suricata
detect-http-server-body.c
Go to the documentation of this file.
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <giuseppe@glongo.it>
22  *
23  * Tests for the hsbd with swf files
24  */
25 
26 #include "../suricata-common.h"
27 #include "../conf-yaml-loader.h"
28 #include "../decode.h"
29 #include "../flow.h"
30 #include "../detect.h"
31 #include "../detect-engine-build.h"
32 #include "../detect-engine-alert.h"
33 
34 /**
35  * \test Test parser accepting valid rules and rejecting invalid rules
36  */
37 static int DetectHttpServerBodyParserTest01(void)
38 {
39  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", true));
40  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)", true));
41  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)", true));
42  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)", true));
43  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)", true));
44 
45  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)", false));
46  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http_server_body; sid:1;)", false));
47  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", false));
48  PASS;
49 }
50 
51 /**
52  * \test Test parser accepting valid rules and rejecting invalid rules
53  */
54 static int DetectHttpServerBodyParserTest02(void)
55 {
56  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", true));
57  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)", true));
58  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)", true));
59  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)", true));
60  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
61  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; bsize:10; sid:1;)", true));
62 
63  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)", false));
64  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http.response_body; sid:1;)", false));
65  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", false));
66  PASS;
67 }
68 struct TestSteps {
69  const uint8_t *input;
70  size_t input_size; /**< if 0 strlen will be used */
71  int direction; /**< STREAM_TOSERVER, STREAM_TOCLIENT */
72  int expect;
73 };
74 
75 static int RunTest(struct TestSteps *steps, const char *sig, const char *yaml)
76 {
77  TcpSession ssn;
78  Flow f;
79  ThreadVars th_v;
80  DetectEngineThreadCtx *det_ctx = NULL;
81  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
82  FAIL_IF_NULL(alp_tctx);
83 
84  memset(&th_v, 0, sizeof(th_v));
85  memset(&f, 0, sizeof(f));
86  memset(&ssn, 0, sizeof(ssn));
87 
88  if (yaml) {
89  ConfCreateContextBackup();
90  ConfInit();
91  HtpConfigCreateBackup();
92 
93  ConfYamlLoadString(yaml, strlen(yaml));
94  HTPConfigure();
95  EngineModeSetIPS();
96  }
97 
98  StreamTcpInitConfig(true);
99 
100  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
101  FAIL_IF_NULL(de_ctx);
102  de_ctx->flags |= DE_QUIET;
103 
104  FLOW_INITIALIZE(&f);
105  f.protoctx = (void *)&ssn;
106  f.proto = IPPROTO_TCP;
107  f.flags |= FLOW_IPV4;
108  f.alproto = ALPROTO_HTTP1;
109 
110  SCLogDebug("sig %s", sig);
111  Signature *s = DetectEngineAppendSig(de_ctx, (char *)sig);
112  FAIL_IF_NULL(s);
113 
114  SigGroupBuild(de_ctx);
115  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
116  FAIL_IF_NULL(det_ctx);
117 
118  struct TestSteps *b = steps;
119  int i = 0;
120  while (b->input != NULL) {
121  SCLogDebug("chunk %p %d", b, i);
122  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
123  FAIL_IF_NULL(p);
124  p->flow = &f;
125  p->flowflags = (b->direction == STREAM_TOSERVER) ? FLOW_PKT_TOSERVER : FLOW_PKT_TOCLIENT;
126  p->flowflags |= FLOW_PKT_ESTABLISHED;
127  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
128 
129  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, b->direction,
130  (uint8_t *)b->input,
131  b->input_size ? b->input_size : strlen((const char *)b->input));
132  FAIL_IF_NOT(r == 0);
133 
134  /* do detect */
135  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
136 
137  int match = PacketAlertCheck(p, 1);
138  FAIL_IF_NOT(b->expect == match);
139 
140  UTHFreePackets(&p, 1);
141  b++;
142  i++;
143  }
144 
145  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
146  AppLayerParserThreadCtxFree(alp_tctx);
147  DetectEngineCtxFree(de_ctx);
148 
149  StreamTcpFreeConfig(true);
150  FLOW_DESTROY(&f);
151 
152  if (yaml) {
153  HtpConfigRestoreBackup();
154  ConfRestoreContextBackup();
155  EngineModeSetIDS();
156  }
157  PASS;
158 }
159 
160 static int DetectEngineHttpServerBodyTest01(void)
161 {
162  TcpSession ssn;
163  Packet *p1 = NULL;
164  Packet *p2 = NULL;
165  ThreadVars th_v;
166  DetectEngineCtx *de_ctx = NULL;
167  DetectEngineThreadCtx *det_ctx = NULL;
168  HtpState *http_state = NULL;
169  Flow f;
170  uint8_t http_buf1[] =
171  "GET /index.html HTTP/1.0\r\n"
172  "Host: www.openinfosecfoundation.org\r\n"
173  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
174  "\r\n";
175  uint32_t http_len1 = sizeof(http_buf1) - 1;
176  uint8_t http_buf2[] =
177  "HTTP/1.0 200 ok\r\n"
178  "Content-Type: text/html\r\n"
179  "Content-Length: 7\r\n"
180  "\r\n"
181  "message";
182  uint32_t http_len2 = sizeof(http_buf2) - 1;
183  int result = 0;
184  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
185 
186  memset(&th_v, 0, sizeof(th_v));
187  memset(&f, 0, sizeof(f));
188  memset(&ssn, 0, sizeof(ssn));
189 
190  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
191  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
192 
193  FLOW_INITIALIZE(&f);
194  f.protoctx = (void *)&ssn;
195  f.proto = IPPROTO_TCP;
196  f.flags |= FLOW_IPV4;
197 
198  p1->flow = &f;
199  p1->flowflags |= FLOW_PKT_TOSERVER;
200  p1->flowflags |= FLOW_PKT_ESTABLISHED;
201  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
202  p2->flow = &f;
203  p2->flowflags |= FLOW_PKT_TOCLIENT;
204  p2->flowflags |= FLOW_PKT_ESTABLISHED;
205  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
206  f.alproto = ALPROTO_HTTP1;
207 
208  StreamTcpInitConfig(true);
209 
210  de_ctx = DetectEngineCtxInit();
211  if (de_ctx == NULL)
212  goto end;
213 
214  de_ctx->flags |= DE_QUIET;
215 
216  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
217  "(msg:\"http server body test\"; "
218  "content:\"message\"; http_server_body; "
219  "sid:1;)");
220  if (de_ctx->sig_list == NULL)
221  goto end;
222 
223  SigGroupBuild(de_ctx);
224  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
225 
226  int r = AppLayerParserParse(
227  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
228  if (r != 0) {
229  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
230  result = 0;
231  goto end;
232  }
233 
234  http_state = f.alstate;
235  if (http_state == NULL) {
236  printf("no http state: \n");
237  result = 0;
238  goto end;
239  }
240 
241  /* do detect */
242  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
243 
244  if ((PacketAlertCheck(p1, 1))) {
245  printf("sid 1 matched but shouldn't have\n");
246  goto end;
247  }
248 
249  r = AppLayerParserParse(
250  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
251  if (r != 0) {
252  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
253  result = 0;
254  goto end;
255  }
256 
257  /* do detect */
258  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
259 
260  if (!(PacketAlertCheck(p2, 1))) {
261  printf("sid 1 didn't match but should have");
262  goto end;
263  }
264 
265  result = 1;
266 
267 end:
268  if (alp_tctx != NULL)
269  AppLayerParserThreadCtxFree(alp_tctx);
270  if (de_ctx != NULL)
271  DetectEngineCtxFree(de_ctx);
272 
273  StreamTcpFreeConfig(true);
274  FLOW_DESTROY(&f);
275  UTHFreePackets(&p1, 1);
276  UTHFreePackets(&p2, 1);
277  return result;
278 }
279 
280 static int DetectEngineHttpServerBodyTest02(void)
281 {
282  TcpSession ssn;
283  Packet *p1 = NULL;
284  ThreadVars th_v;
285  DetectEngineCtx *de_ctx = NULL;
286  DetectEngineThreadCtx *det_ctx = NULL;
287  HtpState *http_state = NULL;
288  Flow f;
289  uint8_t http_buf1[] =
290  "GET /index.html HTTP/1.0\r\n"
291  "Host: www.openinfosecfoundation.org\r\n"
292  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
293  "\r\n";
294  uint32_t http_len1 = sizeof(http_buf1) - 1;
295  uint8_t http_buf2[] =
296  "HTTP/1.0 200 ok\r\n"
297  "Content-Type: text/html\r\n"
298  "Content-Length: 7\r\n"
299  "\r\n"
300  "xxxxABC";
301  uint32_t http_len2 = sizeof(http_buf2) - 1;
302  int result = 0;
303  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
304 
305  memset(&th_v, 0, sizeof(th_v));
306  memset(&f, 0, sizeof(f));
307  memset(&ssn, 0, sizeof(ssn));
308 
309  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
310 
311  FLOW_INITIALIZE(&f);
312  f.protoctx = (void *)&ssn;
313  f.proto = IPPROTO_TCP;
314  f.flags |= FLOW_IPV4;
315 
316  p1->flow = &f;
317  p1->flowflags |= FLOW_PKT_TOCLIENT;
318  p1->flowflags |= FLOW_PKT_ESTABLISHED;
319  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
320  f.alproto = ALPROTO_HTTP1;
321 
322  StreamTcpInitConfig(true);
323 
324  de_ctx = DetectEngineCtxInit();
325  if (de_ctx == NULL)
326  goto end;
327 
328  de_ctx->flags |= DE_QUIET;
329 
330  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
331  "(msg:\"http server body test\"; "
332  "content:\"ABC\"; http_server_body; offset:4; "
333  "sid:1;)");
334  if (de_ctx->sig_list == NULL)
335  goto end;
336 
337  SigGroupBuild(de_ctx);
338  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
339 
340  int r = AppLayerParserParse(
341  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
342  if (r != 0) {
343  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
344  result = 0;
345  goto end;
346  }
347 
348  r = AppLayerParserParse(
349  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
350  if (r != 0) {
351  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
352  result = 0;
353  goto end;
354  }
355 
356  http_state = f.alstate;
357  if (http_state == NULL) {
358  printf("no http state: \n");
359  result = 0;
360  goto end;
361  }
362 
363  /* do detect */
364  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
365 
366  if (!(PacketAlertCheck(p1, 1))) {
367  printf("sid 1 didn't match but should have\n");
368  goto end;
369  }
370 
371  result = 1;
372 
373 end:
374  if (alp_tctx != NULL)
375  AppLayerParserThreadCtxFree(alp_tctx);
376  if (de_ctx != NULL)
377  DetectEngineCtxFree(de_ctx);
378 
379  StreamTcpFreeConfig(true);
380  FLOW_DESTROY(&f);
381  UTHFreePackets(&p1, 1);
382  return result;
383 }
384 
385 static int DetectEngineHttpServerBodyTest03(void)
386 {
387  TcpSession ssn;
388  Packet *p1 = NULL;
389  Packet *p2 = NULL;
390  ThreadVars th_v;
391  DetectEngineCtx *de_ctx = NULL;
392  DetectEngineThreadCtx *det_ctx = NULL;
393  HtpState *http_state = NULL;
394  Flow f;
395  int result = 0;
396  uint8_t http_buf1[] =
397  "GET /index.html HTTP/1.0\r\n"
398  "Host: www.openinfosecfoundation.org\r\n"
399  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
400  "\r\n";
401  uint32_t http_len1 = sizeof(http_buf1) - 1;
402  uint8_t http_buf2[] =
403  "HTTP/1.0 200 ok\r\n"
404  "Content-Type: text/html\r\n"
405  "Content-Length: 17\r\n"
406  "\r\n"
407  "1234567";
408  uint32_t http_len2 = sizeof(http_buf2) - 1;
409  uint8_t http_buf3[] =
410  "8901234ABC";
411  uint32_t http_len3 = sizeof(http_buf3) - 1;
412  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
413 
414  memset(&th_v, 0, sizeof(th_v));
415  memset(&f, 0, sizeof(f));
416  memset(&ssn, 0, sizeof(ssn));
417 
418  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
419  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
420 
421  FLOW_INITIALIZE(&f);
422  f.protoctx = (void *)&ssn;
423  f.proto = IPPROTO_TCP;
424  f.flags |= FLOW_IPV4;
425 
426  p1->flow = &f;
427  p1->flowflags |= FLOW_PKT_TOSERVER;
428  p1->flowflags |= FLOW_PKT_ESTABLISHED;
429  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
430  p2->flow = &f;
431  p2->flowflags |= FLOW_PKT_TOCLIENT;
432  p2->flowflags |= FLOW_PKT_ESTABLISHED;
433  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
434  f.alproto = ALPROTO_HTTP1;
435 
436  StreamTcpInitConfig(true);
437 
438  de_ctx = DetectEngineCtxInit();
439  if (de_ctx == NULL)
440  goto end;
441 
442  de_ctx->flags |= DE_QUIET;
443 
444  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
445  "(msg:\"http server body test\"; "
446  "content:\"ABC\"; http_server_body; offset:14; "
447  "sid:1;)");
448  if (de_ctx->sig_list == NULL)
449  goto end;
450 
451  SigGroupBuild(de_ctx);
452  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
453 
454  int r = AppLayerParserParse(
455  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
456  if (r != 0) {
457  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
458  result = 0;
459  goto end;
460  }
461 
462  http_state = f.alstate;
463  if (http_state == NULL) {
464  printf("no http state: \n");
465  result = 0;
466  goto end;
467  }
468 
469  /* do detect */
470  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
471 
472  if (PacketAlertCheck(p1, 1)) {
473  printf("sid 1 matched but shouldn't have\n");
474  goto end;
475  }
476 
477  r = AppLayerParserParse(
478  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
479  if (r != 0) {
480  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
481  result = 0;
482  goto end;
483  }
484 
485  r = AppLayerParserParse(
486  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
487  if (r != 0) {
488  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
489  result = 0;
490  goto end;
491  }
492 
493  /* do detect */
494  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
495 
496  if (!(PacketAlertCheck(p2, 1))) {
497  printf("sid 1 didn't match but should have");
498  goto end;
499  }
500 
501  result = 1;
502 
503 end:
504  if (alp_tctx != NULL)
505  AppLayerParserThreadCtxFree(alp_tctx);
506  if (de_ctx != NULL)
507  DetectEngineCtxFree(de_ctx);
508 
509  StreamTcpFreeConfig(true);
510  FLOW_DESTROY(&f);
511  UTHFreePackets(&p1, 1);
512  UTHFreePackets(&p2, 1);
513  return result;
514 }
515 
516 static int DetectEngineHttpServerBodyTest04(void)
517 {
518  TcpSession ssn;
519  Packet *p1 = NULL;
520  Packet *p2 = NULL;
521  ThreadVars th_v;
522  DetectEngineCtx *de_ctx = NULL;
523  DetectEngineThreadCtx *det_ctx = NULL;
524  HtpState *http_state = NULL;
525  Flow f;
526  uint8_t http_buf1[] =
527  "GET /index.html HTTP/1.0\r\n"
528  "Host: www.openinfosecfoundation.org\r\n"
529  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
530  "\r\n";
531  uint32_t http_len1 = sizeof(http_buf1) - 1;
532  uint8_t http_buf2[] =
533  "HTTP/1.0 200 ok\r\n"
534  "Content-Type: text/html\r\n"
535  "Content-Length: 6\r\n"
536  "\r\n"
537  "abcdef";
538  uint32_t http_len2 = sizeof(http_buf2) - 1;
539  int result = 0;
540  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
541 
542  memset(&th_v, 0, sizeof(th_v));
543  memset(&f, 0, sizeof(f));
544  memset(&ssn, 0, sizeof(ssn));
545 
546  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
547  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
548 
549  FLOW_INITIALIZE(&f);
550  f.protoctx = (void *)&ssn;
551  f.proto = IPPROTO_TCP;
552  f.flags |= FLOW_IPV4;
553 
554  p1->flow = &f;
555  p1->flowflags |= FLOW_PKT_TOSERVER;
556  p1->flowflags |= FLOW_PKT_ESTABLISHED;
557  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
558  p2->flow = &f;
559  p2->flowflags |= FLOW_PKT_TOCLIENT;
560  p2->flowflags |= FLOW_PKT_ESTABLISHED;
561  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
562  f.alproto = ALPROTO_HTTP1;
563 
564  StreamTcpInitConfig(true);
565 
566  de_ctx = DetectEngineCtxInit();
567  if (de_ctx == NULL)
568  goto end;
569 
570  de_ctx->flags |= DE_QUIET;
571 
572  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
573  "(msg:\"http server body test\"; "
574  "content:!\"abc\"; http_server_body; offset:3; "
575  "sid:1;)");
576  if (de_ctx->sig_list == NULL)
577  goto end;
578 
579  SigGroupBuild(de_ctx);
580  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
581 
582  int r = AppLayerParserParse(
583  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
584  if (r != 0) {
585  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
586  result = 0;
587  goto end;
588  }
589 
590  http_state = f.alstate;
591  if (http_state == NULL) {
592  printf("no http state: \n");
593  result = 0;
594  goto end;
595  }
596 
597  /* do detect */
598  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
599 
600  if (PacketAlertCheck(p1, 1)) {
601  printf("sid 1 matched but shouldn't have: ");
602  goto end;
603  }
604 
605  r = AppLayerParserParse(
606  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
607  if (r != 0) {
608  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
609  result = 0;
610  goto end;
611  }
612 
613  /* do detect */
614  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
615 
616  if (!PacketAlertCheck(p2, 1)) {
617  printf("sid 1 didn't match but should have: ");
618  goto end;
619  }
620 
621  result = 1;
622 
623 end:
624  if (alp_tctx != NULL)
625  AppLayerParserThreadCtxFree(alp_tctx);
626  if (de_ctx != NULL)
627  DetectEngineCtxFree(de_ctx);
628 
629  StreamTcpFreeConfig(true);
630  FLOW_DESTROY(&f);
631  UTHFreePackets(&p1, 1);
632  UTHFreePackets(&p2, 1);
633  return result;
634 }
635 
636 static int DetectEngineHttpServerBodyTest05(void)
637 {
638  TcpSession ssn;
639  Packet *p1 = NULL;
640  Packet *p2 = NULL;
641  ThreadVars th_v;
642  DetectEngineCtx *de_ctx = NULL;
643  DetectEngineThreadCtx *det_ctx = NULL;
644  HtpState *http_state = NULL;
645  Flow f;
646  uint8_t http_buf1[] =
647  "GET /index.html HTTP/1.0\r\n"
648  "Host: www.openinfosecfoundation.org\r\n"
649  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
650  "\r\n";
651  uint32_t http_len1 = sizeof(http_buf1) - 1;
652  uint8_t http_buf2[] =
653  "HTTP/1.0 200 ok\r\n"
654  "Content-Type: text/html\r\n"
655  "Content-Length: 6\r\n"
656  "\r\n"
657  "abcdef";
658  uint32_t http_len2 = sizeof(http_buf2) - 1;
659  int result = 0;
660  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
661 
662  memset(&th_v, 0, sizeof(th_v));
663  memset(&f, 0, sizeof(f));
664  memset(&ssn, 0, sizeof(ssn));
665 
666  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
667  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
668 
669  FLOW_INITIALIZE(&f);
670  f.protoctx = (void *)&ssn;
671  f.proto = IPPROTO_TCP;
672  f.flags |= FLOW_IPV4;
673 
674  p1->flow = &f;
675  p1->flowflags |= FLOW_PKT_TOSERVER;
676  p1->flowflags |= FLOW_PKT_ESTABLISHED;
677  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
678  p2->flow = &f;
679  p2->flowflags |= FLOW_PKT_TOCLIENT;
680  p2->flowflags |= FLOW_PKT_ESTABLISHED;
681  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
682  f.alproto = ALPROTO_HTTP1;
683 
684  StreamTcpInitConfig(true);
685 
686  de_ctx = DetectEngineCtxInit();
687  if (de_ctx == NULL)
688  goto end;
689 
690  de_ctx->flags |= DE_QUIET;
691 
692  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
693  "(msg:\"http server body test\"; "
694  "content:\"abc\"; http_server_body; depth:3; "
695  "sid:1;)");
696  if (de_ctx->sig_list == NULL)
697  goto end;
698 
699  SigGroupBuild(de_ctx);
700  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
701 
702  int r = AppLayerParserParse(
703  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
704  if (r != 0) {
705  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
706  result = 0;
707  goto end;
708  }
709 
710  http_state = f.alstate;
711  if (http_state == NULL) {
