1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <giuseppe@glongo.it>
22  *
23  * Tests for the hsbd with swf files
24  */
25 
26 #include "../suricata-common.h"
27 #include "../conf-yaml-loader.h"
28 #include "../decode.h"
29 #include "../flow.h"
30 #include "../detect.h"
31 #include "../detect-engine-build.h"
32 #include "../detect-engine-alert.h"
33 
/**
 * \test Parsing of the legacy http_server_body content modifier.
 *
 * Rules that pair the modifier with a plain, nocase, startswith or
 * endswith content must be accepted. Rules that pair it with rawbytes,
 * that use it with no preceding content on a tcp rule, or that use it
 * on a tls rule must be rejected.
 */
static int DetectHttpServerBodyParserTest01(void)
{
    /* rule text paired with whether UTHParseSignature must accept it */
    static const struct {
        const char *rule;
        bool accepted;
    } cases[] = {
        { "alert http any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)", false },
        { "alert tcp any any -> any any (flow:to_client; http_server_body; sid:1;)", false },
        { "alert tls any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", false },
    };

    for (size_t k = 0; k < sizeof(cases) / sizeof(cases[0]); k++) {
        /* on failure FAIL_IF_NOT reports this line; the offending rule is
         * cases[k].rule */
        FAIL_IF_NOT(UTHParseSignature(cases[k].rule, cases[k].accepted));
    }
    PASS;
}
50 
/**
 * \test Parsing of the http.response_body sticky buffer.
 *
 * Rules that follow the buffer with a plain, nocase, startswith or
 * endswith content, or with a bsize check, must be accepted. Rules that
 * add rawbytes to the content, that use the buffer with no content on a
 * tcp rule, or that use it on a tls rule must be rejected.
 */
static int DetectHttpServerBodyParserTest02(void)
{
    /* rule text paired with whether UTHParseSignature must accept it */
    static const struct {
        const char *rule;
        bool accepted;
    } cases[] = {
        { "alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; http.response_body; bsize:10; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)", false },
        { "alert tcp any any -> any any (flow:to_client; http.response_body; sid:1;)", false },
        { "alert tls any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", false },
    };

    for (size_t k = 0; k < sizeof(cases) / sizeof(cases[0]); k++) {
        /* on failure FAIL_IF_NOT reports this line; the offending rule is
         * cases[k].rule */
        FAIL_IF_NOT(UTHParseSignature(cases[k].rule, cases[k].accepted));
    }
    PASS;
}
/** One scripted chunk replayed through the HTTP parser by RunTest(). */
struct TestSteps {
    const uint8_t *input; /**< chunk payload; a NULL input terminates the sequence */
    size_t input_size; /**< if 0 strlen will be used */
    int direction; /**< STREAM_TOSERVER, STREAM_TOCLIENT */
    int expect; /**< value PacketAlertCheck() must return for sid 1 after this chunk */
};
74 
/**
 * \brief Replay a scripted sequence of HTTP chunks against one signature.
 *
 * Each entry of \a steps is handed to the HTTP1 app-layer parser in the
 * entry's direction; detection is then run on a freshly built packet
 * tied to the same flow and the alert state for sid 1 is compared with
 * the entry's \c expect. The sequence ends at the first entry whose
 * \c input is NULL.
 *
 * \param steps array of chunks, terminated by an entry with input == NULL
 * \param sig   rule text appended to the detection engine (checked as sid 1)
 * \param yaml  optional YAML configuration loaded before HTP is configured,
 *              or NULL
 *
 * \retval 1 every step matched its expectation (PASS)
 * \retval 0 on the first failed FAIL_IF_* check
 *
 * NOTE(review): the rendered listing skips several line numbers inside this
 * function (around the de_ctx / alp_tctx set-up, after the packet flowflags
 * assignment in the loop, after DetectEngineThreadCtxDeinit and inside the
 * final "if (yaml)"), so the code below is not the complete function.
 */
static int RunTest(struct TestSteps *steps, const char *sig, const char *yaml)
{
    TcpSession ssn;
    Flow f;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    if (yaml) {
        ConfInit();

