suricata
detect-http-raw-header.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP raw header match.
31  *
32  */
33 
34 #include "../suricata-common.h"
35 #include "../suricata.h"
36 #include "../decode.h"
37 
38 #include "../detect.h"
39 #include "../detect-engine.h"
40 #include "../detect-isdataat.h"
41 #include "../detect-pcre.h"
42 
43 #include "../stream-tcp.h"
44 #include "../app-layer.h"
45 #include "../app-layer-htp.h"
46 #include "../app-layer-protos.h"
47 #include "../app-layer-parser.h"
48 
49 #include "../util-unittest.h"
50 #include "../util-unittest-helper.h"
51 #include "../util-validate.h"
52 
53 /***********************************Unittests**********************************/
54 
55 #ifdef UNITTESTS
56 
57 /**
58  * \test Test parser accepting valid rules and rejecting invalid rules
59  */
60 static int DetectHttpRawHeaderParserTest01(void)
61 {
62  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; http_raw_header; sid:1;)", true));
63  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; nocase; http_raw_header; sid:1;)", true));
64  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; endswith; http_raw_header; sid:1;)", true));
65  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; http_raw_header; sid:1;)", true));
66  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; endswith; http_raw_header; sid:1;)", true));
67 
68  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; rawbytes; http_raw_header; sid:1;)", false));
69  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http_raw_header; sid:1;)", false));
70  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; content:\"abc\"; http_raw_header; sid:1;)", false));
71  PASS;
72 }
73 
74 /**
75  * \test Test parser accepting valid rules and rejecting invalid rules
76  */
77 static int DetectHttpRawHeaderParserTest02(void)
78 {
79  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; sid:1;)", true));
80  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; nocase; sid:1;)", true));
81  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; endswith; sid:1;)", true));
82  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; startswith; sid:1;)", true));
83  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; startswith; endswith; sid:1;)", true));
84  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; bsize:10; sid:1;)", true));
85 
86  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; rawbytes; sid:1;)", false));
87  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http.header.raw; sid:1;)", false));
88  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; sid:1;)", false));
89  PASS;
90 }
91 
92 /**
93  *\test Test that the http_header content matches against a http request
94  * which holds the content.
95  */
96 static int DetectEngineHttpRawHeaderTest01(void)
97 {
98  TcpSession ssn;
99  Packet *p = NULL;
100  ThreadVars th_v;
101  DetectEngineCtx *de_ctx = NULL;
102  DetectEngineThreadCtx *det_ctx = NULL;
103  HtpState *http_state = NULL;
104  Flow f;
105  uint8_t http_buf[] =
106  "GET /index.html HTTP/1.0\r\n"
107  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
108  uint32_t http_len = sizeof(http_buf) - 1;
109  int result = 0;
111 
112  memset(&th_v, 0, sizeof(th_v));
113  memset(&f, 0, sizeof(f));
114  memset(&ssn, 0, sizeof(ssn));
115 
116  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
117 
118  FLOW_INITIALIZE(&f);
119  f.protoctx = (void *)&ssn;
120  f.proto = IPPROTO_TCP;
121  f.flags |= FLOW_IPV4;
122  p->flow = &f;
126  f.alproto = ALPROTO_HTTP;
127 
129 
130  de_ctx = DetectEngineCtxInit();
131  if (de_ctx == NULL)
132  goto end;
133 
134  de_ctx->flags |= DE_QUIET;
135 
136  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
137  "(msg:\"http header test\"; flow:to_server; "
138  "content:\"one\"; http_raw_header; "
139  "sid:1;)");
140  if (de_ctx->sig_list == NULL)
141  goto end;
142 
143  SigGroupBuild(de_ctx);
144  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
145 
146  FLOWLOCK_WRLOCK(&f);
147  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
148  STREAM_TOSERVER, http_buf, http_len);
149  if (r != 0) {
150  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
151  result = 0;
152  FLOWLOCK_UNLOCK(&f);
153  goto end;
154  }
155  FLOWLOCK_UNLOCK(&f);
156 
157  http_state = f.alstate;
158  if (http_state == NULL) {
159  printf("no http state: ");
160  result = 0;
161  goto end;
162  }
163 
164  /* do detect */
165  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
166 
167  if (!(PacketAlertCheck(p, 1))) {
168  printf("sid 1 didn't match but should have: ");
169  goto end;
170  }
171 
172  result = 1;
173 end:
174  if (alp_tctx != NULL)
175  AppLayerParserThreadCtxFree(alp_tctx);
176  if (de_ctx != NULL)
177  DetectEngineCtxFree(de_ctx);
178 
180  FLOW_DESTROY(&f);
181  UTHFreePackets(&p, 1);
182  return result;
183 }
184 
185 /**
186  *\test Test that the http_header content matches against a http request
187  * which holds the content.
188  */
189 static int DetectEngineHttpRawHeaderTest02(void)
190 {
191  TcpSession ssn;
192  Packet *p = NULL;
193  ThreadVars th_v;
194  DetectEngineCtx *de_ctx = NULL;
195  DetectEngineThreadCtx *det_ctx = NULL;
196  HtpState *http_state = NULL;
197  Flow f;
198  uint8_t http_buf[] =
199  "GET /index.html HTTP/1.0\r\n"
200  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
201  uint32_t http_len = sizeof(http_buf) - 1;
202  int result = 0;
204 
205  memset(&th_v, 0, sizeof(th_v));
206  memset(&f, 0, sizeof(f));
207  memset(&ssn, 0, sizeof(ssn));
208 
209  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
210 
211  FLOW_INITIALIZE(&f);
212  f.protoctx = (void *)&ssn;
213  f.proto = IPPROTO_TCP;
214  f.flags |= FLOW_IPV4;
215  p->flow = &f;
219  f.alproto = ALPROTO_HTTP;
220 
222 
223  de_ctx = DetectEngineCtxInit();
224  if (de_ctx == NULL)
225  goto end;
226 
227  de_ctx->flags |= DE_QUIET;
228 
229  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
230  "(msg:\"http header test\"; flow:to_server; "
231  "content:\"one\"; depth:15; http_raw_header; "
232  "sid:1;)");
233  if (de_ctx->sig_list == NULL)
234  goto end;
235 
236  SigGroupBuild(de_ctx);
237  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
238 
239  FLOWLOCK_WRLOCK(&f);
240  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
241  STREAM_TOSERVER, http_buf, http_len);
242  if (r != 0) {
243  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
244  result = 0;
245  FLOWLOCK_UNLOCK(&f);
246  goto end;
247  }
248  FLOWLOCK_UNLOCK(&f);
249 
250  http_state = f.alstate;
251  if (http_state == NULL) {
252  printf("no http state: ");
253  result = 0;
254  goto end;
255  }
256 
257  /* do detect */
258  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
259 
260  if (!(PacketAlertCheck(p, 1))) {
261  printf("sid 1 didn't match but should have: ");
262  goto end;
263  }
264 
265  result = 1;
266 end:
267  if (alp_tctx != NULL)
268  AppLayerParserThreadCtxFree(alp_tctx);
269  if (de_ctx != NULL)
270  DetectEngineCtxFree(de_ctx);
271 
273  FLOW_DESTROY(&f);
274  UTHFreePackets(&p, 1);
275  return result;
276 }
277 
278 /**
279  *\test Test that the http_header content matches against a http request
280  * which holds the content.
281  */
282 static int DetectEngineHttpRawHeaderTest03(void)
283 {
284  TcpSession ssn;
285  Packet *p = NULL;
286  ThreadVars th_v;
287  DetectEngineCtx *de_ctx = NULL;
288  DetectEngineThreadCtx *det_ctx = NULL;
289  HtpState *http_state = NULL;
290  Flow f;
291  uint8_t http_buf[] =
292  "GET /index.html HTTP/1.0\r\n"
293  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
294  uint32_t http_len = sizeof(http_buf) - 1;
295  int result = 0;
297 
298  memset(&th_v, 0, sizeof(th_v));
299  memset(&f, 0, sizeof(f));
300  memset(&ssn, 0, sizeof(ssn));
301 
302  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
303 
304  FLOW_INITIALIZE(&f);
305  f.protoctx = (void *)&ssn;
306  f.proto = IPPROTO_TCP;
307  f.flags |= FLOW_IPV4;
308  p->flow = &f;
312  f.alproto = ALPROTO_HTTP;
313 
315 
316  de_ctx = DetectEngineCtxInit();
317  if (de_ctx == NULL)
318  goto end;
319 
320  de_ctx->flags |= DE_QUIET;
321 
322  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
323  "(msg:\"http header test\"; flow:to_server; "
324  "content:!\"one\"; depth:5; http_raw_header; "
325  "sid:1;)");
326  if (de_ctx->sig_list == NULL)
327  goto end;
328 
329  SigGroupBuild(de_ctx);
330  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
331 
332  FLOWLOCK_WRLOCK(&f);
333  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
334  STREAM_TOSERVER, http_buf, http_len);
335  if (r != 0) {
336  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
337  result = 0;
338  FLOWLOCK_UNLOCK(&f);
339  goto end;
340  }
341  FLOWLOCK_UNLOCK(&f);
342 
343  http_state = f.alstate;
344  if (http_state == NULL) {
345  printf("no http state: ");
346  result = 0;
347  goto end;
348  }
349 
350  /* do detect */
351  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
352 
353  if (!(PacketAlertCheck(p, 1))) {
354  printf("sid 1 didn't match but should have: ");
355  goto end;
356  }
357 
358  result = 1;
359 end:
360  if (alp_tctx != NULL)
361  AppLayerParserThreadCtxFree(alp_tctx);
362  if (de_ctx != NULL)
363  DetectEngineCtxFree(de_ctx);
364 
366  FLOW_DESTROY(&f);
367  UTHFreePackets(&p, 1);
368  return result;
369 }
370 
371 /**
372  *\test Test that the http_header content matches against a http request
373  * which holds the content.
374  */
375 static int DetectEngineHttpRawHeaderTest04(void)
376 {
377  TcpSession ssn;
378  Packet *p = NULL;
379  ThreadVars th_v;
380  DetectEngineCtx *de_ctx = NULL;
381  DetectEngineThreadCtx *det_ctx = NULL;
382  HtpState *http_state = NULL;
383  Flow f;
384  uint8_t http_buf[] =
385  "GET /index.html HTTP/1.0\r\n"
386  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
387  uint32_t http_len = sizeof(http_buf) - 1;
388  int result = 0;
390 
391  memset(&th_v, 0, sizeof(th_v));
392  memset(&f, 0, sizeof(f));
393  memset(&ssn, 0, sizeof(ssn));
394 
395  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
396 
397  FLOW_INITIALIZE(&f);
398  f.protoctx = (void *)&ssn;
399  f.proto = IPPROTO_TCP;
400  f.flags |= FLOW_IPV4;
401  p->flow = &f;
405  f.alproto = ALPROTO_HTTP;
406 
408 
409  de_ctx = DetectEngineCtxInit();
410  if (de_ctx == NULL)
411  goto end;
412 
413  de_ctx->flags |= DE_QUIET;
414 
415  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
416  "(msg:\"http header test\"; flow:to_server; "
417  "content:\"one\"; depth:5; http_raw_header; "
418  "sid:1;)");
419  if (de_ctx->sig_list == NULL)
420  goto end;
421 
422  SigGroupBuild(de_ctx);
423  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
424 
425  FLOWLOCK_WRLOCK(&f);
426  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
427  STREAM_TOSERVER, http_buf, http_len);
428  if (r != 0) {
429  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
430  result = 0;
431  FLOWLOCK_UNLOCK(&f);
432  goto end;
433  }
434  FLOWLOCK_UNLOCK(&f);
435 
436  http_state = f.alstate;
437  if (http_state == NULL) {
438  printf("no http state: ");
439  result = 0;
440  goto end;
441  }
442 
443  /* do detect */
444  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
445 
446  if (PacketAlertCheck(p, 1)) {
447  printf("sid 1 matched but shouldn't have: ");
448  goto end;
449  }
450 
451  result = 1;
452 end:
453  if (alp_tctx != NULL)
454  AppLayerParserThreadCtxFree(alp_tctx);
455  if (de_ctx != NULL)
456  DetectEngineCtxFree(de_ctx);
457 
459  FLOW_DESTROY(&f);
460  UTHFreePackets(&p, 1);
461  return result;
462 }
463 
464 /**
465  *\test Test that the http_header content matches against a http request
466  * which holds the content.
467  */
468 static int DetectEngineHttpRawHeaderTest05(void)
469 {
470  TcpSession ssn;
471  Packet *p = NULL;
472  ThreadVars th_v;
473  DetectEngineCtx *de_ctx = NULL;
474  DetectEngineThreadCtx *det_ctx = NULL;
475  HtpState *http_state = NULL;
476  Flow f;
477  uint8_t http_buf[] =
478  "GET /index.html HTTP/1.0\r\n"
479  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
480  uint32_t http_len = sizeof(http_buf) - 1;
481  int result = 0;
483 
484  memset(&th_v, 0, sizeof(th_v));
485  memset(&f, 0, sizeof(f));
486  memset(&ssn, 0, sizeof(ssn));
487 
488  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
489 
490  FLOW_INITIALIZE(&f);
491  f.protoctx = (void *)&ssn;
492  f.proto = IPPROTO_TCP;
493  f.flags |= FLOW_IPV4;
494  p->flow = &f;
498  f.alproto = ALPROTO_HTTP;
499 
501 
502  de_ctx = DetectEngineCtxInit();
503  if (de_ctx == NULL)
504  goto end;
505 
506  de_ctx->flags |= DE_QUIET;
507 
508  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
509  "(msg:\"http header test\"; flow:to_server; "
510  "content:!\"one\"; depth:15; http_raw_header; "
511  "sid:1;)");
512  if (de_ctx->sig_list == NULL)
513  goto end;
514 
515  SigGroupBuild(de_ctx);
516  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
517 
518  FLOWLOCK_WRLOCK(&f);
519  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
520  STREAM_TOSERVER, http_buf, http_len);
521  if (r != 0) {
522  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
523  result = 0;
524  FLOWLOCK_UNLOCK(&f);
525  goto end;
526  }
527  FLOWLOCK_UNLOCK(&f);
528 
529  http_state = f.alstate;
530  if (http_state == NULL) {
531  printf("no http state: ");
532  result = 0;
533  goto end;
534  }
535 
536  /* do detect */
537  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
538 
539  if (PacketAlertCheck(p, 1)) {
540  printf("sid 1 matched but shouldn't have: ");
541  goto end;
542  }
543 
544  result = 1;
545 end:
546  if (alp_tctx != NULL)
547  AppLayerParserThreadCtxFree(alp_tctx);
548  if (de_ctx != NULL)
549  DetectEngineCtxFree(de_ctx);
550 
552  FLOW_DESTROY(&f);
553  UTHFreePackets(&p, 1);
554  return result;
555 }
556 
557 /**
558  *\test Test that the http_header content matches against a http request
559  * which holds the content.
560  */
561 static int DetectEngineHttpRawHeaderTest06(void)
562 {
563  TcpSession ssn;
564  Packet *p = NULL;
565  ThreadVars th_v;
566  DetectEngineCtx *de_ctx = NULL;
567  DetectEngineThreadCtx *det_ctx = NULL;
568  HtpState *http_state = NULL;
569  Flow f;
570  uint8_t http_buf[] =
571  "GET /index.html HTTP/1.0\r\n"
572  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
573  uint32_t http_len = sizeof(http_buf) - 1;
574  int result = 0;
576 
577  memset(&th_v, 0, sizeof(th_v));
578  memset(&f, 0, sizeof(f));
579  memset(&ssn, 0, sizeof(ssn));
580 
581  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
582 
583  FLOW_INITIALIZE(&f);
584  f.protoctx = (void *)&ssn;
585  f.proto = IPPROTO_TCP;
586  f.flags |= FLOW_IPV4;
587  p->flow = &f;
591  f.alproto = ALPROTO_HTTP;
592 
594 
595  de_ctx = DetectEngineCtxInit();
596  if (de_ctx == NULL)
597  goto end;
598 
599  de_ctx->flags |= DE_QUIET;
600 
601  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
602  "(msg:\"http header test\"; flow:to_server; "
603  "content:\"one\"; offset:10; http_raw_header; "
604  "sid:1;)");
605  if (de_ctx->sig_list == NULL)
606  goto end;
607 
608  SigGroupBuild(de_ctx);
609  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
610 
611  FLOWLOCK_WRLOCK(&f);
612  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
613  STREAM_TOSERVER, http_buf, http_len);
614  if (r != 0) {
615  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
616  result = 0;
617  FLOWLOCK_UNLOCK(&f);
618  goto end;
619  }
620  FLOWLOCK_UNLOCK(&f);
621 
622  http_state = f.alstate;
623  if (http_state == NULL) {
624  printf("no http state: ");
625  result = 0;
626  goto end;
627  }
628 
629  /* do detect */
630  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
631 
632  if (!(PacketAlertCheck(p, 1))) {
633  printf("sid 1 didn't match but should have: ");
634  goto end;
635  }
636 
637  result = 1;
638 end:
639  if (alp_tctx != NULL)
640  AppLayerParserThreadCtxFree(alp_tctx);
641  if (de_ctx != NULL)
642  DetectEngineCtxFree(de_ctx);
643 
645  FLOW_DESTROY(&f);
646  UTHFreePackets(&p, 1);
647  return result;
648 }
649 
650 /**
651  *\test Test that the http_header content matches against a http request
652  * which holds the content.