712  printf("no http state: \n");
713  result = 0;
714  goto end;
715  }
716 
717  /* do detect */
718  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
719 
720  if (PacketAlertCheck(p1, 1)) {
721  printf("sid 1 matched but shouldn't have: ");
722  goto end;
723  }
724 
725  r = AppLayerParserParse(
726  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
727  if (r != 0) {
728  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
729  result = 0;
730  goto end;
731  }
732 
733  /* do detect */
734  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
735 
736  if (!PacketAlertCheck(p2, 1)) {
737  printf("sid 1 didn't match but should have: ");
738  goto end;
739  }
740 
741  result = 1;
742 
743 end:
744  if (alp_tctx != NULL)
745  AppLayerParserThreadCtxFree(alp_tctx);
746  if (de_ctx != NULL)
747  DetectEngineCtxFree(de_ctx);
748 
749  StreamTcpFreeConfig(true);
750  FLOW_DESTROY(&f);
751  UTHFreePackets(&p1, 1);
752  UTHFreePackets(&p2, 1);
753  return result;
754 }
755 
756 static int DetectEngineHttpServerBodyTest06(void)
757 {
758  TcpSession ssn;
759  Packet *p1 = NULL;
760  Packet *p2 = NULL;
761  ThreadVars th_v;
762  DetectEngineCtx *de_ctx = NULL;
763  DetectEngineThreadCtx *det_ctx = NULL;
764  HtpState *http_state = NULL;
765  Flow f;
766  uint8_t http_buf1[] =
767  "GET /index.html HTTP/1.0\r\n"
768  "Host: www.openinfosecfoundation.org\r\n"
769  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
770  "\r\n";
771  uint32_t http_len1 = sizeof(http_buf1) - 1;
772  uint8_t http_buf2[] =
773  "HTTP/1.0 200 ok\r\n"
774  "Content-Type: text/html\r\n"
775  "Content-Length: 6\r\n"
776  "\r\n"
777  "abcdef";
778  uint32_t http_len2 = sizeof(http_buf2) - 1;
779  int result = 0;
780  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
781 
782  memset(&th_v, 0, sizeof(th_v));
783  memset(&f, 0, sizeof(f));
784  memset(&ssn, 0, sizeof(ssn));
785 
786  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
787  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
788 
789  FLOW_INITIALIZE(&f);
790  f.protoctx = (void *)&ssn;
791  f.proto = IPPROTO_TCP;
792  f.flags |= FLOW_IPV4;
793 
794  p1->flow = &f;
795  p1->flowflags |= FLOW_PKT_TOSERVER;
796  p1->flowflags |= FLOW_PKT_ESTABLISHED;
797  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
798  p2->flow = &f;
799  p2->flowflags |= FLOW_PKT_TOCLIENT;
800  p2->flowflags |= FLOW_PKT_ESTABLISHED;
801  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
802  f.alproto = ALPROTO_HTTP1;
803 
804  StreamTcpInitConfig(true);
805 
806  de_ctx = DetectEngineCtxInit();
807  if (de_ctx == NULL)
808  goto end;
809 
810  de_ctx->flags |= DE_QUIET;
811 
812  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
813  "(msg:\"http server body test\"; "
814  "content:!\"def\"; http_server_body; depth:3; "
815  "sid:1;)");
816  if (de_ctx->sig_list == NULL)
817  goto end;
818 
819  SigGroupBuild(de_ctx);
820  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
821 
822  int r = AppLayerParserParse(
823  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
824  if (r != 0) {
825  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
826  result = 0;
827  goto end;
828  }
829 
830  http_state = f.alstate;
831  if (http_state == NULL) {
832  printf("no http state: \n");
833  result = 0;
834  goto end;
835  }
836 
837  /* do detect */
838  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
839 
840  if (PacketAlertCheck(p1, 1)) {
841  printf("sid 1 matched but shouldn't have: ");
842  goto end;
843  }
844 
845  r = AppLayerParserParse(
846  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
847  if (r != 0) {
848  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
849  result = 0;
850  goto end;
851  }
852 
853  /* do detect */
854  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
855 
856  if (!PacketAlertCheck(p2, 1)) {
857  printf("sid 1 didn't match but should have: ");
858  goto end;
859  }
860 
861  result = 1;
862 
863 end:
864  if (alp_tctx != NULL)
865  AppLayerParserThreadCtxFree(alp_tctx);
866  if (de_ctx != NULL)
867  DetectEngineCtxFree(de_ctx);
868 
869  StreamTcpFreeConfig(true);
870  FLOW_DESTROY(&f);
871  UTHFreePackets(&p1, 1);
872  UTHFreePackets(&p2, 1);
873  return result;
874 }
875 
876 static int DetectEngineHttpServerBodyTest07(void)
877 {
878  TcpSession ssn;
879  Packet *p1 = NULL;
880  Packet *p2 = NULL;
881  ThreadVars th_v;
882  DetectEngineCtx *de_ctx = NULL;
883  DetectEngineThreadCtx *det_ctx = NULL;
884  HtpState *http_state = NULL;
885  Flow f;
886  uint8_t http_buf1[] =
887  "GET /index.html HTTP/1.0\r\n"
888  "Host: www.openinfosecfoundation.org\r\n"
889  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
890  "\r\n";
891  uint32_t http_len1 = sizeof(http_buf1) - 1;
892  uint8_t http_buf2[] =
893  "HTTP/1.0 200 ok\r\n"
894  "Content-Type: text/html\r\n"
895  "Content-Length: 6\r\n"
896  "\r\n"
897  "abcdef";
898  uint32_t http_len2 = sizeof(http_buf2) - 1;
899  int result = 0;
900  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
901 
902  memset(&th_v, 0, sizeof(th_v));
903  memset(&f, 0, sizeof(f));
904  memset(&ssn, 0, sizeof(ssn));
905 
906  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
907  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
908 
909  FLOW_INITIALIZE(&f);
910  f.protoctx = (void *)&ssn;
911  f.proto = IPPROTO_TCP;
912  f.flags |= FLOW_IPV4;
913 
914  p1->flow = &f;
915  p1->flowflags |= FLOW_PKT_TOSERVER;
916  p1->flowflags |= FLOW_PKT_ESTABLISHED;
917  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
918  p2->flow = &f;
919  p2->flowflags |= FLOW_PKT_TOCLIENT;
920  p2->flowflags |= FLOW_PKT_ESTABLISHED;
921  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
922  f.alproto = ALPROTO_HTTP1;
923 
924  StreamTcpInitConfig(true);
925 
926  de_ctx = DetectEngineCtxInit();
927  if (de_ctx == NULL)
928  goto end;
929 
930  de_ctx->flags |= DE_QUIET;
931 
932  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
933  "(msg:\"http server body test\"; "
934  "content:!\"def\"; http_server_body; offset:3; "
935  "sid:1;)");
936  if (de_ctx->sig_list == NULL)
937  goto end;
938 
939  SigGroupBuild(de_ctx);
940  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
941 
942  int r = AppLayerParserParse(
943  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
944  if (r != 0) {
945  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
946  result = 0;
947  goto end;
948  }
949 
950  http_state = f.alstate;
951  if (http_state == NULL) {
952  printf("no http state: \n");
953  result = 0;
954  goto end;
955  }
956 
957  /* do detect */
958  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
959 
960  if (PacketAlertCheck(p1, 1)) {
961  printf("sid 1 matched but shouldn't have: ");
962  goto end;
963  }
964 
965  r = AppLayerParserParse(
966  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
967  if (r != 0) {
968  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
969  result = 0;
970  goto end;
971  }
972 
973  /* do detect */
974  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
975 
976  if (PacketAlertCheck(p2, 1)) {
977  printf("sid 1 matched but shouldn't have: ");
978  goto end;
979  }
980 
981  result = 1;
982 
983 end:
984  if (alp_tctx != NULL)
985  AppLayerParserThreadCtxFree(alp_tctx);
986  if (de_ctx != NULL)
987  DetectEngineCtxFree(de_ctx);
988 
989  StreamTcpFreeConfig(true);
990  FLOW_DESTROY(&f);
991  UTHFreePackets(&p1, 1);
992  UTHFreePackets(&p2, 1);
993  return result;
994 }
995 
996 static int DetectEngineHttpServerBodyTest08(void)
997 {
998  TcpSession ssn;
999  Packet *p1 = NULL;
1000  Packet *p2 = NULL;
1001  ThreadVars th_v;
1002  DetectEngineCtx *de_ctx = NULL;
1003  DetectEngineThreadCtx *det_ctx = NULL;
1004  HtpState *http_state = NULL;
1005  Flow f;
1006  uint8_t http_buf1[] =
1007  "GET /index.html HTTP/1.0\r\n"
1008  "Host: www.openinfosecfoundation.org\r\n"
1009  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1010  "\r\n";
1011  uint32_t http_len1 = sizeof(http_buf1) - 1;
1012  uint8_t http_buf2[] =
1013  "HTTP/1.0 200 ok\r\n"
1014  "Content-Type: text/html\r\n"
1015  "Content-Length: 6\r\n"
1016  "\r\n"
1017  "abcdef";
1018  uint32_t http_len2 = sizeof(http_buf2) - 1;
1019  int result = 0;
1020  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1021 
1022  memset(&th_v, 0, sizeof(th_v));
1023  memset(&f, 0, sizeof(f));
1024  memset(&ssn, 0, sizeof(ssn));
1025 
1026  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1027  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1028 
1029  FLOW_INITIALIZE(&f);
1030  f.protoctx = (void *)&ssn;
1031  f.proto = IPPROTO_TCP;
1032  f.flags |= FLOW_IPV4;
1033 
1034  p1->flow = &f;
1035  p1->flowflags |= FLOW_PKT_TOSERVER;
1036  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1037  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1038  p2->flow = &f;
1039  p2->flowflags |= FLOW_PKT_TOCLIENT;
1040  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1041  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1042  f.alproto = ALPROTO_HTTP1;
1043 
1044  StreamTcpInitConfig(true);
1045 
1046  de_ctx = DetectEngineCtxInit();
1047  if (de_ctx == NULL)
1048  goto end;
1049 
1050  de_ctx->flags |= DE_QUIET;
1051 
1052  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1053  "(msg:\"http server body test\"; "
1054  "content:!\"abc\"; http_server_body; depth:3; "
1055  "sid:1;)");
1056  if (de_ctx->sig_list == NULL)
1057  goto end;
1058 
1059  SigGroupBuild(de_ctx);
1060  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1061 
1062  int r = AppLayerParserParse(
1063  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1064  if (r != 0) {
1065  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1066  result = 0;
1067  goto end;
1068  }
1069 
1070  http_state = f.alstate;
1071  if (http_state == NULL) {
1072  printf("no http state: \n");
1073  result = 0;
1074  goto end;
1075  }
1076 
1077  /* do detect */
1078  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1079 
1080  if (PacketAlertCheck(p1, 1)) {
1081  printf("sid 1 matched but shouldn't have: ");
1082  goto end;
1083  }
1084 
1085  r = AppLayerParserParse(
1086  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1087  if (r != 0) {
1088  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1089  result = 0;
1090  goto end;
1091  }
1092 
1093  /* do detect */
1094  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1095 
1096  if (PacketAlertCheck(p2, 1)) {
1097  printf("sid 1 matched but shouldn't have: ");
1098  goto end;
1099  }
1100 
1101  result = 1;
1102 
1103 end:
1104  if (alp_tctx != NULL)
1105  AppLayerParserThreadCtxFree(alp_tctx);
1106  if (de_ctx != NULL)
1107  DetectEngineCtxFree(de_ctx);
1108 
1109  StreamTcpFreeConfig(true);
1110  FLOW_DESTROY(&f);
1111  UTHFreePackets(&p1, 1);
1112  UTHFreePackets(&p2, 1);
1113  return result;
1114 }
1115 
1116 static int DetectEngineHttpServerBodyTest09(void)
1117 {
1118  TcpSession ssn;
1119  Packet *p1 = NULL;
1120  Packet *p2 = NULL;
1121  ThreadVars th_v;
1122  DetectEngineCtx *de_ctx = NULL;
1123  DetectEngineThreadCtx *det_ctx = NULL;
1124  HtpState *http_state = NULL;
1125  Flow f;
1126  uint8_t http_buf1[] =
1127  "GET /index.html HTTP/1.0\r\n"
1128  "Host: www.openinfosecfoundation.org\r\n"
1129  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1130  "\r\n";
1131  uint32_t http_len1 = sizeof(http_buf1) - 1;
1132  uint8_t http_buf2[] =
1133  "HTTP/1.0 200 ok\r\n"
1134  "Content-Type: text/html\r\n"
1135  "Content-Length: 6\r\n"
1136  "\r\n"
1137  "abcdef";
1138  uint32_t http_len2 = sizeof(http_buf2) - 1;
1139  int result = 0;
1140  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1141 
1142  memset(&th_v, 0, sizeof(th_v));
1143  memset(&f, 0, sizeof(f));
1144  memset(&ssn, 0, sizeof(ssn));
1145 
1146  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1147  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1148 
1149  FLOW_INITIALIZE(&f);
1150  f.protoctx = (void *)&ssn;
1151  f.proto = IPPROTO_TCP;
1152  f.flags |= FLOW_IPV4;
1153 
1154  p1->flow = &f;
1155  p1->flowflags |= FLOW_PKT_TOSERVER;
1156  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1157  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1158  p2->flow = &f;
1159  p2->flowflags |= FLOW_PKT_TOCLIENT;
1160  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1161  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1162  f.alproto = ALPROTO_HTTP1;
1163 
1164  StreamTcpInitConfig(true);
1165 
1166  de_ctx = DetectEngineCtxInit();
1167  if (de_ctx == NULL)
1168  goto end;
1169 
1170  de_ctx->flags |= DE_QUIET;
1171 
1172  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1173  "(msg:\"http server body test\"; "
1174  "content:\"abc\"; http_server_body; depth:3; "
1175  "content:\"def\"; http_server_body; within:3; "
1176  "sid:1;)");
1177  if (de_ctx->sig_list == NULL)
1178  goto end;
1179 
1180  SigGroupBuild(de_ctx);
1181  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1182 
1183  int r = AppLayerParserParse(
1184  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1185  if (r != 0) {
1186  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1187  result = 0;
1188  goto end;
1189  }
1190 
1191  http_state = f.alstate;
1192  if (http_state == NULL) {
1193  printf("no http state: \n");
1194  result = 0;
1195  goto end;
1196  }
1197 
1198  /* do detect */
1199  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1200 
1201  if (PacketAlertCheck(p1, 1)) {
1202  printf("sid 1 matched but shouldn't have: ");
1203  goto end;
1204  }
1205 
1206  r = AppLayerParserParse(
1207  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1208  if (r != 0) {
1209  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1210  result = 0;
1211  goto end;
1212  }
1213 
1214  /* do detect */
1215  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1216 
1217  if (!PacketAlertCheck(p2, 1)) {
1218  printf("sid 1 didn't match but should have: ");
1219  goto end;
1220  }
1221 
1222  result = 1;
1223 
1224 end:
1225  if (alp_tctx != NULL)
1226  AppLayerParserThreadCtxFree(alp_tctx);
1227  if (de_ctx != NULL)
1228  DetectEngineCtxFree(de_ctx);
1229 
1230  StreamTcpFreeConfig(true);
1231  FLOW_DESTROY(&f);
1232  UTHFreePackets(&p1, 1);
1233  UTHFreePackets(&p2, 1);
1234  return result;
1235 }
1236 
1237 static int DetectEngineHttpServerBodyTest10(void)
1238 {
1239  TcpSession ssn;
1240  Packet *p1 = NULL;
1241  Packet *p2 = NULL;
1242  ThreadVars th_v;
1243  DetectEngineCtx *de_ctx = NULL;
1244  DetectEngineThreadCtx *det_ctx = NULL;
1245  HtpState *http_state = NULL;
1246  Flow f;
1247  uint8_t http_buf1[] =
1248  "GET /index.html HTTP/1.0\r\n"
1249  "Host: www.openinfosecfoundation.org\r\n"
1250  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1251  "\r\n";
1252  uint32_t http_len1 = sizeof(http_buf1) - 1;
1253  uint8_t http_buf2[] =
1254  "HTTP/1.0 200 ok\r\n"
1255  "Content-Type: text/html\r\n"
1256  "Content-Length: 6\r\n"
1257  "\r\n"
1258  "abcdef";
1259  uint32_t http_len2 = sizeof(http_buf2) - 1;
1260  int result = 0;
1261  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1262 
1263  memset(&th_v, 0, sizeof(th_v));
1264  memset(&f, 0, sizeof(f));
1265  memset(&ssn, 0, sizeof(ssn));
1266 
1267  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1268  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1269 
1270  FLOW_INITIALIZE(&f);
1271  f.protoctx = (void *)&ssn;
1272  f.proto = IPPROTO_TCP;
1273  f.flags |= FLOW_IPV4;
1274 
1275  p1->flow = &f;
1276  p1->flowflags |= FLOW_PKT_TOSERVER;
1277  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1278  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1279  p2->flow = &f;
1280  p2->flowflags |= FLOW_PKT_TOCLIENT;
1281  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1282  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1283  f.alproto = ALPROTO_HTTP1;
1284 
1285  StreamTcpInitConfig(true);
1286 
1287  de_ctx = DetectEngineCtxInit();
1288  if (de_ctx == NULL)
1289  goto end;
1290 
1291  de_ctx->flags |= DE_QUIET;
1292 
1293  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1294  "(msg:\"http server body test\"; "
1295  "content:\"abc\"; http_server_body; depth:3; "
1296  "content:!\"xyz\"; http_server_body; within:3; "
1297  "sid:1;)");
1298  if (de_ctx->sig_list == NULL)
1299  goto end;
1300 
1301  SigGroupBuild(de_ctx);
1302  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1303 
1304  int r = AppLayerParserParse(
1305  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1306  if (r != 0) {
1307  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1308  result = 0;
1309  goto end;
1310  }
1311 
1312  http_state = f.alstate;
1313  if (http_state == NULL) {
1314  printf("no http state: \n");
1315  result = 0;
1316  goto end;
1317  }
1318 
1319  /* do detect */
1320  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1321 
1322  if (PacketAlertCheck(p1, 1)) {
1323  printf("sid 1 matched but shouldn't have: ");
1324  goto end;
1325  }
1326 
1327  r = AppLayerParserParse(
1328  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1329  if (r != 0) {
1330  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1331  result = 0;
1332  goto end;
1333  }
1334 
1335  /* do detect */
1336  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1337 
1338  if (!PacketAlertCheck(p2, 1)) {
1339  printf("sid 1 didn't match but should have: ");
1340  goto end;
1341  }
1342 
1343  result = 1;
1344 
1345 end:
1346  if (alp_tctx != NULL)
1347  AppLayerParserThreadCtxFree(alp_tctx);
1348  if (de_ctx != NULL)
1349  DetectEngineCtxFree(de_ctx);
1350 
1351  StreamTcpFreeConfig(true);
1352  FLOW_DESTROY(&f);
1353  UTHFreePackets(&p1, 1);
1354  UTHFreePackets(&p2, 1);
1355  return result;
1356 }
1357 
1358 static int DetectEngineHttpServerBodyTest11(void)
1359 {
1360  TcpSession ssn;
1361  Packet *p1 = NULL;
1362  Packet *p2 = NULL;
1363  ThreadVars th_v;
1364  DetectEngineCtx *de_ctx = NULL;
1365  DetectEngineThreadCtx *det_ctx = NULL;
1366  HtpState *http_state = NULL;
1367  Flow f;
1368  uint8_t http_buf1[] =
1369  "GET /index.html HTTP/1.0\r\n"
1370  "Host: www.openinfosecfoundation.org\r\n"
1371  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1372  "\r\n";
1373  uint32_t http_len1 = sizeof(http_buf1) - 1;
1374  uint8_t http_buf2[] =
1375  "HTTP/1.0 200 ok\r\n"
1376  "Content-Type: text/html\r\n"
1377  "Content-Length: 6\r\n"
1378  "\r\n"
1379  "abcdef";
1380  uint32_t http_len2 = sizeof(http_buf2) - 1;
1381  int result = 0;
1382  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1383 
1384  memset(&th_v, 0, sizeof(th_v));
1385  memset(&f, 0, sizeof(f));
1386  memset(&ssn, 0, sizeof(ssn));
1387 
1388  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1389  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1390 
1391  FLOW_INITIALIZE(&f);
1392  f.protoctx = (void *)&ssn;
1393  f.proto = IPPROTO_TCP;
1394  f.flags |= FLOW_IPV4;
1395 
1396  p1->flow = &f;
1397  p1->flowflags |= FLOW_PKT_TOSERVER;
1398  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1399  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1400  p2->flow = &f;
1401  p2->flowflags |= FLOW_PKT_TOCLIENT;
1402  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1403  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1404  f.alproto = ALPROTO_HTTP1;
1405 
1406  StreamTcpInitConfig(true);
1407 
1408  de_ctx = DetectEngineCtxInit();
1409  if (de_ctx == NULL)
1410  goto end;
1411 
1412  de_ctx->flags |= DE_QUIET;
1413 
1414  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1415  "(msg:\"http server body test\"; "
