto end;
1911  }
1912 
1913  r = AppLayerParserParse(
1914  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1915  if (r != 0) {
1916  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1917  result = 0;
1918  goto end;
1919  }
1920 
1921  /* do detect */
1922  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1923 
1924  if (PacketAlertCheck(p2, 1)) {
1925  printf("sid 1 matched but shouldn't have");
1926  goto end;
1927  }
1928 
1929  result = 1;
1930 
1931 end:
1932  if (alp_tctx != NULL)
1933  AppLayerParserThreadCtxFree(alp_tctx);
1934  if (de_ctx != NULL)
1935  DetectEngineCtxFree(de_ctx);
1936 
1937  StreamTcpFreeConfig(true);
1938  FLOW_DESTROY(&f);
1939  UTHFreePackets(&p1, 1);
1940  UTHFreePackets(&p2, 1);
1941  return result;
1942 }
1943 
1944 static int DetectEngineHttpRawHeaderTest23(void)
1945 {
1946  TcpSession ssn;
1947  Packet *p1 = NULL;
1948  Packet *p2 = NULL;
1949  ThreadVars th_v;
1950  DetectEngineCtx *de_ctx = NULL;
1951  DetectEngineThreadCtx *det_ctx = NULL;
1952  HtpState *http_state = NULL;
1953  Flow f;
1954  uint8_t http1_buf[] =
1955  "GET /index.html HTTP/1.0\r\n"
1956  "Host: This_is_dummy_body1";
1957  uint8_t http2_buf[] =
1958  "This_is_dummy_message_body2\r\n"
1959  "\r\n";
1960  uint32_t http1_len = sizeof(http1_buf) - 1;
1961  uint32_t http2_len = sizeof(http2_buf) - 1;
1962  int result = 0;
1963  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1964 
1965  memset(&th_v, 0, sizeof(th_v));
1966  memset(&f, 0, sizeof(f));
1967  memset(&ssn, 0, sizeof(ssn));
1968 
1969  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1970  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1971 
1972  FLOW_INITIALIZE(&f);
1973  f.protoctx = (void *)&ssn;
1974  f.proto = IPPROTO_TCP;
1975  f.flags |= FLOW_IPV4;
1976 
1977  p1->flow = &f;
1978  p1->flowflags |= FLOW_PKT_TOSERVER;
1979  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1980  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1981  p2->flow = &f;
1982  p2->flowflags |= FLOW_PKT_TOSERVER;
1983  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1984  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1985  f.alproto = ALPROTO_HTTP1;
1986 
1987  StreamTcpInitConfig(true);
1988 
1989  de_ctx = DetectEngineCtxInit();
1990  if (de_ctx == NULL)
1991  goto end;
1992 
1993  de_ctx->flags |= DE_QUIET;
1994 
1995  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1996  "(msg:\"http client body test\"; flow:to_server; "
1997  "pcre:/body1/D; "
1998  "content:!\"dummy\"; distance:13; http_raw_header; "
1999  "sid:1;)");
2000  if (de_ctx->sig_list == NULL)
2001  goto end;
2002 
2003  SigGroupBuild(de_ctx);
2004  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2005 
2006  int r = AppLayerParserParse(
2007  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2008  if (r != 0) {
2009  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2010  result = 0;
2011  goto end;
2012  }
2013 
2014  http_state = f.alstate;
2015  if (http_state == NULL) {
2016  printf("no http state: \n");
2017  result = 0;
2018  goto end;
2019  }
2020 
2021  /* do detect */
2022  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2023 
2024  if (PacketAlertCheck(p1, 1)) {
2025  printf("sid 1 matched but shouldn't have\n");
2026  goto end;
2027  }
2028 
2029  r = AppLayerParserParse(
2030  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2031  if (r != 0) {
2032  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2033  result = 0;
2034  goto end;
2035  }
2036 
2037  /* do detect */
2038  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2039 
2040  if (!PacketAlertCheck(p2, 1)) {
2041  printf("sid 1 didn't match but should have");
2042  goto end;
2043  }
2044 
2045  result = 1;
2046 
2047 end:
2048  if (alp_tctx != NULL)
2049  AppLayerParserThreadCtxFree(alp_tctx);
2050  if (de_ctx != NULL)
2051  DetectEngineCtxFree(de_ctx);
2052 
2053  StreamTcpFreeConfig(true);
2054  FLOW_DESTROY(&f);
2055  UTHFreePackets(&p1, 1);
2056  UTHFreePackets(&p2, 1);
2057  return result;
2058 }
2059 
2060 static int DetectEngineHttpRawHeaderTest24(void)
2061 {
2062  TcpSession ssn;
2063  Packet *p1 = NULL;
2064  Packet *p2 = NULL;
2065  ThreadVars th_v;
2066  DetectEngineCtx *de_ctx = NULL;
2067  DetectEngineThreadCtx *det_ctx = NULL;
2068  HtpState *http_state = NULL;
2069  Flow f;
2070  uint8_t http1_buf[] =
2071  "GET /index.html HTTP/1.0\r\n"
2072  "Host: This_is_dummy_body1";
2073  uint8_t http2_buf[] =
2074  "This_is_dummy_message_body2\r\n"
2075  "\r\n";
2076  uint32_t http1_len = sizeof(http1_buf) - 1;
2077  uint32_t http2_len = sizeof(http2_buf) - 1;
2078  int result = 0;
2079  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2080 
2081  memset(&th_v, 0, sizeof(th_v));
2082  memset(&f, 0, sizeof(f));
2083  memset(&ssn, 0, sizeof(ssn));
2084 
2085  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2086  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2087 
2088  FLOW_INITIALIZE(&f);
2089  f.protoctx = (void *)&ssn;
2090  f.proto = IPPROTO_TCP;
2091  f.flags |= FLOW_IPV4;
2092 
2093  p1->flow = &f;
2094  p1->flowflags |= FLOW_PKT_TOSERVER;
2095  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2096  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2097  p2->flow = &f;
2098  p2->flowflags |= FLOW_PKT_TOSERVER;
2099  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2100  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2101  f.alproto = ALPROTO_HTTP1;
2102 
2103  StreamTcpInitConfig(true);
2104 
2105  de_ctx = DetectEngineCtxInit();
2106  if (de_ctx == NULL)
2107  goto end;
2108 
2109  de_ctx->flags |= DE_QUIET;
2110 
2111  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2112  "(msg:\"http client body test\"; flow:to_server; "
2113  "pcre:/body1/D; "
2114  "content:\"dummy\"; within:15; http_raw_header; "
2115  "sid:1;)");
2116  if (de_ctx->sig_list == NULL)
2117  goto end;
2118 
2119  SigGroupBuild(de_ctx);
2120  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2121 
2122  int r = AppLayerParserParse(
2123  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2124  if (r != 0) {
2125  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2126  result = 0;
2127  goto end;
2128  }
2129 
2130  http_state = f.alstate;
2131  if (http_state == NULL) {
2132  printf("no http state: \n");
2133  result = 0;
2134  goto end;
2135  }
2136 
2137  /* do detect */
2138  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2139 
2140  if (PacketAlertCheck(p1, 1)) {
2141  printf("sid 1 matched but shouldn't have\n");
2142  goto end;
2143  }
2144 
2145  r = AppLayerParserParse(
2146  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2147  if (r != 0) {
2148  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2149  result = 0;
2150  goto end;
2151  }
2152 
2153  /* do detect */
2154  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2155 
2156  if (!PacketAlertCheck(p2, 1)) {
2157  printf("sid 1 didn't match but should have");
2158  goto end;
2159  }
2160 
2161  result = 1;
2162 
2163 end:
2164  if (alp_tctx != NULL)
2165  AppLayerParserThreadCtxFree(alp_tctx);
2166  if (de_ctx != NULL)
2167  DetectEngineCtxFree(de_ctx);
2168 
2169  StreamTcpFreeConfig(true);
2170  FLOW_DESTROY(&f);
2171  UTHFreePackets(&p1, 1);
2172  UTHFreePackets(&p2, 1);
2173  return result;
2174 }
2175 
2176 static int DetectEngineHttpRawHeaderTest25(void)
2177 {
2178  TcpSession ssn;
2179  Packet *p1 = NULL;
2180  Packet *p2 = NULL;
2181  ThreadVars th_v;
2182  DetectEngineCtx *de_ctx = NULL;
2183  DetectEngineThreadCtx *det_ctx = NULL;
2184  HtpState *http_state = NULL;
2185  Flow f;
2186  uint8_t http1_buf[] =
2187  "GET /index.html HTTP/1.0\r\n"
2188  "Host: This_is_dummy_body1";
2189  uint8_t http2_buf[] =
2190  "This_is_dummy_message_body2\r\n"
2191  "\r\n";
2192  uint32_t http1_len = sizeof(http1_buf) - 1;
2193  uint32_t http2_len = sizeof(http2_buf) - 1;
2194  int result = 0;
2195  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2196 
2197  memset(&th_v, 0, sizeof(th_v));
2198  memset(&f, 0, sizeof(f));
2199  memset(&ssn, 0, sizeof(ssn));
2200 
2201  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2202  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2203 
2204  FLOW_INITIALIZE(&f);