653  */
654 static int DetectEngineHttpRawHeaderTest07(void)
655 {
656  TcpSession ssn;
657  Packet *p = NULL;
658  ThreadVars th_v;
659  DetectEngineCtx *de_ctx = NULL;
660  DetectEngineThreadCtx *det_ctx = NULL;
661  HtpState *http_state = NULL;
662  Flow f;
663  uint8_t http_buf[] =
664  "GET /index.html HTTP/1.0\r\n"
665  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
666  uint32_t http_len = sizeof(http_buf) - 1;
667  int result = 0;
669 
670  memset(&th_v, 0, sizeof(th_v));
671  memset(&f, 0, sizeof(f));
672  memset(&ssn, 0, sizeof(ssn));
673 
674  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
675 
676  FLOW_INITIALIZE(&f);
677  f.protoctx = (void *)&ssn;
678  f.proto = IPPROTO_TCP;
679  f.flags |= FLOW_IPV4;
680  p->flow = &f;
684  f.alproto = ALPROTO_HTTP;
685 
687 
688  de_ctx = DetectEngineCtxInit();
689  if (de_ctx == NULL)
690  goto end;
691 
692  de_ctx->flags |= DE_QUIET;
693 
694  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
695  "(msg:\"http header test\"; flow:to_server; "
696  "content:!\"one\"; offset:15; http_raw_header; "
697  "sid:1;)");
698  if (de_ctx->sig_list == NULL)
699  goto end;
700 
701  SigGroupBuild(de_ctx);
702  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
703 
704  FLOWLOCK_WRLOCK(&f);
705  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
706  STREAM_TOSERVER, http_buf, http_len);
707  if (r != 0) {
708  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
709  result = 0;
710  FLOWLOCK_UNLOCK(&f);
711  goto end;
712  }
713  FLOWLOCK_UNLOCK(&f);
714 
715  http_state = f.alstate;
716  if (http_state == NULL) {
717  printf("no http state: ");
718  result = 0;
719  goto end;
720  }
721 
722  /* do detect */
723  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
724 
725  if (!(PacketAlertCheck(p, 1))) {
726  printf("sid 1 didn't match but should have: ");
727  goto end;
728  }
729 
730  result = 1;
731 end:
732  if (alp_tctx != NULL)
733  AppLayerParserThreadCtxFree(alp_tctx);
734  if (de_ctx != NULL)
735  DetectEngineCtxFree(de_ctx);
736 
738  FLOW_DESTROY(&f);
739  UTHFreePackets(&p, 1);
740  return result;
741 }
742 
743 /**
744  *\test Test that the http_header content matches against a http request
745  * which holds the content.
746  */
747 static int DetectEngineHttpRawHeaderTest08(void)
748 {
749  TcpSession ssn;
750  Packet *p = NULL;
751  ThreadVars th_v;
752  DetectEngineCtx *de_ctx = NULL;
753  DetectEngineThreadCtx *det_ctx = NULL;
754  HtpState *http_state = NULL;
755  Flow f;
756  uint8_t http_buf[] =
757  "GET /index.html HTTP/1.0\r\n"
758  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
759  uint32_t http_len = sizeof(http_buf) - 1;
760  int result = 0;
762 
763  memset(&th_v, 0, sizeof(th_v));
764  memset(&f, 0, sizeof(f));
765  memset(&ssn, 0, sizeof(ssn));
766 
767  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
768 
769  FLOW_INITIALIZE(&f);
770  f.protoctx = (void *)&ssn;
771  f.proto = IPPROTO_TCP;
772  f.flags |= FLOW_IPV4;
773  p->flow = &f;
777  f.alproto = ALPROTO_HTTP;
778 
780 
781  de_ctx = DetectEngineCtxInit();
782  if (de_ctx == NULL)
783  goto end;
784 
785  de_ctx->flags |= DE_QUIET;
786 
787  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
788  "(msg:\"http header test\"; flow:to_server; "
789  "content:\"one\"; offset:15; http_raw_header; "
790  "sid:1;)");
791  if (de_ctx->sig_list == NULL)
792  goto end;
793 
794  SigGroupBuild(de_ctx);
795  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
796 
797  FLOWLOCK_WRLOCK(&f);
798  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
799  STREAM_TOSERVER, http_buf, http_len);
800  if (r != 0) {
801  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
802  result = 0;
803  FLOWLOCK_UNLOCK(&f);
804  goto end;
805  }
806  FLOWLOCK_UNLOCK(&f);
807 
808  http_state = f.alstate;
809  if (http_state == NULL) {
810  printf("no http state: ");
811  result = 0;
812  goto end;
813  }
814 
815  /* do detect */
816  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
817 
818  if (PacketAlertCheck(p, 1)) {
819  printf("sid 1 matched but shouldn't have: ");
820  goto end;
821  }
822 
823  result = 1;
824 end:
825  if (alp_tctx != NULL)
826  AppLayerParserThreadCtxFree(alp_tctx);
827  if (de_ctx != NULL)
828  DetectEngineCtxFree(de_ctx);
829 
831  FLOW_DESTROY(&f);
832  UTHFreePackets(&p, 1);
833  return result;
834 }
835 
836 /**
837  *\test Test that the http_header content matches against a http request
838  * which holds the content.
839  */
840 static int DetectEngineHttpRawHeaderTest09(void)
841 {
842  TcpSession ssn;
843  Packet *p = NULL;
844  ThreadVars th_v;
845  DetectEngineCtx *de_ctx = NULL;
846  DetectEngineThreadCtx *det_ctx = NULL;
847  HtpState *http_state = NULL;
848  Flow f;
849  uint8_t http_buf[] =
850  "GET /index.html HTTP/1.0\r\n"
851  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
852  uint32_t http_len = sizeof(http_buf) - 1;
853  int result = 0;
855 
856  memset(&th_v, 0, sizeof(th_v));
857  memset(&f, 0, sizeof(f));
858  memset(&ssn, 0, sizeof(ssn));
859 
860  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
861 
862  FLOW_INITIALIZE(&f);
863  f.protoctx = (void *)&ssn;
864  f.proto = IPPROTO_TCP;
865  f.flags |= FLOW_IPV4;
866  p->flow = &f;
870  f.alproto = ALPROTO_HTTP;
871 
873 
874  de_ctx = DetectEngineCtxInit();
875  if (de_ctx == NULL)
876  goto end;
877 
878  de_ctx->flags |= DE_QUIET;
879 
880  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
881  "(msg:\"http header test\"; flow:to_server; "
882  "content:!\"one\"; offset:10; http_raw_header; "
883  "sid:1;)");
884  if (de_ctx->sig_list == NULL)
885  goto end;
886 
887  SigGroupBuild(de_ctx);
888  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
889 
890  FLOWLOCK_WRLOCK(&f);
891  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
892  STREAM_TOSERVER, http_buf, http_len);
893  if (r != 0) {
894  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
895  result = 0;
896  FLOWLOCK_UNLOCK(&f);
897  goto end;
898  }
899  FLOWLOCK_UNLOCK(&f);
900 
901  http_state = f.alstate;
902  if (http_state == NULL) {
903  printf("no http state: ");
904  result = 0;
905  goto end;
906  }
907 
908  /* do detect */
909  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
910 
911  if (PacketAlertCheck(p, 1)) {
912  printf("sid 1 matched but shouldn't have: ");
913  goto end;
914  }
915 
916  result = 1;
917 end:
918  if (alp_tctx != NULL)
919  AppLayerParserThreadCtxFree(alp_tctx);
920  if (de_ctx != NULL)
921  DetectEngineCtxFree(de_ctx);
922 
924  FLOW_DESTROY(&f);
925  UTHFreePackets(&p, 1);
926  return result;
927 }
928 
929 /**
930  *\test Test that the http_header content matches against a http request
931  * which holds the content.
932  */
933 static int DetectEngineHttpRawHeaderTest10(void)
934 {
935  TcpSession ssn;
936  Packet *p = NULL;
937  ThreadVars th_v;
938  DetectEngineCtx *de_ctx = NULL;
939  DetectEngineThreadCtx *det_ctx = NULL;
940  HtpState *http_state = NULL;
941  Flow f;
942  uint8_t http_buf[] =
943  "GET /index.html HTTP/1.0\r\n"
944  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
945  uint32_t http_len = sizeof(http_buf) - 1;
946  int result = 0;
948 
949  memset(&th_v, 0, sizeof(th_v));
950  memset(&f, 0, sizeof(f));
951  memset(&ssn, 0, sizeof(ssn));
952 
953  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
954 
955  FLOW_INITIALIZE(&f);
956  f.protoctx = (void *)&ssn;
957  f.proto = IPPROTO_TCP;
958  f.flags |= FLOW_IPV4;
959  p->flow = &f;
963  f.alproto = ALPROTO_HTTP;
964 
966 
967  de_ctx = DetectEngineCtxInit();
968  if (de_ctx == NULL)
969  goto end;
970 
971  de_ctx->flags |= DE_QUIET;
972 
973  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
974  "(msg:\"http header test\"; flow:to_server; "
975  "content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:10; "
976  "sid:1;)");
977  if (de_ctx->sig_list == NULL)
978  goto end;
979 
980  SigGroupBuild(de_ctx);
981  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
982 
983  FLOWLOCK_WRLOCK(&f);
984  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
985  STREAM_TOSERVER, http_buf, http_len);
986  if (r != 0) {
987  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
988  result = 0;
989  FLOWLOCK_UNLOCK(&f);
990  goto end;
991  }
992  FLOWLOCK_UNLOCK(&f);
993 
994  http_state = f.alstate;
995  if (http_state == NULL) {
996  printf("no http state: ");
997  result = 0;
998  goto end;
999  }
1000 
1001  /* do detect */
1002  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1003 
1004  if (!(PacketAlertCheck(p, 1))) {
1005  printf("sid 1 didn't match but should have: ");
1006  goto end;
1007  }
1008 
1009  result = 1;
1010 end:
1011  if (alp_tctx != NULL)
1012  AppLayerParserThreadCtxFree(alp_tctx);
1013  if (de_ctx != NULL)
1014  DetectEngineCtxFree(de_ctx);
1015 
1017  FLOW_DESTROY(&f);
1018  UTHFreePackets(&p, 1);
1019  return result;
1020 }
1021 
1022 /**
1023  *\test Test that the http_header content matches against a http request
1024  * which holds the content.
1025  */
1026 static int DetectEngineHttpRawHeaderTest11(void)
1027 {
1028  TcpSession ssn;
1029  Packet *p = NULL;
1030  ThreadVars th_v;
1031  DetectEngineCtx *de_ctx = NULL;
1032  DetectEngineThreadCtx *det_ctx = NULL;
1033  HtpState *http_state = NULL;
1034  Flow f;
1035  uint8_t http_buf[] =
1036  "GET /index.html HTTP/1.0\r\n"
1037  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1038  uint32_t http_len = sizeof(http_buf) - 1;
1039  int result = 0;
1041 
1042  memset(&th_v, 0, sizeof(th_v));
1043  memset(&f, 0, sizeof(f));
1044  memset(&ssn, 0, sizeof(ssn));
1045 
1046  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1047 
1048  FLOW_INITIALIZE(&f);
1049  f.protoctx = (void *)&ssn;
1050  f.proto = IPPROTO_TCP;
1051  f.flags |= FLOW_IPV4;
1052  p->flow = &f;
1056  f.alproto = ALPROTO_HTTP;
1057 
1059 
1060  de_ctx = DetectEngineCtxInit();
1061  if (de_ctx == NULL)
1062  goto end;
1063 
1064  de_ctx->flags |= DE_QUIET;
1065 
1066  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1067  "(msg:\"http header test\"; flow:to_server; "
1068  "content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:5; "
1069  "sid:1;)");
1070  if (de_ctx->sig_list == NULL)
1071  goto end;
1072 
1073  SigGroupBuild(de_ctx);
1074  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1075 
1076  FLOWLOCK_WRLOCK(&f);
1077  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1078  STREAM_TOSERVER, http_buf, http_len);
1079  if (r != 0) {
1080  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1081  result = 0;
1082  FLOWLOCK_UNLOCK(&f);
1083  goto end;
1084  }
1085  FLOWLOCK_UNLOCK(&f);
1086 
1087  http_state = f.alstate;
1088  if (http_state == NULL) {
1089  printf("no http state: ");
1090  result = 0;
1091  goto end;
1092  }
1093 
1094  /* do detect */
1095  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1096 
1097  if (!(PacketAlertCheck(p, 1))) {
1098  printf("sid 1 didn't match but should have: ");
1099  goto end;
1100  }
1101 
1102  result = 1;
1103 end:
1104  if (alp_tctx != NULL)
1105  AppLayerParserThreadCtxFree(alp_tctx);
1106  if (de_ctx != NULL)
1107  DetectEngineCtxFree(de_ctx);
1108 
1110  FLOW_DESTROY(&f);
1111  UTHFreePackets(&p, 1);
1112  return result;
1113 }
1114 
1115 /**
1116  *\test Test that the http_header content matches against a http request
1117  * which holds the content.
1118  */
1119 static int DetectEngineHttpRawHeaderTest12(void)
1120 {
1121  TcpSession ssn;
1122  Packet *p = NULL;
1123  ThreadVars th_v;
1124  DetectEngineCtx *de_ctx = NULL;
1125  DetectEngineThreadCtx *det_ctx = NULL;
1126  HtpState *http_state = NULL;
1127  Flow f;
1128  uint8_t http_buf[] =
1129  "GET /index.html HTTP/1.0\r\n"
1130  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1131  uint32_t http_len = sizeof(http_buf) - 1;
1132  int result = 0;
1134 
1135  memset(&th_v, 0, sizeof(th_v));
1136  memset(&f, 0, sizeof(f));
1137  memset(&ssn, 0, sizeof(ssn));
1138 
1139  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1140 
1141  FLOW_INITIALIZE(&f);
1142  f.protoctx = (void *)&ssn;
1143  f.proto = IPPROTO_TCP;
1144  f.flags |= FLOW_IPV4;
1145  p->flow = &f;
1149  f.alproto = ALPROTO_HTTP;
1150 
1152 
1153  de_ctx = DetectEngineCtxInit();
1154  if (de_ctx == NULL)
1155  goto end;
1156 
1157  de_ctx->flags |= DE_QUIET;
1158 
1159  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1160  "(msg:\"http header test\"; flow:to_server; "
1161  "content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:10; "
1162  "sid:1;)");
1163  if (de_ctx->sig_list == NULL)
1164  goto end;
1165 
1166  SigGroupBuild(de_ctx);
1167  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1168 
1169  FLOWLOCK_WRLOCK(&f);
1170  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1171  STREAM_TOSERVER, http_buf, http_len);
1172  if (r != 0) {
1173  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1174  result = 0;
1175  FLOWLOCK_UNLOCK(&f);
1176  goto end;
1177  }
1178  FLOWLOCK_UNLOCK(&f);
1179 
1180  http_state = f.alstate;
1181  if (http_state == NULL) {
1182  printf("no http state: ");
1183  result = 0;
1184  goto end;
1185  }
1186 
1187  /* do detect */
1188  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1189 
1190  if (PacketAlertCheck(p, 1)) {
1191  printf("sid 1 matched but shouldn't have: ");
1192  goto end;
1193  }
1194 
1195  result = 1;
1196 end:
1197  if (alp_tctx != NULL)
1198  AppLayerParserThreadCtxFree(alp_tctx);
1199  if (de_ctx != NULL)
1200  DetectEngineCtxFree(de_ctx);
1201 
1203  FLOW_DESTROY(&f);
1204  UTHFreePackets(&p, 1);
1205  return result;
1206 }
1207 
1208 /**
1209  *\test Test that the http_header content matches against a http request
1210  * which holds the content.
1211  */
1212 static int DetectEngineHttpRawHeaderTest13(void)
1213 {
1214  TcpSession ssn;
1215  Packet *p = NULL;
1216  ThreadVars th_v;
1217  DetectEngineCtx *de_ctx = NULL;
1218  DetectEngineThreadCtx *det_ctx = NULL;
1219  HtpState *http_state = NULL;
1220  Flow f;
1221  uint8_t http_buf[] =
1222  "GET /index.html HTTP/1.0\r\n"
1223  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1224  uint32_t http_len = sizeof(http_buf) - 1;
1225  int result = 0;
1227 
1228  memset(&th_v, 0, sizeof(th_v));
1229  memset(&f, 0, sizeof(f));
1230  memset(&ssn, 0, sizeof(ssn));
1231 
1232  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1233 
1234  FLOW_INITIALIZE(&f);
1235  f.protoctx = (void *)&ssn;
1236  f.proto = IPPROTO_TCP;
1237  f.flags |= FLOW_IPV4;
1238  p->flow = &f;
1242  f.alproto = ALPROTO_HTTP;
1243 
1245 
1246  de_ctx = DetectEngineCtxInit();
1247  if (de_ctx == NULL)
1248  goto end;
1249 
1250  de_ctx->flags |= DE_QUIET;
1251 
1252  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1253  "(msg:\"http header test\"; flow:to_server; "
1254  "content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:5; "
1255  "sid:1;)");
1256  if (de_ctx->sig_list == NULL)
1257  goto end;
1258 
1259  SigGroupBuild(de_ctx);
1260  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1261 
1262  FLOWLOCK_WRLOCK(&f);
1263  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1264  STREAM_TOSERVER, http_buf, http_len);
1265  if (r != 0) {
1266  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1267  result = 0;
1268  FLOWLOCK_UNLOCK(&f);
1269  goto end;
1270  }
1271  FLOWLOCK_UNLOCK(&f);
1272 
1273  http_state = f.alstate;
1274  if (http_state == NULL) {
1275  printf("no http state: ");
1276  result = 0;
1277  goto end;
1278  }
1279 
1280  /* do detect */
1281  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1282 
1283  if (PacketAlertCheck(p, 1)) {
1284  printf("sid 1 matched but shouldn't have: ");
1285  goto end;
1286  }
1287 
1288  result = 1;
1289 end:
1290  if (alp_tctx != NULL)
1291  AppLayerParserThreadCtxFree(alp_tctx);
1292  if (de_ctx != NULL)
1293  DetectEngineCtxFree(de_ctx);
1294 
1296  FLOW_DESTROY(&f);
1297  UTHFreePackets(&p, 1);
1298  return result;
1299 }
1300 
1301 /**
1302  *\test Test that the http_header content matches against a http request
1303  * which holds the content.