1416  "content:\"abc\"; http_server_body; depth:3; "
1417  "content:\"xyz\"; http_server_body; within:3; "
1418  "sid:1;)");
1419  if (de_ctx->sig_list == NULL)
1420  goto end;
1421 
1422  SigGroupBuild(de_ctx);
1423  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1424 
1425  int r = AppLayerParserParse(
1426  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1427  if (r != 0) {
1428  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1429  result = 0;
1430  goto end;
1431  }
1432 
1433  http_state = f.alstate;
1434  if (http_state == NULL) {
1435  printf("no http state: \n");
1436  result = 0;
1437  goto end;
1438  }
1439 
1440  /* do detect */
1441  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1442 
1443  if (PacketAlertCheck(p1, 1)) {
1444  printf("sid 1 matched but shouldn't have: ");
1445  goto end;
1446  }
1447 
1448  r = AppLayerParserParse(
1449  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1450  if (r != 0) {
1451  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1452  result = 0;
1453  goto end;
1454  }
1455 
1456  /* do detect */
1457  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1458 
1459  if (PacketAlertCheck(p2, 1)) {
1460  printf("sid 1 did match but should not have: ");
1461  goto end;
1462  }
1463 
1464  result = 1;
1465 
1466 end:
1467  if (alp_tctx != NULL)
1468  AppLayerParserThreadCtxFree(alp_tctx);
1469  if (de_ctx != NULL)
1470  DetectEngineCtxFree(de_ctx);
1471 
1472  StreamTcpFreeConfig(true);
1473  FLOW_DESTROY(&f);
1474  UTHFreePackets(&p1, 1);
1475  UTHFreePackets(&p2, 1);
1476  return result;
1477 }
1478 
1479 static int DetectEngineHttpServerBodyTest12(void)
1480 {
1481  TcpSession ssn;
1482  Packet *p1 = NULL;
1483  Packet *p2 = NULL;
1484  ThreadVars th_v;
1485  DetectEngineCtx *de_ctx = NULL;
1486  DetectEngineThreadCtx *det_ctx = NULL;
1487  HtpState *http_state = NULL;
1488  Flow f;
1489  uint8_t http_buf1[] =
1490  "GET /index.html HTTP/1.0\r\n"
1491  "Host: www.openinfosecfoundation.org\r\n"
1492  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1493  "\r\n";
1494  uint32_t http_len1 = sizeof(http_buf1) - 1;
1495  uint8_t http_buf2[] =
1496  "HTTP/1.0 200 ok\r\n"
1497  "Content-Type: text/html\r\n"
1498  "Content-Length: 6\r\n"
1499  "\r\n"
1500  "abcdef";
1501  uint32_t http_len2 = sizeof(http_buf2) - 1;
1502  int result = 0;
1503  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1504 
1505  memset(&th_v, 0, sizeof(th_v));
1506  memset(&f, 0, sizeof(f));
1507  memset(&ssn, 0, sizeof(ssn));
1508 
1509  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1510  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1511 
1512  FLOW_INITIALIZE(&f);
1513  f.protoctx = (void *)&ssn;
1514  f.proto = IPPROTO_TCP;
1515  f.flags |= FLOW_IPV4;
1516 
1517  p1->flow = &f;
1518  p1->flowflags |= FLOW_PKT_TOSERVER;
1519  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1520  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1521  p2->flow = &f;
1522  p2->flowflags |= FLOW_PKT_TOCLIENT;
1523  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1524  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1525  f.alproto = ALPROTO_HTTP1;
1526 
1527  StreamTcpInitConfig(true);
1528 
1529  de_ctx = DetectEngineCtxInit();
1530  if (de_ctx == NULL)
1531  goto end;
1532 
1533  de_ctx->flags |= DE_QUIET;
1534 
1535  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1536  "(msg:\"http server body test\"; "
1537  "content:\"ab\"; http_server_body; depth:2; "
1538  "content:\"ef\"; http_server_body; distance:2; "
1539  "sid:1;)");
1540  if (de_ctx->sig_list == NULL)
1541  goto end;
1542 
1543  SigGroupBuild(de_ctx);
1544  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1545 
1546  int r = AppLayerParserParse(
1547  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1548  if (r != 0) {
1549  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1550  result = 0;
1551  goto end;
1552  }
1553 
1554  http_state = f.alstate;
1555  if (http_state == NULL) {
1556  printf("no http state: \n");
1557  result = 0;
1558  goto end;
1559  }
1560 
1561  /* do detect */
1562  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1563 
1564  if (PacketAlertCheck(p1, 1)) {
1565  printf("sid 1 matched but shouldn't have: ");
1566  goto end;
1567  }
1568 
1569  r = AppLayerParserParse(
1570  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1571  if (r != 0) {
1572  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1573  result = 0;
1574  goto end;
1575  }
1576 
1577  /* do detect */
1578  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1579 
1580  if (!PacketAlertCheck(p2, 1)) {
1581  printf("sid 1 did not match but should have: ");
1582  goto end;
1583  }
1584 
1585  result = 1;
1586 
1587 end:
1588  if (alp_tctx != NULL)
1589  AppLayerParserThreadCtxFree(alp_tctx);
1590  if (de_ctx != NULL)
1591  DetectEngineCtxFree(de_ctx);
1592 
1593  StreamTcpFreeConfig(true);
1594  FLOW_DESTROY(&f);
1595  UTHFreePackets(&p1, 1);
1596  UTHFreePackets(&p2, 1);
1597  return result;
1598 }
1599 
1600 static int DetectEngineHttpServerBodyTest13(void)
1601 {
1602  TcpSession ssn;
1603  Packet *p1 = NULL;
1604  Packet *p2 = NULL;
1605  ThreadVars th_v;
1606  DetectEngineCtx *de_ctx = NULL;
1607  DetectEngineThreadCtx *det_ctx = NULL;
1608  HtpState *http_state = NULL;
1609  Flow f;
1610  uint8_t http_buf1[] =
1611  "GET /index.html HTTP/1.0\r\n"
1612  "Host: www.openinfosecfoundation.org\r\n"
1613  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1614  "\r\n";
1615  uint32_t http_len1 = sizeof(http_buf1) - 1;
1616  uint8_t http_buf2[] =
1617  "HTTP/1.0 200 ok\r\n"
1618  "Content-Type: text/html\r\n"
1619  "Content-Length: 6\r\n"
1620  "\r\n"
1621  "abcdef";
1622  uint32_t http_len2 = sizeof(http_buf2) - 1;
1623  int result = 0;
1624  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1625 
1626  memset(&th_v, 0, sizeof(th_v));
1627  memset(&f, 0, sizeof(f));
1628  memset(&ssn, 0, sizeof(ssn));
1629 
1630  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1631  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1632 
1633  FLOW_INITIALIZE(&f);
1634  f.protoctx = (void *)&ssn;
1635  f.proto = IPPROTO_TCP;
1636  f.flags |= FLOW_IPV4;
1637 
1638  p1->flow = &f;
1639  p1->flowflags |= FLOW_PKT_TOSERVER;
1640  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1641  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1642  p2->flow = &f;
1643  p2->flowflags |= FLOW_PKT_TOCLIENT;
1644  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1645  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1646  f.alproto = ALPROTO_HTTP1;
1647 
1648  StreamTcpInitConfig(true);
1649 
1650  de_ctx = DetectEngineCtxInit();
1651  if (de_ctx == NULL)
1652  goto end;
1653 
1654  de_ctx->flags |= DE_QUIET;
1655 
1656  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1657  "(msg:\"http server body test\"; "
1658  "content:\"ab\"; http_server_body; depth:3; "
1659  "content:!\"yz\"; http_server_body; distance:2; "
1660  "sid:1;)");
1661  if (de_ctx->sig_list == NULL)
1662  goto end;
1663 
1664  SigGroupBuild(de_ctx);
1665  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1666 
1667  int r = AppLayerParserParse(
1668  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1669  if (r != 0) {
1670  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1671  result = 0;
1672  goto end;
1673  }
1674 
1675  http_state = f.alstate;
1676  if (http_state == NULL) {
1677  printf("no http state: \n");
1678  result = 0;
1679  goto end;
1680  }
1681 
1682  /* do detect */
1683  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1684 
1685  if (PacketAlertCheck(p1, 1)) {
1686  printf("sid 1 matched but shouldn't have: ");
1687  goto end;
1688  }
1689 
1690  r = AppLayerParserParse(
1691  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1692  if (r != 0) {
1693  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1694  result = 0;
1695  goto end;
1696  }
1697 
1698  /* do detect */
1699  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1700 
1701  if (!PacketAlertCheck(p2, 1)) {
1702  printf("sid 1 did not match but should have: ");
1703  goto end;
1704  }
1705 
1706  result = 1;
1707 
1708 end:
1709  if (alp_tctx != NULL)
1710  AppLayerParserThreadCtxFree(alp_tctx);
1711  if (de_ctx != NULL)
1712  DetectEngineCtxFree(de_ctx);
1713 
1714  StreamTcpFreeConfig(true);
1715  FLOW_DESTROY(&f);
1716  UTHFreePackets(&p1, 1);
1717  UTHFreePackets(&p2, 1);
1718  return result;
1719 }
1720 
1721 static int DetectEngineHttpServerBodyTest14(void)
1722 {
1723  TcpSession ssn;
1724  Packet *p1 = NULL;
1725  Packet *p2 = NULL;
1726  ThreadVars th_v;
1727  DetectEngineCtx *de_ctx = NULL;
1728  DetectEngineThreadCtx *det_ctx = NULL;
1729  HtpState *http_state = NULL;
1730  Flow f;
1731  uint8_t http_buf1[] =
1732  "GET /index.html HTTP/1.0\r\n"
1733  "Host: www.openinfosecfoundation.org\r\n"
1734  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1735  "\r\n";
1736  uint32_t http_len1 = sizeof(http_buf1) - 1;
1737  uint8_t http_buf2[] =
1738  "HTTP/1.0 200 ok\r\n"
1739  "Content-Type: text/html\r\n"
1740  "Content-Length: 6\r\n"
1741  "\r\n"
1742  "abcdef";
1743  uint32_t http_len2 = sizeof(http_buf2) - 1;
1744  int result = 0;
1745  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1746 
1747  memset(&th_v, 0, sizeof(th_v));
1748  memset(&f, 0, sizeof(f));
1749  memset(&ssn, 0, sizeof(ssn));
1750 
1751  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1752  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1753 
1754  FLOW_INITIALIZE(&f);
1755  f.protoctx = (void *)&ssn;
1756  f.proto = IPPROTO_TCP;
1757  f.flags |= FLOW_IPV4;
1758 
1759  p1->flow = &f;
1760  p1->flowflags |= FLOW_PKT_TOSERVER;
1761  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1762  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1763  p2->flow = &f;
1764  p2->flowflags |= FLOW_PKT_TOCLIENT;
1765  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1766  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1767  f.alproto = ALPROTO_HTTP1;
1768 
1769  StreamTcpInitConfig(true);
1770 
1771  de_ctx = DetectEngineCtxInit();
1772  if (de_ctx == NULL)
1773  goto end;
1774 
1775  de_ctx->flags |= DE_QUIET;
1776 
1777  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1778  "(msg:\"http server body test\"; "
1779  "pcre:/ab/Q; "
1780  "content:\"ef\"; http_server_body; distance:2; "
1781  "sid:1;)");
1782  if (de_ctx->sig_list == NULL)
1783  goto end;
1784 
1785  SigGroupBuild(de_ctx);
1786  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1787 
1788  int r = AppLayerParserParse(
1789  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1790  if (r != 0) {
1791  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1792  result = 0;
1793  goto end;
1794  }
1795 
1796  http_state = f.alstate;
1797  if (http_state == NULL) {
1798  printf("no http state: \n");
1799  result = 0;
1800  goto end;
1801  }
1802 
1803  /* do detect */
1804  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1805 
1806  if (PacketAlertCheck(p1, 1)) {
1807  printf("sid 1 matched but shouldn't have: ");
1808  goto end;
1809  }
1810 
1811  r = AppLayerParserParse(
1812  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1813  if (r != 0) {
1814  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1815  result = 0;
1816  goto end;
1817  }
1818 
1819  /* do detect */
1820  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1821 
1822  if (!PacketAlertCheck(p2, 1)) {
1823  printf("sid 1 did not match but should have: ");
1824  goto end;
1825  }
1826 
1827  result = 1;
1828 
1829 end:
1830  if (alp_tctx != NULL)
1831  AppLayerParserThreadCtxFree(alp_tctx);
1832  if (de_ctx != NULL)
1833  DetectEngineCtxFree(de_ctx);
1834 
1835  StreamTcpFreeConfig(true);
1836  FLOW_DESTROY(&f);
1837  UTHFreePackets(&p1, 1);
1838  UTHFreePackets(&p2, 1);
1839  return result;
1840 }
1841 
1842 static int DetectEngineHttpServerBodyTest15(void)
1843 {
1844  TcpSession ssn;
1845  Packet *p1 = NULL;
1846  Packet *p2 = NULL;
1847  ThreadVars th_v;
1848  DetectEngineCtx *de_ctx = NULL;
1849  DetectEngineThreadCtx *det_ctx = NULL;
1850  HtpState *http_state = NULL;
1851  Flow f;
1852  uint8_t http_buf1[] =
1853  "GET /index.html HTTP/1.0\r\n"
1854  "Host: www.openinfosecfoundation.org\r\n"
1855  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1856  "\r\n";
1857  uint32_t http_len1 = sizeof(http_buf1) - 1;
1858  uint8_t http_buf2[] =
1859  "HTTP/1.0 200 ok\r\n"
1860  "Content-Type: text/html\r\n"
1861  "Content-Length: 6\r\n"
1862  "\r\n"
1863  "abcdef";
1864  uint32_t http_len2 = sizeof(http_buf2) - 1;
1865  int result = 0;
1866  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1867 
1868  memset(&th_v, 0, sizeof(th_v));
1869  memset(&f, 0, sizeof(f));
1870  memset(&ssn, 0, sizeof(ssn));
1871 
1872  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1873  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1874 
1875  FLOW_INITIALIZE(&f);
1876  f.protoctx = (void *)&ssn;
1877  f.proto = IPPROTO_TCP;
1878  f.flags |= FLOW_IPV4;
1879 
1880  p1->flow = &f;
1881  p1->flowflags |= FLOW_PKT_TOSERVER;
1882  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1883  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1884  p2->flow = &f;
1885  p2->flowflags |= FLOW_PKT_TOCLIENT;
1886  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1887  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1888  f.alproto = ALPROTO_HTTP1;
1889 
1890  StreamTcpInitConfig(true);
1891 
1892  de_ctx = DetectEngineCtxInit();
1893  if (de_ctx == NULL)
1894  goto end;
1895 
1896  de_ctx->flags |= DE_QUIET;
1897 
1898  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1899  "(msg:\"http server body test\"; "
1900  "pcre:/abc/Q; "
1901  "content:!\"xyz\"; http_server_body; distance:0; within:3; "
1902  "sid:1;)");
1903  if (de_ctx->sig_list == NULL)
1904  goto end;
1905 
1906  SigGroupBuild(de_ctx);
1907  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1908 
1909  int r = AppLayerParserParse(
1910  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1911  if (r != 0) {
1912  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1913  result = 0;
1914  goto end;
1915  }
1916 
1917  http_state = f.alstate;
1918  if (http_state == NULL) {
1919  printf("no http state: \n");
1920  result = 0;
1921  goto end;
1922  }
1923 
1924  /* do detect */
1925  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1926 
1927  if (PacketAlertCheck(p1, 1)) {
1928  printf("sid 1 matched but shouldn't have: ");
1929  goto end;
1930  }
1931 
1932  r = AppLayerParserParse(
1933  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1934  if (r != 0) {
1935  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1936  result = 0;
1937  goto end;
1938  }
1939 
1940  /* do detect */
1941  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1942 
1943  if (!PacketAlertCheck(p2, 1)) {
1944  printf("sid 1 did not match but should have: ");
1945  goto end;
1946  }
1947 
1948  result = 1;
1949 
1950 end:
1951  if (alp_tctx != NULL)
1952  AppLayerParserThreadCtxFree(alp_tctx);
1953  if (de_ctx != NULL)
1954  DetectEngineCtxFree(de_ctx);
1955 
1956  StreamTcpFreeConfig(true);
1957  FLOW_DESTROY(&f);
1958  UTHFreePackets(&p1, 1);
1959  UTHFreePackets(&p2, 1);
1960  return result;
1961 }
1962 
1963 static int DetectEngineHttpServerBodyTest16(void)
1964 {
1965  char input[] = "\
1966 %YAML 1.1\n\
1967 ---\n\
1968 libhtp:\n\
1969 \n\
1970  default-config:\n\
1971  personality: IDS\n\
1972  request-body-limit: 0\n\
1973  response-body-limit: 0\n\
1974 \n\
1975  request-body-inspect-window: 0\n\
1976  response-body-inspect-window: 0\n\
1977  request-body-minimal-inspect-size: 0\n\
1978  response-body-minimal-inspect-size: 0\n\
1979 ";
1980 
1981  ConfCreateContextBackup();
1982  ConfInit();
1983  HtpConfigCreateBackup();
1984 
1985  ConfYamlLoadString(input, strlen(input));
1986  HTPConfigure();
1987 
1988  TcpSession ssn;
1989  Packet *p1 = NULL;
1990  Packet *p2 = NULL;
1991  ThreadVars th_v;
1992  DetectEngineCtx *de_ctx = NULL;
1993  DetectEngineThreadCtx *det_ctx = NULL;
1994  HtpState *http_state = NULL;
1995  Flow f;
1996  int result = 0;
1997  uint8_t http_buf1[] =
1998  "GET /index.html HTTP/1.0\r\n"
1999  "Host: www.openinfosecfoundation.org\r\n"
2000  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2001  "\r\n";
2002  uint32_t http_len1 = sizeof(http_buf1) - 1;
2003  uint8_t http_buf2[] =
2004  "HTTP/1.0 200 ok\r\n"
2005  "Content-Type: text/html\r\n"
2006  "Content-Length: 17\r\n"
2007  "\r\n"
2008  "1234567";
2009  uint32_t http_len2 = sizeof(http_buf2) - 1;
2010  uint8_t http_buf3[] =
2011  "8901234ABC";
2012  uint32_t http_len3 = sizeof(http_buf3) - 1;
2013  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2014 
2015  memset(&th_v, 0, sizeof(th_v));
2016  memset(&f, 0, sizeof(f));
2017  memset(&ssn, 0, sizeof(ssn));
2018 
2019  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2020  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2021 
2022  FLOW_INITIALIZE(&f);
2023  f.protoctx = (void *)&ssn;
2024  f.proto = IPPROTO_TCP;
2025  f.flags |= FLOW_IPV4;
2026 
2027  p1->flow = &f;
2028  p1->flowflags |= FLOW_PKT_TOSERVER;
2029  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2030  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2031  p2->flow = &f;
2032  p2->flowflags |= FLOW_PKT_TOCLIENT;
2033  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2034  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2035  f.alproto = ALPROTO_HTTP1;
2036 
2037  StreamTcpInitConfig(true);
2038 
2039  de_ctx = DetectEngineCtxInit();
2040  if (de_ctx == NULL)
2041  goto end;
2042 
2043  de_ctx->flags |= DE_QUIET;
2044 
2045  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2046  "(msg:\"http server body test\"; "
2047  "content:\"890\"; within:3; http_server_body; "
2048  "sid:1;)");
2049  if (de_ctx->sig_list == NULL)
2050  goto end;
2051 
2052  SigGroupBuild(de_ctx);
2053  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2054 
2055  int r = AppLayerParserParse(
2056  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2057  if (r != 0) {
2058  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2059  result = 0;
2060  goto end;
2061  }
2062 
2063  http_state = f.alstate;
2064  if (http_state == NULL) {
2065  printf("no http state: \n");
2066  result = 0;
2067  goto end;
2068  }
2069 
2070  /* do detect */
2071  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2072 
2073  if (PacketAlertCheck(p1, 1)) {
2074  printf("sid 1 matched but shouldn't have\n");
2075  goto end;
2076  }
2077 
2078  r = AppLayerParserParse(
2079  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2080  if (r != 0) {
2081  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2082  result = 0;
2083  goto end;
2084  }
2085 
2086  /* do detect */
2087  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2088 
2089  if (PacketAlertCheck(p2, 1)) {
2090  printf("sid 1 matched but shouldn't have\n");
2091  goto end;
2092  }
2093 
2094  r = AppLayerParserParse(
2095  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
2096  if (r != 0) {
2097  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2098  result = 0;
2099  goto end;
2100  }
2101 
2102  /* do detect */
2103  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2104 
2105  if (PacketAlertCheck(p2, 1)) {
2106  printf("sid 1 matched but shouldn't have\n");
2107  goto end;
2108  }
2109 
2110  result = 1;
2111 
2112 end:
2113  if (alp_tctx != NULL)
2114  AppLayerParserThreadCtxFree(alp_tctx);