2205  f.protoctx = (void *)&ssn;
2206  f.proto = IPPROTO_TCP;
2207  f.flags |= FLOW_IPV4;
2208 
2209  p1->flow = &f;
2210  p1->flowflags |= FLOW_PKT_TOSERVER;
2211  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2212  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2213  p2->flow = &f;
2214  p2->flowflags |= FLOW_PKT_TOSERVER;
2215  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2216  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2217  f.alproto = ALPROTO_HTTP1;
2218 
2219  StreamTcpInitConfig(true);
2220 
2221  de_ctx = DetectEngineCtxInit();
2222  if (de_ctx == NULL)
2223  goto end;
2224 
2225  de_ctx->flags |= DE_QUIET;
2226 
2227  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2228  "(msg:\"http client body test\"; flow:to_server; "
2229  "pcre:/body1/D; "
2230  "content:\"dummy\"; within:10; http_raw_header; "
2231  "sid:1;)");
2232  if (de_ctx->sig_list == NULL)
2233  goto end;
2234 
2235  SigGroupBuild(de_ctx);
2236  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2237 
2238  int r = AppLayerParserParse(
2239  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2240  if (r != 0) {
2241  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2242  result = 0;
2243  goto end;
2244  }
2245 
2246  http_state = f.alstate;
2247  if (http_state == NULL) {
2248  printf("no http state: \n");
2249  result = 0;
2250  goto end;
2251  }
2252 
2253  /* do detect */
2254  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2255 
2256  if (PacketAlertCheck(p1, 1)) {
2257  printf("sid 1 matched but shouldn't have\n");
2258  goto end;
2259  }
2260 
2261  r = AppLayerParserParse(
2262  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2263  if (r != 0) {
2264  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2265  result = 0;
2266  goto end;
2267  }
2268 
2269  /* do detect */
2270  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2271 
2272  if (PacketAlertCheck(p2, 1)) {
2273  printf("sid 1 matched but shouldn't have");
2274  goto end;
2275  }
2276 
2277  result = 1;
2278 
2279 end:
2280  if (alp_tctx != NULL)
2281  AppLayerParserThreadCtxFree(alp_tctx);
2282  if (de_ctx != NULL)
2283  DetectEngineCtxFree(de_ctx);
2284 
2285  StreamTcpFreeConfig(true);
2286  FLOW_DESTROY(&f);
2287  UTHFreePackets(&p1, 1);
2288  UTHFreePackets(&p2, 1);
2289  return result;
2290 }
2291 
2292 static int DetectEngineHttpRawHeaderTest26(void)
2293 {
2294  TcpSession ssn;
2295  Packet *p1 = NULL;
2296  Packet *p2 = NULL;
2297  ThreadVars th_v;
2298  DetectEngineCtx *de_ctx = NULL;
2299  DetectEngineThreadCtx *det_ctx = NULL;
2300  HtpState *http_state = NULL;
2301  Flow f;
2302  uint8_t http1_buf[] =
2303  "GET /index.html HTTP/1.0\r\n"
2304  "Host: This_is_dummy_body1";
2305  uint8_t http2_buf[] =
2306  "This_is_dummy_message_body2\r\n"
2307  "\r\n";
2308  uint32_t http1_len = sizeof(http1_buf) - 1;
2309  uint32_t http2_len = sizeof(http2_buf) - 1;
2310  int result = 0;
2311  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2312 
2313  memset(&th_v, 0, sizeof(th_v));
2314  memset(&f, 0, sizeof(f));
2315  memset(&ssn, 0, sizeof(ssn));
2316 
2317  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2318  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2319 
2320  FLOW_INITIALIZE(&f);
2321  f.protoctx = (void *)&ssn;
2322  f.proto = IPPROTO_TCP;
2323  f.flags |= FLOW_IPV4;
2324 
2325  p1->flow = &f;
2326  p1->flowflags |= FLOW_PKT_TOSERVER;
2327  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2328  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2329  p2->flow = &f;
2330  p2->flowflags |= FLOW_PKT_TOSERVER;
2331  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2332  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2333  f.alproto = ALPROTO_HTTP1;
2334 
2335  StreamTcpInitConfig(true);
2336 
2337  de_ctx = DetectEngineCtxInit();
2338  if (de_ctx == NULL)
2339  goto end;
2340 
2341  de_ctx->flags |= DE_QUIET;
2342 
2343  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2344  "(msg:\"http client body test\"; flow:to_server; "
2345  "pcre:/body1/D; "
2346  "content:\"dummy\"; distance:8; http_raw_header; "
2347  "sid:1;)");
2348  if (de_ctx->sig_list == NULL)
2349  goto end;
2350 
2351  SigGroupBuild(de_ctx);
2352  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2353 
2354  int r = AppLayerParserParse(
2355  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2356  if (r != 0) {
2357  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2358  result = 0;
2359  goto end;
2360  }
2361 
2362  http_state = f.alstate;
2363  if (http_state == NULL) {
2364  printf("no http state: \n");
2365  result = 0;
2366  goto end;
2367  }
2368 
2369  /* do detect */
2370  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2371 
2372  if (PacketAlertCheck(p1, 1)) {
2373  printf("sid 1 matched but shouldn't have\n");
2374  goto end;
2375  }
2376 
2377  r = AppLayerParserParse(
2378  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2379  if (r != 0) {
2380  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2381  result = 0;
2382  goto end;
2383  }
2384 
2385  /* do detect */
2386  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2387 
2388  if (!PacketAlertCheck(p2, 1)) {
2389  printf("sid 1 didn't match but should have");
2390  goto end;
2391  }
2392 
2393  result = 1;
2394 
2395 end:
2396  if (de_ctx != NULL)
2397  DetectEngineCtxFree(de_ctx);
2398 
2399  StreamTcpFreeConfig(true);
2400  FLOW_DESTROY(&f);
2401  UTHFreePackets(&p1, 1);
2402  UTHFreePackets(&p2, 1);
2403  return result;
2404 }
2405 
2406 static int DetectEngineHttpRawHeaderTest27(void)
2407 {
2408  TcpSession ssn;
2409  Packet *p1 = NULL;
2410  Packet *p2 = NULL;
2411  ThreadVars th_v;
2412  DetectEngineCtx *de_ctx = NULL;
2413  DetectEngineThreadCtx *det_ctx = NULL;
2414  HtpState *http_state = NULL;
2415  Flow f;
2416  uint8_t http1_buf[] =
2417  "GET /index.html HTTP/1.0\r\n"
2418  "Host: This_is_dummy_body1";
2419  uint8_t http2_buf[] =
2420  "This_is_dummy_message_body2\r\n"
2421  "\r\n";
2422  uint32_t http1_len = sizeof(http1_buf) - 1;
2423  uint32_t http2_len = sizeof(http2_buf) - 1;
2424  int result = 0;
2425  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2426 
2427  memset(&th_v, 0, sizeof(th_v));
2428  memset(&f, 0, sizeof(f));
2429  memset(&ssn, 0, sizeof(ssn));
2430 
2431  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2432  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2433 
2434  FLOW_INITIALIZE(&f);
2435  f.protoctx = (void *)&ssn;
2436  f.proto = IPPROTO_TCP;
2437  f.flags |= FLOW_IPV4;
2438 
2439  p1->flow = &f;
2440  p1->flowflags |= FLOW_PKT_TOSERVER;
2441  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2442  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2443  p2->flow = &f;
2444  p2->flowflags |= FLOW_PKT_TOSERVER;
2445  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2446  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2447  f.alproto = ALPROTO_HTTP1;
2448 
2449  StreamTcpInitConfig(true);
2450 
2451  de_ctx = DetectEngineCtxInit();
2452  if (de_ctx == NULL)
2453  goto end;
2454 
2455  de_ctx->flags |= DE_QUIET;
2456 
2457  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2458  "(msg:\"http client body test\"; flow:to_server; "
2459  "pcre:/body1/D; "
2460  "content:\"dummy\"; distance:14; http_raw_header; "
2461  "sid:1;)");
2462  if (de_ctx->sig_list == NULL)
2463  goto end;
2464 
2465  SigGroupBuild(de_ctx);
2466  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2467 
2468  int r = AppLayerParserParse(
2469  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2470  if (r != 0) {
2471  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2472  result = 0;
2473  goto end;
2474  }
2475 
2476  http_state = f.alstate;
2477  if (http_state == NULL) {
2478  printf("no http state: \n");
2479  result = 0;
2480  goto end;
2481  }
2482 
2483  /* do detect */
2484  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2485 
2486  if (PacketAlertCheck(p1, 1)) {
2487  printf("sid 1 matched but shouldn't have\n");
2488  goto end;
2489  }
2490 
2491  r = AppLayerParserParse(
2492  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2493  if (r != 0) {