1304  */
1305 static int DetectEngineHttpRawHeaderTest14(void)
1306 {
1307  TcpSession ssn;
1308  Packet *p = NULL;
1309  ThreadVars th_v;
1310  DetectEngineCtx *de_ctx = NULL;
1311  DetectEngineThreadCtx *det_ctx = NULL;
1312  HtpState *http_state = NULL;
1313  Flow f;
1314  uint8_t http_buf[] =
1315  "GET /index.html HTTP/1.0\r\n"
1316  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1317  uint32_t http_len = sizeof(http_buf) - 1;
1318  int result = 0;
1320 
1321  memset(&th_v, 0, sizeof(th_v));
1322  memset(&f, 0, sizeof(f));
1323  memset(&ssn, 0, sizeof(ssn));
1324 
1325  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1326 
1327  FLOW_INITIALIZE(&f);
1328  f.protoctx = (void *)&ssn;
1329  f.proto = IPPROTO_TCP;
1330  f.flags |= FLOW_IPV4;
1331  p->flow = &f;
1335  f.alproto = ALPROTO_HTTP;
1336 
1338 
1339  de_ctx = DetectEngineCtxInit();
1340  if (de_ctx == NULL)
1341  goto end;
1342 
1343  de_ctx->flags |= DE_QUIET;
1344 
1345  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1346  "(msg:\"http header test\"; flow:to_server; "
1347  "content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:7; "
1348  "sid:1;)");
1349  if (de_ctx->sig_list == NULL)
1350  goto end;
1351 
1352  SigGroupBuild(de_ctx);
1353  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1354 
1355  FLOWLOCK_WRLOCK(&f);
1356  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1357  STREAM_TOSERVER, http_buf, http_len);
1358  if (r != 0) {
1359  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1360  result = 0;
1361  FLOWLOCK_UNLOCK(&f);
1362  goto end;
1363  }
1364  FLOWLOCK_UNLOCK(&f);
1365 
1366  http_state = f.alstate;
1367  if (http_state == NULL) {
1368  printf("no http state: ");
1369  result = 0;
1370  goto end;
1371  }
1372 
1373  /* do detect */
1374  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1375 
1376  if (!(PacketAlertCheck(p, 1))) {
1377  printf("sid 1 didn't match but should have: ");
1378  goto end;
1379  }
1380 
1381  result = 1;
1382 end:
1383  if (alp_tctx != NULL)
1384  AppLayerParserThreadCtxFree(alp_tctx);
1385  if (de_ctx != NULL)
1386  DetectEngineCtxFree(de_ctx);
1387 
1389  FLOW_DESTROY(&f);
1390  UTHFreePackets(&p, 1);
1391  return result;
1392 }
1393 
1394 /**
1395  *\test Test that the http_header content matches against a http request
1396  * which holds the content.
1397  */
1398 static int DetectEngineHttpRawHeaderTest15(void)
1399 {
1400  TcpSession ssn;
1401  Packet *p = NULL;
1402  ThreadVars th_v;
1403  DetectEngineCtx *de_ctx = NULL;
1404  DetectEngineThreadCtx *det_ctx = NULL;
1405  HtpState *http_state = NULL;
1406  Flow f;
1407  uint8_t http_buf[] =
1408  "GET /index.html HTTP/1.0\r\n"
1409  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1410  uint32_t http_len = sizeof(http_buf) - 1;
1411  int result = 0;
1413 
1414  memset(&th_v, 0, sizeof(th_v));
1415  memset(&f, 0, sizeof(f));
1416  memset(&ssn, 0, sizeof(ssn));
1417 
1418  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1419 
1420  FLOW_INITIALIZE(&f);
1421  f.protoctx = (void *)&ssn;
1422  f.proto = IPPROTO_TCP;
1423  f.flags |= FLOW_IPV4;
1424  p->flow = &f;
1428  f.alproto = ALPROTO_HTTP;
1429 
1431 
1432  de_ctx = DetectEngineCtxInit();
1433  if (de_ctx == NULL)
1434  goto end;
1435 
1436  de_ctx->flags |= DE_QUIET;
1437 
1438  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1439  "(msg:\"http header test\"; flow:to_server; "
1440  "content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:15; "
1441  "sid:1;)");
1442  if (de_ctx->sig_list == NULL)
1443  goto end;
1444 
1445  SigGroupBuild(de_ctx);
1446  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1447 
1448  FLOWLOCK_WRLOCK(&f);
1449  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1450  STREAM_TOSERVER, http_buf, http_len);
1451  if (r != 0) {
1452  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1453  result = 0;
1454  FLOWLOCK_UNLOCK(&f);
1455  goto end;
1456  }
1457  FLOWLOCK_UNLOCK(&f);
1458 
1459  http_state = f.alstate;
1460  if (http_state == NULL) {
1461  printf("no http state: ");
1462  result = 0;
1463  goto end;
1464  }
1465 
1466  /* do detect */
1467  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1468 
1469  if (!(PacketAlertCheck(p, 1))) {
1470  printf("sid 1 didn't match but should have: ");
1471  goto end;
1472  }
1473 
1474  result = 1;
1475 end:
1476  if (alp_tctx != NULL)
1477  AppLayerParserThreadCtxFree(alp_tctx);
1478  if (de_ctx != NULL)
1479  DetectEngineCtxFree(de_ctx);
1480 
1482  FLOW_DESTROY(&f);
1483  UTHFreePackets(&p, 1);
1484  return result;
1485 }
1486 
1487 /**
1488  *\test Test that the http_header content matches against a http request
1489  * which holds the content.
1490  */
1491 static int DetectEngineHttpRawHeaderTest16(void)
1492 {
1493  TcpSession ssn;
1494  Packet *p = NULL;
1495  ThreadVars th_v;
1496  DetectEngineCtx *de_ctx = NULL;
1497  DetectEngineThreadCtx *det_ctx = NULL;
1498  HtpState *http_state = NULL;
1499  Flow f;
1500  uint8_t http_buf[] =
1501  "GET /index.html HTTP/1.0\r\n"
1502  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1503  uint32_t http_len = sizeof(http_buf) - 1;
1504  int result = 0;
1506 
1507  memset(&th_v, 0, sizeof(th_v));
1508  memset(&f, 0, sizeof(f));
1509  memset(&ssn, 0, sizeof(ssn));
1510 
1511  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1512 
1513  FLOW_INITIALIZE(&f);
1514  f.protoctx = (void *)&ssn;
1515  f.proto = IPPROTO_TCP;
1516  f.flags |= FLOW_IPV4;
1517  p->flow = &f;
1521  f.alproto = ALPROTO_HTTP;
1522 
1524 
1525  de_ctx = DetectEngineCtxInit();
1526  if (de_ctx == NULL)
1527  goto end;
1528 
1529  de_ctx->flags |= DE_QUIET;
1530 
1531  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1532  "(msg:\"http header test\"; flow:to_server; "
1533  "content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:7; "
1534  "sid:1;)");
1535  if (de_ctx->sig_list == NULL)
1536  goto end;
1537 
1538  SigGroupBuild(de_ctx);
1539  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1540 
1541  FLOWLOCK_WRLOCK(&f);
1542  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1543  STREAM_TOSERVER, http_buf, http_len);
1544  if (r != 0) {
1545  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1546  result = 0;
1547  FLOWLOCK_UNLOCK(&f);
1548  goto end;
1549  }
1550  FLOWLOCK_UNLOCK(&f);
1551 
1552  http_state = f.alstate;
1553  if (http_state == NULL) {
1554  printf("no http state: ");
1555  result = 0;
1556  goto end;
1557  }
1558 
1559  /* do detect */
1560  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1561 
1562  if (PacketAlertCheck(p, 1)) {
1563  printf("sid 1 matched but shouldn't have: ");
1564  goto end;
1565  }
1566 
1567  result = 1;
1568 end:
1569  if (alp_tctx != NULL)
1570  AppLayerParserThreadCtxFree(alp_tctx);
1571  if (de_ctx != NULL)
1572  DetectEngineCtxFree(de_ctx);
1573 
1575  FLOW_DESTROY(&f);
1576  UTHFreePackets(&p, 1);
1577  return result;
1578 }
1579 
1580 /**
1581  *\test Test that the http_header content matches against a http request
1582  * which holds the content.
1583  */
1584 static int DetectEngineHttpRawHeaderTest17(void)
1585 {
1586  TcpSession ssn;
1587  Packet *p = NULL;
1588  ThreadVars th_v;
1589  DetectEngineCtx *de_ctx = NULL;
1590  DetectEngineThreadCtx *det_ctx = NULL;
1591  HtpState *http_state = NULL;
1592  Flow f;
1593  uint8_t http_buf[] =
1594  "GET /index.html HTTP/1.0\r\n"
1595  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1596  uint32_t http_len = sizeof(http_buf) - 1;
1597  int result = 0;
1599 
1600  memset(&th_v, 0, sizeof(th_v));
1601  memset(&f, 0, sizeof(f));
1602  memset(&ssn, 0, sizeof(ssn));
1603 
1604  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1605 
1606  FLOW_INITIALIZE(&f);
1607  f.protoctx = (void *)&ssn;
1608  f.proto = IPPROTO_TCP;
1609  f.flags |= FLOW_IPV4;
1610  p->flow = &f;
1614  f.alproto = ALPROTO_HTTP;
1615 
1617 
1618  de_ctx = DetectEngineCtxInit();
1619  if (de_ctx == NULL)
1620  goto end;
1621 
1622  de_ctx->flags |= DE_QUIET;
1623 
1624  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1625  "(msg:\"http header test\"; flow:to_server; "
1626  "content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:15; "
1627  "sid:1;)");
1628  if (de_ctx->sig_list == NULL)
1629  goto end;
1630 
1631  SigGroupBuild(de_ctx);
1632  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1633 
1634  FLOWLOCK_WRLOCK(&f);
1635  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1636  STREAM_TOSERVER, http_buf, http_len);
1637  if (r != 0) {
1638  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1639  result = 0;
1640  FLOWLOCK_UNLOCK(&f);
1641  goto end;
1642  }
1643  FLOWLOCK_UNLOCK(&f);
1644 
1645  http_state = f.alstate;
1646  if (http_state == NULL) {
1647  printf("no http state: ");
1648  result = 0;
1649  goto end;
1650  }
1651 
1652  /* do detect */
1653  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1654 
1655  if (PacketAlertCheck(p, 1)) {
1656  printf("sid 1 matched but shouldn't have: ");
1657  goto end;
1658  }
1659 
1660  result = 1;
1661 end:
1662  if (alp_tctx != NULL)
1663  AppLayerParserThreadCtxFree(alp_tctx);
1664  if (de_ctx != NULL)
1665  DetectEngineCtxFree(de_ctx);
1666 
1668  FLOW_DESTROY(&f);
1669  UTHFreePackets(&p, 1);
1670  return result;
1671 }
1672 
1673 static int DetectEngineHttpRawHeaderTest20(void)
1674 {
1675  TcpSession ssn;
1676  ThreadVars th_v;
1677  DetectEngineThreadCtx *det_ctx = NULL;
1678  Flow f;
1679  uint8_t http1_buf[] =
1680  "GET /index.html HTTP/1.0\r\n"
1681  "Host: This_is_dummy_body1";
1682  uint8_t http2_buf[] =
1683  "This_is_dummy_message_body2\r\n"
1684  "\r\n";
1685  uint32_t http1_len = sizeof(http1_buf) - 1;
1686  uint32_t http2_len = sizeof(http2_buf) - 1;
1688  FAIL_IF_NULL(alp_tctx);
1689 
1690  memset(&th_v, 0, sizeof(th_v));
1691  memset(&f, 0, sizeof(f));
1692  memset(&ssn, 0, sizeof(ssn));
1693 
1694  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1695  FAIL_IF_NULL(p1);
1696  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1697  FAIL_IF_NULL(p2);
1698 
1699  FLOW_INITIALIZE(&f);
1700  f.protoctx = (void *)&ssn;
1701  f.proto = IPPROTO_TCP;
1702  f.flags |= FLOW_IPV4;
1703 
1704  p1->flow = &f;
1708  p2->flow = &f;
1712  f.alproto = ALPROTO_HTTP;
1713 
1715 
1717  FAIL_IF_NULL(de_ctx);
1718  de_ctx->flags |= DE_QUIET;
1719 
1720  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1721  "(flow:to_server; pcre:/body1/D; "
1722  "content:!\"dummy\"; http_raw_header; within:7; "
1723  "sid:1;)");
1724  FAIL_IF_NULL(s);
1725 
1726  SigGroupBuild(de_ctx);
1727  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1728  FAIL_IF_NULL(det_ctx);
1729 
1730  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1731  STREAM_TOSERVER, http1_buf, http1_len);
1732  FAIL_IF_NOT(r == 0);
1733 
1734  HtpState *http_state = f.alstate;
1735  FAIL_IF_NULL(http_state);
1736 
1737  /* do detect */
1738  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1739  FAIL_IF(PacketAlertCheck(p1, 1));
1740 
1741  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1742  STREAM_TOSERVER, http2_buf, http2_len);
1743  FAIL_IF_NOT(r == 0);
1744 
1745  /* do detect */
1746  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1747 
1748  FAIL_IF(!PacketAlertCheck(p2, 1));
1749 
1750  AppLayerParserThreadCtxFree(alp_tctx);
1751  DetectEngineCtxFree(de_ctx);
1752 
1754  FLOW_DESTROY(&f);
1755  UTHFreePackets(&p1, 1);
1756  UTHFreePackets(&p2, 1);
1757 
1758  PASS;
1759 }
1760 
1761 static int DetectEngineHttpRawHeaderTest21(void)
1762 {
1763  TcpSession ssn;
1764  Packet *p1 = NULL;
1765  Packet *p2 = NULL;
1766  ThreadVars th_v;
1767  DetectEngineCtx *de_ctx = NULL;
1768  DetectEngineThreadCtx *det_ctx = NULL;
1769  HtpState *http_state = NULL;
1770  Flow f;
1771  uint8_t http1_buf[] =
1772  "GET /index.html HTTP/1.0\r\n"
1773  "Host: This_is_dummy_body1";
1774  uint8_t http2_buf[] =
1775  "This_is_dummy_message_body2\r\n"
1776  "\r\n";
1777  uint32_t http1_len = sizeof(http1_buf) - 1;
1778  uint32_t http2_len = sizeof(http2_buf) - 1;
1779  int result = 0;
1781 
1782  memset(&th_v, 0, sizeof(th_v));
1783  memset(&f, 0, sizeof(f));
1784  memset(&ssn, 0, sizeof(ssn));
1785 
1786  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1787  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1788 
1789  FLOW_INITIALIZE(&f);
1790  f.protoctx = (void *)&ssn;
1791  f.proto = IPPROTO_TCP;
1792  f.flags |= FLOW_IPV4;
1793 
1794  p1->flow = &f;
1798  p2->flow = &f;
1802  f.alproto = ALPROTO_HTTP;
1803 
1805 
1806  de_ctx = DetectEngineCtxInit();
1807  if (de_ctx == NULL)
1808  goto end;
1809 
1810  de_ctx->flags |= DE_QUIET;
1811 
1812  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1813  "(msg:\"http client body test\"; flow:to_server; "
1814  "pcre:/body1/D; "
1815  "content:!\"dummy\"; within:7; http_raw_header; "
1816  "sid:1;)");
1817  if (de_ctx->sig_list == NULL)
1818  goto end;
1819 
1820  SigGroupBuild(de_ctx);
1821  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1822 
1823  FLOWLOCK_WRLOCK(&f);
1824  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1825  STREAM_TOSERVER, http1_buf, http1_len);
1826  if (r != 0) {
1827  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1828  result = 0;
1829  FLOWLOCK_UNLOCK(&f);
1830  goto end;
1831  }
1832  FLOWLOCK_UNLOCK(&f);
1833 
1834  http_state = f.alstate;
1835  if (http_state == NULL) {
1836  printf("no http state: \n");
1837  result = 0;
1838  goto end;
1839  }
1840 
1841  /* do detect */
1842  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1843 
1844  if (PacketAlertCheck(p1, 1)) {
1845  printf("sid 1 matched but shouldn't have\n");
1846  goto end;
1847  }
1848 
1849  FLOWLOCK_WRLOCK(&f);
1850  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1851  STREAM_TOSERVER, http2_buf, http2_len);
1852  if (r != 0) {
1853  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1854  result = 0;
1855  FLOWLOCK_UNLOCK(&f);
1856  goto end;
1857  }
1858  FLOWLOCK_UNLOCK(&f);
1859 