2115  HTPFreeConfig();
2116  HtpConfigRestoreBackup();
2117  ConfRestoreContextBackup();
2118 
2119  if (de_ctx != NULL)
2120  DetectEngineCtxFree(de_ctx);
2121 
2122  StreamTcpFreeConfig(true);
2123  FLOW_DESTROY(&f);
2124  UTHFreePackets(&p1, 1);
2125  UTHFreePackets(&p2, 1);
2126  return result;
2127 }
2128 
2129 static int DetectEngineHttpServerBodyTest17(void)
2130 {
2131  char input[] = "\
2132 %YAML 1.1\n\
2133 ---\n\
2134 libhtp:\n\
2135 \n\
2136  default-config:\n\
2137  personality: IDS\n\
2138  request-body-limit: 0\n\
2139  response-body-limit: 0\n\
2140 \n\
2141  request-body-inspect-window: 0\n\
2142  response-body-inspect-window: 0\n\
2143  request-body-minimal-inspect-size: 0\n\
2144  response-body-minimal-inspect-size: 0\n\
2145 ";
2146 
2147  ConfCreateContextBackup();
2148  ConfInit();
2149  HtpConfigCreateBackup();
2150 
2151  ConfYamlLoadString(input, strlen(input));
2152  HTPConfigure();
2153 
2154  TcpSession ssn;
2155  Packet *p1 = NULL;
2156  Packet *p2 = NULL;
2157  ThreadVars th_v;
2158  DetectEngineCtx *de_ctx = NULL;
2159  DetectEngineThreadCtx *det_ctx = NULL;
2160  HtpState *http_state = NULL;
2161  Flow f;
2162  uint8_t http_buf1[] =
2163  "GET /index.html HTTP/1.0\r\n"
2164  "Host: www.openinfosecfoundation.org\r\n"
2165  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2166  "\r\n";
2167  uint32_t http_len1 = sizeof(http_buf1) - 1;
2168  uint8_t http_buf2[] =
2169  "HTTP/1.0 200 ok\r\n"
2170  "Content-Type: text/html\r\n"
2171  "Content-Length: 17\r\n"
2172  "\r\n"
2173  "1234567";
2174  uint32_t http_len2 = sizeof(http_buf2) - 1;
2175  uint8_t http_buf3[] =
2176  "8901234ABC";
2177  uint32_t http_len3 = sizeof(http_buf3) - 1;
2178  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2179 
2180  memset(&th_v, 0, sizeof(th_v));
2181  memset(&f, 0, sizeof(f));
2182  memset(&ssn, 0, sizeof(ssn));
2183 
2184  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2185  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2186 
2187  FLOW_INITIALIZE(&f);
2188  f.protoctx = (void *)&ssn;
2189  f.proto = IPPROTO_TCP;
2190  f.flags |= FLOW_IPV4;
2191 
2192  p1->flow = &f;
2193  p1->flowflags |= FLOW_PKT_TOSERVER;
2194  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2195  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2196  p2->flow = &f;
2197  p2->flowflags |= FLOW_PKT_TOCLIENT;
2198  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2199  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2200  f.alproto = ALPROTO_HTTP1;
2201 
2202  StreamTcpInitConfig(true);
2203 
2204  de_ctx = DetectEngineCtxInit();
2205  FAIL_IF_NULL(de_ctx);
2206  de_ctx->flags |= DE_QUIET;
2207 
2208  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any ("
2209  "content:\"890\"; depth:3; http_server_body; "
2210  "sid:1;)");
2211  FAIL_IF_NULL(s);
2212 
2213  SigGroupBuild(de_ctx);
2214  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2215 
2216  int r = AppLayerParserParse(
2217  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2218  FAIL_IF_NOT(r == 0);
2219 
2220  http_state = f.alstate;
2221  FAIL_IF_NULL(http_state);
2222 
2223  /* do detect */
2224  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2225  FAIL_IF(PacketAlertCheck(p1, 1));
2226 
2227  SCLogDebug("chunk http_buf2");
2228  r = AppLayerParserParse(
2229  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2230  FAIL_IF_NOT(r == 0);
2231 
2232  /* do detect */
2233  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2234  FAIL_IF(PacketAlertCheck(p2, 1));
2235 
2236  SCLogDebug("chunk http_buf3");
2237  r = AppLayerParserParse(
2238  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
2239  FAIL_IF_NOT(r == 0);
2240 
2241  /* do detect */
2242  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2243  FAIL_IF(PacketAlertCheck(p2, 1));
2244 
2245  AppLayerParserThreadCtxFree(alp_tctx);
2246  HTPFreeConfig();
2247  HtpConfigRestoreBackup();
2248  ConfRestoreContextBackup();
2249 
2250  DetectEngineCtxFree(de_ctx);
2251 
2252  StreamTcpFreeConfig(true);
2253  FLOW_DESTROY(&f);
2254  UTHFreePackets(&p1, 1);
2255  UTHFreePackets(&p2, 1);
2256  PASS;
2257 }
2258 
2259 /*
2260  * gzip stream
2261  */
2262 static int DetectEngineHttpServerBodyTest18(void)
2263 {
2264  TcpSession ssn;
2265  Packet *p1 = NULL;
2266  Packet *p2 = NULL;
2267  ThreadVars th_v;
2268  DetectEngineCtx *de_ctx = NULL;
2269  DetectEngineThreadCtx *det_ctx = NULL;
2270  HtpState *http_state = NULL;
2271  Flow f;
2272  uint8_t http_buf1[] =
2273  "GET /index.html HTTP/1.0\r\n"
2274  "Host: www.openinfosecfoundation.org\r\n"
2275  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2276  "\r\n";
2277  uint32_t http_len1 = sizeof(http_buf1) - 1;
2278  uint8_t http_buf2[] = {
2279  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2280  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
2281  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
2282  0x0d, 0x0a,
2283  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2284  0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2285  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2286  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2287  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2288  0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2289  0x00, 0x00, 0x00,
2290  };
2291  uint32_t http_len2 = sizeof(http_buf2);
2292  int result = 0;
2293  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2294 
2295  memset(&th_v, 0, sizeof(th_v));
2296  memset(&f, 0, sizeof(f));
2297  memset(&ssn, 0, sizeof(ssn));
2298 
2299  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2300  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2301 
2302  FLOW_INITIALIZE(&f);
2303  f.protoctx = (void *)&ssn;
2304  f.proto = IPPROTO_TCP;
2305  f.flags |= FLOW_IPV4;
2306 
2307  p1->flow = &f;
2308  p1->flowflags |= FLOW_PKT_TOSERVER;
2309  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2310  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2311  p2->flow = &f;
2312  p2->flowflags |= FLOW_PKT_TOCLIENT;
2313  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2314  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2315  f.alproto = ALPROTO_HTTP1;
2316 
2317  StreamTcpInitConfig(true);
2318 
2319  de_ctx = DetectEngineCtxInit();
2320  if (de_ctx == NULL)
2321  goto end;
2322 
2323  de_ctx->flags |= DE_QUIET;
2324 
2325  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2326  "(msg:\"http server body test\"; "
2327  "content:\"file\"; http_server_body; "
2328  "sid:1;)");
2329  if (de_ctx->sig_list == NULL)
2330  goto end;
2331 
2332  SigGroupBuild(de_ctx);
2333  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2334 
2335  int r = AppLayerParserParse(
2336  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2337  if (r != 0) {
2338  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2339  result = 0;
2340  goto end;
2341  }
2342 
2343  http_state = f.alstate;
2344  if (http_state == NULL) {
2345  printf("no http state: \n");
2346  result = 0;
2347  goto end;
2348  }
2349 
2350  /* do detect */
2351  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2352 
2353  if ((PacketAlertCheck(p1, 1))) {
2354  printf("sid 1 matched but shouldn't have\n");
2355  goto end;
2356  }
2357 
2358  r = AppLayerParserParse(
2359  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2360  if (r != 0) {
2361  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2362  result = 0;
2363  goto end;
2364  }
2365 
2366  /* do detect */
2367  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2368 
2369  if (!(PacketAlertCheck(p2, 1))) {
2370  printf("sid 1 didn't match but should have");
2371  goto end;
2372  }
2373 
2374  result = 1;
2375 
2376 end:
2377  if (alp_tctx != NULL)
2378  AppLayerParserThreadCtxFree(alp_tctx);
2379  if (de_ctx != NULL)
2380  DetectEngineCtxFree(de_ctx);
2381 
2382  StreamTcpFreeConfig(true);
2383  FLOW_DESTROY(&f);
2384  UTHFreePackets(&p1, 1);
2385  UTHFreePackets(&p2, 1);
2386  return result;
2387 }
2388 
2389 /*
2390  * deflate stream
2391  */
2392 static int DetectEngineHttpServerBodyTest19(void)
2393 {
2394  TcpSession ssn;
2395  Packet *p1 = NULL;
2396  Packet *p2 = NULL;
2397  ThreadVars th_v;
2398  DetectEngineCtx *de_ctx = NULL;
2399  DetectEngineThreadCtx *det_ctx = NULL;
2400  HtpState *http_state = NULL;
2401  Flow f;
2402  uint8_t http_buf1[] =
2403  "GET /index.html HTTP/1.0\r\n"
2404  "Host: www.openinfosecfoundation.org\r\n"
2405  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2406  "\r\n";
2407  uint32_t http_len1 = sizeof(http_buf1) - 1;
2408  uint8_t http_buf2[] = {
2409  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2410  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
2411  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
2412  0x0d, 0x0a,
2413  0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2414  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2415  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2416  0x8f, 0x0b, 0x00,
2417  };
2418  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
2419  uint32_t http_len2 = sizeof(http_buf2);
2420  int result = 0;
2421  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2422 
2423  memset(&th_v, 0, sizeof(th_v));
2424  memset(&f, 0, sizeof(f));
2425  memset(&ssn, 0, sizeof(ssn));
2426 
2427  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2428  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2429 
2430  FLOW_INITIALIZE(&f);
2431  f.protoctx = (void *)&ssn;
2432  f.proto = IPPROTO_TCP;
2433  f.flags |= FLOW_IPV4;
2434 
2435  p1->flow = &f;
2436  p1->flowflags |= FLOW_PKT_TOSERVER;
2437  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2438  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2439  p2->flow = &f;
2440  p2->flowflags |= FLOW_PKT_TOCLIENT;
2441  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2442  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2443  f.alproto = ALPROTO_HTTP1;
2444 
2445  StreamTcpInitConfig(true);
2446 
2447  de_ctx = DetectEngineCtxInit();
2448  if (de_ctx == NULL)
2449  goto end;
2450 
2451  de_ctx->flags |= DE_QUIET;
2452 
2453  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2454  "(msg:\"http server body test\"; "
2455  "content:\"file\"; http_server_body; "
2456  "sid:1;)");
2457  if (de_ctx->sig_list == NULL)
2458  goto end;
2459 
2460  SigGroupBuild(de_ctx);
2461  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2462 
2463  int r = AppLayerParserParse(
2464  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2465  if (r != 0) {
2466  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2467  result = 0;
2468  goto end;
2469  }
2470 
2471  http_state = f.alstate;
2472  if (http_state == NULL) {
2473  printf("no http state: \n");
2474  result = 0;
2475  goto end;
2476  }
2477 
2478  /* do detect */
2479  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2480 
2481  if ((PacketAlertCheck(p1, 1))) {
2482  printf("sid 1 matched but shouldn't have\n");
2483  goto end;
2484  }
2485 
2486  r = AppLayerParserParse(
2487  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2488  if (r != 0) {
2489  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2490  result = 0;
2491  goto end;
2492  }
2493 
2494  /* do detect */
2495  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2496 
2497  if (!(PacketAlertCheck(p2, 1))) {
2498  printf("sid 1 didn't match but should have");
2499  goto end;
2500  }
2501 
2502  result = 1;
2503 
2504 end:
2505  if (alp_tctx != NULL)
2506  AppLayerParserThreadCtxFree(alp_tctx);
2507  if (de_ctx != NULL)
2508  DetectEngineCtxFree(de_ctx);
2509 
2510  StreamTcpFreeConfig(true);
2511  FLOW_DESTROY(&f);
2512  UTHFreePackets(&p1, 1);
2513  UTHFreePackets(&p2, 1);
2514  return result;
2515 }
2516 
2517 /*
2518  * deflate stream with gzip set as content-encoding
2519  */
2520 static int DetectEngineHttpServerBodyTest20(void)
2521 {
2522  TcpSession ssn;
2523  Packet *p1 = NULL;
2524  Packet *p2 = NULL;
2525  ThreadVars th_v;
2526  DetectEngineCtx *de_ctx = NULL;
2527  DetectEngineThreadCtx *det_ctx = NULL;
2528  HtpState *http_state = NULL;
2529  Flow f;
2530  uint8_t http_buf1[] =
2531  "GET /index.html HTTP/1.0\r\n"
2532  "Host: www.openinfosecfoundation.org\r\n"
2533  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2534  "\r\n";
2535  uint32_t http_len1 = sizeof(http_buf1) - 1;
2536  uint8_t http_buf2[] = {
2537  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2538  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
2539  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
2540  0x0d, 0x0a,
2541  0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2542  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2543  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2544  0x8f, 0x0b, 0x00,
2545  };
2546  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
2547  uint32_t http_len2 = sizeof(http_buf2);
2548  int result = 0;
2549  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2550 
2551  memset(&th_v, 0, sizeof(th_v));
2552  memset(&f, 0, sizeof(f));
2553  memset(&ssn, 0, sizeof(ssn));
2554 
2555  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2556  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2557 
2558  FLOW_INITIALIZE(&f);
2559  f.protoctx = (void *)&ssn;
2560  f.proto = IPPROTO_TCP;
2561  f.flags |= FLOW_IPV4;
2562 
2563  p1->flow = &f;
2564  p1->flowflags |= FLOW_PKT_TOSERVER;
2565  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2566  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2567  p2->flow = &f;
2568  p2->flowflags |= FLOW_PKT_TOCLIENT;
2569  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2570  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2571  f.alproto = ALPROTO_HTTP1;
2572 
2573  StreamTcpInitConfig(true);
2574 
2575  de_ctx = DetectEngineCtxInit();
2576  if (de_ctx == NULL)
2577  goto end;
2578 
2579  de_ctx->flags |= DE_QUIET;
2580 
2581  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2582  "(msg:\"http server body test\"; "
2583  "content:\"file\"; http_server_body; "
2584  "sid:1;)");
2585  if (de_ctx->sig_list == NULL)
2586  goto end;
2587 
2588  SigGroupBuild(de_ctx);
2589  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2590 
2591  int r = AppLayerParserParse(
2592  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2593  if (r != 0) {
2594  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2595  result = 0;
2596  goto end;
2597  }
2598 
2599  http_state = f.alstate;
2600  if (http_state == NULL) {
2601  printf("no http state: \n");
2602  result = 0;
2603  goto end;
2604  }
2605 
2606  /* do detect */
2607  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2608 
2609  if ((PacketAlertCheck(p1, 1))) {
2610  printf("sid 1 matched but shouldn't have\n");
2611  goto end;
2612  }
2613 
2614  r = AppLayerParserParse(
2615  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2616  if (r != 0) {
2617  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2618  result = 0;
2619  goto end;
2620  }
2621 
2622  /* do detect */
2623  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2624 
2625 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2626  FAIL_IF(!(PacketAlertCheck(p2, 1)));
2627 #endif
2628 
2629  result = 1;
2630 
2631 end:
2632  if (alp_tctx != NULL)
2633  AppLayerParserThreadCtxFree(alp_tctx);
2634  if (de_ctx != NULL)
2635  DetectEngineCtxFree(de_ctx);
2636 
2637  StreamTcpFreeConfig(true);
2638  FLOW_DESTROY(&f);
2639  UTHFreePackets(&p1, 1);
2640  UTHFreePackets(&p2, 1);
2641  return result;
2642 }
2643 
2644 /*
2645  * gzip stream with deflate set as content-encoding.
2646  */
2647 static int DetectEngineHttpServerBodyTest21(void)
2648 {
2649  TcpSession ssn;
2650  Packet *p1 = NULL;
2651  Packet *p2 = NULL;
2652  ThreadVars th_v;
2653  DetectEngineCtx *de_ctx = NULL;
2654  DetectEngineThreadCtx *det_ctx = NULL;
2655  HtpState *http_state = NULL;
2656  Flow f;
2657  uint8_t http_buf1[] =
2658  "GET /index.html HTTP/1.0\r\n"
2659  "Host: www.openinfosecfoundation.org\r\n"
2660  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2661  "\r\n";
2662  uint32_t http_len1 = sizeof(http_buf1) - 1;
2663  uint8_t http_buf2[] = {
2664  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2665  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
2666  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
2667  0x0d, 0x0a,
2668  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2669  0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2670  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2671  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2672  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2673  0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2674  0x00, 0x00, 0x00,
2675  };
2676  uint32_t http_len2 = sizeof(http_buf2);
2677  int result = 0;
2678  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2679 
2680  memset(&th_v, 0, sizeof(th_v));
2681  memset(&f, 0, sizeof(f));
2682  memset(&ssn, 0, sizeof(ssn));
2683 
2684  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2685  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2686 
2687  FLOW_INITIALIZE(&f);
2688  f.protoctx = (void *)&ssn;
2689  f.proto = IPPROTO_TCP;
2690  f.flags |= FLOW_IPV4;
2691 
2692  p1->flow = &f;
2693  p1->flowflags |= FLOW_PKT_TOSERVER;
2694  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2695  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2696  p2->flow = &f;
2697  p2->flowflags |= FLOW_PKT_TOCLIENT;
2698  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2699  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2700  f.alproto = ALPROTO_HTTP1;
2701 
2702  StreamTcpInitConfig(true);
2703 
2704  de_ctx = DetectEngineCtxInit();
2705  if (de_ctx == NULL)
2706  goto end;
2707 
2708  de_ctx->flags |= DE_QUIET;
2709 
2710  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2711  "(msg:\"http server body test\"; "
2712  "content:\"file\"; http_server_body; "
2713  "sid:1;)");
2714  if (de_ctx->sig_list == NULL)
2715  goto end;
2716 
2717  SigGroupBuild(de_ctx);
2718  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2719 
2720  int r = AppLayerParserParse(
2721  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2722  if (r != 0) {
2723  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2724  result = 0;
2725  goto end;
2726  }
2727 
2728  http_state = f.alstate;
2729  if (http_state == NULL) {
2730  printf("no http state: \n");
2731  result = 0;
2732  goto end;
2733  }
2734 
2735  /* do detect */
2736  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2737 
2738  if ((PacketAlertCheck(p1, 1))) {
2739  printf("sid 1 matched but shouldn't have\n");
2740  goto end;
2741  }
2742 
2743  r = AppLayerParserParse(
2744  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2745  if (r != 0) {
2746  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2747  result = 0;
2748  goto end;
2749  }
2750 
2751  /* do detect */
2752  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2753 
2754 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2755  FAIL_IF(!(PacketAlertCheck(p2, 1)));
2756 #endif
2757 
2758  result = 1;
2759 
2760 end:
2761  if (alp_tctx != NULL)
2762  AppLayerParserThreadCtxFree(alp_tctx);
2763  if (de_ctx != NULL)
2764  DetectEngineCtxFree(de_ctx);
2765 
2766  StreamTcpFreeConfig(true);
2767  FLOW_DESTROY(&f);
2768  UTHFreePackets(&p1, 1);
2769  UTHFreePackets(&p2, 1);
2770  return result;
2771 }
2772 
2773 /*
2774  * gzip stream.
2775  * We have 2 content-encoding headers. First gzip and second deflate.