2494  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2495  result = 0;
2496  goto end;
2497  }
2498 
2499  /* do detect */
2500  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2501 
2502  if (PacketAlertCheck(p2, 1)) {
2503  printf("sid 1 matched but shouldn't have");
2504  goto end;
2505  }
2506 
2507  result = 1;
2508 
2509 end:
2510  if (alp_tctx != NULL)
2511  AppLayerParserThreadCtxFree(alp_tctx);
2512  if (de_ctx != NULL)
2513  DetectEngineCtxFree(de_ctx);
2514 
2515  StreamTcpFreeConfig(true);
2516  FLOW_DESTROY(&f);
2517  UTHFreePackets(&p1, 1);
2518  UTHFreePackets(&p2, 1);
2519  return result;
2520 }
2521 
2522 static int DetectEngineHttpRawHeaderTest28(void)
2523 {
2524  TcpSession ssn;
2525  Packet *p1 = NULL;
2526  Packet *p2 = NULL;
2527  ThreadVars th_v;
2528  DetectEngineCtx *de_ctx = NULL;
2529  DetectEngineThreadCtx *det_ctx = NULL;
2530  HtpState *http_state = NULL;
2531  Flow f;
2532  uint8_t http_buf1[] =
2533  "GET /index.html HTTP/1.0\r\n"
2534  "Host: www.openinfosecfoundation.org\r\n"
2535  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2536  "\r\n";
2537  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
2538  uint8_t http_buf2[] =
2539  "HTTP/1.0 200 ok\r\n"
2540  "Content-Type: text/html\r\n"
2541  "Content-Length: 6\r\n"
2542  "\r\n"
2543  "abcdef";
2544  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
2545  int result = 0;
2546  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2547 
2548  memset(&th_v, 0, sizeof(th_v));
2549  memset(&f, 0, sizeof(f));
2550  memset(&ssn, 0, sizeof(ssn));
2551 
2552  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2553  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2554 
2555  FLOW_INITIALIZE(&f);
2556  f.protoctx = (void *)&ssn;
2557  f.proto = IPPROTO_TCP;
2558  f.flags |= FLOW_IPV4;
2559 
2560  p1->flow = &f;
2561  p1->flowflags |= FLOW_PKT_TOSERVER;
2562  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2563  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2564  p2->flow = &f;
2565  p2->flowflags |= FLOW_PKT_TOCLIENT;
2566  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2567  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2568  f.alproto = ALPROTO_HTTP1;
2569 
2570  StreamTcpInitConfig(true);
2571 
2572  de_ctx = DetectEngineCtxInit();
2573  if (de_ctx == NULL)
2574  goto end;
2575 
2576  de_ctx->flags |= DE_QUIET;
2577 
2578  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2579  "(msg:\"http header test\"; flow:to_client; "
2580  "content:\"Content-Length: 6\"; http_raw_header; "
2581  "sid:1;)");
2582  if (de_ctx->sig_list == NULL)
2583  goto end;
2584 
2585  SigGroupBuild(de_ctx);
2586  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2587 
2588  int r = AppLayerParserParse(
2589  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
2590  if (r != 0) {
2591  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2592  result = 0;
2593  goto end;
2594  }
2595 
2596  http_state = f.alstate;
2597  if (http_state == NULL) {
2598  printf("no http state: \n");
2599  result = 0;
2600  goto end;
2601  }
2602 
2603  /* do detect */
2604  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2605 
2606  if (PacketAlertCheck(p1, 1)) {
2607  printf("sid 1 matched but shouldn't have\n");
2608  goto end;
2609  }
2610 
2611  r = AppLayerParserParse(
2612  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
2613  if (r != 0) {
2614  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2615  result = 0;
2616  goto end;
2617  }
2618 
2619  /* do detect */
2620  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2621 
2622  if (!PacketAlertCheck(p2, 1)) {
2623  printf("sid 1 didn't match but should have");
2624  goto end;
2625  }
2626 
2627  result = 1;
2628 
2629 end:
2630  if (alp_tctx != NULL)
2631  AppLayerParserThreadCtxFree(alp_tctx);
2632  if (de_ctx != NULL)
2633  DetectEngineCtxFree(de_ctx);
2634 
2635  StreamTcpFreeConfig(true);
2636  FLOW_DESTROY(&f);
2637  UTHFreePackets(&p1, 1);
2638  UTHFreePackets(&p2, 1);
2639  return result;
2640 }
2641 
2642 static int DetectEngineHttpRawHeaderTest29(void)
2643 {
2644  TcpSession ssn;
2645  Packet *p1 = NULL;
2646  Packet *p2 = NULL;
2647  ThreadVars th_v;
2648  DetectEngineCtx *de_ctx = NULL;
2649  DetectEngineThreadCtx *det_ctx = NULL;
2650  HtpState *http_state = NULL;
2651  Flow f;
2652  uint8_t http_buf1[] =
2653  "GET /index.html HTTP/1.0\r\n"
2654  "Host: www.openinfosecfoundation.org\r\n"
2655  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2656  "\r\n";
2657  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
2658  uint8_t http_buf2[] =
2659  "HTTP/1.0 200 ok\r\n"
2660  "Content-Type: text/html\r\n"
2661  "Content-Length: 6\r\n"
2662  "\r\n"
2663  "abcdef";
2664  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
2665  int result = 0;
2666  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2667 
2668  memset(&th_v, 0, sizeof(th_v));
2669  memset(&f, 0, sizeof(f));
2670  memset(&ssn, 0, sizeof(ssn));
2671 
2672  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2673  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2674 
2675  FLOW_INITIALIZE(&f);
2676  f.protoctx = (void *)&ssn;
2677  f.proto = IPPROTO_TCP;
2678  f.flags |= FLOW_IPV4;
2679 
2680  p1->flow = &f;
2681  p1->flowflags |= FLOW_PKT_TOSERVER;
2682  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2683  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2684  p2->flow = &f;
2685  p2->flowflags |= FLOW_PKT_TOCLIENT;
2686  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2687  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2688  f.alproto = ALPROTO_HTTP1;
2689 
2690  StreamTcpInitConfig(true);
2691 
2692  de_ctx = DetectEngineCtxInit();
2693  if (de_ctx == NULL)
2694  goto end;
2695 
2696  de_ctx->flags |= DE_QUIET;
2697 
2698  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2699  "(msg:\"http header test\"; flow:to_client; "
2700  "content:\"Content-Length: 7\"; http_raw_header; "
2701  "sid:1;)");
2702  if (de_ctx->sig_list == NULL)
2703  goto end;
2704 
2705  SigGroupBuild(de_ctx);
2706  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2707 
2708  int r = AppLayerParserParse(
2709  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
2710  if (r != 0) {
2711  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2712  result = 0;
2713  goto end;
2714  }
2715 
2716  http_state = f.alstate;
2717  if (http_state == NULL) {
2718  printf("no http state: \n");
2719  result = 0;
2720  goto end;
2721  }
2722 
2723  /* do detect */
2724  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2725 
2726  if (PacketAlertCheck(p1, 1)) {
2727  printf("sid 1 matched but shouldn't have\n");
2728  goto end;
2729  }
2730 
2731  r = AppLayerParserParse(
2732  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
2733  if (r != 0) {
2734  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2735  result = 0;
2736  goto end;
2737  }
2738 
2739  /* do detect */
2740  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2741 
2742  if (PacketAlertCheck(p2, 1)) {
2743  printf("sid 1 matched but shouldn't have");
2744  goto end;
2745  }
2746 
2747  result = 1;
2748 
2749 end:
2750  if (alp_tctx != NULL)
2751  AppLayerParserThreadCtxFree(alp_tctx);
2752  if (de_ctx != NULL)
2753  DetectEngineCtxFree(de_ctx);
2754 
2755  StreamTcpFreeConfig(true);
2756  FLOW_DESTROY(&f);
2757  UTHFreePackets(&p1, 1);
2758  UTHFreePackets(&p2, 1);
2759  return result;
2760 }
2761 
2762 #if 0
2763 
2764 static int DetectEngineHttpRawHeaderTest30(void)
2765 {
2766  int result = 0;
2767  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2768 
2769  if (de_ctx == NULL) {
2770  goto end;
2771  }
2772 
2773  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
2774  "(msg:\"http header test\"; "
2775  "content:\"Content-Length: 6\"; http_raw_header; "
2776  "content:\"User-Agent: Mozilla\"; http_raw_header; "
2777  "sid:1;)");
2778  if (de_ctx->sig_list != NULL) {
2779  goto end;
2780  }
2781 
2782  result = 1;
2783 
2784  end:
2785  if (de_ctx != NULL)
2786  SigCleanSignatures(de_ctx);
2787  if (de_ctx != NULL)
2788  DetectEngineCtxFree(de_ctx);
2789  return result;
2790 }
2791 
2792 #endif /* #if 0 */
2793 
2794 /**
2795  * \test Trailing headers.
