33 #include "../suricata-common.h"
34 #include "../suricata.h"
35 #include "../decode.h"
37 #include "../detect.h"
38 #include "../detect-engine.h"
39 #include "../detect-isdataat.h"
40 #include "../detect-pcre.h"
41 #include "../detect-engine-build.h"
42 #include "../detect-engine-alert.h"
44 #include "../stream-tcp.h"
45 #include "../app-layer.h"
46 #include "../app-layer-htp.h"
47 #include "../app-layer-protos.h"
48 #include "../app-layer-parser.h"
50 #include "../util-unittest.h"
51 #include "../util-unittest-helper.h"
52 #include "../util-validate.h"
/* Parser test (fragment): rule strings that pair the http_raw_header content
 * modifier with nocase, endswith, startswith and rawbytes. Only the tails of
 * most rule strings survive in this listing, and the calls that consume them
 * are not shown. The `false));` after the "alert tcp" rule (http_raw_header
 * with no preceding content) presumably marks a rule that must be rejected
 * -- TODO confirm against the full file. */
61 static int DetectHttpRawHeaderParserTest01(
void)
64 "http_raw_header; sid:1;)",
67 "nocase; http_raw_header; sid:1;)",
70 "endswith; http_raw_header; sid:1;)",
73 "startswith; http_raw_header; sid:1;)",
76 "startswith; endswith; http_raw_header; sid:1;)",
80 "rawbytes; http_raw_header; sid:1;)",
83 "alert tcp any any -> any any (flow:to_server; http_raw_header; sid:1;)",
false));
85 "http_raw_header; sid:1;)",
/* Parser test (fragment): the same keyword combinations as the modifier-form
 * parser test, but written after the http.header.raw sticky buffer (content
 * follows the buffer name), plus one rule using bsize:10. The calls that
 * consume these strings are not shown. The `false));` after the "alert tcp"
 * rule that names the buffer without any content presumably marks a rule that
 * must be rejected -- TODO confirm against the full file. */
93 static int DetectHttpRawHeaderParserTest02(
void)
96 "content:\"abc\"; sid:1;)",
99 "content:\"abc\"; nocase; sid:1;)",
102 "content:\"abc\"; endswith; sid:1;)",
105 "content:\"abc\"; startswith; sid:1;)",
108 "content:\"abc\"; startswith; endswith; sid:1;)",
111 "alert http any any -> any any (flow:to_server; http.header.raw; bsize:10; sid:1;)",
115 "content:\"abc\"; rawbytes; sid:1;)",
118 "alert tcp any any -> any any (flow:to_server; http.header.raw; sid:1;)",
false));
120 "content:\"abc\"; sid:1;)",
/* Engine test (fragment): one-segment HTTP/1.0 request and a rule fragment
 * with a plain content:"one" on http_raw_header. "one" is present in the
 * visible Host header value. The setup and assertion lines are missing from
 * this listing, so the expected verdict is not visible. */
129 static int DetectEngineHttpRawHeaderTest01(
void)
135 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
136 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
137 uint32_t http_len =
sizeof(http_buf) - 1;
140 memset(&th_v, 0,
sizeof(th_v));
141 memset(&f, 0,
sizeof(f));
142 memset(&ssn, 0,
sizeof(ssn));
148 f.
proto = IPPROTO_TCP;
164 "(msg:\"http header test\"; flow:to_server; "
165 "content:\"one\"; http_raw_header; "
/* Engine test (fragment): content:"one"; depth:15 on http_raw_header.
 * Counting from the 'H' of "Host:", "one" occupies bytes 10-12, i.e. inside
 * the first 15 bytes -- assuming the inspected buffer starts at "Host:"
 * (TODO confirm). The setup and assertion lines are missing from this
 * listing, so the expected verdict is not visible. */
197 static int DetectEngineHttpRawHeaderTest02(
void)
203 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
204 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
205 uint32_t http_len =
sizeof(http_buf) - 1;
208 memset(&th_v, 0,
sizeof(th_v));
209 memset(&f, 0,
sizeof(f));
210 memset(&ssn, 0,
sizeof(ssn));
216 f.
proto = IPPROTO_TCP;
231 "(msg:\"http header test\"; flow:to_server; "
232 "content:\"one\"; depth:15; http_raw_header; "
/* Engine test (fragment): negated content:!"one"; depth:5 on http_raw_header.
 * Counting from the 'H' of "Host:", "one" occupies bytes 10-12, i.e. outside
 * the first 5 bytes -- assuming the inspected buffer starts at "Host:"
 * (TODO confirm). The setup and assertion lines are missing from this
 * listing, so the expected verdict is not visible. */
264 static int DetectEngineHttpRawHeaderTest03(
void)
270 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
271 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
272 uint32_t http_len =
sizeof(http_buf) - 1;
275 memset(&th_v, 0,
sizeof(th_v));
276 memset(&f, 0,
sizeof(f));
277 memset(&ssn, 0,
sizeof(ssn));
283 f.
proto = IPPROTO_TCP;
298 "(msg:\"http header test\"; flow:to_server; "
299 "content:!\"one\"; depth:5; http_raw_header; "
/* Engine test (fragment): content:"one"; depth:5 on http_raw_header, the
 * positive counterpart of the negated depth:5 case. Counting from the 'H' of
 * "Host:", "one" occupies bytes 10-12, i.e. outside the first 5 bytes --
 * assuming the inspected buffer starts at "Host:" (TODO confirm). The setup
 * and assertion lines are missing from this listing, so the expected verdict
 * is not visible. */
333 static int DetectEngineHttpRawHeaderTest04(
void)
339 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
340 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
341 uint32_t http_len =
sizeof(http_buf) - 1;
344 memset(&th_v, 0,
sizeof(th_v));
345 memset(&f, 0,
sizeof(f));
346 memset(&ssn, 0,
sizeof(ssn));
352 f.