        /* NOTE(review): the results of loading the YAML and of HTPConfigure
         * are not checked; a rejected configuration would only show up as a
         * later step failing. */
        ConfYamlLoadString(yaml, strlen(yaml));
        HTPConfigure();
    }

    StreamTcpInitConfig(true);

    /* de_ctx is set up on lines the listing does not show; DE_QUIET is
     * presumably the usual "no engine output in unit tests" flag */
    de_ctx->flags |= DE_QUIET;

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    SCLogDebug("sig %s", sig);
    /* the cast only drops const to fit the callee's parameter type */
    Signature *s = DetectEngineAppendSig(de_ctx, (char *)sig);
    FAIL_IF_NULL(s);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    FAIL_IF_NULL(det_ctx);

    struct TestSteps *b = steps;
    int i = 0; /* step counter, only used in the debug output below */
    while (b->input != NULL) {
        SCLogDebug("chunk %p %d", b, i);
        Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
        FAIL_IF_NULL(p);
        p->flow = &f;
        p->flowflags = (b->direction == STREAM_TOSERVER) ? FLOW_PKT_TOSERVER : FLOW_PKT_TOCLIENT;

        /* an input_size of 0 means the chunk is a NUL-terminated string;
         * the cast drops const to fit the parser's parameter type */
        int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, b->direction,
                (uint8_t *)b->input,
                b->input_size ? b->input_size : strlen((const char *)b->input));
        /* NOTE(review): the FAIL_IF_* exits in this loop return without
         * UTHFreePackets(&p, 1) or the teardown below */
        FAIL_IF_NOT(r == 0);

        /* do detect */
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

        /* sid 1 must have alerted exactly when this step says so */
        int match = PacketAlertCheck(p, 1);
        FAIL_IF_NOT(b->expect == match);

        UTHFreePackets(&p, 1);
        b++;
        i++;
    }

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);

    if (yaml) {
        /* configuration teardown: body not shown in the listing */
    }
    PASS;
}
159 
/**
 * \test http_server_body content match on a complete response body.
 *
 * The request is parsed and inspected on p1, which must not alert. The
 * response carrying the 7-byte body "message" is then parsed and
 * inspected on p2, where `content:"message"; http_server_body;` must
 * alert.
 *
 * \retval 1 on success, 0 on failure
 *
 * NOTE(review): the rendered listing skips line numbers inside this
 * function (packet flag set-up after p1->flow / p2->flow, the de_ctx and
 * alp_tctx initialisation, the statement opening the second
 * AppLayerParserParse call, and the bodies of the two cleanup ifs), so the
 * code shown is not the complete function.
 */
static int DetectEngineHttpServerBodyTest01(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the NUL terminator */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 7\r\n"
        "\r\n"
        "message";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* both packets share the one flow; per-packet flags are set on lines
     * the listing does not show */
    p1->flow = &f;
    p2->flow = &f;

    StreamTcpInitConfig(true);

    /* de_ctx is initialised on a line the listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "content:\"message\"; http_server_body; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;
        goto end;
    }

    /* only used to assert that an HTTP state was created for the flow */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* the body has not been seen yet, so the rule must not alert */
    if ((PacketAlertCheck(p1, 1))) {
        printf("sid 1 matched but shouldn't have\n");
        goto end;
    }