2796  */
2797 static int DetectEngineHttpRawHeaderTest31(void)
2798 {
2799  TcpSession ssn;
2800  Packet *p1 = NULL;
2801  ThreadVars th_v;
2802  DetectEngineCtx *de_ctx = NULL;
2803  DetectEngineThreadCtx *det_ctx = NULL;
2804  HtpState *http_state = NULL;
2805  Flow f;
2806  uint8_t http1_buf[] =
2807  "GET /index.html HTTP/1.0\r\n"
2808  "host: boom\r\n"
2809  "Transfer-Encoding: chunked\r\n"
2810  "\r\n"
2811  "13\r\n"
2812  "This is dummy body1\r\n"
2813  "0\r\n"
2814  "Dummy-Header: kaboom\r\n"
2815  "\r\n";
2816  uint32_t http1_len = sizeof(http1_buf) - 1;
2817  int result = 0;
2818  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2819 
2820  memset(&th_v, 0, sizeof(th_v));
2821  memset(&f, 0, sizeof(f));
2822  memset(&ssn, 0, sizeof(ssn));
2823 
2824  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2825 
2826  FLOW_INITIALIZE(&f);
2827  f.protoctx = (void *)&ssn;
2828  f.proto = IPPROTO_TCP;
2829  f.flags |= FLOW_IPV4;
2830 
2831  p1->flow = &f;
2832  p1->flowflags |= FLOW_PKT_TOSERVER;
2833  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2834  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2835  f.alproto = ALPROTO_HTTP1;
2836 
2837  StreamTcpInitConfig(true);
2838 
2839  de_ctx = DetectEngineCtxInit();
2840  if (de_ctx == NULL)
2841  goto end;
2842 
2843  de_ctx->flags |= DE_QUIET;
2844 
2845  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2846  "(flow:to_server; "
2847  "content:\"Dummy\"; http_raw_header; "
2848  "sid:1;)");
2849  if (de_ctx->sig_list == NULL)
2850  goto end;
2851 
2852  SigGroupBuild(de_ctx);
2853  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2854 
2855  int r = AppLayerParserParse(
2856  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2857  if (r != 0) {
2858  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2859  result = 0;
2860  goto end;
2861  }
2862 
2863  http_state = f.alstate;
2864  if (http_state == NULL) {
2865  printf("no http state: \n");
2866  result = 0;
2867  goto end;
2868  }
2869 
2870  /* do detect */
2871  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2872 
2873  if (!(PacketAlertCheck(p1, 1))) {
2874  printf("sid 1 didn't match but should have: ");
2875  goto end;
2876  }
2877 
2878  result = 1;
2879 
2880 end:
2881  if (alp_tctx != NULL)
2882  AppLayerParserThreadCtxFree(alp_tctx);
2883  if (de_ctx != NULL)
2884  DetectEngineCtxFree(de_ctx);
2885 
2886  StreamTcpFreeConfig(true);
2887  FLOW_DESTROY(&f);
2888  UTHFreePackets(&p1, 1);
2889  return result;
2890 }
2891 
2892 /**
2893  * \test Trailing headers.
2894  */
2895 static int DetectEngineHttpRawHeaderTest32(void)
2896 {
2897  TcpSession ssn;
2898  Packet *p1 = NULL;
2899  Packet *p2 = NULL;
2900  ThreadVars th_v;
2901  DetectEngineCtx *de_ctx = NULL;
2902  DetectEngineThreadCtx *det_ctx = NULL;
2903  HtpState *http_state = NULL;
2904  Flow f;
2905  uint8_t http1_buf[] =
2906  "GET /index.html HTTP/1.0\r\n"
2907  "host: boom\r\n"
2908  "Transfer-Encoding: chunked\r\n"
2909  "\r\n"
2910  "13\r\n"
2911  "This is dummy body1\r\n"
2912  "0\r\n";
2913  uint8_t http2_buf[] =
2914  "Dummy-Header: kaboom\r\n"
2915  "\r\n";
2916  uint32_t http1_len = sizeof(http1_buf) - 1;
2917  uint32_t http2_len = sizeof(http2_buf) - 1;
2918  int result = 0;
2919  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2920 
2921  memset(&th_v, 0, sizeof(th_v));
2922  memset(&f, 0, sizeof(f));
2923  memset(&ssn, 0, sizeof(ssn));
2924 
2925  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2926  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2927 
2928  FLOW_INITIALIZE(&f);
2929  f.protoctx = (void *)&ssn;
2930  f.proto = IPPROTO_TCP;
2931  f.flags |= FLOW_IPV4;
2932 
2933  p1->flow = &f;
2934  p1->flowflags |= FLOW_PKT_TOSERVER;
2935  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2936  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2937  p2->flow = &f;
2938  p2->flowflags |= FLOW_PKT_TOSERVER;
2939  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2940  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2941  f.alproto = ALPROTO_HTTP1;
2942 
2943  StreamTcpInitConfig(true);
2944 
2945  de_ctx = DetectEngineCtxInit();
2946  if (de_ctx == NULL)
2947  goto end;
2948 
2949  de_ctx->flags |= DE_QUIET;
2950 
2951  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2952  "(flow:to_server; "
2953  "content:\"Dummy\"; http_raw_header; "
2954  "sid:1;)");
2955  if (de_ctx->sig_list == NULL)
2956  goto end;
2957 
2958  SigGroupBuild(de_ctx);
2959  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2960 
2961  int r = AppLayerParserParse(
2962  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2963  if (r != 0) {
2964  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2965  result = 0;
2966  goto end;
2967  }
2968 
2969  http_state = f.alstate;
2970  if (http_state == NULL) {
2971  printf("no http state: \n");
2972  result = 0;
2973  goto end;
2974  }
2975 
2976  /* do detect */
2977  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2978 
2979  if (PacketAlertCheck(p1, 1)) {
2980  printf("sid 1 matched but shouldn't have\n");
2981  goto end;
2982  }
2983 
2984  r = AppLayerParserParse(
2985  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2986  if (r != 0) {
2987  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2988  result = 0;
2989  goto end;
2990  }
2991 
2992  /* do detect */
2993  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2994 
2995  if (!PacketAlertCheck(p2, 1)) {
2996  printf("sid 1 didn't match but should have\n");
2997  goto end;
2998  }
2999 
3000  result = 1;
3001 
3002 end:
3003  if (alp_tctx != NULL)
3004  AppLayerParserThreadCtxFree(alp_tctx);
3005  if (de_ctx != NULL)
3006  DetectEngineCtxFree(de_ctx);
3007 
3008  StreamTcpFreeConfig(true);
3009  FLOW_DESTROY(&f);
3010  UTHFreePackets(&p1, 1);
3011  UTHFreePackets(&p2, 1);
3012  return result;
3013 }
3014 
3015 /**
3016  *\test Test that the http_header content matches against a http request
3017  * which holds the content.