proto = IPPROTO_TCP;
367 "(msg:\"http header test\"; flow:to_server; "
368 "content:\"one\"; depth:5; http_raw_header; "
/* Engine test (fragment): negated content:!"one"; depth:15 on
 * http_raw_header. Counting from the 'H' of "Host:", "one" occupies bytes
 * 10-12, i.e. inside the first 15 bytes -- assuming the inspected buffer
 * starts at "Host:" (TODO confirm). The setup and assertion lines are missing
 * from this listing, so the expected verdict is not visible. */
400 static int DetectEngineHttpRawHeaderTest05(
void)
406 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
407 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
408 uint32_t http_len =
sizeof(http_buf) - 1;
411 memset(&th_v, 0,
sizeof(th_v));
412 memset(&f, 0,
sizeof(f));
413 memset(&ssn, 0,
sizeof(ssn));
419 f.
proto = IPPROTO_TCP;
435 "(msg:\"http header test\"; flow:to_server; "
436 "content:!\"one\"; depth:15; http_raw_header; "
/* Engine test (fragment): content:"one"; offset:10 on http_raw_header.
 * Counting from the 'H' of "Host:", "one" starts exactly at byte 10, so this
 * is the boundary case for offset -- assuming the inspected buffer starts at
 * "Host:" (TODO confirm). The setup and assertion lines are missing from this
 * listing, so the expected verdict is not visible. */
467 static int DetectEngineHttpRawHeaderTest06(
void)
473 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
474 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
475 uint32_t http_len =
sizeof(http_buf) - 1;
478 memset(&th_v, 0,
sizeof(th_v));
479 memset(&f, 0,
sizeof(f));
480 memset(&ssn, 0,
sizeof(ssn));
486 f.
proto = IPPROTO_TCP;
501 "(msg:\"http header test\"; flow:to_server; "
502 "content:\"one\"; offset:10; http_raw_header; "
/* Engine test (fragment): negated content:!"one"; offset:15 on
 * http_raw_header. Counting from the 'H' of "Host:", the only "one" occupies
 * bytes 10-12, so none starts at or after byte 15 -- assuming the inspected
 * buffer starts at "Host:" (TODO confirm). The setup and assertion lines are
 * missing from this listing, so the expected verdict is not visible. */
533 static int DetectEngineHttpRawHeaderTest07(
void)
539 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
540 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
541 uint32_t http_len =
sizeof(http_buf) - 1;
544 memset(&th_v, 0,
sizeof(th_v));
545 memset(&f, 0,
sizeof(f));
546 memset(&ssn, 0,
sizeof(ssn));
552 f.
proto = IPPROTO_TCP;
567 "(msg:\"http header test\"; flow:to_server; "
568 "content:!\"one\"; offset:15; http_raw_header; "
/* Engine test (fragment): content:"one"; offset:15 on http_raw_header, the
 * positive counterpart of the negated offset:15 case. Counting from the 'H'
 * of "Host:", the only "one" occupies bytes 10-12, before byte 15 -- assuming
 * the inspected buffer starts at "Host:" (TODO confirm). The setup and
 * assertion lines are missing from this listing, so the expected verdict is
 * not visible. */
599 static int DetectEngineHttpRawHeaderTest08(
void)
605 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
606 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
607 uint32_t http_len =
sizeof(http_buf) - 1;
610 memset(&th_v, 0,
sizeof(th_v));
611 memset(&f, 0,
sizeof(f));
612 memset(&ssn, 0,
sizeof(ssn));
618 f.
proto = IPPROTO_TCP;
633 "(msg:\"http header test\"; flow:to_server; "
634 "content:\"one\"; offset:15; http_raw_header; "
/* Engine test (fragment): negated content:!"one"; offset:10 on
 * http_raw_header. Counting from the 'H' of "Host:", "one" starts exactly at
 * byte 10, so the pattern is present from that offset -- assuming the
 * inspected buffer starts at "Host:" (TODO confirm). The setup and assertion
 * lines are missing from this listing, so the expected verdict is not
 * visible. */
665 static int DetectEngineHttpRawHeaderTest09(
void)
671 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
672 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
673 uint32_t http_len =
sizeof(http_buf) - 1;
676 memset(&th_v, 0,
sizeof(th_v));
677 memset(&f, 0,
sizeof(f));
678 memset(&ssn, 0,
sizeof(ssn));
684 f.
proto = IPPROTO_TCP;
699 "(msg:\"http header test\"; flow:to_server; "
700 "content:!\"one\"; offset:10; http_raw_header; "
/* Engine test (fragment): two chained patterns on http_raw_header,
 * content:"one" followed by content:"three"; within:10. In the visible Host
 * value "three" ends 8 bytes after "one" ends, so it fits inside the 10-byte
 * window. The setup and assertion lines are missing from this listing, so the
 * expected verdict is not visible. */
731 static int DetectEngineHttpRawHeaderTest10(
void)
737 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
738 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
739 uint32_t http_len =
sizeof(http_buf) - 1;
742 memset(&th_v, 0,
sizeof(th_v));
743 memset(&f, 0,
sizeof(f));
744 memset(&ssn, 0,
sizeof(ssn));
750 f.
proto = IPPROTO_TCP;
765 "alert http any any -> any any "
766 "(msg:\"http header test\"; flow:to_server; "
767 "content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:10; "
/* Engine test (fragment): content:"one" followed by negated
 * content:!"three"; within:5 on http_raw_header. In the visible Host value
 * "three" ends 8 bytes after "one" ends, so it does not fit inside the 5-byte
 * window. The setup and assertion lines are missing from this listing, so the
 * expected verdict is not visible. */
798 static int DetectEngineHttpRawHeaderTest11(
void)
804 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
805 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
806 uint32_t http_len =
sizeof(http_buf) - 1;
809 memset(&th_v, 0,
sizeof(th_v));
810 memset(&f, 0,
sizeof(f));
811 memset(&ssn, 0,
sizeof(ssn));
817 f.