2776  */
2777 static int DetectEngineHttpServerBodyTest22(void)
2778 {
2779  TcpSession ssn;
2780  Packet *p1 = NULL;
2781  Packet *p2 = NULL;
2782  ThreadVars th_v;
2783  DetectEngineCtx *de_ctx = NULL;
2784  DetectEngineThreadCtx *det_ctx = NULL;
2785  HtpState *http_state = NULL;
2786  Flow f;
2787  uint8_t http_buf1[] =
2788  "GET /index.html HTTP/1.0\r\n"
2789  "Host: www.openinfosecfoundation.org\r\n"
2790  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2791  "\r\n";
2792  uint32_t http_len1 = sizeof(http_buf1) - 1;
2793  uint8_t http_buf2[] = {
2794  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2795  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
2796  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
2797  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
2798  0x0d, 0x0a,
2799  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2800  0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2801  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2802  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2803  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2804  0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2805  0x00, 0x00, 0x00,
2806  };
2807  uint32_t http_len2 = sizeof(http_buf2);
2808  int result = 0;
2809  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2810 
2811  memset(&th_v, 0, sizeof(th_v));
2812  memset(&f, 0, sizeof(f));
2813  memset(&ssn, 0, sizeof(ssn));
2814 
2815  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2816  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2817 
2818  FLOW_INITIALIZE(&f);
2819  f.protoctx = (void *)&ssn;
2820  f.proto = IPPROTO_TCP;
2821  f.flags |= FLOW_IPV4;
2822 
2823  p1->flow = &f;
2824  p1->flowflags |= FLOW_PKT_TOSERVER;
2825  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2826  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2827  p2->flow = &f;
2828  p2->flowflags |= FLOW_PKT_TOCLIENT;
2829  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2830  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2831  f.alproto = ALPROTO_HTTP1;
2832 
2833  StreamTcpInitConfig(true);
2834 
2835  de_ctx = DetectEngineCtxInit();
2836  if (de_ctx == NULL)
2837  goto end;
2838 
2839  de_ctx->flags |= DE_QUIET;
2840 
2841  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2842  "(msg:\"http server body test\"; "
2843  "content:\"file\"; http_server_body; "
2844  "sid:1;)");
2845  if (de_ctx->sig_list == NULL)
2846  goto end;
2847 
2848  SigGroupBuild(de_ctx);
2849  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2850 
2851  int r = AppLayerParserParse(
2852  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2853  if (r != 0) {
2854  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2855  result = 0;
2856  goto end;
2857  }
2858 
2859  http_state = f.alstate;
2860  if (http_state == NULL) {
2861  printf("no http state: \n");
2862  result = 0;
2863  goto end;
2864  }
2865 
2866  /* do detect */
2867  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2868 
2869  if ((PacketAlertCheck(p1, 1))) {
2870  printf("sid 1 matched but shouldn't have: ");
2871  goto end;
2872  }
2873 
2874  r = AppLayerParserParse(
2875  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2876  if (r != 0) {
2877  printf("toserver chunk 2 returned %" PRId32 ", expected 0: \n", r);
2878  result = 0;
2879  goto end;
2880  }
2881 
2882  /* do detect */
2883  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2884 
2885 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2886  FAIL_IF(!(PacketAlertCheck(p2, 1)));
2887 #endif
2888 
2889  result = 1;
2890 
2891 end:
2892  if (alp_tctx != NULL)
2893  AppLayerParserThreadCtxFree(alp_tctx);
2894  if (de_ctx != NULL)
2895  DetectEngineCtxFree(de_ctx);
2896 
2897  StreamTcpFreeConfig(true);
2898  FLOW_DESTROY(&f);
2899  UTHFreePackets(&p1, 1);
2900  UTHFreePackets(&p2, 1);
2901  return result;
2902 }
2903 
2904 static int DetectEngineHttpServerBodyFileDataTest01(void)
2905 {
2906  TcpSession ssn;
2907  Packet *p1 = NULL;
2908  Packet *p2 = NULL;
2909  ThreadVars th_v;
2910  DetectEngineCtx *de_ctx = NULL;
2911  DetectEngineThreadCtx *det_ctx = NULL;
2912  HtpState *http_state = NULL;
2913  Flow f;
2914  uint8_t http_buf1[] =
2915  "GET /index.html HTTP/1.0\r\n"
2916  "Host: www.openinfosecfoundation.org\r\n"
2917  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2918  "\r\n";
2919  uint32_t http_len1 = sizeof(http_buf1) - 1;
2920  uint8_t http_buf2[] =
2921  "HTTP/1.0 200 ok\r\n"
2922  "Content-Type: text/html\r\n"
2923  "Content-Length: 6\r\n"
2924  "\r\n"
2925  "abcdef";
2926  uint32_t http_len2 = sizeof(http_buf2) - 1;
2927  int result = 0;
2928  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2929 
2930  memset(&th_v, 0, sizeof(th_v));
2931  memset(&f, 0, sizeof(f));
2932  memset(&ssn, 0, sizeof(ssn));
2933 
2934  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2935  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2936 
2937  FLOW_INITIALIZE(&f);
2938  f.protoctx = (void *)&ssn;
2939  f.proto = IPPROTO_TCP;
2940  f.flags |= FLOW_IPV4;
2941 
2942  p1->flow = &f;
2943  p1->flowflags |= FLOW_PKT_TOSERVER;
2944  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2945  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2946  p2->flow = &f;
2947  p2->flowflags |= FLOW_PKT_TOCLIENT;
2948  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2949  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2950  f.alproto = ALPROTO_HTTP1;
2951 
2952  StreamTcpInitConfig(true);
2953 
2954  de_ctx = DetectEngineCtxInit();
2955  if (de_ctx == NULL)
2956  goto end;
2957 
2958  de_ctx->flags |= DE_QUIET;
2959 
2960  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2961  "(msg:\"http server body test\"; "
2962  "file_data; pcre:/ab/; "
2963  "content:\"ef\"; distance:2; "
2964  "sid:1;)");
2965  if (de_ctx->sig_list == NULL)
2966  goto end;
2967 
2968  SigGroupBuild(de_ctx);
2969  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2970 
2971  int r = AppLayerParserParse(
2972  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2973  if (r != 0) {
2974  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2975  result = 0;
2976  goto end;
2977  }
2978 
2979  http_state = f.alstate;
2980  if (http_state == NULL) {
2981  printf("no http state: \n");
2982  result = 0;
2983  goto end;
2984  }
2985 
2986  /* do detect */
2987  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2988 
2989  if (PacketAlertCheck(p1, 1)) {
2990  printf("sid 1 matched but shouldn't have: ");
2991  goto end;
2992  }
2993 
2994  r = AppLayerParserParse(
2995  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2996  if (r != 0) {
2997  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2998  result = 0;
2999  goto end;
3000  }
3001 
3002  /* do detect */
3003  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3004 
3005  if (!PacketAlertCheck(p2, 1)) {
3006  printf("sid 1 did not match but should have: ");
3007  goto end;
3008  }
3009 
3010  result = 1;
3011 
3012 end:
3013  if (alp_tctx != NULL)
3014  AppLayerParserThreadCtxFree(alp_tctx);
3015  if (de_ctx != NULL)
3016  DetectEngineCtxFree(de_ctx);
3017 
3018  StreamTcpFreeConfig(true);
3019  FLOW_DESTROY(&f);
3020  UTHFreePackets(&p1, 1);
3021  UTHFreePackets(&p2, 1);
3022  return result;
3023 }
3024 
3025 static int DetectEngineHttpServerBodyFileDataTest02(void)
3026 {
3027  TcpSession ssn;
3028  Packet *p1 = NULL;
3029  Packet *p2 = NULL;
3030  ThreadVars th_v;
3031  DetectEngineCtx *de_ctx = NULL;
3032  DetectEngineThreadCtx *det_ctx = NULL;
3033  HtpState *http_state = NULL;
3034  Flow f;
3035  uint8_t http_buf1[] =
3036  "GET /index.html HTTP/1.0\r\n"
3037  "Host: www.openinfosecfoundation.org\r\n"
3038  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3039  "\r\n";
3040  uint32_t http_len1 = sizeof(http_buf1) - 1;
3041  uint8_t http_buf2[] =
3042  "HTTP/1.0 200 ok\r\n"
3043  "Content-Type: text/html\r\n"
3044  "Content-Length: 6\r\n"
3045  "\r\n"
3046  "abcdef";
3047  uint32_t http_len2 = sizeof(http_buf2) - 1;
3048  int result = 0;
3049  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3050 
3051  memset(&th_v, 0, sizeof(th_v));
3052  memset(&f, 0, sizeof(f));
3053  memset(&ssn, 0, sizeof(ssn));
3054 
3055  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3056  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3057 
3058  FLOW_INITIALIZE(&f);
3059  f.protoctx = (void *)&ssn;
3060  f.proto = IPPROTO_TCP;
3061  f.flags |= FLOW_IPV4;
3062 
3063  p1->flow = &f;
3064  p1->flowflags |= FLOW_PKT_TOSERVER;
3065  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3066  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3067  p2->flow = &f;
3068  p2->flowflags |= FLOW_PKT_TOCLIENT;
3069  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3070  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3071  f.alproto = ALPROTO_HTTP1;
3072 
3073  StreamTcpInitConfig(true);
3074 
3075  de_ctx = DetectEngineCtxInit();
3076  if (de_ctx == NULL)
3077  goto end;
3078 
3079  de_ctx->flags |= DE_QUIET;
3080 
3081  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3082  "(msg:\"http server body test\"; "
3083  "file_data; pcre:/abc/; "
3084  "content:!\"xyz\"; distance:0; within:3; "
3085  "sid:1;)");
3086  if (de_ctx->sig_list == NULL)
3087  goto end;
3088 
3089  SigGroupBuild(de_ctx);
3090  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3091 
3092  int r = AppLayerParserParse(
3093  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
3094  if (r != 0) {
3095  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3096  result = 0;
3097  goto end;
3098  }
3099 
3100  http_state = f.alstate;
3101  if (http_state == NULL) {
3102  printf("no http state: \n");
3103  result = 0;
3104  goto end;
3105  }
3106 
3107  /* do detect */
3108  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3109 
3110  if (PacketAlertCheck(p1, 1)) {
3111  printf("sid 1 matched but shouldn't have: ");
3112  goto end;
3113  }
3114 
3115  r = AppLayerParserParse(
3116  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
3117  if (r != 0) {
3118  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3119  result = 0;
3120  goto end;
3121  }
3122 
3123  /* do detect */
3124  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3125 
3126  if (!PacketAlertCheck(p2, 1)) {
3127  printf("sid 1 did not match but should have: ");
3128  goto end;
3129  }
3130 
3131  result = 1;
3132 
3133 end:
3134  if (alp_tctx != NULL)
3135  AppLayerParserThreadCtxFree(alp_tctx);
3136  if (de_ctx != NULL)
3137  DetectEngineCtxFree(de_ctx);
3138 
3139  StreamTcpFreeConfig(true);
3140  FLOW_DESTROY(&f);
3141  UTHFreePackets(&p1, 1);
3142  UTHFreePackets(&p2, 1);
3143  return result;
3144 }
3145 
3146 /* \test recursive relative byte test */
3147 static int DetectEngineHttpServerBodyFileDataTest03(void)
3148 {
3149  TcpSession ssn;
3150  Packet *p1 = NULL;
3151  Packet *p2 = NULL;
3152  ThreadVars th_v;
3153  DetectEngineThreadCtx *det_ctx = NULL;
3154  HtpState *http_state = NULL;
3155  Flow f;
3156  uint8_t http_buf1[] =
3157  "GET /index.html HTTP/1.0\r\n"
3158  "Host: www.openinfosecfoundation.org\r\n"
3159  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3160  "\r\n";
3161  uint32_t http_len1 = sizeof(http_buf1) - 1;
3162  uint8_t http_buf2[] =
3163  "HTTP/1.0 200 ok\r\n"
3164  "Content-Type: text/html\r\n"
3165  "Content-Length: 33\r\n"
3166  "\r\n"
3167  "XYZ_klm_1234abcd_XYZ_klm_5678abcd";
3168  uint32_t http_len2 = sizeof(http_buf2) - 1;
3169  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3170 
3171  memset(&th_v, 0, sizeof(th_v));
3172  memset(&f, 0, sizeof(f));
3173  memset(&ssn, 0, sizeof(ssn));
3174 
3175  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3176  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3177 
3178  FLOW_INITIALIZE(&f);
3179  f.protoctx = (void *)&ssn;
3180  f.proto = IPPROTO_TCP;
3181  f.flags |= FLOW_IPV4;
3182 
3183  p1->flow = &f;
3184  p1->flowflags |= FLOW_PKT_TOSERVER;
3185  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3186  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3187  p2->flow = &f;
3188  p2->flowflags |= FLOW_PKT_TOCLIENT;
3189  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3190  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3191  f.alproto = ALPROTO_HTTP1;
3192 
3193  StreamTcpInitConfig(true);
3194 
3195  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3196  FAIL_IF_NULL(de_ctx);
3197  de_ctx->flags |= DE_QUIET;
3198 
3199  Signature *s = DetectEngineAppendSig(de_ctx,
3200  "alert http any any -> any any "
3201  "(msg:\"match on 1st\"; "
3202  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
3203  "distance:4; byte_test:4,=,1234,-8,relative,string;"
3204  "sid:1;)");
3205  FAIL_IF_NULL(s);
3206  s = DetectEngineAppendSig(de_ctx,
3207  "alert http any any -> any any "
3208  "(msg:\"match on 2nd\"; "
3209  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
3210  "distance:4; byte_test:4,=,5678,-8,relative,string;"
3211  "sid:2;)");
3212  FAIL_IF_NULL(s);
3213 
3214  SigGroupBuild(de_ctx);
3215  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3216 
3217  int r = AppLayerParserParse(
3218  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
3219  FAIL_IF(r != 0);
3220  http_state = f.alstate;
3221  FAIL_IF_NULL(http_state);
3222 
3223  /* do detect */
3224  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3225  FAIL_IF(PacketAlertCheck(p1, 1));
3226 
3227  r = AppLayerParserParse(
3228  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
3229  FAIL_IF(r != 0);
3230 
3231  /* do detect */
3232  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3233 
3234  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
3235  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
3236 
3237  AppLayerParserThreadCtxFree(alp_tctx);
3238  DetectEngineCtxFree(de_ctx);
3239  StreamTcpFreeConfig(true);
3240  FLOW_DESTROY(&f);
3241  UTHFreePackets(&p1, 1);
3242  UTHFreePackets(&p2, 1);
3243  PASS;
3244 }
3245 
3246 static int DetectEngineHttpServerBodyFileDataTest04(void)
3247 {
3248 
3249  const char yaml[] = "\
3250 %YAML 1.1\n\
3251 ---\n\
3252 libhtp:\n\
3253 \n\
3254  default-config:\n\
3255 \n\
3256  http-body-inline: yes\n\
3257  response-body-minimal-inspect-size: 6\n\
3258  response-body-inspect-window: 3\n\
3259 ";
3260 
3261  struct TestSteps steps[] = {
3262  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3263  "Host: www.openinfosecfoundation.org\r\n"
3264  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3265  "\r\n",
3266  0, STREAM_TOSERVER, 0 },
3267  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3268  "Content-Type: text/html\r\n"
3269  "Content-Length: 6\r\n"
3270  "\r\n"
3271  "ab",
3272  0, STREAM_TOCLIENT, 0 },
3273  { (const uint8_t *)"cd",
3274  0, STREAM_TOCLIENT, 1 },
3275  { (const uint8_t *)"ef",
3276  0, STREAM_TOCLIENT, 0 },
3277  { NULL, 0, 0, 0 },
3278  };
3279 
3280  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
3281  return RunTest(steps, sig, yaml);
3282 }
3283 
3284 static int DetectEngineHttpServerBodyFileDataTest05(void)
3285 {
3286 
3287  const char yaml[] = "\
3288 %YAML 1.1\n\
3289 ---\n\
3290 libhtp:\n\
3291 \n\
3292  default-config:\n\
3293 \n\
3294  http-body-inline: yes\n\
3295  response-body-minimal-inspect-size: 6\n\
3296  response-body-inspect-window: 3\n\
3297 ";
3298 
3299  struct TestSteps steps[] = {
3300  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3301  "Host: www.openinfosecfoundation.org\r\n"
3302  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3303  "\r\n",
3304  0, STREAM_TOSERVER, 0 },
3305  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3306  "Content-Type: text/html\r\n"
3307  "Content-Length: 6\r\n"
3308  "\r\n"
3309  "ab",
3310  0, STREAM_TOCLIENT, 0 },
3311  { (const uint8_t *)"cd",
3312  0, STREAM_TOCLIENT, 0 },
3313  { (const uint8_t *)"ef",
3314  0, STREAM_TOCLIENT, 1 },
3315  { NULL, 0, 0, 0 },
3316  };
3317 
3318  const char *sig = "alert http any any -> any any (file_data; content:\"abcdef\"; sid:1;)";
3319  return RunTest(steps, sig, yaml);
3320 }
3321 
3322 static int DetectEngineHttpServerBodyFileDataTest06(void)
3323 {
3324 
3325  const char yaml[] = "\
3326 %YAML 1.1\n\
3327 ---\n\
3328 libhtp:\n\
3329 \n\
3330  default-config:\n\
3331 \n\
3332  http-body-inline: yes\n\
3333  response-body-minimal-inspect-size: 6\n\
3334  response-body-inspect-window: 3\n\
3335 ";
3336 
3337  struct TestSteps steps[] = {
3338  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3339  "Host: www.openinfosecfoundation.org\r\n"
3340  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3341  "\r\n",
3342  0, STREAM_TOSERVER, 0 },
3343  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3344  "Content-Type: text/html\r\n"
3345  "Content-Length: 6\r\n"
3346  "\r\n"
3347  "ab",
3348  0, STREAM_TOCLIENT, 0 },
3349  { (const uint8_t *)"cd",
3350  0, STREAM_TOCLIENT, 0 },
3351  { (const uint8_t *)"ef",
3352  0, STREAM_TOCLIENT, 1 },
3353  { NULL, 0, 0, 0 },
3354  };
3355 
3356  const char *sig = "alert http any any -> any any (file_data; content:\"bcdef\"; offset:1; sid:1;)";
3357  return RunTest(steps, sig, yaml);
3358 }
3359 
3360 static int DetectEngineHttpServerBodyFileDataTest07(void)
3361 {
3362 
3363  const char yaml[] = "\
3364 %YAML 1.1\n\
3365 ---\n\
3366 libhtp:\n\
3367 \n\
3368  default-config:\n\
3369 \n\
3370  http-body-inline: yes\n\
3371  response-body-minimal-inspect-size: 6\n\
3372  response-body-inspect-window: 3\n\
3373 ";
3374 
3375  struct TestSteps steps[] = {
3376  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3377  "Host: www.openinfosecfoundation.org\r\n"
3378  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3379  "\r\n",
3380  0, STREAM_TOSERVER, 0 },
3381  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3382  "Content-Type: text/html\r\n"
3383  "Content-Length: 13\r\n"
3384  "\r\n"
3385  "ab",
3386  0, STREAM_TOCLIENT, 0 },
3387  { (const uint8_t *)"cd",
3388  0, STREAM_TOCLIENT, 1 },
3389  { (const uint8_t *)"123456789",
3390  0, STREAM_TOCLIENT, 0 },
3391  { NULL, 0, 0, 0 },
3392  };
3393 
3394  const char *sig = "alert http any any -> any any (file_data; content:\"bc\"; offset:1; depth:2; sid:1;)";
3395  return RunTest(steps, sig, yaml);
3396 }
3397 
3398 static int DetectEngineHttpServerBodyFileDataTest08(void)
3399 {
3400 
3401  const char yaml[] = "\
3402 %YAML 1.1\n\
3403 ---\n\
3404 libhtp:\n\
3405 \n\
3406  default-config:\n\
3407 \n\
3408  http-body-inline: yes\n\
3409  response-body-minimal-inspect-size: 6\n\
3410  response-body-inspect-window: 3\n\
3411 ";
3412 
3413  struct TestSteps steps[] = {
3414  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3415  "Host: www.openinfosecfoundation.org\r\n"
3416  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3417  "\r\n",
3418  0, STREAM_TOSERVER, 0 },
3419  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3420  "Content-Type: text/html\r\n"
3421  "Content-Length: 14\r\n"
3422  "\r\n"
3423  "ab",
3424  0, STREAM_TOCLIENT, 0 },
3425  { (const uint8_t *)"cd",
3426  0, STREAM_TOCLIENT, 0 },
3427  { (const uint8_t *)"1234567890",
3428  0, STREAM_TOCLIENT, 1 },
3429  { NULL, 0, 0, 0 },
3430  };
3431 
3432  const char *sig = "alert http any any -> any any (file_data; content:\"d123456789\"; offset:3; sid:1;)";
3433  return RunTest(steps, sig, yaml);
3434 }
3435 
3436 static int DetectEngineHttpServerBodyFileDataTest09(void)
3437 {
3438 
3439  const char yaml[] = "\
3440 %YAML 1.1\n\
3441 ---\n\
3442 libhtp:\n\
3443 \n\
3444  default-config:\n\
3445 \n\
3446  http-body-inline: yes\n\
3447  response-body-minimal-inspect-size: 6\n\
3448  response-body-inspect-window: 3\n\
3449 ";
3450 
3451  struct TestSteps steps[] = {
3452  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3453  "Host: www.openinfosecfoundation.org\r\n"
3454  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3455  "\r\n",
3456  0, STREAM_TOSERVER, 0 },
3457  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3458  "Content-Type: text/html\r\n"
3459  "Content-Length: 13\r\n"
3460  "\r\n"
3461  "ab",
3462  0, STREAM_TOCLIENT, 0 },
3463  { (const uint8_t *)"cd",
3464  0, STREAM_TOCLIENT, 0 },
3465  { (const uint8_t *)"123456789",
3466  0, STREAM_TOCLIENT, 1 },
3467  { NULL, 0, 0, 0 },
3468  };
3469 
3470  const char *sig = "alert http any any -> any any (file_data; content:\"abcd12\"; depth:6; sid:1;)";