3018  */
3019 static int DetectHttpRawHeaderTest06(void)
3020 {
3021  TcpSession ssn;
3022  Packet *p = NULL;
3023  ThreadVars th_v;
3024  DetectEngineCtx *de_ctx = NULL;
3025  DetectEngineThreadCtx *det_ctx = NULL;
3026  HtpState *http_state = NULL;
3027  Flow f;
3028  uint8_t http_buf[] =
3029  "GET /index.html HTTP/1.0\r\n"
3030  "Host: www.openinfosecfoundation.org\r\n"
3031  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3032  "Content-Type: text/html\r\n"
3033  "Content-Length: 26\r\n"
3034  "\r\n"
3035  "This is dummy message body\r\n";
3036  uint32_t http_len = sizeof(http_buf) - 1;
3037  int result = 0;
3038  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3039 
3040  memset(&th_v, 0, sizeof(th_v));
3041  memset(&f, 0, sizeof(f));
3042  memset(&ssn, 0, sizeof(ssn));
3043 
3044  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3045 
3046  FLOW_INITIALIZE(&f);
3047  f.protoctx = (void *)&ssn;
3048  f.proto = IPPROTO_TCP;
3049  f.flags |= FLOW_IPV4;
3050  p->flow = &f;
3051  p->flowflags |= FLOW_PKT_TOSERVER;
3052  p->flowflags |= FLOW_PKT_ESTABLISHED;
3053  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3054  f.alproto = ALPROTO_HTTP1;
3055 
3056  StreamTcpInitConfig(true);
3057 
3058  de_ctx = DetectEngineCtxInit();
3059  if (de_ctx == NULL)
3060  goto end;
3061 
3062  de_ctx->flags |= DE_QUIET;
3063 
3064  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3065  "(msg:\"http header test\"; flow:to_server; "
3066  "content:\"Content-Type: text/html\"; http_raw_header; "
3067  "sid:1;)");
3068  if (de_ctx->sig_list == NULL)
3069  goto end;
3070 
3071  SigGroupBuild(de_ctx);
3072  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3073 
3074  int r = AppLayerParserParse(
3075  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3076  if (r != 0) {
3077  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3078  result = 0;
3079  goto end;
3080  }
3081 
3082  http_state = f.alstate;
3083  if (http_state == NULL) {
3084  printf("no http state: ");
3085  result = 0;
3086  goto end;
3087  }
3088 
3089  /* do detect */
3090  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3091 
3092  if (!(PacketAlertCheck(p, 1))) {
3093  printf("sid 1 didn't match but should have: ");
3094  goto end;
3095  }
3096 
3097  result = 1;
3098 end:
3099  if (alp_tctx != NULL)
3100  AppLayerParserThreadCtxFree(alp_tctx);
3101  if (de_ctx != NULL)
3102  DetectEngineCtxFree(de_ctx);
3103 
3104  StreamTcpFreeConfig(true);
3105  FLOW_DESTROY(&f);
3106  UTHFreePackets(&p, 1);
3107  return result;
3108 }
3109 
3110 /**
3111  *\test Test that the http_header content matches against a http request
3112  * which holds the content.
3113  */
3114 static int DetectHttpRawHeaderTest07(void)
3115 {
3116  TcpSession ssn;
3117  Packet *p1 = NULL;
3118  Packet *p2 = NULL;
3119  ThreadVars th_v;
3120  DetectEngineCtx *de_ctx = NULL;
3121  DetectEngineThreadCtx *det_ctx = NULL;
3122  HtpState *http_state = NULL;
3123  Flow f;
3124  uint8_t http1_buf[] =
3125  "GET /index.html HTTP/1.0\r\n"
3126  "Host: www.openinfosecfoundation.org\r\n"
3127  "User-Agent: Mozi";
3128  uint8_t http2_buf[] =
3129  "lla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\nContent-Type: text/html\r\n"
3130  "Content-Length: 67\r\n"
3131  "\r\n"
3132  "This is dummy message body1";
3133  uint32_t http1_len = sizeof(http1_buf) - 1;
3134  uint32_t http2_len = sizeof(http2_buf) - 1;
3135  int result = 0;
3136  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3137 
3138  memset(&th_v, 0, sizeof(th_v));
3139  memset(&f, 0, sizeof(f));
3140  memset(&ssn, 0, sizeof(ssn));
3141 
3142  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3143  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3144 
3145  FLOW_INITIALIZE(&f);
3146  f.protoctx = (void *)&ssn;
3147  f.proto = IPPROTO_TCP;
3148  f.flags |= FLOW_IPV4;
3149  p1->flow = &f;
3150  p1->flowflags |= FLOW_PKT_TOSERVER;
3151  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3152  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3153  p2->flow = &f;
3154  p2->flowflags |= FLOW_PKT_TOSERVER;
3155  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3156  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3157  f.alproto = ALPROTO_HTTP1;
3158 
3159  StreamTcpInitConfig(true);
3160 
3161  de_ctx = DetectEngineCtxInit();
3162  if (de_ctx == NULL)
3163  goto end;
3164 
3165  de_ctx->flags |= DE_QUIET;
3166 
3167  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3168  "(msg:\"http header test\"; flow:to_server; "
3169  "content:\"Mozilla\"; http_raw_header; "
3170  "sid:1;)");
3171  if (de_ctx->sig_list == NULL)
3172  goto end;
3173 
3174  SigGroupBuild(de_ctx);
3175  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3176 
3177  int r = AppLayerParserParse(
3178  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3179  if (r != 0) {
3180  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3181  result = 0;
3182  goto end;
3183  }
3184 
3185  http_state = f.alstate;
3186  if (http_state == NULL) {
3187  printf("no http state: ");
3188  result = 0;
3189  goto end;
3190  }
3191 
3192  /* do detect */
3193  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3194 
3195  if ( (PacketAlertCheck(p1, 1))) {
3196  printf("sid 1 matched but shouldn't have: ");
3197  goto end;
3198  }
3199 
3200  r = AppLayerParserParse(
3201  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3202  if (r != 0) {
3203  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3204  result = 0;
3205  goto end;
3206  }
3207 
3208  /* do detect */
3209  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3210 
3211  if (!(PacketAlertCheck(p2, 1))) {
3212  printf("sid 1 didn't match but should have: ");
3213  goto end;
3214  }
3215 
3216  result = 1;
3217 end:
3218  if (alp_tctx != NULL)
3219  AppLayerParserThreadCtxFree(alp_tctx);
3220  if (de_ctx != NULL)
3221  DetectEngineCtxFree(de_ctx);
3222 
3223  StreamTcpFreeConfig(true);
3224  FLOW_DESTROY(&f);
3225  UTHFreePackets(&p1, 1);
3226  UTHFreePackets(&p2, 1);
3227  return result;
3228 }
3229 
3230 /**
3231  *\test Test that the http_header content matches against a http request
3232  * which holds the content.