proto = IPPROTO_TCP;
832 "alert http any any -> any any "
833 "(msg:\"http header test\"; flow:to_server; "
834 "content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:5; "
/* Engine test (fragment): content:"one" followed by negated
 * content:!"three"; within:10 on http_raw_header. In the visible Host value
 * "three" ends 8 bytes after "one" ends, so it does fit inside the 10-byte
 * window. The setup and assertion lines are missing from this listing, so the
 * expected verdict is not visible. */
866 static int DetectEngineHttpRawHeaderTest12(
void)
872 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
873 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
874 uint32_t http_len =
sizeof(http_buf) - 1;
877 memset(&th_v, 0,
sizeof(th_v));
878 memset(&f, 0,
sizeof(f));
879 memset(&ssn, 0,
sizeof(ssn));
885 f.
proto = IPPROTO_TCP;
900 "alert http any any -> any any "
901 "(msg:\"http header test\"; flow:to_server; "
902 "content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:10; "
/* Engine test (fragment): content:"one" followed by content:"three";
 * within:5 on http_raw_header. In the visible Host value "three" ends 8 bytes
 * after "one" ends, so it does not fit inside the 5-byte window. The setup
 * and assertion lines are missing from this listing, so the expected verdict
 * is not visible. */
934 static int DetectEngineHttpRawHeaderTest13(
void)
940 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
941 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
942 uint32_t http_len =
sizeof(http_buf) - 1;
945 memset(&th_v, 0,
sizeof(th_v));
946 memset(&f, 0,
sizeof(f));
947 memset(&ssn, 0,
sizeof(ssn));
953 f.
proto = IPPROTO_TCP;
968 "alert http any any -> any any "
969 "(msg:\"http header test\"; flow:to_server; "
970 "content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:5; "
/* Engine test (fragment): content:"one" followed by content:"five";
 * distance:7 on http_raw_header. In the visible Host value "five" starts 12
 * bytes after "one" ends, which is beyond the 7-byte minimum gap. The setup
 * and assertion lines are missing from this listing, so the expected verdict
 * is not visible. */
1001 static int DetectEngineHttpRawHeaderTest14(
void)
1007 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
1008 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1009 uint32_t http_len =
sizeof(http_buf) - 1;
1012 memset(&th_v, 0,
sizeof(th_v));
1013 memset(&f, 0,
sizeof(f));
1014 memset(&ssn, 0,
sizeof(ssn));
1020 f.
proto = IPPROTO_TCP;
1035 "alert http any any -> any any "
1036 "(msg:\"http header test\"; flow:to_server; "
1037 "content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:7; "
/* Engine test (fragment): content:"one" followed by negated
 * content:!"five"; distance:15 on http_raw_header. In the visible Host value
 * the only "five" starts 12 bytes after "one" ends, i.e. before the 15-byte
 * gap is reached. The setup and assertion lines are missing from this
 * listing, so the expected verdict is not visible. */
1068 static int DetectEngineHttpRawHeaderTest15(
void)
1074 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
1075 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1076 uint32_t http_len =
sizeof(http_buf) - 1;
1079 memset(&th_v, 0,
sizeof(th_v));
1080 memset(&f, 0,
sizeof(f));
1081 memset(&ssn, 0,
sizeof(ssn));
1087 f.
proto = IPPROTO_TCP;
1102 "alert http any any -> any any "
1103 "(msg:\"http header test\"; flow:to_server; "
1104 "content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:15; "
/* Engine test (fragment): content:"one" followed by negated
 * content:!"five"; distance:7 on http_raw_header. In the visible Host value
 * "five" starts 12 bytes after "one" ends, i.e. past the 7-byte gap, so the
 * pattern is present in the searched region. The setup and assertion lines
 * are missing from this listing, so the expected verdict is not visible. */
1136 static int DetectEngineHttpRawHeaderTest16(
void)
1142 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
1143 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1144 uint32_t http_len =
sizeof(http_buf) - 1;
1147 memset(&th_v, 0,
sizeof(th_v));
1148 memset(&f, 0,
sizeof(f));
1149 memset(&ssn, 0,
sizeof(ssn));
1155 f.
proto = IPPROTO_TCP;
1170 "alert http any any -> any any "
1171 "(msg:\"http header test\"; flow:to_server; "
1172 "content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:7; "
/* Engine test (fragment): content:"one" followed by content:"five";
 * distance:15 on http_raw_header. In the visible Host value the only "five"
 * starts 12 bytes after "one" ends, i.e. before the 15-byte gap is reached.
 * The setup and assertion lines are missing from this listing, so the
 * expected verdict is not visible. */
1203 static int DetectEngineHttpRawHeaderTest17(
void)
1209 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
1210 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1211 uint32_t http_len =
sizeof(http_buf) - 1;
1214 memset(&th_v, 0,
sizeof(th_v));
1215 memset(&f, 0,
sizeof(f));
1216 memset(&ssn, 0,
sizeof(ssn));
1222 f.
proto = IPPROTO_TCP;
1237 "alert http any any -> any any "
1238 "(msg:\"http header test\"; flow:to_server; "
1239 "content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:15; "
/* Engine test (fragment): request delivered in two buffers. http1_buf ends in
 * the middle of the Host header value (no CRLF) and http2_buf continues it,
 * so the header under inspection spans a segment boundary. The rule fragment
 * chains pcre:/body1/D with negated content:!"dummy"; within:7 on
 * http_raw_header. In the concatenated visible text the second "dummy" starts
 * 8 bytes after "body1" ends. The rest of http2_buf and the setup/assertion
 * lines are missing from this listing, so the expected verdict is not
 * visible. */
1266 static int DetectEngineHttpRawHeaderTest20(
void)
1272 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
1273 "Host: This_is_dummy_body1";
1274 uint8_t http2_buf[] =
"This_is_dummy_message_body2\r\n"
1276 uint32_t http1_len =
sizeof(http1_buf) - 1;
1277 uint32_t http2_len =
sizeof(http2_buf) - 1;
1281 memset(&th_v, 0,
sizeof(th_v));
1282 memset(&f, 0,
sizeof(f));
1283 memset(&ssn, 0,
sizeof(ssn));
1292 f.
proto = IPPROTO_TCP;
1312 "(flow:to_server; pcre:/body1/D; "
1313 "content:!\"dummy\"; http_raw_header; within:7; "
/* Engine test (fragment): request delivered in two buffers; http1_buf ends in
 * the middle of the Host header value (no CRLF) and http2_buf continues it.