1860  /* do detect */
1861  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1862 
1863  if (!PacketAlertCheck(p2, 1)) {
1864  printf("sid 1 didn't match but shouldn't have");
1865  goto end;
1866  }
1867 
1868  result = 1;
1869 
1870 end:
1871  if (alp_tctx != NULL)
1872  AppLayerParserThreadCtxFree(alp_tctx);
1873  if (de_ctx != NULL)
1874  DetectEngineCtxFree(de_ctx);
1875 
1877  FLOW_DESTROY(&f);
1878  UTHFreePackets(&p1, 1);
1879  UTHFreePackets(&p2, 1);
1880  return result;
1881 }
1882 
1883 static int DetectEngineHttpRawHeaderTest22(void)
1884 {
1885  TcpSession ssn;
1886  Packet *p1 = NULL;
1887  Packet *p2 = NULL;
1888  ThreadVars th_v;
1889  DetectEngineCtx *de_ctx = NULL;
1890  DetectEngineThreadCtx *det_ctx = NULL;
1891  HtpState *http_state = NULL;
1892  Flow f;
1893  uint8_t http1_buf[] =
1894  "GET /index.html HTTP/1.0\r\n"
1895  "Host: This_is_dummy_body1";
1896  uint8_t http2_buf[] =
1897  "This_is_dummy_message_body2\r\n"
1898  "\r\n";
1899  uint32_t http1_len = sizeof(http1_buf) - 1;
1900  uint32_t http2_len = sizeof(http2_buf) - 1;
1901  int result = 0;
1903 
1904  memset(&th_v, 0, sizeof(th_v));
1905  memset(&f, 0, sizeof(f));
1906  memset(&ssn, 0, sizeof(ssn));
1907 
1908  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1909  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1910 
1911  FLOW_INITIALIZE(&f);
1912  f.protoctx = (void *)&ssn;
1913  f.proto = IPPROTO_TCP;
1914  f.flags |= FLOW_IPV4;
1915 
1916  p1->flow = &f;
1920  p2->flow = &f;
1924  f.alproto = ALPROTO_HTTP;
1925 
1927 
1928  de_ctx = DetectEngineCtxInit();
1929  if (de_ctx == NULL)
1930  goto end;
1931 
1932  de_ctx->flags |= DE_QUIET;
1933 
1934  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1935  "(msg:\"http client body test\"; flow:to_server; "
1936  "pcre:/body1/D; "
1937  "content:!\"dummy\"; distance:3; http_raw_header; "
1938  "sid:1;)");
1939  if (de_ctx->sig_list == NULL)
1940  goto end;
1941 
1942  SigGroupBuild(de_ctx);
1943  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1944 
1945  FLOWLOCK_WRLOCK(&f);
1946  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1947  STREAM_TOSERVER, http1_buf, http1_len);
1948  if (r != 0) {
1949  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1950  result = 0;
1951  FLOWLOCK_UNLOCK(&f);
1952  goto end;
1953  }
1954  FLOWLOCK_UNLOCK(&f);
1955 
1956  http_state = f.alstate;
1957  if (http_state == NULL) {
1958  printf("no http state: \n");
1959  result = 0;
1960  goto end;
1961  }
1962 
1963  /* do detect */
1964  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1965 
1966  if (PacketAlertCheck(p1, 1)) {
1967  printf("sid 1 matched but shouldn't have\n");
1968  goto end;
1969  }
1970 
1971  FLOWLOCK_WRLOCK(&f);
1972  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1973  STREAM_TOSERVER, http2_buf, http2_len);
1974  if (r != 0) {
1975  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1976  result = 0;
1977  FLOWLOCK_UNLOCK(&f);
1978  goto end;
1979  }
1980  FLOWLOCK_UNLOCK(&f);
1981 
1982  /* do detect */
1983  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1984 
1985  if (PacketAlertCheck(p2, 1)) {
1986  printf("sid 1 matched but shouldn't have");
1987  goto end;
1988  }
1989 
1990  result = 1;
1991 
1992 end:
1993  if (alp_tctx != NULL)
1994  AppLayerParserThreadCtxFree(alp_tctx);
1995  if (de_ctx != NULL)
1996  DetectEngineCtxFree(de_ctx);
1997 
1999  FLOW_DESTROY(&f);
2000  UTHFreePackets(&p1, 1);
2001  UTHFreePackets(&p2, 1);
2002  return result;
2003 }
2004 
2005 static int DetectEngineHttpRawHeaderTest23(void)
2006 {
2007  TcpSession ssn;
2008  Packet *p1 = NULL;
2009  Packet *p2 = NULL;
2010  ThreadVars th_v;
2011  DetectEngineCtx *de_ctx = NULL;
2012  DetectEngineThreadCtx *det_ctx = NULL;
2013  HtpState *http_state = NULL;
2014  Flow f;
2015  uint8_t http1_buf[] =
2016  "GET /index.html HTTP/1.0\r\n"
2017  "Host: This_is_dummy_body1";
2018  uint8_t http2_buf[] =
2019  "This_is_dummy_message_body2\r\n"
2020  "\r\n";
2021  uint32_t http1_len = sizeof(http1_buf) - 1;
2022  uint32_t http2_len = sizeof(http2_buf) - 1;
2023  int result = 0;
2025 
2026  memset(&th_v, 0, sizeof(th_v));
2027  memset(&f, 0, sizeof(f));
2028  memset(&ssn, 0, sizeof(ssn));
2029 
2030  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2031  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2032 
2033  FLOW_INITIALIZE(&f);
2034  f.protoctx = (void *)&ssn;
2035  f.proto = IPPROTO_TCP;
2036  f.flags |= FLOW_IPV4;
2037 
2038  p1->flow = &f;
2042  p2->flow = &f;
2046  f.alproto = ALPROTO_HTTP;
2047 
2049 
2050  de_ctx = DetectEngineCtxInit();
2051  if (de_ctx == NULL)
2052  goto end;
2053 
2054  de_ctx->flags |= DE_QUIET;
2055 
2056  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2057  "(msg:\"http client body test\"; flow:to_server; "
2058  "pcre:/body1/D; "
2059  "content:!\"dummy\"; distance:13; http_raw_header; "
2060  "sid:1;)");
2061  if (de_ctx->sig_list == NULL)
2062  goto end;
2063 
2064  SigGroupBuild(de_ctx);
2065  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2066 
2067  FLOWLOCK_WRLOCK(&f);
2068  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2069  STREAM_TOSERVER, http1_buf, http1_len);
2070  if (r != 0) {
2071  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2072  result = 0;
2073  FLOWLOCK_UNLOCK(&f);
2074  goto end;
2075  }
2076  FLOWLOCK_UNLOCK(&f);
2077 
2078  http_state = f.alstate;
2079  if (http_state == NULL) {
2080  printf("no http state: \n");
2081  result = 0;
2082  goto end;
2083  }
2084 
2085  /* do detect */
2086  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2087 
2088  if (PacketAlertCheck(p1, 1)) {
2089  printf("sid 1 matched but shouldn't have\n");
2090  goto end;
2091  }
2092 
2093  FLOWLOCK_WRLOCK(&f);
2094  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2095  STREAM_TOSERVER, http2_buf, http2_len);
2096  if (r != 0) {
2097  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2098  result = 0;
2099  FLOWLOCK_UNLOCK(&f);
2100  goto end;
2101  }
2102  FLOWLOCK_UNLOCK(&f);
2103 
2104  /* do detect */
2105  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2106 
2107  if (!PacketAlertCheck(p2, 1)) {
2108  printf("sid 1 didn't match but should have");
2109  goto end;
2110  }
2111 
2112  result = 1;
2113 
2114 end:
2115  if (alp_tctx != NULL)
2116  AppLayerParserThreadCtxFree(alp_tctx);
2117  if (de_ctx != NULL)
2118  DetectEngineCtxFree(de_ctx);
2119 
2121  FLOW_DESTROY(&f);
2122  UTHFreePackets(&p1, 1);
2123  UTHFreePackets(&p2, 1);
2124  return result;
2125 }
2126 
2127 static int DetectEngineHttpRawHeaderTest24(void)
2128 {
2129  TcpSession ssn;
2130  Packet *p1 = NULL;
2131  Packet *p2 = NULL;
2132  ThreadVars th_v;
2133  DetectEngineCtx *de_ctx = NULL;
2134  DetectEngineThreadCtx *det_ctx = NULL;
2135  HtpState *http_state = NULL;
2136  Flow f;
2137  uint8_t http1_buf[] =
2138  "GET /index.html HTTP/1.0\r\n"
2139  "Host: This_is_dummy_body1";
2140  uint8_t http2_buf[] =
2141  "This_is_dummy_message_body2\r\n"
2142  "\r\n";
2143  uint32_t http1_len = sizeof(http1_buf) - 1;
2144  uint32_t http2_len = sizeof(http2_buf) - 1;
2145  int result = 0;
2147 
2148  memset(&th_v, 0, sizeof(th_v));
2149  memset(&f, 0, sizeof(f));
2150  memset(&ssn, 0, sizeof(ssn));
2151 
2152  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2153  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2154 
2155  FLOW_INITIALIZE(&f);
2156  f.protoctx = (void *)&ssn;
2157  f.proto = IPPROTO_TCP;
2158  f.flags |= FLOW_IPV4;
2159 
2160  p1->flow = &f;
2164  p2->flow = &f;
2168  f.alproto = ALPROTO_HTTP;
2169 
2171 
2172  de_ctx = DetectEngineCtxInit();
2173  if (de_ctx == NULL)
2174  goto end;
2175 
2176  de_ctx->flags |= DE_QUIET;
2177 
2178  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2179  "(msg:\"http client body test\"; flow:to_server; "
2180  "pcre:/body1/D; "
2181  "content:\"dummy\"; within:15; http_raw_header; "
2182  "sid:1;)");
2183  if (de_ctx->sig_list == NULL)
2184  goto end;
2185 
2186  SigGroupBuild(de_ctx);
2187  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2188 
2189  FLOWLOCK_WRLOCK(&f);
2190  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2191  STREAM_TOSERVER, http1_buf, http1_len);
2192  if (r != 0) {
2193  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2194  result = 0;
2195  FLOWLOCK_UNLOCK(&f);
2196  goto end;
2197  }
2198  FLOWLOCK_UNLOCK(&f);
2199 
2200  http_state = f.alstate;
2201  if (http_state == NULL) {
2202  printf("no http state: \n");
2203  result = 0;
2204  goto end;
2205  }
2206 
2207  /* do detect */
2208  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2209 
2210  if (PacketAlertCheck(p1, 1)) {
2211  printf("sid 1 matched but shouldn't have\n");
2212  goto end;
2213  }
2214 
2215  FLOWLOCK_WRLOCK(&f);
2216  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2217  STREAM_TOSERVER, http2_buf, http2_len);
2218  if (r != 0) {
2219  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2220  result = 0;
2221  FLOWLOCK_UNLOCK(&f);
2222  goto end;
2223  }
2224  FLOWLOCK_UNLOCK(&f);
2225 
2226  /* do detect */
2227  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2228 
2229  if (!PacketAlertCheck(p2, 1)) {
2230  printf("sid 1 didn't match but should have");
2231  goto end;
2232  }
2233 
2234  result = 1;
2235 
2236 end:
2237  if (alp_tctx != NULL)
2238  AppLayerParserThreadCtxFree(alp_tctx);
2239  if (de_ctx != NULL)
2240  DetectEngineCtxFree(de_ctx);
2241 
2243  FLOW_DESTROY(&f);
2244  UTHFreePackets(&p1, 1);
2245  UTHFreePackets(&p2, 1);
2246  return result;
2247 }
2248 
2249 static int DetectEngineHttpRawHeaderTest25(void)
2250 {
2251  TcpSession ssn;
2252  Packet *p1 = NULL;
2253  Packet *p2 = NULL;
2254  ThreadVars th_v;
2255  DetectEngineCtx *de_ctx = NULL;
2256  DetectEngineThreadCtx *det_ctx = NULL;
2257  HtpState *http_state = NULL;
2258  Flow f;
2259  uint8_t http1_buf[] =
2260  "GET /index.html HTTP/1.0\r\n"
2261  "Host: This_is_dummy_body1";
2262  uint8_t http2_buf[] =
2263  "This_is_dummy_message_body2\r\n"
2264  "\r\n";
2265  uint32_t http1_len = sizeof(http1_buf) - 1;
2266  uint32_t http2_len = sizeof(http2_buf) - 1;
2267  int result = 0;
2269 
2270  memset(&th_v, 0, sizeof(th_v));
2271  memset(&f, 0, sizeof(f));
2272  memset(&ssn, 0, sizeof(ssn));
2273 
2274  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2275  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2276 
2277  FLOW_INITIALIZE(&f);
2278  f.protoctx = (void *)&ssn;
2279  f.proto = IPPROTO_TCP;
2280  f.flags |= FLOW_IPV4;
2281 
2282  p1->flow = &f;
2286  p2->flow = &f;
2290  f.alproto = ALPROTO_HTTP;
2291 
2293 
2294  de_ctx = DetectEngineCtxInit();
2295  if (de_ctx == NULL)
2296  goto end;
2297 
2298  de_ctx->flags |= DE_QUIET;
2299 
2300  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2301  "(msg:\"http client body test\"; flow:to_server; "
2302  "pcre:/body1/D; "
2303  "content:\"dummy\"; within:10; http_raw_header; "
2304  "sid:1;)");
2305  if (de_ctx->sig_list == NULL)
2306  goto end;
2307 
2308  SigGroupBuild(de_ctx);
2309  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2310 
2311  FLOWLOCK_WRLOCK(&f);
2312  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2313  STREAM_TOSERVER, http1_buf, http1_len);
2314  if (r != 0) {
2315  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2316  result = 0;
2317  FLOWLOCK_UNLOCK(&f);
2318  goto end;
2319  }
2320  FLOWLOCK_UNLOCK(&f);
2321 
2322  http_state = f.alstate;
2323  if (http_state == NULL) {
2324  printf("no http state: \n");
2325  result = 0;
2326  goto end;
2327  }
2328 
2329  /* do detect */
2330  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2331 
2332  if (PacketAlertCheck(p1, 1)) {
2333  printf("sid 1 matched but shouldn't have\n");
2334  goto end;
2335  }
2336 
2337  FLOWLOCK_WRLOCK(&f);
2338  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2339  STREAM_TOSERVER, http2_buf, http2_len);
2340  if (r != 0) {
2341  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2342  result = 0;
2343  FLOWLOCK_UNLOCK(&f);
2344  goto end;
2345  }
2346  FLOWLOCK_UNLOCK(&f);
2347 
2348  /* do detect */
2349  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2350 
2351  if (PacketAlertCheck(p2, 1)) {
2352  printf("sid 1 matched but shouldn't have");
2353  goto end;
2354  }
2355 
2356  result = 1;
2357 
2358 end:
2359  if (alp_tctx != NULL)
2360  AppLayerParserThreadCtxFree(alp_tctx);
2361  if (de_ctx != NULL)
2362  DetectEngineCtxFree(de_ctx);
2363 
2365  FLOW_DESTROY(&f);
2366  UTHFreePackets(&p1, 1);
2367  UTHFreePackets(&p2, 1);
2368  return result;
2369 }
2370 
2371 static int DetectEngineHttpRawHeaderTest26(void)
2372 {
2373  TcpSession ssn;
2374  Packet *p1 = NULL;
2375  Packet *p2 = NULL;
2376  ThreadVars th_v;
2377  DetectEngineCtx *de_ctx = NULL;
2378  DetectEngineThreadCtx *det_ctx = NULL;
2379  HtpState *http_state = NULL;
2380  Flow f;
2381  uint8_t http1_buf[] =
2382  "GET /index.html HTTP/1.0\r\n"
2383  "Host: This_is_dummy_body1";
2384  uint8_t http2_buf[] =
2385  "This_is_dummy_message_body2\r\n"
2386  "\r\n";
2387  uint32_t http1_len = sizeof(http1_buf) - 1;
2388  uint32_t http2_len = sizeof(http2_buf) - 1;
2389  int result = 0;
2391 
2392  memset(&th_v, 0, sizeof(th_v));
2393  memset(&f, 0, sizeof(f));
2394  memset(&ssn, 0, sizeof(ssn));
2395 
2396  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2397  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2398 
2399  FLOW_INITIALIZE(&f);
2400  f.protoctx = (void *)&ssn;
2401  f.proto = IPPROTO_TCP;
2402  f.flags |= FLOW_IPV4;
2403 
2404  p1->flow = &f;
2408  p2->flow = &f;
2412  f.alproto = ALPROTO_HTTP;
2413 
2415 
2416  de_ctx = DetectEngineCtxInit();
2417  if (de_ctx == NULL)
2418  goto end;
2419 
2420  de_ctx->flags |= DE_QUIET;
2421 
2422  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2423  "(msg:\"http client body test\"; flow:to_server; "
2424  "pcre:/body1/D; "
2425  "content:\"dummy\"; distance:8; http_raw_header; "
2426  "sid:1;)");
2427  if (de_ctx->sig_list == NULL)