3471  return RunTest(steps, sig, yaml);
3472 }
3473 
3474 static int DetectEngineHttpServerBodyFileDataTest10(void)
3475 {
3476 
3477  const char yaml[] = "\
3478 %YAML 1.1\n\
3479 ---\n\
3480 libhtp:\n\
3481 \n\
3482  default-config:\n\
3483 \n\
3484  http-body-inline: yes\n\
3485  response-body-minimal-inspect-size: 6\n\
3486  response-body-inspect-window: 3\n\
3487 ";
3488 
3489  struct TestSteps steps[] = {
3490  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3491  "Host: www.openinfosecfoundation.org\r\n"
3492  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3493  "\r\n",
3494  0, STREAM_TOSERVER, 0 },
3495  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3496  "Content-Type: text/html\r\n"
3497  "Content-Length: 5\r\n"
3498  "\r\n"
3499  "ab",
3500  0, STREAM_TOCLIENT, 0 },
3501  { (const uint8_t *)"c",
3502  0, STREAM_TOCLIENT, 1 },
3503  { (const uint8_t *)"de",
3504  0, STREAM_TOCLIENT, 0 },
3505  { NULL, 0, 0, 0 },
3506  };
3507 
3508  const char *sig = "alert http any any -> any any (file_data; content:\"abc\"; depth:3; sid:1;)";
3509  return RunTest(steps, sig, yaml);
3510 }
3511 
3512 static int DetectEngineHttpServerBodyFileDataTest11(void)
3513 {
3514 
3515  const char yaml[] = "\
3516 %YAML 1.1\n\
3517 ---\n\
3518 libhtp:\n\
3519 \n\
3520  default-config:\n\
3521 \n\
3522  http-body-inline: yes\n\
3523  response-body-minimal-inspect-size: 6\n\
3524  response-body-inspect-window: 3\n\
3525 ";
3526 
3527  struct TestSteps steps[] = {
3528  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3529  "Host: www.openinfosecfoundation.org\r\n"
3530  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3531  "\r\n",
3532  0, STREAM_TOSERVER, 0 },
3533  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3534  "Content-Type: text/html\r\n"
3535  "Content-Length: 5\r\n"
3536  "\r\n"
3537  "ab",
3538  0, STREAM_TOCLIENT, 0 },
3539  { (const uint8_t *)"c",
3540  0, STREAM_TOCLIENT, 0 },
3541  { (const uint8_t *)"de",
3542  0, STREAM_TOCLIENT, 1 },
3543  { NULL, 0, 0, 0 },
3544  };
3545 
3546  const char *sig = "alert http any any -> any any (file_data; content:\"bcde\"; offset:1; depth:4; sid:1;)";
3547  return RunTest(steps, sig, yaml);
3548 }
3549 
3550 static int DetectEngineHttpServerBodyFileDataTest12(void)
3551 {
3552 
3553  const char yaml[] = "\
3554 %YAML 1.1\n\
3555 ---\n\
3556 libhtp:\n\
3557 \n\
3558  default-config:\n\
3559 \n\
3560  http-body-inline: yes\n\
3561  response-body-minimal-inspect-size: 6\n\
3562  response-body-inspect-window: 3\n\
3563 ";
3564 
3565  struct TestSteps steps[] = {
3566  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3567  "Host: www.openinfosecfoundation.org\r\n"
3568  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3569  "\r\n",
3570  0, STREAM_TOSERVER, 0 },
3571  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3572  "Content-Type: text/html\r\n"
3573  "Content-Length: 13\r\n"
3574  "\r\n"
3575  "a",
3576  0, STREAM_TOCLIENT, 0 },
3577  { (const uint8_t *)"b",
3578  0, STREAM_TOCLIENT, 0 },
3579  { (const uint8_t *)"c",
3580  0, STREAM_TOCLIENT, 0 },
3581  { (const uint8_t *)"d",
3582  0, STREAM_TOCLIENT, 1 },
3583  { (const uint8_t *)"efghijklm",
3584  0, STREAM_TOCLIENT, 0 },
3585  { NULL, 0, 0, 0 },
3586  };
3587 
3588  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
3589  return RunTest(steps, sig, yaml);
3590 }
3591 
3592 static int DetectEngineHttpServerBodyFileDataTest13(void)
3593 {
3594 
3595  const char yaml[] = "\
3596 %YAML 1.1\n\
3597 ---\n\
3598 libhtp:\n\
3599 \n\
3600  default-config:\n\
3601 \n\
3602  http-body-inline: yes\n\
3603  response-body-minimal-inspect-size: 9\n\
3604  response-body-inspect-window: 12\n\
3605 ";
3606 
3607  struct TestSteps steps[] = {
3608  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3609  "Host: www.openinfosecfoundation.org\r\n"
3610  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3611  "\r\n",
3612  0, STREAM_TOSERVER, 0 },
3613  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3614  "Content-Type: text/html\r\n"
3615  "Content-Length: 13\r\n"
3616  "\r\n"
3617  "a",
3618  0, STREAM_TOCLIENT, 0 },
3619  { (const uint8_t *)"b",
3620  0, STREAM_TOCLIENT, 0 },
3621  { (const uint8_t *)"c",
3622  0, STREAM_TOCLIENT, 0 },
3623  { (const uint8_t *)"d",
3624  0, STREAM_TOCLIENT, 0 },
3625  { (const uint8_t *)"efghijklm",
3626  0, STREAM_TOCLIENT, 1 },
3627  { NULL, 0, 0, 0 },
3628  };
3629 
3630  const char *sig = "alert http any any -> any any (file_data; content:\"abcdefghijklm\"; sid:1;)";
3631  return RunTest(steps, sig, yaml);
3632 }
3633 
3634 static int DetectEngineHttpServerBodyFileDataTest14(void)
3635 {
3636 
3637  const char yaml[] = "\
3638 %YAML 1.1\n\
3639 ---\n\
3640 libhtp:\n\
3641 \n\
3642  default-config:\n\
3643 \n\
3644  http-body-inline: yes\n\
3645  response-body-minimal-inspect-size: 9\n\
3646  response-body-inspect-window: 12\n\
3647 ";
3648 
3649  struct TestSteps steps[] = {
3650  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3651  "Host: www.openinfosecfoundation.org\r\n"
3652  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3653  "\r\n",
3654  0, STREAM_TOSERVER, 0 },
3655  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3656  "Content-Type: text/html\r\n"
3657  "Content-Length: 20\r\n"
3658  "\r\n"
3659  "1234567890",
3660  0, STREAM_TOCLIENT, 0 },
3661  { (const uint8_t *)"abcdefghi",
3662  0, STREAM_TOCLIENT, 1 },
3663  { NULL, 0, 0, 0 },
3664  };
3665 
3666  const char *sig = "alert http any any -> any any (file_data; content:\"890abcdefghi\"; sid:1;)";
3667  return RunTest(steps, sig, yaml);
3668 }
3669 
3670 static int DetectEngineHttpServerBodyFileDataTest15(void)
3671 {
3672 
3673  const char yaml[] = "\
3674 %YAML 1.1\n\
3675 ---\n\
3676 libhtp:\n\
3677 \n\
3678  default-config:\n\
3679 \n\
3680  http-body-inline: yes\n\
3681  response-body-minimal-inspect-size: 9\n\
3682  response-body-inspect-window: 12\n\
3683 ";
3684 
3685  struct TestSteps steps[] = {
3686  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3687  "Host: www.openinfosecfoundation.org\r\n"
3688  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3689  "\r\n",
3690  0, STREAM_TOSERVER, 0 },
3691  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3692  "Content-Type: text/html\r\n"
3693  "Content-Length: 20\r\n"
3694  "\r\n"
3695  "1234567890",
3696  0, STREAM_TOCLIENT, 0 },
3697  { (const uint8_t *)"abcdefghi",
3698  0, STREAM_TOCLIENT, 0 },
3699  { NULL, 0, 0, 0 },
3700  };
3701 
3702  const char *sig = "alert http any any -> any any (file_data; content:\"7890ab\"; depth:6; sid:1;)";
3703  return RunTest(steps, sig, yaml);
3704 }
3705 
3706 static int DetectEngineHttpServerBodyFileDataTest16(void)
3707 {
3708 
3709  const char yaml[] = "\
3710 %YAML 1.1\n\
3711 ---\n\
3712 libhtp:\n\
3713 \n\
3714  default-config:\n\
3715 \n\
3716  http-body-inline: yes\n\
3717  response-body-minimal-inspect-size: 9\n\
3718  response-body-inspect-window: 12\n\
3719 ";
3720 
3721  struct TestSteps steps[] = {
3722  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3723  "Host: www.openinfosecfoundation.org\r\n"
3724  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3725  "\r\n",
3726  0, STREAM_TOSERVER, 0 },
3727  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3728  "Content-Type: text/html\r\n"
3729  "Content-Length: 20\r\n"
3730  "\r\n"
3731  "aaaab",
3732  0, STREAM_TOCLIENT, 0 },
3733  { (const uint8_t *)"bbbbc",
3734  0, STREAM_TOCLIENT, 0 },
3735  { (const uint8_t *)"ccccd",
3736  0, STREAM_TOCLIENT, 0 },
3737  { (const uint8_t *)"dddde",
3738  0, STREAM_TOCLIENT, 0 },
3739  { NULL, 0, 0, 0 },
3740  };
3741 
3742  const char *sig = "alert http any any -> any any (file_data; content:\"aabb\"; depth:4; sid:1;)";
3743  return RunTest(steps, sig, yaml);
3744 }
3745 
3746 static int DetectEngineHttpServerBodyFileDataTest17(void)
3747 {
3748 
3749  const char yaml[] = "\
3750 %YAML 1.1\n\
3751 ---\n\
3752 libhtp:\n\
3753 \n\
3754  default-config:\n\
3755 \n\
3756  http-body-inline: yes\n\
3757  response-body-minimal-inspect-size: 8\n\
3758  response-body-inspect-window: 4\n\
3759 ";
3760 
3761  struct TestSteps steps[] = {
3762  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3763  "Host: www.openinfosecfoundation.org\r\n"
3764  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3765  "\r\n",
3766  0, STREAM_TOSERVER, 0 },
3767  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3768  "Content-Type: text/html\r\n"
3769  "Content-Length: 20\r\n"
3770  "\r\n"
3771  "aaaab",
3772  0, STREAM_TOCLIENT, 0 },
3773  { (const uint8_t *)"bbbbc",
3774  0, STREAM_TOCLIENT, 0 },
3775  { (const uint8_t *)"ccccd",
3776  0, STREAM_TOCLIENT, 0 },
3777  { (const uint8_t *)"dddde",
3778  0, STREAM_TOCLIENT, 0 },
3779  { NULL, 0, 0, 0 },
3780  };
3781 
3782  const char *sig = "alert http any any -> any any (file_data; content:\"bbbc\"; depth:4; sid:1;)";
3783  return RunTest(steps, sig, yaml);
3784 }
3785 
3786 static int DetectEngineHttpServerBodyFileDataTest18(void)
3787 {
3788 
3789  const char yaml[] = "\
3790 %YAML 1.1\n\
3791 ---\n\
3792 libhtp:\n\
3793 \n\
3794  default-config:\n\
3795 \n\
3796  http-body-inline: yes\n\
3797  response-body-minimal-inspect-size: 8\n\
3798  response-body-inspect-window: 4\n\
3799 ";
3800 
3801  struct TestSteps steps[] = {
3802  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3803  "Host: www.openinfosecfoundation.org\r\n"
3804  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3805  "\r\n",
3806  0, STREAM_TOSERVER, 0 },
3807  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3808  "Content-Type: text/html\r\n"
3809  "Content-Length: 20\r\n"
3810  "\r\n"
3811  "aaaab",
3812  0, STREAM_TOCLIENT, 0 },
3813  { (const uint8_t *)"bbbbc",
3814  0, STREAM_TOCLIENT, 0 },
3815  { (const uint8_t *)"ccccd",
3816  0, STREAM_TOCLIENT, 0 },
3817  { (const uint8_t *)"dddde",
3818  0, STREAM_TOCLIENT, 0 },
3819  { NULL, 0, 0, 0 },
3820  };
3821 
3822  const char *sig = "alert http any any -> any any (file_data; content:\"bccd\"; depth:4; sid:1;)";
3823  return RunTest(steps, sig, yaml);
3824 }
3825 static int DetectEngineHttpServerBodyFileDataTest19(void)
3826 {
3827  char input[] = "\
3828 %YAML 1.1\n\
3829 ---\n\
3830 libhtp:\n\
3831 \n\
3832  default-config:\n\
3833 \n\
3834  swf-decompression:\n\
3835  enabled: yes\n\
3836  type: both\n\
3837  compress-depth: 0\n\
3838  decompress-depth: 0\n\
3839 ";
3840  ConfCreateContextBackup();
3841  ConfInit();
3842  HtpConfigCreateBackup();
3843  ConfYamlLoadString(input, strlen(input));
3844  HTPConfigure();
3845  TcpSession ssn;
3846  Packet *p1 = NULL;
3847  Packet *p2 = NULL;
3848  ThreadVars th_v;
3849  DetectEngineCtx *de_ctx = NULL;
3850  DetectEngineThreadCtx *det_ctx = NULL;
3851  HtpState *http_state = NULL;
3852  Flow f;
3853  uint8_t http_buf1[] =
3854  "GET /file.swf HTTP/1.0\r\n"
3855  "Host: www.openinfosecfoundation.org\r\n"
3856  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3857  "\r\n";
3858  uint32_t http_len1 = sizeof(http_buf1) - 1;
3859  uint8_t http_buf2[] = {
3860  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
3861  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
3862  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
3863  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
3864  0x0d, 0x0a,
3865  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
3866  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
3867  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
3868  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
3869  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
3870  };
3871  uint32_t http_len2 = sizeof(http_buf2);
3872  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3873  FAIL_IF_NULL(alp_tctx);
3874 
3875  memset(&th_v, 0, sizeof(th_v));
3876  memset(&f, 0, sizeof(f));
3877  memset(&ssn, 0, sizeof(ssn));
3878 
3879  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3880  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3881 
3882  FLOW_INITIALIZE(&f);
3883  f.protoctx = (void *)&ssn;
3884  f.proto = IPPROTO_TCP;
3885  f.flags |= FLOW_IPV4;
3886 
3887  p1->flow = &f;
3888  p1->flowflags |= FLOW_PKT_TOSERVER;
3889  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3890  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3891  p2->flow = &f;
3892  p2->flowflags |= FLOW_PKT_TOCLIENT;
3893  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3894  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3895  f.alproto = ALPROTO_HTTP1;
3896 
3897  StreamTcpInitConfig(true);
3898 
3899  de_ctx = DetectEngineCtxInit();
3900  FAIL_IF_NULL(de_ctx);
3901 
3902  de_ctx->flags |= DE_QUIET;
3903 
3904  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
3905  "(flow:established,from_server; "
3906  "file_data; content:\"FWS\"; "
3907  "sid:1;)");
3908  FAIL_IF_NULL(de_ctx->sig_list);
3909 
3910  SigGroupBuild(de_ctx);
3911  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3912 
3913  int r = AppLayerParserParse(
3914  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
3915  FAIL_IF(r != 0);
3916 
3917  http_state = f.alstate;
3918  FAIL_IF_NULL(http_state);
3919 
3920  /* do detect */
3921  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3922 
3923  FAIL_IF((PacketAlertCheck(p1, 1)));
3924 
3925  r = AppLayerParserParse(
3926  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
3927  FAIL_IF(r != 0);
3928 
3929  /* do detect */
3930  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3931 
3932  FAIL_IF(!(PacketAlertCheck(p2, 1)));
3933 
3934  AppLayerParserThreadCtxFree(alp_tctx);
3935  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3936  DetectEngineCtxFree(de_ctx);
3937 
3938  HTPFreeConfig();
3939  HtpConfigRestoreBackup();
3940  ConfRestoreContextBackup();
3941 
3942  StreamTcpFreeConfig(true);
3943  FLOW_DESTROY(&f);
3944  UTHFreePackets(&p1, 1);
3945  UTHFreePackets(&p2, 1);
3946  PASS;
3947 }
3948 
3949 static int DetectEngineHttpServerBodyFileDataTest20(void)
3950 {
3951  char input[] = "\
3952 %YAML 1.1\n\
3953 ---\n\
3954 libhtp:\n\
3955 \n\
3956  default-config:\n\
3957 \n\
3958  swf-decompression:\n\
3959  enabled: no\n\
3960  type: both\n\
3961  compress-depth: 0\n\
3962  decompress-depth: 0\n\
3963 ";
3964 
3965  ConfCreateContextBackup();
3966  ConfInit();
3967  HtpConfigCreateBackup();
3968 
3969  ConfYamlLoadString(input, strlen(input));
3970  HTPConfigure();
3971 
3972  TcpSession ssn;
3973  Packet *p1 = NULL;
3974  Packet *p2 = NULL;
3975  ThreadVars th_v;
3976  DetectEngineCtx *de_ctx = NULL;
3977  DetectEngineThreadCtx *det_ctx = NULL;
3978  HtpState *http_state = NULL;
3979  Flow f;
3980  uint8_t http_buf1[] =
3981  "GET /file.swf HTTP/1.0\r\n"
3982  "Host: www.openinfosecfoundation.org\r\n"
3983  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3984  "\r\n";
3985  uint32_t http_len1 = sizeof(http_buf1) - 1;
3986  uint8_t http_buf2[] = {
3987  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
3988  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
3989  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
3990  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
3991  0x0d, 0x0a,
3992  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
3993  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
3994  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
3995  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
3996  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
3997  };
3998  uint32_t http_len2 = sizeof(http_buf2);
3999  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4000  FAIL_IF_NULL(alp_tctx);
4001 
4002  memset(&th_v, 0, sizeof(th_v));
4003  memset(&f, 0, sizeof(f));
4004  memset(&ssn, 0, sizeof(ssn));
4005 
4006  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4007  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4008 
4009  FLOW_INITIALIZE(&f);
4010  f.protoctx = (void *)&ssn;
4011  f.proto = IPPROTO_TCP;
4012  f.flags |= FLOW_IPV4;
4013 
4014  p1->flow = &f;
4015  p1->flowflags |= FLOW_PKT_TOSERVER;
4016  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4017  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4018  p2->flow = &f;
4019  p2->flowflags |= FLOW_PKT_TOCLIENT;
4020  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4021  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4022  f.alproto = ALPROTO_HTTP1;
4023 
4024  StreamTcpInitConfig(true);
4025 
4026  de_ctx = DetectEngineCtxInit();
4027  FAIL_IF_NULL(de_ctx);
4028 
4029  de_ctx->flags |= DE_QUIET;
4030 
4031  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4032  "(flow:established,from_server; "
4033  "file_data; content:\"CWS\"; "
4034  "sid:1;)");
4035  FAIL_IF_NULL(de_ctx->sig_list);
4036 
4037  SigGroupBuild(de_ctx);
4038  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4039 
4040  int r = AppLayerParserParse(
4041  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4042  FAIL_IF(r != 0);
4043 
4044  http_state = f.alstate;
4045  FAIL_IF_NULL(http_state);
4046 
4047  /* do detect */
4048  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4049 
4050  FAIL_IF((PacketAlertCheck(p1, 1)));
4051 
4052  r = AppLayerParserParse(
4053  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4054  FAIL_IF(r != 0);
4055 
4056  /* do detect */
4057  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4058 
4059  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4060 
4061  AppLayerParserThreadCtxFree(alp_tctx);
4062  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4063  DetectEngineCtxFree(de_ctx);
4064 
4065  HTPFreeConfig();
4066  HtpConfigRestoreBackup();
4067  ConfRestoreContextBackup();
4068 
4069  StreamTcpFreeConfig(true);
4070  FLOW_DESTROY(&f);
4071  UTHFreePackets(&p1, 1);
4072  UTHFreePackets(&p2, 1);
4073  PASS;
4074 }
4075 
4076 static int DetectEngineHttpServerBodyFileDataTest21(void)
4077 {
4078  char input[] = "\
4079 %YAML 1.1\n\
4080 ---\n\
4081 libhtp:\n\
4082 \n\
4083  default-config:\n\
4084 \n\
4085  swf-decompression:\n\
4086  enabled: yes\n\
4087  type: deflate\n\
4088  compress-depth: 0\n\
4089  decompress-depth: 0\n\
4090 ";
4091 
4092  ConfCreateContextBackup();
4093  ConfInit();
4094  HtpConfigCreateBackup();
4095 
4096  ConfYamlLoadString(input, strlen(input));
4097  HTPConfigure();
4098 
4099  TcpSession ssn;
4100  Packet *p1 = NULL;
4101  Packet *p2 = NULL;
4102  ThreadVars th_v;
4103  DetectEngineCtx *de_ctx = NULL;
4104  DetectEngineThreadCtx *det_ctx = NULL;
4105  HtpState *http_state = NULL;
4106  Flow f;
4107  uint8_t http_buf1[] =
4108  "GET /file.swf HTTP/1.0\r\n"
4109  "Host: www.openinfosecfoundation.org\r\n"
4110  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4111  "\r\n";
4112  uint32_t http_len1 = sizeof(http_buf1) - 1;
4113  uint8_t http_buf2[] = {
4114  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4115  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4116  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4117  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
4118  0x0d, 0x0a,
4119  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4120  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4121  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4122  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4123  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4124  };
4125  uint32_t http_len2 = sizeof(http_buf2);
4126  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4127  FAIL_IF_NULL(alp_tctx);
4128 
4129  memset(&th_v, 0, sizeof(th_v));
4130  memset(&f, 0, sizeof(f));
4131  memset(&ssn, 0, sizeof(ssn));
4132 
4133  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4134  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4135 
4136  FLOW_INITIALIZE(&f);
4137  f.protoctx = (void *)&ssn;
4138  f.proto = IPPROTO_TCP;
4139  f.flags |= FLOW_IPV4;
4140 
4141  p1->flow = &f;
4142  p1->flowflags |= FLOW_PKT_TOSERVER;
4143  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4144  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4145  p2->flow = &f;
4146  p2->flowflags |= FLOW_PKT_TOCLIENT;
4147  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4148  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4149  f.alproto = ALPROTO_HTTP1;
4150 
4151  StreamTcpInitConfig(true);
4152 
4153  de_ctx = DetectEngineCtxInit();
4154  FAIL_IF_NULL(de_ctx);
4155 
4156  de_ctx->flags |= DE_QUIET;
4157 
4158  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4159  "(flow:established,from_server; "