 * Visible rule fragment: negated content:!"dummy"; within:7 on
 * http_raw_header. within is relative, so the rule must contain an earlier
 * pattern that this listing does not show. The setup/assertion lines are
 * missing as well, so the expected verdict is not visible.
 * NOTE(review): the msg text says "http client body test" although the
 * keyword under test is http_raw_header. */
1350 static int DetectEngineHttpRawHeaderTest21(
void)
1358 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
1359 "Host: This_is_dummy_body1";
1360 uint8_t http2_buf[] =
"This_is_dummy_message_body2\r\n"
1362 uint32_t http1_len =
sizeof(http1_buf) - 1;
1363 uint32_t http2_len =
sizeof(http2_buf) - 1;
1366 memset(&th_v, 0,
sizeof(th_v));
1367 memset(&f, 0,
sizeof(f));
1368 memset(&ssn, 0,
sizeof(ssn));
1375 f.
proto = IPPROTO_TCP;
1395 "(msg:\"http client body test\"; flow:to_server; "
1397 "content:!\"dummy\"; within:7; http_raw_header; "
/* Engine test (fragment): request delivered in two buffers; http1_buf ends in
 * the middle of the Host header value (no CRLF) and http2_buf continues it.
 * Visible rule fragment: negated content:!"dummy"; distance:3 on
 * http_raw_header. distance is relative, so the rule must contain an earlier
 * pattern that this listing does not show. The setup/assertion lines are
 * missing as well, so the expected verdict is not visible.
 * NOTE(review): the msg text says "http client body test" although the
 * keyword under test is http_raw_header. */
1432 static int DetectEngineHttpRawHeaderTest22(
void)
1440 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
1441 "Host: This_is_dummy_body1";
1442 uint8_t http2_buf[] =
"This_is_dummy_message_body2\r\n"
1444 uint32_t http1_len =
sizeof(http1_buf) - 1;
1445 uint32_t http2_len =
sizeof(http2_buf) - 1;
1448 memset(&th_v, 0,
sizeof(th_v));
1449 memset(&f, 0,
sizeof(f));
1450 memset(&ssn, 0,
sizeof(ssn));
1457 f.
proto = IPPROTO_TCP;
1477 "(msg:\"http client body test\"; flow:to_server; "
1479 "content:!\"dummy\"; distance:3; http_raw_header; "
/* Engine test (fragment): request delivered in two buffers; http1_buf ends in
 * the middle of the Host header value (no CRLF) and http2_buf continues it.
 * Visible rule fragment: negated content:!"dummy"; distance:13 on
 * http_raw_header. distance is relative, so the rule must contain an earlier
 * pattern that this listing does not show. The setup/assertion lines are
 * missing as well, so the expected verdict is not visible.
 * NOTE(review): the msg text says "http client body test" although the
 * keyword under test is http_raw_header. */
1515 static int DetectEngineHttpRawHeaderTest23(
void)
1523 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
1524 "Host: This_is_dummy_body1";
1525 uint8_t http2_buf[] =
"This_is_dummy_message_body2\r\n"
1527 uint32_t http1_len =
sizeof(http1_buf) - 1;
1528 uint32_t http2_len =
sizeof(http2_buf) - 1;
1531 memset(&th_v, 0,
sizeof(th_v));
1532 memset(&f, 0,
sizeof(f));
1533 memset(&ssn, 0,
sizeof(ssn));
1540 f.
proto = IPPROTO_TCP;
1561 "(msg:\"http client body test\"; flow:to_server; "
1563 "content:!\"dummy\"; distance:13; http_raw_header; "
/* Engine test (fragment): request delivered in two buffers; http1_buf ends in
 * the middle of the Host header value (no CRLF) and http2_buf continues it.
 * Visible rule fragment: content:"dummy"; within:15 on http_raw_header.
 * within is relative, so the rule must contain an earlier pattern that this
 * listing does not show. The setup/assertion lines are missing as well, so
 * the expected verdict is not visible.
 * NOTE(review): the msg text says "http client body test" although the
 * keyword under test is http_raw_header. */
1598 static int DetectEngineHttpRawHeaderTest24(
void)
1606 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
1607 "Host: This_is_dummy_body1";
1608 uint8_t http2_buf[] =
"This_is_dummy_message_body2\r\n"
1610 uint32_t http1_len =
sizeof(http1_buf) - 1;
1611 uint32_t http2_len =
sizeof(http2_buf) - 1;
1614 memset(&th_v, 0,
sizeof(th_v));
1615 memset(&f, 0,
sizeof(f));
1616 memset(&ssn, 0,
sizeof(ssn));
1623 f.
proto = IPPROTO_TCP;
1643 "(msg:\"http client body test\"; flow:to_server; "
1645 "content:\"dummy\"; within:15; http_raw_header; "
/* Engine test (fragment): request delivered in two buffers; http1_buf ends in
 * the middle of the Host header value (no CRLF) and http2_buf continues it.
 * Visible rule fragment: content:"dummy"; within:10 on http_raw_header.
 * within is relative, so the rule must contain an earlier pattern that this
 * listing does not show. The setup/assertion lines are missing as well, so
 * the expected verdict is not visible.