2428  goto end;
2429 
2430  SigGroupBuild(de_ctx);
2431  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2432 
2433  FLOWLOCK_WRLOCK(&f);
2434  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2435  STREAM_TOSERVER, http1_buf, http1_len);
2436  if (r != 0) {
2437  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2438  result = 0;
2439  FLOWLOCK_UNLOCK(&f);
2440  goto end;
2441  }
2442  FLOWLOCK_UNLOCK(&f);
2443 
2444  http_state = f.alstate;
2445  if (http_state == NULL) {
2446  printf("no http state: \n");
2447  result = 0;
2448  goto end;
2449  }
2450 
2451  /* do detect */
2452  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2453 
2454  if (PacketAlertCheck(p1, 1)) {
2455  printf("sid 1 matched but shouldn't have\n");
2456  goto end;
2457  }
2458 
2459  FLOWLOCK_WRLOCK(&f);
2460  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2461  STREAM_TOSERVER, http2_buf, http2_len);
2462  if (r != 0) {
2463  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2464  result = 0;
2465  FLOWLOCK_UNLOCK(&f);
2466  goto end;
2467  }
2468  FLOWLOCK_UNLOCK(&f);
2469 
2470  /* do detect */
2471  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2472 
2473  if (!PacketAlertCheck(p2, 1)) {
2474  printf("sid 1 didn't match but should have");
2475  goto end;
2476  }
2477 
2478  result = 1;
2479 
2480 end:
2481  if (de_ctx != NULL)
2482  DetectEngineCtxFree(de_ctx);
2483 
2485  FLOW_DESTROY(&f);
2486  UTHFreePackets(&p1, 1);
2487  UTHFreePackets(&p2, 1);
2488  return result;
2489 }
2490 
2491 static int DetectEngineHttpRawHeaderTest27(void)
2492 {
2493  TcpSession ssn;
2494  Packet *p1 = NULL;
2495  Packet *p2 = NULL;
2496  ThreadVars th_v;
2497  DetectEngineCtx *de_ctx = NULL;
2498  DetectEngineThreadCtx *det_ctx = NULL;
2499  HtpState *http_state = NULL;
2500  Flow f;
2501  uint8_t http1_buf[] =
2502  "GET /index.html HTTP/1.0\r\n"
2503  "Host: This_is_dummy_body1";
2504  uint8_t http2_buf[] =
2505  "This_is_dummy_message_body2\r\n"
2506  "\r\n";
2507  uint32_t http1_len = sizeof(http1_buf) - 1;
2508  uint32_t http2_len = sizeof(http2_buf) - 1;
2509  int result = 0;
2511 
2512  memset(&th_v, 0, sizeof(th_v));
2513  memset(&f, 0, sizeof(f));
2514  memset(&ssn, 0, sizeof(ssn));
2515 
2516  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2517  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2518 
2519  FLOW_INITIALIZE(&f);
2520  f.protoctx = (void *)&ssn;
2521  f.proto = IPPROTO_TCP;
2522  f.flags |= FLOW_IPV4;
2523 
2524  p1->flow = &f;
2528  p2->flow = &f;
2532  f.alproto = ALPROTO_HTTP;
2533 
2535 
2536  de_ctx = DetectEngineCtxInit();
2537  if (de_ctx == NULL)
2538  goto end;
2539 
2540  de_ctx->flags |= DE_QUIET;
2541 
2542  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2543  "(msg:\"http client body test\"; flow:to_server; "
2544  "pcre:/body1/D; "
2545  "content:\"dummy\"; distance:14; http_raw_header; "
2546  "sid:1;)");
2547  if (de_ctx->sig_list == NULL)
2548  goto end;
2549 
2550  SigGroupBuild(de_ctx);
2551  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2552 
2553  FLOWLOCK_WRLOCK(&f);
2554  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2555  STREAM_TOSERVER, http1_buf, http1_len);
2556  if (r != 0) {
2557  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2558  result = 0;
2559  FLOWLOCK_UNLOCK(&f);
2560  goto end;
2561  }
2562  FLOWLOCK_UNLOCK(&f);
2563 
2564  http_state = f.alstate;
2565  if (http_state == NULL) {
2566  printf("no http state: \n");
2567  result = 0;
2568  goto end;
2569  }
2570 
2571  /* do detect */
2572  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2573 
2574  if (PacketAlertCheck(p1, 1)) {
2575  printf("sid 1 matched but shouldn't have\n");
2576  goto end;
2577  }
2578 
2579  FLOWLOCK_WRLOCK(&f);
2580  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2581  STREAM_TOSERVER, http2_buf, http2_len);
2582  if (r != 0) {
2583  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2584  result = 0;
2585  FLOWLOCK_UNLOCK(&f);
2586  goto end;
2587  }
2588  FLOWLOCK_UNLOCK(&f);
2589 
2590  /* do detect */
2591  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2592 
2593  if (PacketAlertCheck(p2, 1)) {
2594  printf("sid 1 matched but shouldn't have");
2595  goto end;
2596  }
2597 
2598  result = 1;
2599 
2600 end:
2601  if (alp_tctx != NULL)
2602  AppLayerParserThreadCtxFree(alp_tctx);
2603  if (de_ctx != NULL)
2604  DetectEngineCtxFree(de_ctx);
2605 
2607  FLOW_DESTROY(&f);
2608  UTHFreePackets(&p1, 1);
2609  UTHFreePackets(&p2, 1);
2610  return result;
2611 }
2612 
2613 static int DetectEngineHttpRawHeaderTest28(void)
2614 {
2615  TcpSession ssn;
2616  Packet *p1 = NULL;
2617  Packet *p2 = NULL;
2618  ThreadVars th_v;
2619  DetectEngineCtx *de_ctx = NULL;
2620  DetectEngineThreadCtx *det_ctx = NULL;
2621  HtpState *http_state = NULL;
2622  Flow f;
2623  uint8_t http_buf1[] =
2624  "GET /index.html HTTP/1.0\r\n"
2625  "Host: www.openinfosecfoundation.org\r\n"
2626  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2627  "\r\n";
2628  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
2629  uint8_t http_buf2[] =
2630  "HTTP/1.0 200 ok\r\n"
2631  "Content-Type: text/html\r\n"
2632  "Content-Length: 6\r\n"
2633  "\r\n"
2634  "abcdef";
2635  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
2636  int result = 0;
2638 
2639  memset(&th_v, 0, sizeof(th_v));
2640  memset(&f, 0, sizeof(f));
2641  memset(&ssn, 0, sizeof(ssn));
2642 
2643  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2644  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2645 
2646  FLOW_INITIALIZE(&f);
2647  f.protoctx = (void *)&ssn;
2648  f.proto = IPPROTO_TCP;
2649  f.flags |= FLOW_IPV4;
2650 
2651  p1->flow = &f;
2655  p2->flow = &f;
2659  f.alproto = ALPROTO_HTTP;
2660 
2662 
2663  de_ctx = DetectEngineCtxInit();
2664  if (de_ctx == NULL)
2665  goto end;
2666 
2667  de_ctx->flags |= DE_QUIET;
2668 
2669  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2670  "(msg:\"http header test\"; flow:to_client; "
2671  "content:\"Content-Length: 6\"; http_raw_header; "
2672  "sid:1;)");
2673  if (de_ctx->sig_list == NULL)
2674  goto end;
2675 
2676  SigGroupBuild(de_ctx);
2677  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2678 
2679  FLOWLOCK_WRLOCK(&f);
2680  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2681  STREAM_TOSERVER, http_buf1, http_buf1_len);
2682  if (r != 0) {
2683  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2684  result = 0;
2685  FLOWLOCK_UNLOCK(&f);
2686  goto end;
2687  }
2688  FLOWLOCK_UNLOCK(&f);
2689 
2690  http_state = f.alstate;
2691  if (http_state == NULL) {
2692  printf("no http state: \n");
2693  result = 0;
2694  goto end;
2695  }
2696 
2697  /* do detect */
2698  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2699 
2700  if (PacketAlertCheck(p1, 1)) {
2701  printf("sid 1 matched but shouldn't have\n");
2702  goto end;
2703  }
2704 
2705  FLOWLOCK_WRLOCK(&f);
2706  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2707  STREAM_TOCLIENT, http_buf2, http_buf2_len);
2708  if (r != 0) {
2709  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2710  result = 0;
2711  FLOWLOCK_UNLOCK(&f);
2712  goto end;
2713  }
2714  FLOWLOCK_UNLOCK(&f);
2715 
2716  /* do detect */
2717  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2718 
2719  if (!PacketAlertCheck(p2, 1)) {
2720  printf("sid 1 didn't match but should have");
2721  goto end;
2722  }
2723 
2724  result = 1;
2725 
2726 end:
2727  if (alp_tctx != NULL)
2728  AppLayerParserThreadCtxFree(alp_tctx);
2729  if (de_ctx != NULL)
2730  DetectEngineCtxFree(de_ctx);
2731 
2733  FLOW_DESTROY(&f);
2734  UTHFreePackets(&p1, 1);
2735  UTHFreePackets(&p2, 1);
2736  return result;
2737 }
2738 
2739 static int DetectEngineHttpRawHeaderTest29(void)
2740 {
2741  TcpSession ssn;
2742  Packet *p1 = NULL;
2743  Packet *p2 = NULL;
2744  ThreadVars th_v;
2745  DetectEngineCtx *de_ctx = NULL;
2746  DetectEngineThreadCtx *det_ctx = NULL;
2747  HtpState *http_state = NULL;
2748  Flow f;
2749  uint8_t http_buf1[] =
2750  "GET /index.html HTTP/1.0\r\n"
2751  "Host: www.openinfosecfoundation.org\r\n"
2752  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2753  "\r\n";
2754  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
2755  uint8_t http_buf2[] =
2756  "HTTP/1.0 200 ok\r\n"
2757  "Content-Type: text/html\r\n"
2758  "Content-Length: 6\r\n"
2759  "\r\n"
2760  "abcdef";
2761  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
2762  int result = 0;
2764 
2765  memset(&th_v, 0, sizeof(th_v));
2766  memset(&f, 0, sizeof(f));
2767  memset(&ssn, 0, sizeof(ssn));
2768 
2769  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2770  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2771 
2772  FLOW_INITIALIZE(&f);
2773  f.protoctx = (void *)&ssn;
2774  f.proto = IPPROTO_TCP;
2775  f.flags |= FLOW_IPV4;
2776 
2777  p1->flow = &f;
2781  p2->flow = &f;
2785  f.alproto = ALPROTO_HTTP;
2786 
2788 
2789  de_ctx = DetectEngineCtxInit();
2790  if (de_ctx == NULL)
2791  goto end;
2792 
2793  de_ctx->flags |= DE_QUIET;
2794 
2795  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2796  "(msg:\"http header test\"; flow:to_client; "
2797  "content:\"Content-Length: 7\"; http_raw_header; "
2798  "sid:1;)");
2799  if (de_ctx->sig_list == NULL)
2800  goto end;
2801 
2802  SigGroupBuild(de_ctx);
2803  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2804 
2805  FLOWLOCK_WRLOCK(&f);
2806  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2807  STREAM_TOSERVER, http_buf1, http_buf1_len);
2808  if (r != 0) {
2809  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2810  result = 0;
2811  FLOWLOCK_UNLOCK(&f);
2812  goto end;
2813  }
2814  FLOWLOCK_UNLOCK(&f);
2815 
2816  http_state = f.alstate;
2817  if (http_state == NULL) {
2818  printf("no http state: \n");
2819  result = 0;
2820  goto end;
2821  }
2822 
2823  /* do detect */
2824  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2825 
2826  if (PacketAlertCheck(p1, 1)) {
2827  printf("sid 1 matched but shouldn't have\n");
2828  goto end;
2829  }
2830 
2831  FLOWLOCK_WRLOCK(&f);
2832  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2833  STREAM_TOCLIENT, http_buf2, http_buf2_len);
2834  if (r != 0) {
2835  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2836  result = 0;
2837  FLOWLOCK_UNLOCK(&f);
2838  goto end;
2839  }
2840  FLOWLOCK_UNLOCK(&f);
2841 
2842  /* do detect */
2843  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2844 
2845  if (PacketAlertCheck(p2, 1)) {
2846  printf("sid 1 matched but shouldn't have");
2847  goto end;
2848  }
2849 
2850  result = 1;
2851 
2852 end:
2853  if (alp_tctx != NULL)
2854  AppLayerParserThreadCtxFree(alp_tctx);
2855  if (de_ctx != NULL)
2856  DetectEngineCtxFree(de_ctx);
2857 
2859  FLOW_DESTROY(&f);
2860  UTHFreePackets(&p1, 1);
2861  UTHFreePackets(&p2, 1);
2862  return result;
2863 }
2864 
2865 #if 0
2866 
2867 static int DetectEngineHttpRawHeaderTest30(void)
2868 {
2869  int result = 0;
2871 
2872  if (de_ctx == NULL) {
2873  goto end;
2874  }
2875 
2876  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
2877  "(msg:\"http header test\"; "
2878  "content:\"Content-Length: 6\"; http_raw_header; "
2879  "content:\"User-Agent: Mozilla\"; http_raw_header; "
2880  "sid:1;)");
2881  if (de_ctx->sig_list != NULL) {
2882  goto end;
2883  }
2884 
2885  result = 1;
2886 
2887  end:
2888  if (de_ctx != NULL)
2889  SigCleanSignatures(de_ctx);
2890  if (de_ctx != NULL)
2891  DetectEngineCtxFree(de_ctx);
2892  return result;
2893 }
2894 
2895 #endif /* #if 0 */
2896 
2897 /**
2898  * \test Trailing headers.
2899  */
2900 static int DetectEngineHttpRawHeaderTest31(void)
2901 {
2902  TcpSession ssn;
2903  Packet *p1 = NULL;
2904  ThreadVars th_v;
2905  DetectEngineCtx *de_ctx = NULL;
2906  DetectEngineThreadCtx *det_ctx = NULL;
2907  HtpState *http_state = NULL;
2908  Flow f;
2909  uint8_t http1_buf[] =
2910  "GET /index.html HTTP/1.0\r\n"
2911  "host: boom\r\n"
2912  "Transfer-Encoding: chunked\r\n"
2913  "\r\n"
2914  "13\r\n"
2915  "This is dummy body1\r\n"
2916  "0\r\n"
2917  "Dummy-Header: kaboom\r\n"
2918  "\r\n";
2919  uint32_t http1_len = sizeof(http1_buf) - 1;
2920  int result = 0;
2922 
2923  memset(&th_v, 0, sizeof(th_v));
2924  memset(&f, 0, sizeof(f));
2925  memset(&ssn, 0, sizeof(ssn));
2926 
2927  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2928 
2929  FLOW_INITIALIZE(&f);
2930  f.protoctx = (void *)&ssn;
2931  f.proto = IPPROTO_TCP;
2932  f.flags |= FLOW_IPV4;
2933 
2934  p1->flow = &f;
2938  f.alproto = ALPROTO_HTTP;
2939 
2941 
2942  de_ctx = DetectEngineCtxInit();
2943  if (de_ctx == NULL)
2944  goto end;
2945 
2946  de_ctx->flags |= DE_QUIET;
2947 
2948  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2949  "(flow:to_server; "
2950  "content:\"Dummy\"; http_raw_header; "
2951  "sid:1;)");
2952  if (de_ctx->sig_list == NULL)
2953  goto end;
2954 
2955  SigGroupBuild(de_ctx);
2956  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2957 
2958  FLOWLOCK_WRLOCK(&f);
2959  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2960  STREAM_TOSERVER, http1_buf, http1_len);
2961  if (r != 0) {
2962  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2963  result = 0;
2964  FLOWLOCK_UNLOCK(&f);
2965  goto end;
2966  }
2967  FLOWLOCK_UNLOCK(&f);
2968 
2969  http_state = f.alstate;
2970  if (http_state == NULL) {
2971  printf("no http state: \n");
2972  result = 0;
2973  goto end;
2974  }
2975 
2976  /* do detect */
2977  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2978 
2979  if (!(PacketAlertCheck(p1, 1))) {
2980  printf("sid 1 didn't match but should have: ");
2981  goto end;
2982  }
2983 
2984  result = 1;
2985 
2986 end:
2987  if (alp_tctx != NULL)
2988  AppLayerParserThreadCtxFree(alp_tctx);
2989  if (de_ctx != NULL)
2990  DetectEngineCtxFree(de_ctx);
2991 
2993  FLOW_DESTROY(&f);
2994  UTHFreePackets(&p1, 1);
2995  return result;
2996 }
2997 
2998 /**
2999  * \test Trailing headers.