4160  "file_data; content:\"FWS\"; "
4161  "sid:1;)");
4162  FAIL_IF_NULL(de_ctx->sig_list);
4163 
4164  SigGroupBuild(de_ctx);
4165  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4166 
4167  int r = AppLayerParserParse(
4168  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4169  FAIL_IF(r != 0);
4170 
4171  http_state = f.alstate;
4172  FAIL_IF_NULL(http_state);
4173 
4174  /* do detect */
4175  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4176 
4177  FAIL_IF((PacketAlertCheck(p1, 1)));
4178 
4179  r = AppLayerParserParse(
4180  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4181  FAIL_IF(r != 0);
4182 
4183  /* do detect */
4184  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4185 
4186  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4187 
4188  AppLayerParserThreadCtxFree(alp_tctx);
4189  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4190  DetectEngineCtxFree(de_ctx);
4191 
4192  HTPFreeConfig();
4193  HtpConfigRestoreBackup();
4194  ConfRestoreContextBackup();
4195 
4196  StreamTcpFreeConfig(true);
4197  FLOW_DESTROY(&f);
4198  UTHFreePackets(&p1, 1);
4199  UTHFreePackets(&p2, 1);
4200  PASS;
4201 }
4202 
4203 static int DetectEngineHttpServerBodyFileDataTest22(void)
4204 {
4205  char input[] = "\
4206 %YAML 1.1\n\
4207 ---\n\
4208 libhtp:\n\
4209 \n\
4210  default-config:\n\
4211 \n\
4212  swf-decompression:\n\
4213  enabled: yes\n\
4214  type: lzma\n\
4215  compress-depth: 0\n\
4216  decompress-depth: 0\n\
4217 ";
4218 
4219  ConfCreateContextBackup();
4220  ConfInit();
4221  HtpConfigCreateBackup();
4222 
4223  ConfYamlLoadString(input, strlen(input));
4224  HTPConfigure();
4225 
4226  TcpSession ssn;
4227  Packet *p1 = NULL;
4228  Packet *p2 = NULL;
4229  ThreadVars th_v;
4230  DetectEngineCtx *de_ctx = NULL;
4231  DetectEngineThreadCtx *det_ctx = NULL;
4232  HtpState *http_state = NULL;
4233  Flow f;
4234  uint8_t http_buf1[] =
4235  "GET /file.swf HTTP/1.0\r\n"
4236  "Host: www.openinfosecfoundation.org\r\n"
4237  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4238  "\r\n";
4239  uint32_t http_len1 = sizeof(http_buf1) - 1;
4240  uint8_t http_buf2[] = {
4241  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4242  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4243  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4244  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
4245  0x0d, 0x0a,
4246  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4247  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4248  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4249  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4250  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4251  };
4252  uint32_t http_len2 = sizeof(http_buf2);
4253  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4254  FAIL_IF_NULL(alp_tctx);
4255 
4256  memset(&th_v, 0, sizeof(th_v));
4257  memset(&f, 0, sizeof(f));
4258  memset(&ssn, 0, sizeof(ssn));
4259 
4260  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4261  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4262 
4263  FLOW_INITIALIZE(&f);
4264  f.protoctx = (void *)&ssn;
4265  f.proto = IPPROTO_TCP;
4266  f.flags |= FLOW_IPV4;
4267 
4268  p1->flow = &f;
4269  p1->flowflags |= FLOW_PKT_TOSERVER;
4270  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4271  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4272  p2->flow = &f;
4273  p2->flowflags |= FLOW_PKT_TOCLIENT;
4274  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4275  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4276  f.alproto = ALPROTO_HTTP1;
4277 
4278  StreamTcpInitConfig(true);
4279 
4280  de_ctx = DetectEngineCtxInit();
4281  FAIL_IF_NULL(de_ctx);
4282 
4283  de_ctx->flags |= DE_QUIET;
4284 
4285  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4286  "(flow:established,from_server; "
4287  "file_data; content:\"CWS\"; "
4288  "sid:1;)");
4289  FAIL_IF_NULL(de_ctx->sig_list);
4290 
4291  SigGroupBuild(de_ctx);
4292  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4293 
4294  int r = AppLayerParserParse(
4295  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4296  FAIL_IF(r != 0);
4297 
4298  http_state = f.alstate;
4299  FAIL_IF_NULL(http_state);
4300 
4301  /* do detect */
4302  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4303 
4304  FAIL_IF((PacketAlertCheck(p1, 1)));
4305 
4306  r = AppLayerParserParse(
4307  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4308  FAIL_IF(r != 0);
4309 
4310  /* do detect */
4311  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4312 
4313  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4314 
4315  AppLayerParserThreadCtxFree(alp_tctx);
4316  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4317  DetectEngineCtxFree(de_ctx);
4318 
4319  HTPFreeConfig();
4320  HtpConfigRestoreBackup();
4321  ConfRestoreContextBackup();
4322 
4323  StreamTcpFreeConfig(true);
4324  FLOW_DESTROY(&f);
4325  UTHFreePackets(&p1, 1);
4326  UTHFreePackets(&p2, 1);
4327  PASS;
4328 }
4329 
4330 static int DetectEngineHttpServerBodyFileDataTest23(void)
4331 {
4332  char input[] = "\
4333 %YAML 1.1\n\
4334 ---\n\
4335 libhtp:\n\
4336 \n\
4337  default-config:\n\
4338 \n\
4339  swf-decompression:\n\
4340  enabled: yes\n\
4341  type: both\n\
4342  compress-depth: 0\n\
4343  decompress-depth: 0\n\
4344 ";
4345 
4346  ConfCreateContextBackup();
4347  ConfInit();
4348  HtpConfigCreateBackup();
4349 
4350  ConfYamlLoadString(input, strlen(input));
4351  HTPConfigure();
4352 
4353  TcpSession ssn;
4354  Packet *p1 = NULL;
4355  Packet *p2 = NULL;
4356  ThreadVars th_v;
4357  DetectEngineCtx *de_ctx = NULL;
4358  DetectEngineThreadCtx *det_ctx = NULL;
4359  HtpState *http_state = NULL;
4360  Flow f;
4361  uint8_t http_buf1[] =
4362  "GET /file.swf HTTP/1.0\r\n"
4363  "Host: www.openinfosecfoundation.org\r\n"
4364  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4365  "\r\n";
4366  uint32_t http_len1 = sizeof(http_buf1) - 1;
4367  uint8_t http_buf2[] = {
4368  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4369  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4370  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4371  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
4372  0x0d, 0x0a,
4373  0x43, 0x57, 0x53, 0x01, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4374  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4375  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4376  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4377  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4378  };
4379  uint32_t http_len2 = sizeof(http_buf2);
4380  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4381  FAIL_IF_NULL(alp_tctx);
4382 
4383  memset(&th_v, 0, sizeof(th_v));
4384  memset(&f, 0, sizeof(f));
4385  memset(&ssn, 0, sizeof(ssn));
4386 
4387  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4388  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4389 
4390  FLOW_INITIALIZE(&f);
4391  f.protoctx = (void *)&ssn;
4392  f.proto = IPPROTO_TCP;
4393  f.flags |= FLOW_IPV4;
4394 
4395  p1->flow = &f;
4396  p1->flowflags |= FLOW_PKT_TOSERVER;
4397  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4398  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4399  p2->flow = &f;
4400  p2->flowflags |= FLOW_PKT_TOCLIENT;
4401  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4402  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4403  f.alproto = ALPROTO_HTTP1;
4404 
4405  StreamTcpInitConfig(true);
4406 
4407  de_ctx = DetectEngineCtxInit();
4408  FAIL_IF_NULL(de_ctx);
4409 
4410  de_ctx->flags |= DE_QUIET;
4411 
4412  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4413  "(flow:established,from_server; "
4414  "file_data; content:\"CWS\"; "
4415  "sid:1;)");
4416  FAIL_IF_NULL(de_ctx->sig_list);
4417 
4418  SigGroupBuild(de_ctx);
4419  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4420 
4421  int r = AppLayerParserParse(
4422  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4423  FAIL_IF(r != 0);
4424 
4425  http_state = f.alstate;
4426  FAIL_IF_NULL(http_state);
4427 
4428  /* do detect */
4429  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4430 
4431  FAIL_IF((PacketAlertCheck(p1, 1)));
4432 
4433  r = AppLayerParserParse(
4434  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4435  FAIL_IF(r != 0);
4436 
4437  /* do detect */
4438  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4439 
4440  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4441 
4442  AppLayerParserThreadCtxFree(alp_tctx);
4443  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4444  DetectEngineCtxFree(de_ctx);
4445 
4446  HTPFreeConfig();
4447  HtpConfigRestoreBackup();
4448  ConfRestoreContextBackup();
4449 
4450  StreamTcpFreeConfig(true);
4451  FLOW_DESTROY(&f);
4452  UTHFreePackets(&p1, 1);
4453  UTHFreePackets(&p2, 1);
4454  PASS;
4455 }
4456 
4457 static int DetectEngineHttpServerBodyFileDataTest24(void)
4458 {
4459  char input[] = "\
4460 %YAML 1.1\n\
4461 ---\n\
4462 libhtp:\n\
4463 \n\
4464  default-config:\n\
4465 \n\
4466  swf-decompression:\n\
4467  enabled: yes\n\
4468  type: both\n\
4469  compress-depth: 0\n\
4470  decompress-depth: 0\n\
4471 ";
4472 
4473  ConfCreateContextBackup();
4474  ConfInit();
4475  HtpConfigCreateBackup();
4476 
4477  ConfYamlLoadString(input, strlen(input));
4478  HTPConfigure();
4479 
4480  TcpSession ssn;
4481  Packet *p1 = NULL;
4482  Packet *p2 = NULL;
4483  ThreadVars th_v;
4484  DetectEngineCtx *de_ctx = NULL;
4485  DetectEngineThreadCtx *det_ctx = NULL;
4486  HtpState *http_state = NULL;
4487  Flow f;
4488  uint8_t http_buf1[] =
4489  "GET /file.swf HTTP/1.0\r\n"
4490  "Host: www.openinfosecfoundation.org\r\n"
4491  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4492  "\r\n";
4493  uint32_t http_len1 = sizeof(http_buf1) - 1;
4494  uint8_t http_buf2[] = {
4495  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4496  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
4497  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4498  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4499  0x0d, 0x0a,
4500  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4501  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4502  0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
4503  0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
4504  0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
4505  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
4506  0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4507  };
4508  uint32_t http_len2 = sizeof(http_buf2);
4509  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4510  FAIL_IF_NULL(alp_tctx);
4511 
4512  memset(&th_v, 0, sizeof(th_v));
4513  memset(&f, 0, sizeof(f));
4514  memset(&ssn, 0, sizeof(ssn));
4515 
4516  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4517  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4518 
4519  FLOW_INITIALIZE(&f);
4520  f.protoctx = (void *)&ssn;
4521  f.proto = IPPROTO_TCP;
4522  f.flags |= FLOW_IPV4;
4523 
4524  p1->flow = &f;
4525  p1->flowflags |= FLOW_PKT_TOSERVER;
4526  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4527  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4528  p2->flow = &f;
4529  p2->flowflags |= FLOW_PKT_TOCLIENT;
4530  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4531  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4532  f.alproto = ALPROTO_HTTP1;
4533 
4534  StreamTcpInitConfig(true);
4535 
4536  de_ctx = DetectEngineCtxInit();
4537  FAIL_IF_NULL(de_ctx);
4538 
4539 
4540  de_ctx->flags |= DE_QUIET;
4541 
4542  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4543  "(flow:established,from_server; "
4544  "file_data; content:\"FWS\"; "
4545  "sid:1;)");
4546  FAIL_IF_NULL(de_ctx->sig_list);
4547 
4548  SigGroupBuild(de_ctx);
4549  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4550 
4551  int r = AppLayerParserParse(
4552  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4553  FAIL_IF(r != 0);
4554 
4555  http_state = f.alstate;
4556  FAIL_IF_NULL(http_state);
4557 
4558  /* do detect */
4559  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4560 
4561  FAIL_IF((PacketAlertCheck(p1, 1)));
4562 
4563  r = AppLayerParserParse(
4564  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4565  FAIL_IF(r != 0);
4566 
4567  /* do detect */
4568  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4569 
4570  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4571 
4572  AppLayerParserThreadCtxFree(alp_tctx);
4573  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4574  DetectEngineCtxFree(de_ctx);
4575 
4576  HTPFreeConfig();
4577  HtpConfigRestoreBackup();
4578  ConfRestoreContextBackup();
4579 
4580  StreamTcpFreeConfig(true);
4581  FLOW_DESTROY(&f);
4582  UTHFreePackets(&p1, 1);
4583  UTHFreePackets(&p2, 1);
4584  PASS;
4585 }
4586 
4587 static int DetectEngineHttpServerBodyFileDataTest25(void)
4588 {
4589  char input[] = "\
4590 %YAML 1.1\n\
4591 ---\n\
4592 libhtp:\n\
4593 \n\
4594  default-config:\n\
4595 \n\
4596  swf-decompression:\n\
4597  enabled: no\n\
4598  type: both\n\
4599  compress-depth: 0\n\
4600  decompress-depth: 0\n\
4601 ";
4602 
4603  ConfCreateContextBackup();
4604  ConfInit();
4605  HtpConfigCreateBackup();
4606 
4607  ConfYamlLoadString(input, strlen(input));
4608  HTPConfigure();
4609 
4610  TcpSession ssn;
4611  Packet *p1 = NULL;
4612  Packet *p2 = NULL;
4613  ThreadVars th_v;
4614  DetectEngineCtx *de_ctx = NULL;
4615  DetectEngineThreadCtx *det_ctx = NULL;
4616  HtpState *http_state = NULL;
4617  Flow f;
4618  uint8_t http_buf1[] =
4619  "GET /file.swf HTTP/1.0\r\n"
4620  "Host: www.openinfosecfoundation.org\r\n"
4621  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4622  "\r\n";
4623  uint32_t http_len1 = sizeof(http_buf1) - 1;
4624  uint8_t http_buf2[] = {
4625  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4626  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
4627  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4628  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4629  0x0d, 0x0a,
4630  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19,
4631  0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05,
4632  0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2,
4633  0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0, 0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59,
4634  0x56, 0x06, 0x08, 0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4635  };
4636  uint32_t http_len2 = sizeof(http_buf2);
4637  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4638  FAIL_IF_NULL(alp_tctx);
4639 
4640  memset(&th_v, 0, sizeof(th_v));
4641  memset(&f, 0, sizeof(f));
4642  memset(&ssn, 0, sizeof(ssn));
4643 
4644  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4645  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4646 
4647  FLOW_INITIALIZE(&f);
4648  f.protoctx = (void *)&ssn;
4649  f.proto = IPPROTO_TCP;
4650  f.flags |= FLOW_IPV4;
4651 
4652  p1->flow = &f;
4653  p1->flowflags |= FLOW_PKT_TOSERVER;
4654  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4655  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4656  p2->flow = &f;
4657  p2->flowflags |= FLOW_PKT_TOCLIENT;
4658  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4659  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4660  f.alproto = ALPROTO_HTTP1;
4661 
4662  StreamTcpInitConfig(true);
4663 
4664  de_ctx = DetectEngineCtxInit();
4665  FAIL_IF_NULL(de_ctx);
4666 
4667  de_ctx->flags |= DE_QUIET;
4668 
4669  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4670  "(flow:established,from_server; "
4671  "file_data; content:\"ZWS\"; "
4672  "sid:1;)");
4673  FAIL_IF_NULL(de_ctx->sig_list);
4674 
4675  SigGroupBuild(de_ctx);
4676  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4677 
4678  int r = AppLayerParserParse(
4679  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4680  FAIL_IF(r != 0);
4681 
4682  http_state = f.alstate;
4683  FAIL_IF_NULL(http_state);
4684 
4685  /* do detect */
4686  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4687 
4688  FAIL_IF((PacketAlertCheck(p1, 1)));
4689 
4690  r = AppLayerParserParse(
4691  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4692  FAIL_IF(r != 0);
4693 
4694  /* do detect */
4695  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4696 
4697  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4698 
4699  AppLayerParserThreadCtxFree(alp_tctx);
4700  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4701  DetectEngineCtxFree(de_ctx);
4702 
4703  HTPFreeConfig();
4704  HtpConfigRestoreBackup();
4705  ConfRestoreContextBackup();
4706 
4707  StreamTcpFreeConfig(true);
4708  FLOW_DESTROY(&f);
4709  UTHFreePackets(&p1, 1);
4710  UTHFreePackets(&p2, 1);
4711  PASS;
4712 }
4713 
4714 static int DetectEngineHttpServerBodyFileDataTest26(void)
4715 {
4716  char input[] = "\
4717 %YAML 1.1\n\
4718 ---\n\
4719 libhtp:\n\
4720 \n\
4721  default-config:\n\
4722 \n\
4723  swf-decompression:\n\
4724  enabled: yes\n\
4725  type: lzma\n\
4726  compress-depth: 0\n\
4727  decompress-depth: 0\n\
4728 ";
4729 
4730  ConfCreateContextBackup();
4731  ConfInit();
4732  HtpConfigCreateBackup();
4733 
4734  ConfYamlLoadString(input, strlen(input));
4735  HTPConfigure();
4736 
4737  TcpSession ssn;
4738  Packet *p1 = NULL;
4739  Packet *p2 = NULL;
4740  ThreadVars th_v;
4741  DetectEngineCtx *de_ctx = NULL;
4742  DetectEngineThreadCtx *det_ctx = NULL;
4743  HtpState *http_state = NULL;
4744  Flow f;
4745  uint8_t http_buf1[] =
4746  "GET /file.swf HTTP/1.0\r\n"
4747  "Host: www.openinfosecfoundation.org\r\n"
4748  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4749  "\r\n";
4750  uint32_t http_len1 = sizeof(http_buf1) - 1;
4751  uint8_t http_buf2[] = {
4752  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4753  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
4754  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4755  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4756  0x0d, 0x0a,
4757  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4758  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4759  0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
4760  0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
4761  0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
4762  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
4763  0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4764  };
4765  uint32_t http_len2 = sizeof(http_buf2);
4766  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4767  FAIL_IF_NULL(alp_tctx);
4768 
4769  memset(&th_v, 0, sizeof(th_v));
4770  memset(&f, 0, sizeof(f));
4771  memset(&ssn, 0, sizeof(ssn));
4772 
4773  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4774  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4775 
4776  FLOW_INITIALIZE(&f);
4777  f.protoctx = (void *)&ssn;
4778  f.proto = IPPROTO_TCP;
4779  f.flags |= FLOW_IPV4;
4780 
4781  p1->flow = &f;
4782  p1->flowflags |= FLOW_PKT_TOSERVER;
4783  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4784  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4785  p2->flow = &f;
4786  p2->flowflags |= FLOW_PKT_TOCLIENT;
4787  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4788  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4789  f.alproto = ALPROTO_HTTP1;
4790 
4791  StreamTcpInitConfig(true);
4792 
4793  de_ctx = DetectEngineCtxInit();
4794  FAIL_IF_NULL(de_ctx);
4795 
4796  de_ctx->flags |= DE_QUIET;
4797 
4798  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4799  "(flow:established,from_server; "
4800  "file_data; content:\"FWS\"; "
4801  "sid:1;)");
4802  FAIL_IF_NULL(de_ctx->sig_list);
4803 
4804  SigGroupBuild(de_ctx);
4805  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4806 
4807  int r = AppLayerParserParse(
4808  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4809  FAIL_IF(r != 0);
4810 
4811  http_state = f.alstate;
4812  FAIL_IF_NULL(http_state);
4813 
4814  /* do detect */
4815  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4816 
4817  FAIL_IF((PacketAlertCheck(p1, 1)));
4818 
4819  r = AppLayerParserParse(
4820  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4821  FAIL_IF(r != 0);
4822 
4823  /* do detect */
4824  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4825 