3233  */
3234 static int DetectHttpRawHeaderTest08(void)
3235 {
3236  TcpSession ssn;
3237  Packet *p1 = NULL;
3238  Packet *p2 = NULL;
3239  ThreadVars th_v;
3240  DetectEngineCtx *de_ctx = NULL;
3241  DetectEngineThreadCtx *det_ctx = NULL;
3242  HtpState *http_state = NULL;
3243  Flow f;
3244  uint8_t http1_buf[] =
3245  "GET /index.html HTTP/1.0\r\n"
3246  "Host: www.openinfosecfoundation.org\r\n";
3247  uint8_t http2_buf[] =
3248  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3249  "Content-Type: text/html\r\n"
3250  "Content-Length: 67\r\n"
3251  "\r\n";
3252  uint32_t http1_len = sizeof(http1_buf) - 1;
3253  uint32_t http2_len = sizeof(http2_buf) - 1;
3254  int result = 0;
3255  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3256 
3257  memset(&th_v, 0, sizeof(th_v));
3258  memset(&f, 0, sizeof(f));
3259  memset(&ssn, 0, sizeof(ssn));
3260 
3261  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3262  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3263 
3264  FLOW_INITIALIZE(&f);
3265  f.protoctx = (void *)&ssn;
3266  f.proto = IPPROTO_TCP;
3267  f.flags |= FLOW_IPV4;
3268  p1->flow = &f;
3269  p1->flowflags |= FLOW_PKT_TOSERVER;
3270  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3271  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3272  p2->flow = &f;
3273  p2->flowflags |= FLOW_PKT_TOSERVER;
3274  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3275  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3276  f.alproto = ALPROTO_HTTP1;
3277 
3278  StreamTcpInitConfig(true);
3279 
3280  de_ctx = DetectEngineCtxInit();
3281  if (de_ctx == NULL)
3282  goto end;
3283 
3284  de_ctx->flags |= DE_QUIET;
3285 
3286  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3287  "(msg:\"http header test\"; flow:to_server; "
3288  "content:\"Gecko/20091221 Firefox/3.5.7\"; http_raw_header; "
3289  "sid:1;)");
3290  if (de_ctx->sig_list == NULL)
3291  goto end;
3292 
3293  SigGroupBuild(de_ctx);
3294  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3295 
3296  int r = AppLayerParserParse(
3297  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3298  if (r != 0) {
3299  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3300  result = 0;
3301  goto end;
3302  }
3303 
3304  http_state = f.alstate;
3305  if (http_state == NULL) {
3306  printf("no http state: ");
3307  result = 0;
3308  goto end;
3309  }
3310 
3311  /* do detect */
3312  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3313 
3314  if ((PacketAlertCheck(p1, 1))) {
3315  printf("sid 1 didn't match but should have: ");
3316  goto end;
3317  }
3318 
3319  r = AppLayerParserParse(
3320  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3321  if (r != 0) {
3322  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3323  result = 0;
3324  goto end;
3325  }
3326 
3327  /* do detect */
3328  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3329 
3330  if (!(PacketAlertCheck(p2, 1))) {
3331  printf("sid 1 didn't match but should have: ");
3332  goto end;
3333  }
3334 
3335  result = 1;
3336 end:
3337  if (alp_tctx != NULL)
3338  AppLayerParserThreadCtxFree(alp_tctx);
3339  if (de_ctx != NULL)
3340  DetectEngineCtxFree(de_ctx);
3341 
3342  StreamTcpFreeConfig(true);
3343  FLOW_DESTROY(&f);
3344  UTHFreePackets(&p1, 1);
3345  UTHFreePackets(&p2, 1);
3346  return result;
3347 }
3348 
3349 /**
3350  *\test Test that the http_header content matches against a http request
3351  * which holds the content, against a cross boundary present pattern.
3352  */
3353 static int DetectHttpRawHeaderTest09(void)
3354 {
3355  TcpSession ssn;
3356  Packet *p1 = NULL;
3357  Packet *p2 = NULL;
3358  ThreadVars th_v;
3359  DetectEngineCtx *de_ctx = NULL;
3360  DetectEngineThreadCtx *det_ctx = NULL;
3361  HtpState *http_state = NULL;
3362  Flow f;
3363  uint8_t http1_buf[] =
3364  "GET /index.html HTTP/1.0\r\n"
3365  "Host: www.openinfosecfoundation.org\r\n"
3366  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
3367  uint8_t http2_buf[] =
3368  "Content-Type: text/html\r\n"
3369  "Content-Length: 67\r\n"
3370  "\r\n"
3371  "This is dummy body\r\n";
3372  uint32_t http1_len = sizeof(http1_buf) - 1;
3373  uint32_t http2_len = sizeof(http2_buf) - 1;
3374  int result = 0;
3375  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3376 
3377  memset(&th_v, 0, sizeof(th_v));
3378  memset(&f, 0, sizeof(f));
3379  memset(&ssn, 0, sizeof(ssn));
3380 
3381  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3382  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3383 
3384  FLOW_INITIALIZE(&f);
3385  f.protoctx = (void *)&ssn;
3386  f.proto = IPPROTO_TCP;
3387  f.flags |= FLOW_IPV4;
3388  p1->flow = &f;
3389  p1->flowflags |= FLOW_PKT_TOSERVER;
3390  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3391  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3392  p2->flow = &f;
3393  p2->flowflags |= FLOW_PKT_TOSERVER;
3394  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3395  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3396  f.alproto = ALPROTO_HTTP1;
3397 
3398  StreamTcpInitConfig(true);
3399 
3400  de_ctx = DetectEngineCtxInit();
3401  if (de_ctx == NULL)
3402  goto end;
3403 
3404  de_ctx->flags |= DE_QUIET;
3405 
3406  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3407  "(msg:\"http header test\"; flow:to_server; "
3408  "content:\"Firefox/3.5.7|0D 0A|Content\"; http_raw_header; "
3409  "sid:1;)");
3410  if (de_ctx->sig_list == NULL)
3411  goto end;
3412 
3413  SigGroupBuild(de_ctx);
3414  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3415 
3416  int r = AppLayerParserParse(
3417  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3418  if (r != 0) {
3419  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3420  result = 0;
3421  goto end;
3422  }
3423 
3424  http_state = f.alstate;
3425  if (http_state == NULL) {
3426  printf("no http state: ");
3427  result = 0;
3428  goto end;
3429  }
3430 
3431  /* do detect */
3432  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3433 
3434  if ((PacketAlertCheck(p1, 1))) {
3435  printf("sid 1 didn't match but should have: ");
3436  goto end;
3437  }
3438 
3439  r = AppLayerParserParse(
3440  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3441  if (r != 0) {
3442  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3443  result = 0;
3444  goto end;
3445  }
3446 
3447  /* do detect */
3448  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3449 
3450  if (!(PacketAlertCheck(p2, 1))) {
3451  printf("sid 1 didn't match but should have: ");
3452  goto end;
3453  }
3454 
3455  result = 1;
3456 end:
3457  if (alp_tctx != NULL)
3458  AppLayerParserThreadCtxFree(alp_tctx);
3459  if (de_ctx != NULL)
3460  DetectEngineCtxFree(de_ctx);
3461 
3462  StreamTcpFreeConfig(true);
3463  FLOW_DESTROY(&f);
3464  UTHFreePackets(&p1, 1);
3465  UTHFreePackets(&p2, 1);
3466  return result;
3467 }
3468 
3469 /**
3470  *\test Test that the http_header content matches against a http request
3471  * against a case insensitive pattern.
3472  */
3473 static int DetectHttpRawHeaderTest10(void)
3474 {
3475  TcpSession ssn;
3476  Packet *p1 = NULL;
3477  Packet *p2 = NULL;
3478  ThreadVars th_v;
3479  DetectEngineCtx *de_ctx = NULL;
3480  DetectEngineThreadCtx *det_ctx = NULL;
3481  HtpState *http_state = NULL;
3482  Flow f;
3483  uint8_t http1_buf[] =
3484  "GET /index.html HTTP/1.0\r\n"
3485  "Host: www.openinfosecfoundation.org\r\n"
3486  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
3487  uint8_t http2_buf[] =
3488  "Content-Type: text/html\r\n"
3489  "Content-Length: 67\r\n"
3490  "\r\n"
3491  "This is dummy body";
3492  uint32_t http1_len = sizeof(http1_buf) - 1;
3493  uint32_t http2_len = sizeof(http2_buf) - 1;
3494  int result = 0;
3495  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3496 
3497  memset(&th_v, 0, sizeof(th_v));
3498  memset(&f, 0, sizeof(f));
3499  memset(&ssn, 0, sizeof(ssn));
3500 
3501  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3502  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3503 
3504  FLOW_INITIALIZE(&f);
3505  f.protoctx = (void *)&ssn;
3506  f.proto = IPPROTO_TCP;
3507  f.flags |= FLOW_IPV4;
3508  p1->flow = &f;
3509  p1->flowflags |= FLOW_PKT_TOSERVER;
3510  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3511  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3512  p2->flow = &f;
3513  p2->flowflags |= FLOW_PKT_TOSERVER;
3514  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3515  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3516  f.alproto = ALPROTO_HTTP1;
3517 
3518  StreamTcpInitConfig(true);
3519 
3520  de_ctx = DetectEngineCtxInit();
3521  if (de_ctx == NULL)
3522  goto end;
3523 
3524  de_ctx->flags |= DE_QUIET;
3525 
3526  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3527  "(msg:\"http header test\"; flow:to_server; "
3528  "content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_raw_header;"
3529  "sid:1;)");
3530  if (de_ctx->sig_list == NULL)
3531  goto end;
3532 
3533  SigGroupBuild(de_ctx);
3534  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3535 
3536  int r = AppLayerParserParse(
3537  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3538  if (r != 0) {
3539  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3540  result = 0;
3541  goto end;
3542  }
3543 
3544  http_state = f.alstate;
3545  if (http_state == NULL) {
3546  printf("no http state: ");
3547  result = 0;
3548  goto end;
3549  }
3550 
3551  /* do detect */
3552  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3553 
3554  if ((PacketAlertCheck(p1, 1))) {
3555  printf("sid 1 didn't match but should have: ");
3556  goto end;
3557  }
3558 
3559  r = AppLayerParserParse(
3560  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3561  if (r != 0) {
3562  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3563  result = 0;
3564  goto end;
3565  }
3566 
3567  /* do detect */
3568  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3569 
3570  if (!(PacketAlertCheck(p2, 1))) {
3571  printf("sid 1 didn't match but should have: ");
3572  goto end;
3573  }
3574 
3575  result = 1;
3576 end:
3577  if (alp_tctx != NULL)
3578  AppLayerParserThreadCtxFree(alp_tctx);
3579  if (de_ctx != NULL)
3580  DetectEngineCtxFree(de_ctx);
3581 
3582  StreamTcpFreeConfig(true);
3583  FLOW_DESTROY(&f);
3584  UTHFreePackets(&p1, 1);
3585  UTHFreePackets(&p2, 1);
3586  return result;
3587 }
3588 
3589 /**
3590  *\test Test that the negated http_header content matches against a
3591  * http request which doesn't hold the content.