 * NOTE(review): the msg text says "http client body test" although the
 * keyword under test is http_raw_header. */
1681 static int DetectEngineHttpRawHeaderTest25(
void)
1689 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
1690 "Host: This_is_dummy_body1";
1691 uint8_t http2_buf[] =
"This_is_dummy_message_body2\r\n"
1693 uint32_t http1_len =
sizeof(http1_buf) - 1;
1694 uint32_t http2_len =
sizeof(http2_buf) - 1;
1697 memset(&th_v, 0,
sizeof(th_v));
1698 memset(&f, 0,
sizeof(f));
1699 memset(&ssn, 0,
sizeof(ssn));
1706 f.
proto = IPPROTO_TCP;
1726 "(msg:\"http client body test\"; flow:to_server; "
1728 "content:\"dummy\"; within:10; http_raw_header; "
/* Engine test (fragment): request delivered in two buffers; http1_buf ends in
 * the middle of the Host header value (no CRLF) and http2_buf continues it.
 * Visible rule fragment: content:"dummy"; distance:8 on http_raw_header.
 * distance is relative, so the rule must contain an earlier pattern that this
 * listing does not show. The setup/assertion lines are missing as well, so
 * the expected verdict is not visible.
 * NOTE(review): the msg text says "http client body test" although the
 * keyword under test is http_raw_header. */
1763 static int DetectEngineHttpRawHeaderTest26(
void)
1771 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
1772 "Host: This_is_dummy_body1";
1773 uint8_t http2_buf[] =
"This_is_dummy_message_body2\r\n"
1775 uint32_t http1_len =
sizeof(http1_buf) - 1;
1776 uint32_t http2_len =
sizeof(http2_buf) - 1;
1779 memset(&th_v, 0,
sizeof(th_v));
1780 memset(&f, 0,
sizeof(f));
1781 memset(&ssn, 0,
sizeof(ssn));
1788 f.
proto = IPPROTO_TCP;
1808 "(msg:\"http client body test\"; flow:to_server; "
1810 "content:\"dummy\"; distance:8; http_raw_header; "
/* Engine test (fragment): request delivered in two buffers; http1_buf ends in
 * the middle of the Host header value (no CRLF) and http2_buf continues it.
 * Visible rule fragment: content:"dummy"; distance:14 on http_raw_header.
 * distance is relative, so the rule must contain an earlier pattern that this
 * listing does not show. The setup/assertion lines are missing as well, so
 * the expected verdict is not visible.
 * NOTE(review): the msg text says "http client body test" although the
 * keyword under test is http_raw_header. */
1845 static int DetectEngineHttpRawHeaderTest27(
void)
1853 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
1854 "Host: This_is_dummy_body1";
1855 uint8_t http2_buf[] =
"This_is_dummy_message_body2\r\n"
1857 uint32_t http1_len =
sizeof(http1_buf) - 1;
1858 uint32_t http2_len =
sizeof(http2_buf) - 1;
1861 memset(&th_v, 0,
sizeof(th_v));
1862 memset(&f, 0,
sizeof(f));
1863 memset(&ssn, 0,
sizeof(ssn));
1870 f.
proto = IPPROTO_TCP;
1890 "(msg:\"http client body test\"; flow:to_server; "
1892 "content:\"dummy\"; distance:14; http_raw_header; "
/* Engine test (fragment): response-direction case. http_buf1 is a request and
 * http_buf2 an "HTTP/1.0 200 ok" response carrying "Content-Length: 6"; the
 * rule fragment uses flow:to_client with content:"Content-Length: 6" on
 * http_raw_header, a string that is present in the visible response headers.
 * The ends of both buffers and the setup/assertion lines are missing from
 * this listing, so the expected verdict is not visible. */
1927 static int DetectEngineHttpRawHeaderTest28(
void)
1935 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
1936 "Host: www.openinfosecfoundation.org\r\n"
1937 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1938 "Gecko/20091221 Firefox/3.5.7\r\n"
1940 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
1941 uint8_t http_buf2[] =
"HTTP/1.0 200 ok\r\n"
1942 "Content-Type: text/html\r\n"
1943 "Content-Length: 6\r\n"
1946 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
1949 memset(&th_v, 0,
sizeof(th_v));
1950 memset(&f, 0,
sizeof(f));
1951 memset(&ssn, 0,
sizeof(ssn));
1958 f.
proto = IPPROTO_TCP;
1978 "(msg:\"http header test\"; flow:to_client; "
1979 "content:\"Content-Length: 6\"; http_raw_header; "
/* Engine test (fragment): response-direction case with a non-matching value.
 * http_buf2 is an "HTTP/1.0 200 ok" response carrying "Content-Length: 6",
 * while the rule fragment uses flow:to_client with
 * content:"Content-Length: 7" on http_raw_header; that exact string does not
 * occur in the visible response headers. The ends of both buffers and the
 * setup/assertion lines are missing from this listing, so the expected
 * verdict is not visible. */
2014 static int DetectEngineHttpRawHeaderTest29(
void)
2022 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
2023 "Host: www.openinfosecfoundation.org\r\n"
2024 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2025 "Gecko/20091221 Firefox/3.5.7\r\n"
2027 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
2028 uint8_t http_buf2[] =
"HTTP/1.0 200 ok\r\n"
2029 "Content-Type: text/html\r\n"
2030 "Content-Length: 6\r\n"
2033 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
2036 memset(&th_v, 0,
sizeof(th_v));
2037 memset(&f, 0,
sizeof(f));
2038 memset(&ssn, 0,
sizeof(ssn));
2045 f.
proto = IPPROTO_TCP;
2065 "(msg:\"http header test\"; flow:to_client; "
2066 "content:\"Content-Length: 7\"; http_raw_header; "
/* Engine test (fragment): request with "Transfer-Encoding: chunked" in which
 * "Dummy-Header: kaboom" follows the body text inside the same buffer, i.e.