4826  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4827 
4828  AppLayerParserThreadCtxFree(alp_tctx);
4829  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4830  DetectEngineCtxFree(de_ctx);
4831 
4832  HTPFreeConfig();
4833  HtpConfigRestoreBackup();
4834  ConfRestoreContextBackup();
4835 
4836  StreamTcpFreeConfig(true);
4837  FLOW_DESTROY(&f);
4838  UTHFreePackets(&p1, 1);
4839  UTHFreePackets(&p2, 1);
4840  PASS;
4841 }
4842 
4843 static int DetectEngineHttpServerBodyFileDataTest27(void)
4844 {
4845  char input[] = "\
4846 %YAML 1.1\n\
4847 ---\n\
4848 libhtp:\n\
4849 \n\
4850  default-config:\n\
4851 \n\
4852  swf-decompression:\n\
4853  enabled: yes\n\
4854  type: deflate\n\
4855  compress-depth: 0\n\
4856  decompress-depth: 0\n\
4857 ";
4858 
4859  ConfCreateContextBackup();
4860  ConfInit();
4861  HtpConfigCreateBackup();
4862 
4863  ConfYamlLoadString(input, strlen(input));
4864  HTPConfigure();
4865 
4866  TcpSession ssn;
4867  Packet *p1 = NULL;
4868  Packet *p2 = NULL;
4869  ThreadVars th_v;
4870  DetectEngineCtx *de_ctx = NULL;
4871  DetectEngineThreadCtx *det_ctx = NULL;
4872  HtpState *http_state = NULL;
4873  Flow f;
4874  uint8_t http_buf1[] =
4875  "GET /file.swf HTTP/1.0\r\n"
4876  "Host: www.openinfosecfoundation.org\r\n"
4877  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4878  "\r\n";
4879  uint32_t http_len1 = sizeof(http_buf1) - 1;
4880  uint8_t http_buf2[] = {
4881  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4882  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4883  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4884  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4885  0x0d, 0x0a,
4886  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4887  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4888  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
4889  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
4890  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
4891  };
4892  uint32_t http_len2 = sizeof(http_buf2);
4893  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4894  FAIL_IF_NULL(alp_tctx);
4895 
4896  memset(&th_v, 0, sizeof(th_v));
4897  memset(&f, 0, sizeof(f));
4898  memset(&ssn, 0, sizeof(ssn));
4899 
4900  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4901  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4902 
4903  FLOW_INITIALIZE(&f);
4904  f.protoctx = (void *)&ssn;
4905  f.proto = IPPROTO_TCP;
4906  f.flags |= FLOW_IPV4;
4907 
4908  p1->flow = &f;
4909  p1->flowflags |= FLOW_PKT_TOSERVER;
4910  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4911  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4912  p2->flow = &f;
4913  p2->flowflags |= FLOW_PKT_TOCLIENT;
4914  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4915  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4916  f.alproto = ALPROTO_HTTP1;
4917 
4918  StreamTcpInitConfig(true);
4919 
4920  de_ctx = DetectEngineCtxInit();
4921  FAIL_IF_NULL(de_ctx);
4922 
4923  de_ctx->flags |= DE_QUIET;
4924 
4925  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4926  "(flow:established,from_server; "
4927  "file_data; content:\"ZWS\"; "
4928  "sid:1;)");
4929  FAIL_IF_NULL(de_ctx->sig_list);
4930 
4931  SigGroupBuild(de_ctx);
4932  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4933 
4934  int r = AppLayerParserParse(
4935  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4936  FAIL_IF(r != 0);
4937 
4938  http_state = f.alstate;
4939  FAIL_IF_NULL(http_state);
4940 
4941  /* do detect */
4942  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4943 
4944  FAIL_IF((PacketAlertCheck(p1, 1)));
4945 
4946  r = AppLayerParserParse(
4947  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4948  FAIL_IF(r != 0);
4949 
4950  /* do detect */
4951  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4952 
4953  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4954 
4955  AppLayerParserThreadCtxFree(alp_tctx);
4956  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4957  DetectEngineCtxFree(de_ctx);
4958 
4959  HTPFreeConfig();
4960  HtpConfigRestoreBackup();
4961  ConfRestoreContextBackup();
4962 
4963  StreamTcpFreeConfig(true);
4964  FLOW_DESTROY(&f);
4965  UTHFreePackets(&p1, 1);
4966  UTHFreePackets(&p2, 1);
4967  PASS;
4968 }
4969 
4970 static int DetectEngineHttpServerBodyFileDataTest28(void)
4971 {
4972  char input[] = "\
4973 %YAML 1.1\n\
4974 ---\n\
4975 libhtp:\n\
4976 \n\
4977  default-config:\n\
4978 \n\
4979  swf-decompression:\n\
4980  enabled: yes\n\
4981  type: both\n\
4982  compress-depth: 0\n\
4983  decompress-depth: 0\n\
4984 ";
4985 
4986  ConfCreateContextBackup();
4987  ConfInit();
4988  HtpConfigCreateBackup();
4989 
4990  ConfYamlLoadString(input, strlen(input));
4991  HTPConfigure();
4992 
4993  TcpSession ssn;
4994  Packet *p1 = NULL;
4995  Packet *p2 = NULL;
4996  ThreadVars th_v;
4997  DetectEngineCtx *de_ctx = NULL;
4998  DetectEngineThreadCtx *det_ctx = NULL;
4999  HtpState *http_state = NULL;
5000  Flow f;
5001  uint8_t http_buf1[] =
5002  "GET /file.swf HTTP/1.0\r\n"
5003  "Host: www.openinfosecfoundation.org\r\n"
5004  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5005  "\r\n";
5006  uint32_t http_len1 = sizeof(http_buf1) - 1;
5007  uint8_t http_buf2[] = {
5008  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
5009  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
5010  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
5011  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
5012  0x0d, 0x0a,
5013  0x5a, 0x57, 0x53, 0x01, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
5014  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
5015  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
5016  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
5017  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
5018  };
5019  uint32_t http_len2 = sizeof(http_buf2);
5020  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5021  FAIL_IF_NULL(alp_tctx);
5022 
5023  memset(&th_v, 0, sizeof(th_v));
5024  memset(&f, 0, sizeof(f));
5025  memset(&ssn, 0, sizeof(ssn));
5026 
5027  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5028  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5029 
5030  FLOW_INITIALIZE(&f);
5031  f.protoctx = (void *)&ssn;
5032  f.proto = IPPROTO_TCP;
5033  f.flags |= FLOW_IPV4;
5034 
5035  p1->flow = &f;
5036  p1->flowflags |= FLOW_PKT_TOSERVER;
5037  p1->flowflags |= FLOW_PKT_ESTABLISHED;
5038  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5039  p2->flow = &f;
5040  p2->flowflags |= FLOW_PKT_TOCLIENT;
5041  p2->flowflags |= FLOW_PKT_ESTABLISHED;
5042  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5043  f.alproto = ALPROTO_HTTP1;
5044 
5045  StreamTcpInitConfig(true);
5046 
5047  de_ctx = DetectEngineCtxInit();
5048  FAIL_IF_NULL(de_ctx);
5049 
5050  de_ctx->flags |= DE_QUIET;
5051 
5052  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
5053  "(flow:established,from_server; "
5054  "file_data; content:\"ZWS\"; "
5055  "sid:1;)");
5056  FAIL_IF_NULL(de_ctx->sig_list);
5057 
5058  SigGroupBuild(de_ctx);
5059  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5060 
5061  int r = AppLayerParserParse(
5062  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
5063  FAIL_IF(r != 0);
5064 
5065  http_state = f.alstate;
5066  FAIL_IF_NULL(http_state);
5067 
5068  /* do detect */
5069  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5070 
5071  FAIL_IF((PacketAlertCheck(p1, 1)));
5072 
5073  r = AppLayerParserParse(
5074  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
5075  FAIL_IF(r != 0);
5076 
5077  /* do detect */
5078  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5079 
5080  FAIL_IF(!(PacketAlertCheck(p2, 1)));
5081 
5082  AppLayerParserThreadCtxFree(alp_tctx);
5083  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5084  DetectEngineCtxFree(de_ctx);
5085 
5086  HTPFreeConfig();
5087  HtpConfigRestoreBackup();
5088  ConfRestoreContextBackup();
5089 
5090  StreamTcpFreeConfig(true);
5091  FLOW_DESTROY(&f);
5092  UTHFreePackets(&p1, 1);
5093  UTHFreePackets(&p2, 1);
5094  PASS;
5095 }
5096 
5097 static int DetectEngineHttpServerBodyFileDataTest29(void)
5098 {
5099  char input[] = "\
5100 %YAML 1.1\n\
5101 ---\n\
5102 libhtp:\n\
5103 \n\
5104  default-config:\n\
5105 \n\
5106  swf-decompression:\n\
5107  enabled: yes\n\
5108  type: both\n\
5109  compress-depth: 1000\n\
5110  decompress-depth: 0\n\
5111 ";
5112 
5113  ConfCreateContextBackup();
5114  ConfInit();
5115  HtpConfigCreateBackup();
5116  ConfYamlLoadString(input, strlen(input));
5117  HTPConfigure();
5118 
5119  TcpSession ssn;
5120  Packet *p1 = NULL;
5121  Packet *p2 = NULL;
5122  ThreadVars th_v;
5123  DetectEngineCtx *de_ctx = NULL;
5124  DetectEngineThreadCtx *det_ctx = NULL;
5125  HtpState *http_state = NULL;
5126  Flow f;
5127  uint8_t http_buf1[] =
5128  "GET /file.swf HTTP/1.0\r\n"
5129  "Host: www.openinfosecfoundation.org\r\n"
5130  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5131  "\r\n";
5132  uint32_t http_len1 = sizeof(http_buf1) - 1;
5133  uint8_t http_buf2[] = {
5134  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
5135  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
5136  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
5137  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
5138  0x0d, 0x0a,
5139  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
5140  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
5141  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
5142  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
5143  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
5144  };
5145  uint32_t http_len2 = sizeof(http_buf2);
5146  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5147  FAIL_IF_NULL(alp_tctx);
5148 
5149  memset(&th_v, 0, sizeof(th_v));
5150  memset(&f, 0, sizeof(f));
5151  memset(&ssn, 0, sizeof(ssn));
5152 
5153  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5154  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5155 
5156  FLOW_INITIALIZE(&f);
5157  f.protoctx = (void *)&ssn;
5158  f.proto = IPPROTO_TCP;
5159  f.flags |= FLOW_IPV4;
5160 
5161  p1->flow = &f;
5162  p1->flowflags |= FLOW_PKT_TOSERVER;
5163  p1->flowflags |= FLOW_PKT_ESTABLISHED;
5164  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5165  p2->flow = &f;
5166  p2->flowflags |= FLOW_PKT_TOCLIENT;
5167  p2->flowflags |= FLOW_PKT_ESTABLISHED;
5168  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5169  f.alproto = ALPROTO_HTTP1;
5170 
5171  StreamTcpInitConfig(true);
5172 
5173  de_ctx = DetectEngineCtxInit();
5174  FAIL_IF_NULL(de_ctx);
5175 
5176  de_ctx->flags |= DE_QUIET;
5177 
5178  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
5179  "(flow:established,from_server; "
5180  "file_data; content:\"FWS\"; "
5181  "sid:1;)");
5182  FAIL_IF_NULL(de_ctx->sig_list);
5183 
5184  SigGroupBuild(de_ctx);
5185  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5186 
5187  int r = AppLayerParserParse(
5188  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
5189  FAIL_IF(r != 0);
5190 
5191  http_state = f.alstate;
5192  FAIL_IF_NULL(http_state);
5193 
5194  /* do detect */
5195  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5196 
5197  FAIL_IF((PacketAlertCheck(p1, 1)));
5198 
5199  r = AppLayerParserParse(
5200  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
5201  FAIL_IF(r != 0);
5202 
5203  /* do detect */
5204  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5205 
5206  FAIL_IF(!(PacketAlertCheck(p2, 1)));
5207 
5208  AppLayerParserThreadCtxFree(alp_tctx);
5209  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5210  DetectEngineCtxFree(de_ctx);
5211 
5212  HTPFreeConfig();
5213  HtpConfigRestoreBackup();
5214  ConfRestoreContextBackup();
5215 
5216  StreamTcpFreeConfig(true);
5217  FLOW_DESTROY(&f);
5218  UTHFreePackets(&p1, 1);
5219  UTHFreePackets(&p2, 1);
5220  PASS;
5221 }
5222 
5223 /**
5224  *\test Test that the http_server_body content matches against a http request
5225  * which holds the content.
5226  */
5227 static int DetectHttpServerBodyTest06(void)
5228 {
5229  TcpSession ssn;
5230  Packet *p = NULL;
5231  ThreadVars th_v;
5232  DetectEngineCtx *de_ctx = NULL;
5233  DetectEngineThreadCtx *det_ctx = NULL;
5234  HtpState *http_state = NULL;
5235  Flow f;
5236  uint8_t http_buf[] =
5237  "GET /index.html HTTP/1.0\r\n"
5238  "Host: www.openinfosecfoundation.org\r\n"
5239  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5240  "\r\n";
5241  uint32_t http_len = sizeof(http_buf) - 1;
5242  uint8_t http_buf2[] =
5243  "HTTP/1.0 200 ok\r\n"
5244  "Content-Type: text/html\r\n"
5245  "Content-Length: 7\r\n"
5246  "\r\n"
5247  "message";
5248  uint32_t http_len2 = sizeof(http_buf2) - 1;
5249  int result = 0;
5250  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5251 
5252  memset(&th_v, 0, sizeof(th_v));
5253  memset(&f, 0, sizeof(f));
5254  memset(&ssn, 0, sizeof(ssn));
5255 
5256  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5257 
5258  FLOW_INITIALIZE(&f);
5259  f.protoctx = (void *)&ssn;
5260  f.proto = IPPROTO_TCP;
5261  f.flags |= FLOW_IPV4;
5262 
5263  p->flow = &f;
5264  p->flowflags |= FLOW_PKT_TOCLIENT;
5265  p->flowflags |= FLOW_PKT_ESTABLISHED;
5266  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5267  f.alproto = ALPROTO_HTTP1;
5268 
5269  StreamTcpInitConfig(true);
5270 
5271  de_ctx = DetectEngineCtxInit();
5272  if (de_ctx == NULL)
5273  goto end;
5274 
5275  de_ctx->flags |= DE_QUIET;
5276 
5277  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5278  "(msg:\"http server body test\"; "
5279  "content:\"message\"; http_server_body; "
5280  "sid:1;)");
5281  if (de_ctx->sig_list == NULL)
5282  goto end;
5283 
5284  SigGroupBuild(de_ctx);
5285  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5286 
5287  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1,
5288  STREAM_TOSERVER | STREAM_START | STREAM_EOF, http_buf, http_len);
5289  if (r != 0) {
5290  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5291  result = 0;
5292  goto end;
5293  }
5294  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1,
5295  STREAM_TOCLIENT | STREAM_START | STREAM_EOF, http_buf2, http_len2);
5296  if (r != 0) {
5297  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5298  result = 0;
5299  goto end;
5300  }
5301 
5302  http_state = f.alstate;
5303  if (http_state == NULL) {
5304  printf("no http state: \n");
5305  result = 0;
5306  goto end;
5307  }
5308 
5309  /* do detect */
5310  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5311 
5312  if (!(PacketAlertCheck(p, 1))) {
5313  printf("sid 1 didn't match but should have: ");
5314  goto end;
5315  }
5316 
5317  result = 1;
5318 end:
5319  if (alp_tctx != NULL)
5320  AppLayerParserThreadCtxFree(alp_tctx);
5321  if (de_ctx != NULL)
5322  DetectEngineCtxFree(de_ctx);
5323 
5324  StreamTcpFreeConfig(true);
5325  FLOW_DESTROY(&f);
5326  UTHFreePackets(&p, 1);
5327  return result;
5328 }
5329 
5330 /**
5331  *\test Test that the http_server_body content matches against a http request
5332  * which holds the content.
5333  */
5334 static int DetectHttpServerBodyTest07(void)
5335 {
5336  TcpSession ssn;
5337  Packet *p1 = NULL;
5338  Packet *p2 = NULL;
5339  ThreadVars th_v;
5340  DetectEngineCtx *de_ctx = NULL;
5341  DetectEngineThreadCtx *det_ctx = NULL;
5342  HtpState *http_state = NULL;
5343  Flow f;
5344  uint8_t http_buf1[] =
5345  "GET /index.html HTTP/1.0\r\n"
5346  "Host: www.openinfosecfoundation.org\r\n"
5347  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5348  "\r\n";
5349  uint32_t http_len1 = sizeof(http_buf1) - 1;
5350  uint8_t http_buf2[] =
5351  "HTTP/1.0 200 ok\r\n"
5352  "Content-Type: text/html\r\n"
5353  "Content-Length: 14\r\n"
5354  "\r\n";
5355  uint32_t http_len2 = sizeof(http_buf2) - 1;
5356  uint8_t http_buf3[] =
5357  "message";
5358  uint32_t http_len3 = sizeof(http_buf3) - 1;
5359  int result = 0;
5360  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5361 
5362  memset(&th_v, 0, sizeof(th_v));
5363  memset(&f, 0, sizeof(f));
5364  memset(&ssn, 0, sizeof(ssn));
5365 
5366  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5367  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5368 
5369  FLOW_INITIALIZE(&f);
5370  f.protoctx = (void *)&ssn;
5371  f.proto = IPPROTO_TCP;
5372  f.flags |= FLOW_IPV4;
5373 
5374  p1->flow = &f;
5375  p1->flowflags |= FLOW_PKT_TOCLIENT;
5376  p1->flowflags |= FLOW_PKT_ESTABLISHED;
5377  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5378 
5379  p2->flow = &f;
5380  p2->flowflags |= FLOW_PKT_TOCLIENT;
5381  p2->flowflags |= FLOW_PKT_ESTABLISHED;
5382  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5383  f.alproto = ALPROTO_HTTP1;
5384 
5385  StreamTcpInitConfig(true);
5386 
5387  de_ctx = DetectEngineCtxInit();
5388  if (de_ctx == NULL)
5389  goto end;
5390 
5391  de_ctx->flags |= DE_QUIET;
5392 
5393  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5394  "(msg:\"http server body test\"; "
5395  "content:\"message\"; http_server_body; "
5396  "sid:1;)");
5397  if (de_ctx->sig_list == NULL)
5398  goto end;
5399 
5400  SigGroupBuild(de_ctx);
5401  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5402 
5403  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
5404  http_buf1, http_len1);
5405  if (r != 0) {
5406  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5407  goto end;
5408  }
5409 
5410  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
5411  http_buf2, http_len2);
5412  if (r != 0) {
5413  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
5414  goto end;
5415  }
5416 
5417  http_state = f.alstate;
5418  if (http_state == NULL) {
5419  printf("no http state: ");
5420  goto end;
5421  }
5422 
5423  /* do detect */
5424  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5425 
5426  if ((PacketAlertCheck(p1, 1))) {
5427  printf("sid 1 matched on chunk2 but shouldn't have: ");
5428  goto end;
5429  }
5430 
5431  r = AppLayerParserParse(
5432  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf3, http_len3);
5433  if (r != 0) {
5434  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
5435  goto end;
5436  }
5437 
5438  /* do detect */
5439  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5440  if (!(PacketAlertCheck(p2, 1))) {
5441  printf("sid 1 didn't match on p2 (chunk3) but should have: ");
5442  goto end;
5443  }
5444 
5445  result = 1;
5446 end:
5447  if (alp_tctx != NULL)
5448  AppLayerParserThreadCtxFree(alp_tctx);
5449  if (de_ctx != NULL)
5450  DetectEngineCtxFree(de_ctx);
5451 
5452  StreamTcpFreeConfig(true);
5453  FLOW_DESTROY(&f);
5454  UTHFreePackets(&p1, 1);
5455  UTHFreePackets(&p2, 1);
5456  return result;
5457 }
5458 
5459 /**
5460  *\test Test that the http_server_body content matches against a http request
5461  * which holds the content.
5462  */
5463 static int DetectHttpServerBodyTest08(void)
5464 {
5465  TcpSession ssn;
5466  Packet *p1 = NULL;
5467  Packet *p2 = NULL;
5468  ThreadVars th_v;
5469  DetectEngineCtx *de_ctx = NULL;
5470  DetectEngineThreadCtx *det_ctx = NULL;
5471  HtpState *http_state = NULL;
5472  Flow f;
5473  uint8_t http_buf1[] =
5474  "GET /index.html HTTP/1.0\r\n"
5475  "Host: www.openinfosecfoundation.org\r\n"
5476  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5477  "\r\n";
5478  uint32_t http_len1 = sizeof(http_buf1) - 1;
5479  uint8_t http_buf2[] =
5480  "HTTP/1.0 200 ok\r\n"
5481  "Content-Type: text/html\r\n"
5482  "Content-Length: 14\r\n"
5483  "\r\n"
5484  "bigmes";
5485  uint32_t http_len2 = sizeof(http_buf2) - 1;
5486  uint8_t http_buf3[] =
5487  "sage4u!!";
5488  uint32_t http_len3 = sizeof(http_buf3) - 1;
5489  int result = 0;
5490  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5491 
5492  memset(&th_v, 0, sizeof(th_v));
5493  memset(&f, 0, sizeof(f));
5494  memset(&ssn, 0, sizeof(ssn));
5495 
5496  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5497  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5498 
5499  FLOW_INITIALIZE(&f);
5500  f.protoctx = (void *)&ssn;
5501  f.proto = IPPROTO_TCP;
5502  f.flags |= FLOW_IPV4;
5503 
5504  p1->flow = &f;
5505  p1->flowflags |= FLOW_PKT_TOCLIENT;
5506  p1->flowflags |= FLOW_PKT_ESTABLISHED;
5507  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5508  p2->flow = &f;
5509  p2->flowflags |= FLOW_PKT_TOCLIENT;
5510  p2->flowflags |= FLOW_PKT_ESTABLISHED;
5511  p2->flags |=