3592  */
3593 static int DetectHttpRawHeaderTest11(void)
3594 {
3595  TcpSession ssn;
3596  Packet *p = NULL;
3597  ThreadVars th_v;
3598  DetectEngineCtx *de_ctx = NULL;
3599  DetectEngineThreadCtx *det_ctx = NULL;
3600  HtpState *http_state = NULL;
3601  Flow f;
3602  uint8_t http_buf[] =
3603  "GET /index.html HTTP/1.0\r\n"
3604  "Host: www.openinfosecfoundation.org\r\n"
3605  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3606  "Content-Type: text/html\r\n"
3607  "Content-Length: 26\r\n"
3608  "\r\n"
3609  "This is dummy message body\r\n";
3610  uint32_t http_len = sizeof(http_buf) - 1;
3611  int result = 0;
3612  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3613 
3614  memset(&th_v, 0, sizeof(th_v));
3615  memset(&f, 0, sizeof(f));
3616  memset(&ssn, 0, sizeof(ssn));
3617 
3618  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3619 
3620  FLOW_INITIALIZE(&f);
3621  f.protoctx = (void *)&ssn;
3622  f.proto = IPPROTO_TCP;
3623  f.flags |= FLOW_IPV4;
3624  p->flow = &f;
3625  p->flowflags |= FLOW_PKT_TOSERVER;
3626  p->flowflags |= FLOW_PKT_ESTABLISHED;
3627  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3628  f.alproto = ALPROTO_HTTP1;
3629 
3630  StreamTcpInitConfig(true);
3631 
3632  de_ctx = DetectEngineCtxInit();
3633  if (de_ctx == NULL)
3634  goto end;
3635 
3636  de_ctx->flags |= DE_QUIET;
3637 
3638  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3639  "(msg:\"http header test\"; flow:to_server; "
3640  "content:!\"lalalalala\"; http_raw_header; "
3641  "sid:1;)");
3642  if (de_ctx->sig_list == NULL)
3643  goto end;
3644 
3645  SigGroupBuild(de_ctx);
3646  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3647 
3648  int r = AppLayerParserParse(
3649  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3650  if (r != 0) {
3651  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3652  result = 0;
3653  goto end;
3654  }
3655 
3656  http_state = f.alstate;
3657  if (http_state == NULL) {
3658  printf("no http state: ");
3659  result = 0;
3660  goto end;
3661  }
3662 
3663  /* do detect */
3664  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3665 
3666  if (!(PacketAlertCheck(p, 1))) {
3667  printf("sid 1 didn't match but should have: ");
3668  goto end;
3669  }
3670 
3671  result = 1;
3672 end:
3673  if (alp_tctx != NULL)
3674  AppLayerParserThreadCtxFree(alp_tctx);
3675  if (de_ctx != NULL)
3676  DetectEngineCtxFree(de_ctx);
3677 
3678  StreamTcpFreeConfig(true);
3679  FLOW_DESTROY(&f);
3680  UTHFreePackets(&p, 1);
3681  return result;
3682 }
3683 
3684 /**
3685  *\test Negative test that the negated http_header content matches against a
3686  * http request which holds hold the content.
3687  */
3688 static int DetectHttpRawHeaderTest12(void)
3689 {
3690  TcpSession ssn;
3691  Packet *p = NULL;
3692  ThreadVars th_v;
3693  DetectEngineCtx *de_ctx = NULL;
3694  DetectEngineThreadCtx *det_ctx = NULL;
3695  HtpState *http_state = NULL;
3696  Flow f;
3697  uint8_t http_buf[] =
3698  "GET /index.html HTTP/1.0\r\n"
3699  "Host: www.openinfosecfoundation.org\r\n"
3700  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3701  "Content-Type: text/html\r\n"
3702  "Content-Length: 26\r\n"
3703  "\r\n"
3704  "This is dummy message body\r\n";
3705  uint32_t http_len = sizeof(http_buf) - 1;
3706  int result = 0;
3707  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3708 
3709  memset(&th_v, 0, sizeof(th_v));
3710  memset(&f, 0, sizeof(f));
3711  memset(&ssn, 0, sizeof(ssn));
3712 
3713  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3714 
3715  FLOW_INITIALIZE(&f);
3716  f.protoctx = (void *)&ssn;
3717  f.proto = IPPROTO_TCP;
3718  f.flags |= FLOW_IPV4;
3719  p->flow = &f;
3720  p->flowflags |= FLOW_PKT_TOSERVER;
3721  p->flowflags |= FLOW_PKT_ESTABLISHED;
3722  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3723  f.alproto = ALPROTO_HTTP1;
3724 
3725  StreamTcpInitConfig(true);
3726 
3727  de_ctx = DetectEngineCtxInit();
3728  if (de_ctx == NULL)
3729  goto end;
3730 
3731  de_ctx->flags |= DE_QUIET;
3732 
3733  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3734  "(msg:\"http header test\"; flow:to_server; "
3735  "content:!\"User-Agent: Mozilla/5.0 \"; http_raw_header; "
3736  "sid:1;)");
3737  if (de_ctx->sig_list == NULL)
3738  goto end;
3739 
3740  SigGroupBuild(de_ctx);
3741  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3742 
3743  int r = AppLayerParserParse(
3744  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3745  if (r != 0) {
3746  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3747  result = 0;
3748  goto end;
3749  }
3750 
3751  http_state = f.alstate;
3752  if (http_state == NULL) {
3753  printf("no http state: ");
3754  result = 0;
3755  goto end;
3756  }
3757 
3758  /* do detect */
3759  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3760 
3761  if ((PacketAlertCheck(p, 1))) {
3762  printf("sid 1 didn't match but should have: ");
3763  goto end;
3764  }
3765 
3766  result = 1;
3767 end:
3768  if (alp_tctx != NULL)
3769  AppLayerParserThreadCtxFree(alp_tctx);
3770  if (de_ctx != NULL)
3771  DetectEngineCtxFree(de_ctx);
3772 
3773  StreamTcpFreeConfig(true);
3774  FLOW_DESTROY(&f);
3775  UTHFreePackets(&p, 1);
3776  return result;
3777 }
3778 
3779 /**
3780  *\test Test that the http_header content matches against a http request
3781  * which holds the content.