 * where a chunked trailer would sit (the chunk framing lines are not shown --
 * TODO confirm). The rule fragment is content:"Dummy" on http_raw_header;
 * the body text contains only lowercase "dummy". The setup/assertion lines
 * are missing from this listing, so the expected verdict is not visible. */
2104 static int DetectEngineHttpRawHeaderTest31(
void)
2111 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
2113 "Transfer-Encoding: chunked\r\n"
2116 "This is dummy body1\r\n"
2118 "Dummy-Header: kaboom\r\n"
2120 uint32_t http1_len =
sizeof(http1_buf) - 1;
2123 memset(&th_v, 0,
sizeof(th_v));
2124 memset(&f, 0,
sizeof(f));
2125 memset(&ssn, 0,
sizeof(ssn));
2131 f.
proto = IPPROTO_TCP;
2148 "content:\"Dummy\"; http_raw_header; "
/* Engine test (fragment): chunked request split across two buffers.
 * http1_buf carries the request headers and body text, and http2_buf starts
 * with "Dummy-Header: kaboom", so the header that follows the body arrives in
 * a separate segment (the chunk framing lines are not shown -- TODO confirm
 * it is a trailer). The rule fragment is content:"Dummy" on http_raw_header.
 * The setup/assertion lines are missing from this listing, so the expected
 * verdict is not visible. */
2178 static int DetectEngineHttpRawHeaderTest32(
void)
2186 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
2188 "Transfer-Encoding: chunked\r\n"
2191 "This is dummy body1\r\n"
2193 uint8_t http2_buf[] =
"Dummy-Header: kaboom\r\n"
2195 uint32_t http1_len =
sizeof(http1_buf) - 1;
2196 uint32_t http2_len =
sizeof(http2_buf) - 1;
2199 memset(&th_v, 0,
sizeof(th_v));
2200 memset(&f, 0,
sizeof(f));
2201 memset(&ssn, 0,
sizeof(ssn));
2208 f.
proto = IPPROTO_TCP;
2229 "content:\"Dummy\"; http_raw_header; "
/* Detection test (fragment): single-buffer request with several headers and a
 * body; the rule fragment is content:"Content-Type: text/html" on
 * http_raw_header, a string present in the visible headers. The
 * setup/assertion lines are missing from this listing, so the expected
 * verdict is not visible. */
2269 static int DetectHttpRawHeaderTest06(
void)
2275 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
2276 "Host: www.openinfosecfoundation.org\r\n"
2277 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2278 "Gecko/20091221 Firefox/3.5.7\r\n"
2279 "Content-Type: text/html\r\n"
2280 "Content-Length: 26\r\n"
2282 "This is dummy message body\r\n";
2283 uint32_t http_len =
sizeof(http_buf) - 1;
2286 memset(&th_v, 0,
sizeof(th_v));
2287 memset(&f, 0,
sizeof(f));
2288 memset(&ssn, 0,
sizeof(ssn));
2294 f.
proto = IPPROTO_TCP;
2310 "(msg:\"http header test\"; flow:to_server; "
2311 "content:\"Content-Type: text/html\"; http_raw_header; "
/* Detection test (fragment): request split across two buffers with the
 * pattern straddling the split. http2_buf begins with "lla/5.0", so the first
 * buffer presumably ends with the start of the User-Agent value (that line is
 * not shown -- TODO confirm), while the rule fragment looks for
 * content:"Mozilla" on http_raw_header. This is the case where a match is
 * only possible on the reassembled header data, not on either segment alone.
 * The setup/assertion lines are missing from this listing, so the expected
 * verdict is not visible. */
2342 static int DetectHttpRawHeaderTest07(
void)
2350 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
2351 "Host: www.openinfosecfoundation.org\r\n"
2353 uint8_t http2_buf[] =
"lla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 "
2354 "Firefox/3.5.7\r\nContent-Type: text/html\r\n"
2355 "Content-Length: 67\r\n"
2357 "This is dummy message body1";
2358 uint32_t http1_len =
sizeof(http1_buf) - 1;
2359 uint32_t http2_len =
sizeof(http2_buf) - 1;
2362 memset(&th_v, 0,
sizeof(th_v));
2363 memset(&f, 0,
sizeof(f));
2364 memset(&ssn, 0,
sizeof(ssn));
2371 f.
proto = IPPROTO_TCP;
2390 "(msg:\"http header test\"; flow:to_server; "
2391 "content:\"Mozilla\"; http_raw_header; "
/* Detection test (fragment): request split across two buffers on a header
 * line boundary. http1_buf ends after the Host header and http2_buf starts
 * with the User-Agent header; the rule fragment is
 * content:"Gecko/20091221 Firefox/3.5.7" on http_raw_header, a string that
 * lies entirely inside the second buffer. The end of http2_buf and the
 * setup/assertion lines are missing from this listing, so the expected
 * verdict is not visible. */
2430 static int DetectHttpRawHeaderTest08(
void)
2438 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
2439 "Host: www.openinfosecfoundation.org\r\n";
2440 uint8_t http2_buf[] =
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2441 "Gecko/20091221 Firefox/3.5.7\r\n"
2442 "Content-Type: text/html\r\n"
2443 "Content-Length: 67\r\n"
2445 uint32_t http1_len =
sizeof(http1_buf) - 1;
2446 uint32_t http2_len =
sizeof(http2_buf) - 1;
2449 memset(&th_v, 0,
sizeof(th_v));
2450 memset(&f, 0,
sizeof(f));
2451 memset(&ssn, 0,
sizeof(ssn));
2458 f.