3000  */
3001 static int DetectEngineHttpRawHeaderTest32(void)
3002 {
3003  TcpSession ssn;
3004  Packet *p1 = NULL;
3005  Packet *p2 = NULL;
3006  ThreadVars th_v;
3007  DetectEngineCtx *de_ctx = NULL;
3008  DetectEngineThreadCtx *det_ctx = NULL;
3009  HtpState *http_state = NULL;
3010  Flow f;
3011  uint8_t http1_buf[] =
3012  "GET /index.html HTTP/1.0\r\n"
3013  "host: boom\r\n"
3014  "Transfer-Encoding: chunked\r\n"
3015  "\r\n"
3016  "13\r\n"
3017  "This is dummy body1\r\n"
3018  "0\r\n";
3019  uint8_t http2_buf[] =
3020  "Dummy-Header: kaboom\r\n"
3021  "\r\n";
3022  uint32_t http1_len = sizeof(http1_buf) - 1;
3023  uint32_t http2_len = sizeof(http2_buf) - 1;
3024  int result = 0;
3026 
3027  memset(&th_v, 0, sizeof(th_v));
3028  memset(&f, 0, sizeof(f));
3029  memset(&ssn, 0, sizeof(ssn));
3030 
3031  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3032  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3033 
3034  FLOW_INITIALIZE(&f);
3035  f.protoctx = (void *)&ssn;
3036  f.proto = IPPROTO_TCP;
3037  f.flags |= FLOW_IPV4;
3038 
3039  p1->flow = &f;
3043  p2->flow = &f;
3047  f.alproto = ALPROTO_HTTP;
3048 
3050 
3051  de_ctx = DetectEngineCtxInit();
3052  if (de_ctx == NULL)
3053  goto end;
3054 
3055  de_ctx->flags |= DE_QUIET;
3056 
3057  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3058  "(flow:to_server; "
3059  "content:\"Dummy\"; http_raw_header; "
3060  "sid:1;)");
3061  if (de_ctx->sig_list == NULL)
3062  goto end;
3063 
3064  SigGroupBuild(de_ctx);
3065  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3066 
3067  FLOWLOCK_WRLOCK(&f);
3068  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3069  STREAM_TOSERVER, http1_buf, http1_len);
3070  if (r != 0) {
3071  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3072  result = 0;
3073  FLOWLOCK_UNLOCK(&f);
3074  goto end;
3075  }
3076  FLOWLOCK_UNLOCK(&f);
3077 
3078  http_state = f.alstate;
3079  if (http_state == NULL) {
3080  printf("no http state: \n");
3081  result = 0;
3082  goto end;
3083  }
3084 
3085  /* do detect */
3086  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3087 
3088  if (PacketAlertCheck(p1, 1)) {
3089  printf("sid 1 matched but shouldn't have\n");
3090  goto end;
3091  }
3092 
3093  FLOWLOCK_WRLOCK(&f);
3094  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3095  STREAM_TOSERVER, http2_buf, http2_len);
3096  if (r != 0) {
3097  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3098  result = 0;
3099  FLOWLOCK_UNLOCK(&f);
3100  goto end;
3101  }
3102  FLOWLOCK_UNLOCK(&f);
3103 
3104  /* do detect */
3105  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3106 
3107  if (!PacketAlertCheck(p2, 1)) {
3108  printf("sid 1 didn't match but should have\n");
3109  goto end;
3110  }
3111 
3112  result = 1;
3113 
3114 end:
3115  if (alp_tctx != NULL)
3116  AppLayerParserThreadCtxFree(alp_tctx);
3117  if (de_ctx != NULL)
3118  DetectEngineCtxFree(de_ctx);
3119 
3121  FLOW_DESTROY(&f);
3122  UTHFreePackets(&p1, 1);
3123  UTHFreePackets(&p2, 1);
3124  return result;
3125 }
3126 
3127 /**
3128  * \test Test that a signature containting a http_header is correctly parsed
3129  * and the keyword is registered.
3130  */
3131 static int DetectHttpRawHeaderTest01(void)
3132 {
3133  DetectEngineCtx *de_ctx = NULL;
3134  int result = 0;
3135  SigMatch *sm = NULL;
3136 
3137  de_ctx = DetectEngineCtxInit();
3138  if (de_ctx == NULL)
3139  goto end;
3140 
3141  de_ctx->flags |= DE_QUIET;
3142  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3143  "(msg:\"Testing http_header\"; flow:to_server; "
3144  "content:\"one\"; http_raw_header; sid:1;)");
3145  if (de_ctx->sig_list != NULL) {
3146  result = 1;
3147  } else {
3148  printf("Error parsing signature: ");
3149  goto end;
3150  }
3151 
3152  sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id];
3153  if (sm != NULL) {
3154  result &= (sm->type == DETECT_CONTENT);
3155  result &= (sm->next == NULL);
3156  } else {
3157  result = 0;
3158  printf("Error updating content pattern to http_header pattern: ");
3159  }
3160 
3161 
3162  end:
3163  DetectEngineCtxFree(de_ctx);
3164 
3165  return result;
3166 }
3167 
3168 /**
3169  * \test Test that a signature containing an valid http_header entry is
3170  * parsed.
3171  */
3172 static int DetectHttpRawHeaderTest02(void)
3173 {
3174  DetectEngineCtx *de_ctx = NULL;
3175  int result = 0;
3176 
3177  de_ctx = DetectEngineCtxInit();
3178  if (de_ctx == NULL)
3179  goto end;
3180 
3181  de_ctx->flags |= DE_QUIET;
3182  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3183  "(msg:\"Testing http_header\"; flow:to_server; "
3184  "content:\"one\"; http_raw_header:; sid:1;)");
3185  if (de_ctx->sig_list != NULL)
3186  result = 1;
3187  else
3188  printf("Error parsing signature: ");
3189 
3190  end:
3191  DetectEngineCtxFree(de_ctx);
3192 
3193  return result;
3194 }
3195 
3196 /**
3197  * \test Test that an invalid signature containing no content but a http_header
3198  * is invalidated.
3199  */
3200 static int DetectHttpRawHeaderTest03(void)
3201 {
3202  DetectEngineCtx *de_ctx = NULL;
3203  int result = 0;
3204 
3205  de_ctx = DetectEngineCtxInit();
3206  if (de_ctx == NULL)
3207  goto end;
3208 
3209  de_ctx->flags |= DE_QUIET;
3210  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3211  "(msg:\"Testing http_header\"; flow:to_server; "
3212  "http_raw_header; sid:1;)");
3213  if (de_ctx->sig_list == NULL)
3214  result = 1;
3215  else
3216  printf("Error parsing signature: ");
3217 
3218  end:
3219  DetectEngineCtxFree(de_ctx);
3220 
3221  return result;
3222 }
3223 
3224 /**
3225  * \test Test that an invalid signature containing a rawbytes along with a
3226  * http_header is invalidated.
3227  */
3228 static int DetectHttpRawHeaderTest04(void)
3229 {
3230  DetectEngineCtx *de_ctx = NULL;
3231  int result = 0;
3232 
3233  de_ctx = DetectEngineCtxInit();
3234  if (de_ctx == NULL)
3235  goto end;
3236 
3237  de_ctx->flags |= DE_QUIET;
3238  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3239  "(msg:\"Testing http_header\"; flow:to_server; "
3240  "content:\"one\"; rawbytes; http_raw_header; sid:1;)");
3241  if (de_ctx->sig_list == NULL)
3242  result = 1;
3243  else
3244  printf("Error parsing signature: ");
3245 
3246  end:
3247  DetectEngineCtxFree(de_ctx);
3248 
3249  return result;
3250 }
3251 
3252 /**
3253  * \test Test that an invalid signature containing a rawbytes along with a
3254  * http_header is invalidated.
3255  */
3256 static int DetectHttpRawHeaderTest05(void)
3257 {
3258  DetectEngineCtx *de_ctx = NULL;
3259  int result = 0;
3260 
3261  de_ctx = DetectEngineCtxInit();
3262  if (de_ctx == NULL)
3263  goto end;
3264 
3265  de_ctx->flags |= DE_QUIET;
3266  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3267  "(msg:\"Testing http_header\"; flow:to_server; "
3268  "content:\"one\"; nocase; http_raw_header; sid:1;)");
3269  if (de_ctx->sig_list != NULL)
3270  result = 1;
3271  else
3272  printf("Error parsing signature: ");
3273 
3274  end:
3275  DetectEngineCtxFree(de_ctx);
3276 
3277  return result;
3278 }
3279 
3280 /**
3281  *\test Test that the http_header content matches against a http request
3282  * which holds the content.
3283  */
3284 static int DetectHttpRawHeaderTest06(void)
3285 {
3286  TcpSession ssn;
3287  Packet *p = NULL;
3288  ThreadVars th_v;
3289  DetectEngineCtx *de_ctx = NULL;
3290  DetectEngineThreadCtx *det_ctx = NULL;
3291  HtpState *http_state = NULL;
3292  Flow f;
3293  uint8_t http_buf[] =
3294  "GET /index.html HTTP/1.0\r\n"
3295  "Host: www.openinfosecfoundation.org\r\n"
3296  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3297  "Content-Type: text/html\r\n"
3298  "Content-Length: 26\r\n"
3299  "\r\n"
3300  "This is dummy message body\r\n";
3301  uint32_t http_len = sizeof(http_buf) - 1;
3302  int result = 0;
3304 
3305  memset(&th_v, 0, sizeof(th_v));
3306  memset(&f, 0, sizeof(f));
3307  memset(&ssn, 0, sizeof(ssn));
3308 
3309  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3310 
3311  FLOW_INITIALIZE(&f);
3312  f.protoctx = (void *)&ssn;
3313  f.proto = IPPROTO_TCP;
3314  f.flags |= FLOW_IPV4;
3315  p->flow = &f;
3319  f.alproto = ALPROTO_HTTP;
3320 
3322 
3323  de_ctx = DetectEngineCtxInit();
3324  if (de_ctx == NULL)
3325  goto end;
3326 
3327  de_ctx->flags |= DE_QUIET;
3328 
3329  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3330  "(msg:\"http header test\"; flow:to_server; "
3331  "content:\"Content-Type: text/html\"; http_raw_header; "
3332  "sid:1;)");
3333  if (de_ctx->sig_list == NULL)
3334  goto end;
3335 
3336  SigGroupBuild(de_ctx);
3337  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3338 
3339  FLOWLOCK_WRLOCK(&f);
3340  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3341  STREAM_TOSERVER, http_buf, http_len);
3342  if (r != 0) {
3343  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3344  result = 0;
3345  FLOWLOCK_UNLOCK(&f);
3346  goto end;
3347  }
3348  FLOWLOCK_UNLOCK(&f);
3349 
3350  http_state = f.alstate;
3351  if (http_state == NULL) {
3352  printf("no http state: ");
3353  result = 0;
3354  goto end;
3355  }
3356 
3357  /* do detect */
3358  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3359 
3360  if (!(PacketAlertCheck(p, 1))) {
3361  printf("sid 1 didn't match but should have: ");
3362  goto end;
3363  }
3364 
3365  result = 1;
3366 end:
3367  if (alp_tctx != NULL)
3368  AppLayerParserThreadCtxFree(alp_tctx);
3369  if (de_ctx != NULL)
3370  DetectEngineCtxFree(de_ctx);
3371 
3373  FLOW_DESTROY(&f);
3374  UTHFreePackets(&p, 1);
3375  return result;
3376 }
3377 
3378 /**
3379  *\test Test that the http_header content matches against a http request
3380  * which holds the content.
3381  */
3382 static int DetectHttpRawHeaderTest07(void)
3383 {
3384  TcpSession ssn;
3385  Packet *p1 = NULL;
3386  Packet *p2 = NULL;
3387  ThreadVars th_v;
3388  DetectEngineCtx *de_ctx = NULL;
3389  DetectEngineThreadCtx *det_ctx = NULL;
3390  HtpState *http_state = NULL;
3391  Flow f;
3392  uint8_t http1_buf[] =
3393  "GET /index.html HTTP/1.0\r\n"
3394  "Host: www.openinfosecfoundation.org\r\n"
3395  "User-Agent: Mozi";
3396  uint8_t http2_buf[] =
3397  "lla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\nContent-Type: text/html\r\n"
3398  "Content-Length: 67\r\n"
3399  "\r\n"
3400  "This is dummy message body1";
3401  uint32_t http1_len = sizeof(http1_buf) - 1;
3402  uint32_t http2_len = sizeof(http2_buf) - 1;
3403  int result = 0;
3405 
3406  memset(&th_v, 0, sizeof(th_v));
3407  memset(&f, 0, sizeof(f));
3408  memset(&ssn, 0, sizeof(ssn));
3409 
3410  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3411  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3412 
3413  FLOW_INITIALIZE(&f);
3414  f.protoctx = (void *)&ssn;
3415  f.proto = IPPROTO_TCP;
3416  f.flags |= FLOW_IPV4;
3417  p1->flow = &f;
3421  p2->flow = &f;
3425  f.alproto = ALPROTO_HTTP;
3426 
3428 
3429  de_ctx = DetectEngineCtxInit();
3430  if (de_ctx == NULL)
3431  goto end;
3432 
3433  de_ctx->flags |= DE_QUIET;
3434 
3435  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3436  "(msg:\"http header test\"; flow:to_server; "
3437  "content:\"Mozilla\"; http_raw_header; "
3438  "sid:1;)");
3439  if (de_ctx->sig_list == NULL)
3440  goto end;
3441 
3442  SigGroupBuild(de_ctx);
3443  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3444 
3445  FLOWLOCK_WRLOCK(&f);
3446  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3447  STREAM_TOSERVER, http1_buf, http1_len);
3448  if (r != 0) {
3449  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3450  result = 0;
3451  FLOWLOCK_UNLOCK(&f);
3452  goto end;
3453  }
3454  FLOWLOCK_UNLOCK(&f);
3455 
3456  http_state = f.alstate;
3457  if (http_state == NULL) {
3458  printf("no http state: ");
3459  result = 0;
3460  goto end;
3461  }
3462 
3463  /* do detect */
3464  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3465 
3466  if ( (PacketAlertCheck(p1, 1))) {
3467  printf("sid 1 matched but shouldn't have: ");
3468  goto end;
3469  }
3470 
3471  FLOWLOCK_WRLOCK(&f);
3472  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3473  STREAM_TOSERVER, http2_buf, http2_len);
3474  if (r != 0) {
3475  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3476  result = 0;
3477  FLOWLOCK_UNLOCK(&f);
3478  goto end;
3479  }
3480  FLOWLOCK_UNLOCK(&f);
3481 
3482  /* do detect */
3483  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3484 
3485  if (!(PacketAlertCheck(p2, 1))) {
3486  printf("sid 1 didn't match but should have: ");
3487  goto end;
3488  }
3489 
3490  result = 1;
3491 end:
3492  if (alp_tctx != NULL)
3493  AppLayerParserThreadCtxFree(alp_tctx);
3494  if (de_ctx != NULL)
3495  DetectEngineCtxFree(de_ctx);
3496 
3498  FLOW_DESTROY(&f);
3499  UTHFreePackets(&p1, 1);
3500  UTHFreePackets(&p2, 1);
3501  return result;
3502 }
3503 
3504 /**
3505  *\test Test that the http_header content matches against a http request
3506  * which holds the content.
3507  */
3508 static int DetectHttpRawHeaderTest08(void)
3509 {
3510  TcpSession ssn;
3511  Packet *p1 = NULL;
3512  Packet *p2 = NULL;
3513  ThreadVars th_v;
3514  DetectEngineCtx *de_ctx = NULL;
3515  DetectEngineThreadCtx *det_ctx = NULL;
3516  HtpState *http_state = NULL;
3517  Flow f;
3518  uint8_t http1_buf[] =
3519  "GET /index.html HTTP/1.0\r\n"
3520  "Host: www.openinfosecfoundation.org\r\n";
3521  uint8_t http2_buf[] =
3522  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3523  "Content-Type: text/html\r\n"
3524  "Content-Length: 67\r\n"
3525  "\r\n";
3526  uint32_t http1_len = sizeof(http1_buf) - 1;
3527  uint32_t http2_len = sizeof(http2_buf) - 1;
3528  int result = 0;
3530 
3531  memset(&th_v, 0, sizeof(th_v));
3532  memset(&f, 0, sizeof(f));
3533  memset(&ssn, 0, sizeof(ssn));
3534 
3535  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3536  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3537 
3538  FLOW_INITIALIZE(&f);
3539  f.protoctx = (void *)&ssn;
3540  f.proto = IPPROTO_TCP;
3541  f.flags |= FLOW_IPV4;
3542  p1->flow = &f;
3546  p2->flow = &f;
3550  f.alproto = ALPROTO_HTTP;
3551 
3553 
3554  de_ctx = DetectEngineCtxInit();
3555  if (de_ctx == NULL)
3556  goto end;
3557 
3558  de_ctx->flags |= DE_QUIET;
3559 
3560  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3561  "(msg:\"http header test\"; flow:to_server; "
3562  "content:\"Gecko/20091221 Firefox/3.5.7\"; http_raw_header; "
3563  "sid:1;)");
3564  if (de_ctx->sig_list == NULL)
3565  goto end;
3566 
3567  SigGroupBuild(de_ctx);
3568  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3569 
3570  FLOWLOCK_WRLOCK(&f);
3571  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3572  STREAM_TOSERVER, http1_buf, http1_len);
3573  if (r != 0) {
3574  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3575  result = 0;
3576  FLOWLOCK_UNLOCK(&f);
3577  goto end;
3578  }
3579  FLOWLOCK_UNLOCK(&f);
3580 
3581  http_state = f.alstate;
3582  if (http_state == NULL) {
3583  printf("no http state: ");
3584  result = 0;
3585  goto end;
3586  }
3587 
3588  /* do detect */
3589  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3590 
3591  if ((PacketAlertCheck(p1, 1))) {
3592  printf("sid 1 didn't match but should have: ");
3593  goto end;
3594  }
3595 
3596  FLOWLOCK_WRLOCK(&f);
3597  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3598  STREAM_TOSERVER, http2_buf, http2_len);
3599  if (r != 0) {
3600  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3601  result = 0;
3602  FLOWLOCK_UNLOCK(&f);
3603  goto end;
3604  }
3605  FLOWLOCK_UNLOCK(&f);
3606 
3607  /* do detect */
3608  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3609 
3610  if (!(PacketAlertCheck(p2, 1))) {
3611  printf("sid 1 didn't match but should have: ");
3612  goto end;
3613  }
3614 
3615  result = 1;
3616 end:
3617  if (alp_tctx != NULL)
3618  AppLayerParserThreadCtxFree(alp_tctx);
3619  if (de_ctx != NULL)
3620  DetectEngineCtxFree(de_ctx);
3621 
3623  FLOW_DESTROY(&f);
3624  UTHFreePackets(&p1, 1);
3625  UTHFreePackets(&p2, 1);
3626  return result;
3627 }
3628 
3629 /**
3630  *\test Test that the http_header content matches against a http request
3631  * which holds the content, against a cross boundary present pattern.