3782  */
3783 static int DetectHttpRawHeaderTest13(void)
3784 {
3785  TcpSession ssn;
3786  Packet *p = NULL;
3787  ThreadVars th_v;
3788  DetectEngineCtx *de_ctx = NULL;
3789  DetectEngineThreadCtx *det_ctx = NULL;
3790  HtpState *http_state = NULL;
3791  Flow f;
3792  uint8_t http_buf[] =
3793  "GET /index.html HTTP/1.0\r\n"
3794  "Host: www.openinfosecfoundation.org\r\n"
3795  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3796  "Content-Type: text/html\r\n"
3797  "Content-Length: 100\r\n"
3798  "\r\n"
3799  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n";
3800  uint32_t http_len = sizeof(http_buf) - 1;
3801  int result = 0;
3802  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3803 
3804  memset(&th_v, 0, sizeof(th_v));
3805  memset(&f, 0, sizeof(f));
3806  memset(&ssn, 0, sizeof(ssn));
3807 
3808  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3809 
3810  FLOW_INITIALIZE(&f);
3811  f.protoctx = (void *)&ssn;
3812  f.proto = IPPROTO_TCP;
3813  f.flags |= FLOW_IPV4;
3814 
3815  p->flow = &f;
3816  p->flowflags |= FLOW_PKT_TOSERVER;
3817  p->flowflags |= FLOW_PKT_ESTABLISHED;
3818  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3819  f.alproto = ALPROTO_HTTP1;
3820 
3821  StreamTcpInitConfig(true);
3822 
3823  de_ctx = DetectEngineCtxInit();
3824  if (de_ctx == NULL)
3825  goto end;
3826 
3827  de_ctx->flags |= DE_QUIET;
3828 
3829  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3830  "(msg:\"http header test\"; flow:to_server; "
3831  "content:\"Host: www.openinfosecfoundation.org\"; http_raw_header; "
3832  "sid:1;)");
3833  if (de_ctx->sig_list == NULL)
3834  goto end;
3835 
3836  SigGroupBuild(de_ctx);
3837  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3838 
3839  int r = AppLayerParserParse(
3840  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3841  if (r != 0) {
3842  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3843  result = 0;
3844  goto end;
3845  }
3846 
3847  http_state = f.alstate;
3848  if (http_state == NULL) {
3849  printf("no http state: ");
3850  result = 0;
3851  goto end;
3852  }
3853 
3854  /* do detect */
3855  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3856 
3857  if (!(PacketAlertCheck(p, 1))) {
3858  printf("sid 1 didn't match but should have: ");
3859  goto end;
3860  }
3861 
3862  result = 1;
3863 end:
3864 
3865  if (alp_tctx != NULL)
3866  AppLayerParserThreadCtxFree(alp_tctx);
3867  if (de_ctx != NULL)
3868  DetectEngineCtxFree(de_ctx);
3869 
3870  StreamTcpFreeConfig(true);
3871  FLOW_DESTROY(&f);
3872  UTHFreePackets(&p, 1);
3873  return result;
3874 }
3875 
3876 void DetectHttpRawHeaderRegisterTests(void)
3877 {
3878  UtRegisterTest("DetectHttpRawHeaderParserTest01",
3879  DetectHttpRawHeaderParserTest01);
3880  UtRegisterTest("DetectHttpRawHeaderParserTest02",
3881  DetectHttpRawHeaderParserTest02);
3882 
3883  UtRegisterTest("DetectEngineHttpRawHeaderTest01",
3884  DetectEngineHttpRawHeaderTest01);
3885  UtRegisterTest("DetectEngineHttpRawHeaderTest02",
3886  DetectEngineHttpRawHeaderTest02);
3887  UtRegisterTest("DetectEngineHttpRawHeaderTest03",
3888  DetectEngineHttpRawHeaderTest03);
3889  UtRegisterTest("DetectEngineHttpRawHeaderTest04",
3890  DetectEngineHttpRawHeaderTest04);
3891  UtRegisterTest("DetectEngineHttpRawHeaderTest05",
3892  DetectEngineHttpRawHeaderTest05);
3893  UtRegisterTest("DetectEngineHttpRawHeaderTest06",
3894  DetectEngineHttpRawHeaderTest06);
3895  UtRegisterTest("DetectEngineHttpRawHeaderTest07",
3896  DetectEngineHttpRawHeaderTest07);
3897  UtRegisterTest("DetectEngineHttpRawHeaderTest08",
3898  DetectEngineHttpRawHeaderTest08);
3899  UtRegisterTest("DetectEngineHttpRawHeaderTest09",
3900  DetectEngineHttpRawHeaderTest09);
3901  UtRegisterTest("DetectEngineHttpRawHeaderTest10",
3902  DetectEngineHttpRawHeaderTest10);
3903  UtRegisterTest("DetectEngineHttpRawHeaderTest11",
3904  DetectEngineHttpRawHeaderTest11);
3905  UtRegisterTest("DetectEngineHttpRawHeaderTest12",
3906  DetectEngineHttpRawHeaderTest12);
3907  UtRegisterTest("DetectEngineHttpRawHeaderTest13",
3908  DetectEngineHttpRawHeaderTest13);
3909  UtRegisterTest("DetectEngineHttpRawHeaderTest14",
3910  DetectEngineHttpRawHeaderTest14);
3911  UtRegisterTest("DetectEngineHttpRawHeaderTest15",
3912  DetectEngineHttpRawHeaderTest15);
3913  UtRegisterTest("DetectEngineHttpRawHeaderTest16",
3914  DetectEngineHttpRawHeaderTest16);
3915  UtRegisterTest("DetectEngineHttpRawHeaderTest17",
3916  DetectEngineHttpRawHeaderTest17);
3917  UtRegisterTest("DetectEngineHttpRawHeaderTest20",
3918  DetectEngineHttpRawHeaderTest20);
3919  UtRegisterTest("DetectEngineHttpRawHeaderTest21",
3920  DetectEngineHttpRawHeaderTest21);
3921  UtRegisterTest("DetectEngineHttpRawHeaderTest22",
3922  DetectEngineHttpRawHeaderTest22);
3923  UtRegisterTest("DetectEngineHttpRawHeaderTest23",
3924  DetectEngineHttpRawHeaderTest23);
3925  UtRegisterTest("DetectEngineHttpRawHeaderTest24",
3926  DetectEngineHttpRawHeaderTest24);
3927  UtRegisterTest("DetectEngineHttpRawHeaderTest25",
3928  DetectEngineHttpRawHeaderTest25);
3929  UtRegisterTest("DetectEngineHttpRawHeaderTest26",
3930  DetectEngineHttpRawHeaderTest26);
3931  UtRegisterTest("DetectEngineHttpRawHeaderTest27",
3932  DetectEngineHttpRawHeaderTest27);
3933  UtRegisterTest("DetectEngineHttpRawHeaderTest28",
3934  DetectEngineHttpRawHeaderTest28);
3935  UtRegisterTest("DetectEngineHttpRawHeaderTest29",
3936  DetectEngineHttpRawHeaderTest29);
3937 #if 0
3938  UtRegisterTest("DetectEngineHttpRawHeaderTest30",
3939  DetectEngineHttpRawHeaderTest30, 1);
3940 #endif
3941  UtRegisterTest("DetectEngineHttpRawHeaderTest31",
3942  DetectEngineHttpRawHeaderTest31);
3943  UtRegisterTest("DetectEngineHttpRawHeaderTest32",
3944  DetectEngineHttpRawHeaderTest32);
3945 
3946  UtRegisterTest("DetectHttpRawHeaderTest06", DetectHttpRawHeaderTest06);
3947  UtRegisterTest("DetectHttpRawHeaderTest07", DetectHttpRawHeaderTest07);
3948  UtRegisterTest("DetectHttpRawHeaderTest08", DetectHttpRawHeaderTest08);
3949  UtRegisterTest("DetectHttpRawHeaderTest09", DetectHttpRawHeaderTest09);
3950  UtRegisterTest("DetectHttpRawHeaderTest10", DetectHttpRawHeaderTest10);
3951  UtRegisterTest("DetectHttpRawHeaderTest11", DetectHttpRawHeaderTest11);
3952  UtRegisterTest("DetectHttpRawHeaderTest12", DetectHttpRawHeaderTest12);
3953  UtRegisterTest("DetectHttpRawHeaderTest13", DetectHttpRawHeaderTest13);
3954 }
3955 
3956 #endif /* UNITTESTS */
3957 
3958 /**
3959  * @}
3960  */
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition: util-unittest-helper.c:890
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1264
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:510
DetectHttpRawHeaderRegisterTests
void DetectHttpRawHeaderRegisterTests(void)
Definition: detect-http-raw-header.c:3876
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2611
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:300
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1938
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:55
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:504
Flow_::protoctx
void * protoctx
Definition: flow.h:446
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
HtpState_
Definition: app-layer-htp.h:238
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:461
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1093
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3347
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2285
Packet_
Definition: decode.h:473
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:233
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2144
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:279
Packet_::flow
struct Flow_ * flow
Definition: decode.h:512
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:792
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1265
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:849
Flow_::alstate
void * alstate
Definition: flow.h:481
Flow_::flags
uint32_t flags
Definition: flow.h:426
Signature_
Signature container.
Definition: detect.h:601
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:234
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2572
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1261
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:450