proto = IPPROTO_TCP;
2477 "alert http any any -> any any "
2478 "(msg:\"http header test\"; flow:to_server; "
2479 "content:\"Gecko/20091221 Firefox/3.5.7\"; http_raw_header; "
/* Detection test (fragment): request split across two buffers with the
 * pattern straddling the split. http1_buf ends with "Firefox/3.5.7\r\n" and
 * http2_buf starts with "Content-Type", while the rule fragment looks for
 * content:"Firefox/3.5.7|0D 0A|Content" on http_raw_header, so the match
 * needs bytes from both segments including the CRLF between the header
 * lines. The setup/assertion lines are missing from this listing, so the
 * expected verdict is not visible. */
2518 static int DetectHttpRawHeaderTest09(
void)
2526 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
2527 "Host: www.openinfosecfoundation.org\r\n"
2528 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2529 "Gecko/20091221 Firefox/3.5.7\r\n";
2530 uint8_t http2_buf[] =
"Content-Type: text/html\r\n"
2531 "Content-Length: 67\r\n"
2533 "This is dummy body\r\n";
2534 uint32_t http1_len =
sizeof(http1_buf) - 1;
2535 uint32_t http2_len =
sizeof(http2_buf) - 1;
2538 memset(&th_v, 0,
sizeof(th_v));
2539 memset(&f, 0,
sizeof(f));
2540 memset(&ssn, 0,
sizeof(ssn));
2547 f.
proto = IPPROTO_TCP;
2566 "alert http any any -> any any "
2567 "(msg:\"http header test\"; flow:to_server; "
2568 "content:\"Firefox/3.5.7|0D 0A|Content\"; http_raw_header; "
/* Detection test (fragment): request split across two buffers with the
 * pattern straddling the split, matched case-insensitively. http1_buf ends
 * with "Firefox/3.5.7\r\n" and http2_buf starts with "Content-Type"; the rule
 * fragment uses the lowercase pattern "firefox/3.5.7|0D 0A|content" with
 * nocase on http_raw_header. The setup/assertion lines are missing from this
 * listing, so the expected verdict is not visible. */
2607 static int DetectHttpRawHeaderTest10(
void)
2615 uint8_t http1_buf[] =
"GET /index.html HTTP/1.0\r\n"
2616 "Host: www.openinfosecfoundation.org\r\n"
2617 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2618 "Gecko/20091221 Firefox/3.5.7\r\n";
2619 uint8_t http2_buf[] =
"Content-Type: text/html\r\n"
2620 "Content-Length: 67\r\n"
2622 "This is dummy body";
2623 uint32_t http1_len =
sizeof(http1_buf) - 1;
2624 uint32_t http2_len =
sizeof(http2_buf) - 1;
2627 memset(&th_v, 0,
sizeof(th_v));
2628 memset(&f, 0,
sizeof(f));
2629 memset(&ssn, 0,
sizeof(ssn));
2636 f.
proto = IPPROTO_TCP;
2655 "alert http any any -> any any "
2656 "(msg:\"http header test\"; flow:to_server; "
2657 "content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_raw_header;"
/* Detection test (fragment): single-buffer request; the rule fragment is the
 * negated content:!"lalalalala" on http_raw_header, a string that does not
 * occur anywhere in the visible request. The setup/assertion lines are
 * missing from this listing, so the expected verdict is not visible. */
2696 static int DetectHttpRawHeaderTest11(
void)
2702 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
2703 "Host: www.openinfosecfoundation.org\r\n"
2704 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2705 "Gecko/20091221 Firefox/3.5.7\r\n"
2706 "Content-Type: text/html\r\n"
2707 "Content-Length: 26\r\n"
2709 "This is dummy message body\r\n";
2710 uint32_t http_len =
sizeof(http_buf) - 1;
2713 memset(&th_v, 0,
sizeof(th_v));
2714 memset(&f, 0,
sizeof(f));
2715 memset(&ssn, 0,
sizeof(ssn));
2721 f.
proto = IPPROTO_TCP;
2736 "(msg:\"http header test\"; flow:to_server; "
2737 "content:!\"lalalalala\"; http_raw_header; "
/* Detection test (fragment): single-buffer request; the rule fragment is the
 * negated content:!"User-Agent: Mozilla/5.0 " on http_raw_header, a string
 * that does occur in the visible User-Agent header. The setup/assertion lines
 * are missing from this listing, so the expected verdict is not visible. */
2769 static int DetectHttpRawHeaderTest12(
void)
2775 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
2776 "Host: www.openinfosecfoundation.org\r\n"
2777 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2778 "Gecko/20091221 Firefox/3.5.7\r\n"
2779 "Content-Type: text/html\r\n"
2780 "Content-Length: 26\r\n"
2782 "This is dummy message body\r\n";
2783 uint32_t http_len =
sizeof(http_buf) - 1;
2786 memset(&th_v, 0,
sizeof(th_v));
2787 memset(&f, 0,
sizeof(f));
2788 memset(&ssn, 0,
sizeof(ssn));
2794 f.
proto = IPPROTO_TCP;
2810 "(msg:\"http header test\"; flow:to_server; "
2811 "content:!\"User-Agent: Mozilla/5.0 \"; http_raw_header; "
/* Detection test (fragment): single-buffer request that declares
 * "Content-Length: 100" while the visible body line is shorter than that, so
 * the body is incomplete when the buffer ends. The rule fragment is
 * content:"Host: www.openinfosecfoundation.org" on http_raw_header, a string
 * present in the visible headers. The setup/assertion lines are missing from
 * this listing, so the expected verdict is not visible. */
2844 static int DetectHttpRawHeaderTest13(
void)
2850 uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
2851 "Host: www.openinfosecfoundation.org\r\n"
2852 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2853 "Gecko/20091221 Firefox/3.5.7\r\n"
2854 "Content-Type: text/html\r\n"
2855 "Content-Length: 100\r\n"
2857 "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n";
2858 uint32_t http_len =
sizeof(http_buf) - 1;
2861 memset(&th_v, 0,
sizeof(th_v));
2862 memset(&f, 0,
sizeof(f));
2863 memset(&ssn, 0,
sizeof(ssn));
2869 f.