3632  */
3633 static int DetectHttpRawHeaderTest09(void)
3634 {
3635  TcpSession ssn;
3636  Packet *p1 = NULL;
3637  Packet *p2 = NULL;
3638  ThreadVars th_v;
3639  DetectEngineCtx *de_ctx = NULL;
3640  DetectEngineThreadCtx *det_ctx = NULL;
3641  HtpState *http_state = NULL;
3642  Flow f;
3643  uint8_t http1_buf[] =
3644  "GET /index.html HTTP/1.0\r\n"
3645  "Host: www.openinfosecfoundation.org\r\n"
3646  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
3647  uint8_t http2_buf[] =
3648  "Content-Type: text/html\r\n"
3649  "Content-Length: 67\r\n"
3650  "\r\n"
3651  "This is dummy body\r\n";
3652  uint32_t http1_len = sizeof(http1_buf) - 1;
3653  uint32_t http2_len = sizeof(http2_buf) - 1;
3654  int result = 0;
3656 
3657  memset(&th_v, 0, sizeof(th_v));
3658  memset(&f, 0, sizeof(f));
3659  memset(&ssn, 0, sizeof(ssn));
3660 
3661  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3662  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3663 
3664  FLOW_INITIALIZE(&f);
3665  f.protoctx = (void *)&ssn;
3666  f.proto = IPPROTO_TCP;
3667  f.flags |= FLOW_IPV4;
3668  p1->flow = &f;
3672  p2->flow = &f;
3676  f.alproto = ALPROTO_HTTP;
3677 
3679 
3680  de_ctx = DetectEngineCtxInit();
3681  if (de_ctx == NULL)
3682  goto end;
3683 
3684  de_ctx->flags |= DE_QUIET;
3685 
3686  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3687  "(msg:\"http header test\"; flow:to_server; "
3688  "content:\"Firefox/3.5.7|0D 0A|Content\"; http_raw_header; "
3689  "sid:1;)");
3690  if (de_ctx->sig_list == NULL)
3691  goto end;
3692 
3693  SigGroupBuild(de_ctx);
3694  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3695 
3696  FLOWLOCK_WRLOCK(&f);
3697  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3698  STREAM_TOSERVER, http1_buf, http1_len);
3699  if (r != 0) {
3700  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3701  result = 0;
3702  FLOWLOCK_UNLOCK(&f);
3703  goto end;
3704  }
3705  FLOWLOCK_UNLOCK(&f);
3706 
3707  http_state = f.alstate;
3708  if (http_state == NULL) {
3709  printf("no http state: ");
3710  result = 0;
3711  goto end;
3712  }
3713 
3714  /* do detect */
3715  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3716 
3717  if ((PacketAlertCheck(p1, 1))) {
3718  printf("sid 1 didn't match but should have: ");
3719  goto end;
3720  }
3721 
3722  FLOWLOCK_WRLOCK(&f);
3723  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3724  STREAM_TOSERVER, http2_buf, http2_len);
3725  if (r != 0) {
3726  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3727  result = 0;
3728  FLOWLOCK_UNLOCK(&f);
3729  goto end;
3730  }
3731  FLOWLOCK_UNLOCK(&f);
3732 
3733  /* do detect */
3734  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3735 
3736  if (!(PacketAlertCheck(p2, 1))) {
3737  printf("sid 1 didn't match but should have: ");
3738  goto end;
3739  }
3740 
3741  result = 1;
3742 end:
3743  if (alp_tctx != NULL)
3744  AppLayerParserThreadCtxFree(alp_tctx);
3745  if (de_ctx != NULL)
3746  DetectEngineCtxFree(de_ctx);
3747 
3749  FLOW_DESTROY(&f);
3750  UTHFreePackets(&p1, 1);
3751  UTHFreePackets(&p2, 1);
3752  return result;
3753 }
3754 
3755 /**
3756  *\test Test that the http_header content matches against a http request
3757  * against a case insensitive pattern.
3758  */
3759 static int DetectHttpRawHeaderTest10(void)
3760 {
3761  TcpSession ssn;
3762  Packet *p1 = NULL;
3763  Packet *p2 = NULL;
3764  ThreadVars th_v;
3765  DetectEngineCtx *de_ctx = NULL;
3766  DetectEngineThreadCtx *det_ctx = NULL;
3767  HtpState *http_state = NULL;
3768  Flow f;
3769  uint8_t http1_buf[] =
3770  "GET /index.html HTTP/1.0\r\n"
3771  "Host: www.openinfosecfoundation.org\r\n"
3772  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
3773  uint8_t http2_buf[] =
3774  "Content-Type: text/html\r\n"
3775  "Content-Length: 67\r\n"
3776  "\r\n"
3777  "This is dummy body";
3778  uint32_t http1_len = sizeof(http1_buf) - 1;
3779  uint32_t http2_len = sizeof(http2_buf) - 1;
3780  int result = 0;
3782 
3783  memset(&th_v, 0, sizeof(th_v));
3784  memset(&f, 0, sizeof(f));
3785  memset(&ssn, 0, sizeof(ssn));
3786 
3787  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3788  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3789 
3790  FLOW_INITIALIZE(&f);
3791  f.protoctx = (void *)&ssn;
3792  f.proto = IPPROTO_TCP;
3793  f.flags |= FLOW_IPV4;
3794  p1->flow = &f;
3798  p2->flow = &f;
3802  f.alproto = ALPROTO_HTTP;
3803 
3805 
3806  de_ctx = DetectEngineCtxInit();
3807  if (de_ctx == NULL)
3808  goto end;
3809 
3810  de_ctx->flags |= DE_QUIET;
3811 
3812  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3813  "(msg:\"http header test\"; flow:to_server; "
3814  "content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_raw_header;"
3815  "sid:1;)");
3816  if (de_ctx->sig_list == NULL)
3817  goto end;
3818 
3819  SigGroupBuild(de_ctx);
3820  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3821 
3822  FLOWLOCK_WRLOCK(&f);
3823  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3824  STREAM_TOSERVER, http1_buf, http1_len);
3825  if (r != 0) {
3826  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3827  result = 0;
3828  FLOWLOCK_UNLOCK(&f);
3829  goto end;
3830  }
3831  FLOWLOCK_UNLOCK(&f);
3832 
3833  http_state = f.alstate;
3834  if (http_state == NULL) {
3835  printf("no http state: ");
3836  result = 0;
3837  goto end;
3838  }
3839 
3840  /* do detect */
3841  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3842 
3843  if ((PacketAlertCheck(p1, 1))) {
3844  printf("sid 1 didn't match but should have: ");
3845  goto end;
3846  }
3847 
3848  FLOWLOCK_WRLOCK(&f);
3849  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3850  STREAM_TOSERVER, http2_buf, http2_len);
3851  if (r != 0) {
3852  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3853  result = 0;
3854  FLOWLOCK_UNLOCK(&f);
3855  goto end;
3856  }
3857  FLOWLOCK_UNLOCK(&f);
3858 
3859  /* do detect */
3860  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3861 
3862  if (!(PacketAlertCheck(p2, 1))) {
3863  printf("sid 1 didn't match but should have: ");
3864  goto end;
3865  }
3866 
3867  result = 1;
3868 end:
3869  if (alp_tctx != NULL)
3870  AppLayerParserThreadCtxFree(alp_tctx);
3871  if (de_ctx != NULL)
3872  DetectEngineCtxFree(de_ctx);
3873 
3875  FLOW_DESTROY(&f);
3876  UTHFreePackets(&p1, 1);
3877  UTHFreePackets(&p2, 1);
3878  return result;
3879 }
3880 
3881 /**
3882  *\test Test that the negated http_header content matches against a
3883  * http request which doesn't hold the content.
3884  */
3885 static int DetectHttpRawHeaderTest11(void)
3886 {
3887  TcpSession ssn;
3888  Packet *p = NULL;
3889  ThreadVars th_v;
3890  DetectEngineCtx *de_ctx = NULL;
3891  DetectEngineThreadCtx *det_ctx = NULL;
3892  HtpState *http_state = NULL;
3893  Flow f;
3894  uint8_t http_buf[] =
3895  "GET /index.html HTTP/1.0\r\n"
3896  "Host: www.openinfosecfoundation.org\r\n"
3897  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3898  "Content-Type: text/html\r\n"
3899  "Content-Length: 26\r\n"
3900  "\r\n"
3901  "This is dummy message body\r\n";
3902  uint32_t http_len = sizeof(http_buf) - 1;
3903  int result = 0;
3905 
3906  memset(&th_v, 0, sizeof(th_v));
3907  memset(&f, 0, sizeof(f));
3908  memset(&ssn, 0, sizeof(ssn));
3909 
3910  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3911 
3912  FLOW_INITIALIZE(&f);
3913  f.protoctx = (void *)&ssn;
3914  f.proto = IPPROTO_TCP;
3915  f.flags |= FLOW_IPV4;
3916  p->flow = &f;
3920  f.alproto = ALPROTO_HTTP;
3921 
3923 
3924  de_ctx = DetectEngineCtxInit();
3925  if (de_ctx == NULL)
3926  goto end;
3927 
3928  de_ctx->flags |= DE_QUIET;
3929 
3930  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3931  "(msg:\"http header test\"; flow:to_server; "
3932  "content:!\"lalalalala\"; http_raw_header; "
3933  "sid:1;)");
3934  if (de_ctx->sig_list == NULL)
3935  goto end;
3936 
3937  SigGroupBuild(de_ctx);
3938  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3939 
3940  FLOWLOCK_WRLOCK(&f);
3941  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3942  STREAM_TOSERVER, http_buf, http_len);
3943  if (r != 0) {
3944  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3945  result = 0;
3946  FLOWLOCK_UNLOCK(&f);
3947  goto end;
3948  }
3949  FLOWLOCK_UNLOCK(&f);
3950 
3951  http_state = f.alstate;
3952  if (http_state == NULL) {
3953  printf("no http state: ");
3954  result = 0;
3955  goto end;
3956  }
3957 
3958  /* do detect */
3959  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3960 
3961  if (!(PacketAlertCheck(p, 1))) {
3962  printf("sid 1 didn't match but should have: ");
3963  goto end;
3964  }
3965 
3966  result = 1;
3967 end:
3968  if (alp_tctx != NULL)
3969  AppLayerParserThreadCtxFree(alp_tctx);
3970  if (de_ctx != NULL)
3971  DetectEngineCtxFree(de_ctx);
3972 
3974  FLOW_DESTROY(&f);
3975  UTHFreePackets(&p, 1);
3976  return result;
3977 }
3978 
3979 /**
3980  *\test Negative test that the negated http_header content matches against a
3981  * http request which holds hold the content.
3982  */
3983 static int DetectHttpRawHeaderTest12(void)
3984 {
3985  TcpSession ssn;
3986  Packet *p = NULL;
3987  ThreadVars th_v;
3988  DetectEngineCtx *de_ctx = NULL;
3989  DetectEngineThreadCtx *det_ctx = NULL;
3990  HtpState *http_state = NULL;
3991  Flow f;
3992  uint8_t http_buf[] =
3993  "GET /index.html HTTP/1.0\r\n"
3994  "Host: www.openinfosecfoundation.org\r\n"
3995  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3996  "Content-Type: text/html\r\n"
3997  "Content-Length: 26\r\n"
3998  "\r\n"
3999  "This is dummy message body\r\n";
4000  uint32_t http_len = sizeof(http_buf) - 1;
4001  int result = 0;
4003 
4004  memset(&th_v, 0, sizeof(th_v));
4005  memset(&f, 0, sizeof(f));
4006  memset(&ssn, 0, sizeof(ssn));
4007 
4008  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4009 
4010  FLOW_INITIALIZE(&f);
4011  f.protoctx = (void *)&ssn;
4012  f.proto = IPPROTO_TCP;
4013  f.flags |= FLOW_IPV4;
4014  p->flow = &f;
4018  f.alproto = ALPROTO_HTTP;
4019 
4021 
4022  de_ctx = DetectEngineCtxInit();
4023  if (de_ctx == NULL)
4024  goto end;
4025 
4026  de_ctx->flags |= DE_QUIET;
4027 
4028  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4029  "(msg:\"http header test\"; flow:to_server; "
4030  "content:!\"User-Agent: Mozilla/5.0 \"; http_raw_header; "
4031  "sid:1;)");
4032  if (de_ctx->sig_list == NULL)
4033  goto end;
4034 
4035  SigGroupBuild(de_ctx);
4036  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4037 
4038  FLOWLOCK_WRLOCK(&f);
4039  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4040  STREAM_TOSERVER, http_buf, http_len);
4041  if (r != 0) {
4042  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4043  result = 0;
4044  FLOWLOCK_UNLOCK(&f);
4045  goto end;
4046  }
4047  FLOWLOCK_UNLOCK(&f);
4048 
4049  http_state = f.alstate;
4050  if (http_state == NULL) {
4051  printf("no http state: ");
4052  result = 0;
4053  goto end;
4054  }
4055 
4056  /* do detect */
4057  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4058 
4059  if ((PacketAlertCheck(p, 1))) {
4060  printf("sid 1 didn't match but should have: ");
4061  goto end;
4062  }
4063 
4064  result = 1;
4065 end:
4066  if (alp_tctx != NULL)
4067  AppLayerParserThreadCtxFree(alp_tctx);
4068  if (de_ctx != NULL)
4069  DetectEngineCtxFree(de_ctx);
4070 
4072  FLOW_DESTROY(&f);
4073  UTHFreePackets(&p, 1);
4074  return result;
4075 }
4076 
4077 /**
4078  *\test Test that the http_header content matches against a http request
4079  * which holds the content.