proto = IPPROTO_TCP;
2885 "alert http any any -> any any "
2886 "(msg:\"http header test\"; flow:to_server; "
2887 "content:\"Host: www.openinfosecfoundation.org\"; http_raw_header; "
/* Registration calls: each UtRegisterTest pairs a test name string with the
 * function of the same name. The enclosing function header is not part of
 * this listing. The lone fragment `DetectEngineHttpRawHeaderTest30, 1);`
 * refers to a test whose definition does not appear in this listing, and its
 * call form differs from the two-argument calls around it -- TODO confirm in
 * the full file whether that registration is active or disabled. */
2918 UtRegisterTest(
"DetectHttpRawHeaderParserTest01", DetectHttpRawHeaderParserTest01);
2919 UtRegisterTest(
"DetectHttpRawHeaderParserTest02", DetectHttpRawHeaderParserTest02);
2921 UtRegisterTest(
"DetectEngineHttpRawHeaderTest01", DetectEngineHttpRawHeaderTest01);
2922 UtRegisterTest(
"DetectEngineHttpRawHeaderTest02", DetectEngineHttpRawHeaderTest02);
2923 UtRegisterTest(
"DetectEngineHttpRawHeaderTest03", DetectEngineHttpRawHeaderTest03);
2924 UtRegisterTest(
"DetectEngineHttpRawHeaderTest04", DetectEngineHttpRawHeaderTest04);
2925 UtRegisterTest(
"DetectEngineHttpRawHeaderTest05", DetectEngineHttpRawHeaderTest05);
2926 UtRegisterTest(
"DetectEngineHttpRawHeaderTest06", DetectEngineHttpRawHeaderTest06);
2927 UtRegisterTest(
"DetectEngineHttpRawHeaderTest07", DetectEngineHttpRawHeaderTest07);
2928 UtRegisterTest(
"DetectEngineHttpRawHeaderTest08", DetectEngineHttpRawHeaderTest08);
2929 UtRegisterTest(
"DetectEngineHttpRawHeaderTest09", DetectEngineHttpRawHeaderTest09);
2930 UtRegisterTest(
"DetectEngineHttpRawHeaderTest10", DetectEngineHttpRawHeaderTest10);
2931 UtRegisterTest(
"DetectEngineHttpRawHeaderTest11", DetectEngineHttpRawHeaderTest11);
2932 UtRegisterTest(
"DetectEngineHttpRawHeaderTest12", DetectEngineHttpRawHeaderTest12);
2933 UtRegisterTest(
"DetectEngineHttpRawHeaderTest13", DetectEngineHttpRawHeaderTest13);
2934 UtRegisterTest(
"DetectEngineHttpRawHeaderTest14", DetectEngineHttpRawHeaderTest14);
2935 UtRegisterTest(
"DetectEngineHttpRawHeaderTest15", DetectEngineHttpRawHeaderTest15);
2936 UtRegisterTest(
"DetectEngineHttpRawHeaderTest16", DetectEngineHttpRawHeaderTest16);
2937 UtRegisterTest(
"DetectEngineHttpRawHeaderTest17", DetectEngineHttpRawHeaderTest17);
2938 UtRegisterTest(
"DetectEngineHttpRawHeaderTest20", DetectEngineHttpRawHeaderTest20);
2939 UtRegisterTest(
"DetectEngineHttpRawHeaderTest21", DetectEngineHttpRawHeaderTest21);
2940 UtRegisterTest(
"DetectEngineHttpRawHeaderTest22", DetectEngineHttpRawHeaderTest22);
2941 UtRegisterTest(
"DetectEngineHttpRawHeaderTest23", DetectEngineHttpRawHeaderTest23);
2942 UtRegisterTest(
"DetectEngineHttpRawHeaderTest24", DetectEngineHttpRawHeaderTest24);
2943 UtRegisterTest(
"DetectEngineHttpRawHeaderTest25", DetectEngineHttpRawHeaderTest25);
2944 UtRegisterTest(
"DetectEngineHttpRawHeaderTest26", DetectEngineHttpRawHeaderTest26);
2945 UtRegisterTest(
"DetectEngineHttpRawHeaderTest27", DetectEngineHttpRawHeaderTest27);
2946 UtRegisterTest(
"DetectEngineHttpRawHeaderTest28", DetectEngineHttpRawHeaderTest28);
2947 UtRegisterTest(
"DetectEngineHttpRawHeaderTest29", DetectEngineHttpRawHeaderTest29);
2950 DetectEngineHttpRawHeaderTest30, 1);
2952 UtRegisterTest(
"DetectEngineHttpRawHeaderTest31", DetectEngineHttpRawHeaderTest31);
2953 UtRegisterTest(
"DetectEngineHttpRawHeaderTest32", DetectEngineHttpRawHeaderTest32);
2955 UtRegisterTest(
"DetectHttpRawHeaderTest06", DetectHttpRawHeaderTest06);
2956 UtRegisterTest(
"DetectHttpRawHeaderTest07", DetectHttpRawHeaderTest07);
2957 UtRegisterTest(
"DetectHttpRawHeaderTest08", DetectHttpRawHeaderTest08);
2958 UtRegisterTest(
"DetectHttpRawHeaderTest09", DetectHttpRawHeaderTest09);
2959 UtRegisterTest(
"DetectHttpRawHeaderTest10", DetectHttpRawHeaderTest10);
2960 UtRegisterTest(
"DetectHttpRawHeaderTest11", DetectHttpRawHeaderTest11);
2961 UtRegisterTest(
"DetectHttpRawHeaderTest12", DetectHttpRawHeaderTest12);
2962 UtRegisterTest(
"DetectHttpRawHeaderTest13", DetectHttpRawHeaderTest13);