4080  */
4081 static int DetectHttpRawHeaderTest13(void)
4082 {
4083  TcpSession ssn;
4084  Packet *p = NULL;
4085  ThreadVars th_v;
4086  DetectEngineCtx *de_ctx = NULL;
4087  DetectEngineThreadCtx *det_ctx = NULL;
4088  HtpState *http_state = NULL;
4089  Flow f;
4090  uint8_t http_buf[] =
4091  "GET /index.html HTTP/1.0\r\n"
4092  "Host: www.openinfosecfoundation.org\r\n"
4093  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4094  "Content-Type: text/html\r\n"
4095  "Content-Length: 100\r\n"
4096  "\r\n"
4097  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n";
4098  uint32_t http_len = sizeof(http_buf) - 1;
4099  int result = 0;
4101 
4102  memset(&th_v, 0, sizeof(th_v));
4103  memset(&f, 0, sizeof(f));
4104  memset(&ssn, 0, sizeof(ssn));
4105 
4106  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4107 
4108  FLOW_INITIALIZE(&f);
4109  f.protoctx = (void *)&ssn;
4110  f.proto = IPPROTO_TCP;
4111  f.flags |= FLOW_IPV4;
4112 
4113  p->flow = &f;
4117  f.alproto = ALPROTO_HTTP;
4118 
4120 
4121  de_ctx = DetectEngineCtxInit();
4122  if (de_ctx == NULL)
4123  goto end;
4124 
4125  de_ctx->flags |= DE_QUIET;
4126 
4127  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4128  "(msg:\"http header test\"; flow:to_server; "
4129  "content:\"Host: www.openinfosecfoundation.org\"; http_raw_header; "
4130  "sid:1;)");
4131  if (de_ctx->sig_list == NULL)
4132  goto end;
4133 
4134  SigGroupBuild(de_ctx);
4135  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4136 
4137  FLOWLOCK_WRLOCK(&f);
4138  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4139  STREAM_TOSERVER, http_buf, http_len);
4140  if (r != 0) {
4141  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4142  result = 0;
4143  FLOWLOCK_UNLOCK(&f);
4144  goto end;
4145  }
4146  FLOWLOCK_UNLOCK(&f);
4147 
4148  http_state = f.alstate;
4149  if (http_state == NULL) {
4150  printf("no http state: ");
4151  result = 0;
4152  goto end;
4153  }
4154 
4155  /* do detect */
4156  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4157 
4158  if (!(PacketAlertCheck(p, 1))) {
4159  printf("sid 1 didn't match but should have: ");
4160  goto end;
4161  }
4162 
4163  result = 1;
4164 end:
4165 
4166  if (alp_tctx != NULL)
4167  AppLayerParserThreadCtxFree(alp_tctx);
4168  if (de_ctx != NULL)
4169  DetectEngineCtxFree(de_ctx);
4170 
4172  FLOW_DESTROY(&f);
4173  UTHFreePackets(&p, 1);
4174  return result;
4175 }
4176 
4177 static int DetectHttpRawHeaderTest20(void)
4178 {
4179  DetectEngineCtx *de_ctx = NULL;
4180  int result = 0;
4181 
4182  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4183  goto end;
4184 
4185  de_ctx->flags |= DE_QUIET;
4186  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4187  "(flow:to_server; content:\"one\"; http_raw_header; "
4188  "content:\"two\"; distance:0; http_raw_header; sid:1;)");
4189  if (de_ctx->sig_list == NULL) {
4190  printf("de_ctx->sig_list == NULL\n");
4191  goto end;
4192  }
4193 
4194  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4195  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4196  goto end;
4197  }
4198 
4199  if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
4200  printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
4201  goto end;
4202  }
4203 
4204  DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
4205  DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
4206  if (hrhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4207  memcmp(hrhd1->content, "one", hrhd1->content_len) != 0 ||
4208  hrhd2->flags != DETECT_CONTENT_DISTANCE ||
4209  memcmp(hrhd2->content, "two", hrhd1->content_len) != 0) {
4210  goto end;
4211  }
4212 
4213  result = 1;
4214 
4215  end:
4216  SigCleanSignatures(de_ctx);
4217  DetectEngineCtxFree(de_ctx);
4218  return result;
4219 }
4220 
4221 static int DetectHttpRawHeaderTest21(void)
4222 {
4223  DetectEngineCtx *de_ctx = NULL;
4224  int result = 0;
4225 
4226  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4227  goto end;
4228 
4229  de_ctx->flags |= DE_QUIET;
4230  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4231  "(flow:to_server; content:\"one\"; http_raw_header; "
4232  "content:\"two\"; within:5; http_raw_header; sid:1;)");
4233  if (de_ctx->sig_list == NULL) {
4234  printf("de_ctx->sig_list == NULL\n");
4235  goto end;
4236  }
4237 
4238  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4239  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4240  goto end;
4241  }
4242 
4243  if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
4244  printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
4245  goto end;
4246  }
4247 
4248  DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
4249  DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
4250  if (hrhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4251  memcmp(hrhd1->content, "one", hrhd1->content_len) != 0 ||
4252  hrhd2->flags != DETECT_CONTENT_WITHIN ||
4253  memcmp(hrhd2->content, "two", hrhd1->content_len) != 0) {
4254  goto end;
4255  }
4256 
4257  result = 1;
4258 
4259  end:
4260  SigCleanSignatures(de_ctx);
4261  DetectEngineCtxFree(de_ctx);
4262  return result;
4263 }
4264 
4265 static int DetectHttpRawHeaderTest22(void)
4266 {
4267  DetectEngineCtx *de_ctx = NULL;
4268  int result = 0;
4269 
4270  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4271  goto end;
4272 
4273  de_ctx->flags |= DE_QUIET;
4274  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4275  "(flow:to_server; content:\"one\"; within:5; http_raw_header; sid:1;)");
4276  if (de_ctx->sig_list == NULL) {
4277  printf("de_ctx->sig_list == NULL\n");
4278  goto end;
4279  }
4280 
4281  result = 1;
4282 
4283  end:
4284  SigCleanSignatures(de_ctx);
4285  DetectEngineCtxFree(de_ctx);
4286  return result;
4287 }
4288 
4289 static int DetectHttpRawHeaderTest23(void)
4290 {
4291  DetectEngineCtx *de_ctx = NULL;
4292  int result = 0;
4293 
4294  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4295  goto end;
4296 
4297  de_ctx->flags |= DE_QUIET;
4298  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4299  "(flow:to_server; content:\"one\"; http_raw_header; within:5; sid:1;)");
4300  if (de_ctx->sig_list == NULL) {
4301  printf("de_ctx->sig_list == NULL\n");
4302  goto end;
4303  }
4304 
4305  result = 1;
4306 
4307  end:
4308  SigCleanSignatures(de_ctx);
4309  DetectEngineCtxFree(de_ctx);
4310  return result;
4311 }
4312 
4313 static int DetectHttpRawHeaderTest24(void)
4314 {
4315  DetectEngineCtx *de_ctx = NULL;
4316  int result = 0;
4317 
4318  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4319  goto end;
4320 
4321  de_ctx->flags |= DE_QUIET;
4322  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4323  "(flow:to_server; content:\"one\"; within:5; sid:1;)");
4324  if (de_ctx->sig_list == NULL) {
4325  printf("de_ctx->sig_list == NULL\n");
4326  goto end;
4327  }
4328 
4329  result = 1;
4330 
4331  end:
4332  SigCleanSignatures(de_ctx);
4333  DetectEngineCtxFree(de_ctx);
4334  return result;
4335 }
4336 
4337 static int DetectHttpRawHeaderTest25(void)
4338 {
4339  DetectEngineCtx *de_ctx = NULL;
4340  int result = 0;
4341 
4342  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4343  goto end;
4344 
4345  de_ctx->flags |= DE_QUIET;
4346  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4347  "(flow:to_server; pcre:/one/D; "
4348  "content:\"two\"; within:5; http_raw_header; sid:1;)");
4349  if (de_ctx->sig_list == NULL) {
4350  printf("de_ctx->sig_list == NULL\n");
4351  goto end;
4352  }
4353 
4354  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4355  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4356  goto end;
4357  }
4358 
4359  if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
4360  printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
4361  goto end;
4362  }
4363 
4364  if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
4365  de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_CONTENT ||
4366  de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
4367  de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_PCRE) {
4368 
4369  goto end;
4370  }
4371 
4372  DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
4373  DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
4374  if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
4375  hhd2->flags != DETECT_CONTENT_WITHIN ||
4376  memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
4377  goto end;
4378  }
4379 
4380  result = 1;
4381 
4382  end:
4383  SigCleanSignatures(de_ctx);
4384  DetectEngineCtxFree(de_ctx);
4385  return result;
4386 }
4387 
4388 static int DetectHttpRawHeaderTest26(void)
4389 {
4390  DetectEngineCtx *de_ctx = NULL;
4391  int result = 0;
4392 
4393  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4394  goto end;
4395 
4396  de_ctx->flags |= DE_QUIET;
4397  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4398  "(flow:to_server; content:\"two\"; http_raw_header; "
4399  "pcre:/one/DR; sid:1;)");
4400  if (de_ctx->sig_list == NULL) {
4401  printf("de_ctx->sig_list == NULL\n");
4402  goto end;
4403  }
4404 
4405  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4406  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4407  goto end;
4408  }
4409 
4410  if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
4411  printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
4412  goto end;
4413  }
4414 
4415  if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
4416  de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_PCRE ||
4417  de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
4418  de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_CONTENT) {
4419 
4420  goto end;
4421  }
4422 
4423  DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
4424  DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
4425  if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
4427  memcmp(hhd1->content, "two", hhd1->content_len) != 0) {
4428  goto end;
4429  }
4430 
4431  result = 1;
4432 
4433  end:
4434  SigCleanSignatures(de_ctx);
4435  DetectEngineCtxFree(de_ctx);
4436  return result;
4437 }
4438 
4439 static int DetectHttpRawHeaderTest27(void)
4440 {
4441  DetectEngineCtx *de_ctx = NULL;
4442  int result = 0;
4443 
4444  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4445  goto end;
4446 
4447  de_ctx->flags |= DE_QUIET;
4448  de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
4449  "(flow:to_server; pcre:/one/D; "
4450  "content:\"two\"; distance:5; http_raw_header; sid:1;)");
4451  if (de_ctx->sig_list == NULL) {
4452  printf("de_ctx->sig_list == NULL\n");
4453  goto end;
4454  }
4455 
4456  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4457  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4458  goto end;
4459  }
4460 
4461  if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
4462  printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
4463  goto end;
4464  }
4465 
4466  if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
4467  de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_CONTENT ||
4468  de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
4469  de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_PCRE) {
4470 
4471  goto end;
4472  }
4473 
4474  DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
4475  DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
4476  if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
4477  hhd2->flags != DETECT_CONTENT_DISTANCE ||
4478  memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
4479  goto end;
4480  }
4481 
4482  result = 1;
4483 
4484  end:
4485  SigCleanSignatures(de_ctx);
4486  DetectEngineCtxFree(de_ctx);
4487  return result;
4488 }
4489 
4490 static int DetectHttpRawHeaderIsdataatParseTest(void)
4491 {
4493  FAIL_IF_NULL(de_ctx);
4494  de_ctx->flags |= DE_QUIET;
4495 
4496  Signature *s = DetectEngineAppendSig(de_ctx,
4497  "alert tcp any any -> any any ("
4498  "flow:to_server; "
4499  "content:\"one\"; http_raw_header; "
4500  "isdataat:!4,relative; sid:1;)");
4501  FAIL_IF_NULL(s);
4502 
4503  SigMatch *sm = s->init_data->smlists_tail[g_http_raw_header_buffer_id];
4504  FAIL_IF_NULL(sm);
4506 
4507  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
4510  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
4511 
4512  DetectEngineCtxFree(de_ctx);
4513  PASS;
4514 }
4515 
4517 {
4518  UtRegisterTest("DetectHttpRawHeaderParserTest01",
4519  DetectHttpRawHeaderParserTest01);
4520  UtRegisterTest("DetectHttpRawHeaderParserTest02",
4521  DetectHttpRawHeaderParserTest02);
4522 
4523  UtRegisterTest("DetectEngineHttpRawHeaderTest01",
4524  DetectEngineHttpRawHeaderTest01);
4525  UtRegisterTest("DetectEngineHttpRawHeaderTest02",
4526  DetectEngineHttpRawHeaderTest02);
4527  UtRegisterTest("DetectEngineHttpRawHeaderTest03",
4528  DetectEngineHttpRawHeaderTest03);
4529  UtRegisterTest("DetectEngineHttpRawHeaderTest04",
4530  DetectEngineHttpRawHeaderTest04);
4531  UtRegisterTest("DetectEngineHttpRawHeaderTest05",
4532  DetectEngineHttpRawHeaderTest05);
4533  UtRegisterTest("DetectEngineHttpRawHeaderTest06",
4534  DetectEngineHttpRawHeaderTest06);
4535  UtRegisterTest("DetectEngineHttpRawHeaderTest07",
4536  DetectEngineHttpRawHeaderTest07);
4537  UtRegisterTest("DetectEngineHttpRawHeaderTest08",
4538  DetectEngineHttpRawHeaderTest08);
4539  UtRegisterTest("DetectEngineHttpRawHeaderTest09",
4540  DetectEngineHttpRawHeaderTest09);
4541  UtRegisterTest("DetectEngineHttpRawHeaderTest10",
4542  DetectEngineHttpRawHeaderTest10);
4543  UtRegisterTest("DetectEngineHttpRawHeaderTest11",
4544  DetectEngineHttpRawHeaderTest11);
4545  UtRegisterTest("DetectEngineHttpRawHeaderTest12",
4546  DetectEngineHttpRawHeaderTest12);
4547  UtRegisterTest("DetectEngineHttpRawHeaderTest13",
4548  DetectEngineHttpRawHeaderTest13);
4549  UtRegisterTest("DetectEngineHttpRawHeaderTest14",
4550  DetectEngineHttpRawHeaderTest14);
4551  UtRegisterTest("DetectEngineHttpRawHeaderTest15",
4552  DetectEngineHttpRawHeaderTest15);
4553  UtRegisterTest("DetectEngineHttpRawHeaderTest16",
4554  DetectEngineHttpRawHeaderTest16);
4555  UtRegisterTest("DetectEngineHttpRawHeaderTest17",
4556  DetectEngineHttpRawHeaderTest17);
4557  UtRegisterTest("DetectEngineHttpRawHeaderTest20",
4558  DetectEngineHttpRawHeaderTest20);
4559  UtRegisterTest("DetectEngineHttpRawHeaderTest21",
4560  DetectEngineHttpRawHeaderTest21);
4561  UtRegisterTest("DetectEngineHttpRawHeaderTest22",
4562  DetectEngineHttpRawHeaderTest22);
4563  UtRegisterTest("DetectEngineHttpRawHeaderTest23",
4564  DetectEngineHttpRawHeaderTest23);
4565  UtRegisterTest("DetectEngineHttpRawHeaderTest24",
4566  DetectEngineHttpRawHeaderTest24);
4567  UtRegisterTest("DetectEngineHttpRawHeaderTest25",
4568  DetectEngineHttpRawHeaderTest25);
4569  UtRegisterTest("DetectEngineHttpRawHeaderTest26",
4570  DetectEngineHttpRawHeaderTest26);
4571  UtRegisterTest("DetectEngineHttpRawHeaderTest27",
4572  DetectEngineHttpRawHeaderTest27);
4573  UtRegisterTest("DetectEngineHttpRawHeaderTest28",
4574  DetectEngineHttpRawHeaderTest28);
4575  UtRegisterTest("DetectEngineHttpRawHeaderTest29",
4576  DetectEngineHttpRawHeaderTest29);
4577 #if 0
4578  UtRegisterTest("DetectEngineHttpRawHeaderTest30",
4579  DetectEngineHttpRawHeaderTest30, 1);
4580 #endif
4581  UtRegisterTest("DetectEngineHttpRawHeaderTest31",
4582  DetectEngineHttpRawHeaderTest31);
4583  UtRegisterTest("DetectEngineHttpRawHeaderTest32",
4584  DetectEngineHttpRawHeaderTest32);
4585 
4586  UtRegisterTest("DetectHttpRawHeaderTest01", DetectHttpRawHeaderTest01);
4587  UtRegisterTest("DetectHttpRawHeaderTest02", DetectHttpRawHeaderTest02);
4588  UtRegisterTest("DetectHttpRawHeaderTest03", DetectHttpRawHeaderTest03);
4589  UtRegisterTest("DetectHttpRawHeaderTest04", DetectHttpRawHeaderTest04);
4590  UtRegisterTest("DetectHttpRawHeaderTest05", DetectHttpRawHeaderTest05);
4591  UtRegisterTest("DetectHttpRawHeaderTest06", DetectHttpRawHeaderTest06);
4592  UtRegisterTest("DetectHttpRawHeaderTest07", DetectHttpRawHeaderTest07);
4593  UtRegisterTest("DetectHttpRawHeaderTest08", DetectHttpRawHeaderTest08);
4594  UtRegisterTest("DetectHttpRawHeaderTest09", DetectHttpRawHeaderTest09);
4595  UtRegisterTest("DetectHttpRawHeaderTest10", DetectHttpRawHeaderTest10);
4596  UtRegisterTest("DetectHttpRawHeaderTest11", DetectHttpRawHeaderTest11);
4597  UtRegisterTest("DetectHttpRawHeaderTest12", DetectHttpRawHeaderTest12);
4598  UtRegisterTest("DetectHttpRawHeaderTest13", DetectHttpRawHeaderTest13);
4599  UtRegisterTest("DetectHttpRawHeaderTest20", DetectHttpRawHeaderTest20);
4600  UtRegisterTest("DetectHttpRawHeaderTest21", DetectHttpRawHeaderTest21);
4601  UtRegisterTest("DetectHttpRawHeaderTest22", DetectHttpRawHeaderTest22);
4602  UtRegisterTest("DetectHttpRawHeaderTest23", DetectHttpRawHeaderTest23);
4603  UtRegisterTest("DetectHttpRawHeaderTest24", DetectHttpRawHeaderTest24);
4604  UtRegisterTest("DetectHttpRawHeaderTest25", DetectHttpRawHeaderTest25);
4605  UtRegisterTest("DetectHttpRawHeaderTest26", DetectHttpRawHeaderTest26);
4606  UtRegisterTest("DetectHttpRawHeaderTest27", DetectHttpRawHeaderTest27);
4607 
4608  UtRegisterTest("DetectHttpRawHeaderIsdataatParseTest",
4609  DetectHttpRawHeaderIsdataatParseTest);
4610 
4611 
4612  return;
4613 }
4614 
4615 #endif /* UNITTESTS */
4616 
4617 /**
4618  * @}
4619  */
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
SignatureInitData * init_data
Definition: detect.h:591
#define DETECT_PCRE_RELATIVE
Definition: detect-pcre.h:27
struct Flow_ * flow
Definition: decode.h:445
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:344
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
#define PASS
Pass the test.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Signature * sig_list
Definition: detect.h:767
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
void SigCleanSignatures(DetectEngineCtx *de_ctx)
#define ISDATAAT_RELATIVE
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
#define DETECT_CONTENT_DISTANCE
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define ISDATAAT_RAWBYTES
Signature container.
Definition: detect.h:522
#define TRUE
void * protoctx
Definition: flow.h:400
uint16_t flags
Definition: detect-pcre.h:42
struct SigMatch_ * next
Definition: detect.h:322
main detection engine ctx
Definition: detect.h:761
void * alstate
Definition: flow.h:438
#define DE_QUIET
Definition: detect.h:292
uint8_t flags
Definition: detect.h:762
#define ISDATAAT_NEGATED
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1669
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
uint8_t flowflags
Definition: decode.h:439
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define STREAM_TOCLIENT
Definition: stream.h:32
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
struct SigMatch_ ** smlists_tail
Definition: detect.h:518
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
uint8_t type
Definition: detect.h:319
SigMatchCtx * ctx
Definition: detect.h:321
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
void DetectHttpRawHeaderRegisterTests(void)
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
#define DETECT_CONTENT_WITHIN
#define PKT_HAS_FLOW
Definition: decode.h:1093
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:32
#define DETECT_CONTENT_RELATIVE_NEXT
Per thread variable structure.
Definition: threadvars.h:57
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
AppProto alproto
application level protocol
Definition: flow.h:409
uint32_t flags
Definition: decode.h:443
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Flow data structure.
Definition: flow.h:325
#define FLOW_IPV4
Definition: flow.h:94
uint32_t flags
Definition: flow.h:379
#define PKT_STREAM_EST
Definition: decode.h:1091
a single match condition for a signature
Definition: detect.h:318
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DetectEngineCtx * DetectEngineCtxInit(void)