    /* the first line of this call is not shown in the listing */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE(review): message says "toserver chunk 1" for the to-client chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!(PacketAlertCheck(p2, 1))) {
        printf("sid 1 didn't match but should have");
        goto end;
    }

    result = 1;

end:
    /* bodies of the two cleanup ifs are not shown in the listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
279 
/**
 * \test http_server_body with offset on a complete response body.
 *
 * The request and the response with body "xxxxABC" are both parsed
 * first; detection then runs once, on p1, where
 * `content:"ABC"; http_server_body; offset:4;` must alert.
 *
 * \retval 1 on success, 0 on failure
 *
 * NOTE(review): the rendered listing skips line numbers inside this
 * function (packet flag set-up after p1->flow, the de_ctx and alp_tctx
 * initialisation, the statement opening the second AppLayerParserParse
 * call, and the bodies of the two cleanup ifs), so the code shown is not
 * the complete function.
 */
static int DetectEngineHttpServerBodyTest02(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the NUL terminator */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 7\r\n"
        "\r\n"
        "xxxxABC";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* per-packet flags are set on lines the listing does not show */
    p1->flow = &f;

    StreamTcpInitConfig(true);

    /* de_ctx is initialised on a line the listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "content:\"ABC\"; http_server_body; offset:4; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;
        goto end;
    }

    /* the first line of this call is not shown in the listing */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE(review): message says "toserver chunk 1" for the to-client chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;
        goto end;
    }

    /* only used to assert that an HTTP state was created for the flow */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* "ABC" starts at byte 4 of the body, so the rule must alert */
    if (!(PacketAlertCheck(p1, 1))) {
        printf("sid 1 didn't match but should have\n");
        goto end;
    }

    result = 1;

end:
    /* bodies of the two cleanup ifs are not shown in the listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    return result;
}
384 
/**
 * \test http_server_body with offset across two response chunks.
 *
 * The response declares Content-Length 17 and its body arrives as
 * "1234567" followed by "8901234ABC". The request is inspected on p1,
 * which must not alert; after both body chunks are parsed, p2 is
 * inspected and `content:"ABC"; http_server_body; offset:14;` must
 * alert, i.e. "ABC" at byte 14 of the reassembled body is found.
 *
 * \retval 1 on success, 0 on failure
 *
 * NOTE(review): the rendered listing skips line numbers inside this
 * function (packet flag set-up after p1->flow / p2->flow, the de_ctx and
 * alp_tctx initialisation, the statements opening the second and third
 * AppLayerParserParse calls, and the bodies of the two cleanup ifs), so
 * the code shown is not the complete function.
 */
static int DetectEngineHttpServerBodyTest03(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    int result = 0;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the NUL terminator */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 17\r\n"
        "\r\n"
        "1234567";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    /* remaining 10 body bytes, delivered as a second to-client chunk */
    uint8_t http_buf3[] =
        "8901234ABC";
    uint32_t http_len3 = sizeof(http_buf3) - 1;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* both packets share the one flow; per-packet flags are set on lines
     * the listing does not show */
    p1->flow = &f;
    p2->flow = &f;

    StreamTcpInitConfig(true);

    /* de_ctx is initialised on a line the listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "content:\"ABC\"; http_server_body; offset:14; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;
        goto end;
    }

    /* only used to assert that an HTTP state was created for the flow */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* no body has been seen yet, so the rule must not alert */
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have\n");
        goto end;
    }

    /* the first line of this call is not shown in the listing */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE(review): message says "toserver chunk 1" for the to-client chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* the first line of this call is not shown in the listing */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
    if (r != 0) {
        /* NOTE(review): message says "toserver chunk 1" for the second to-client chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!(PacketAlertCheck(p2, 1))) {
        printf("sid 1 didn't match but should have");
        goto end;
    }

    result = 1;

end:
    /* bodies of the two cleanup ifs are not shown in the listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
515 
/**
 * \test Negated http_server_body content with offset.
 *
 * The request is inspected on p1, which must not alert. The response with
 * body "abcdef" is then parsed and p2 inspected, where
 * `content:!"abc"; http_server_body; offset:3;` must alert: from byte 3
 * on the body is "def", which does not contain "abc".
 *
 * \retval 1 on success, 0 on failure
 *
 * NOTE(review): the rendered listing skips line numbers inside this
 * function (packet flag set-up after p1->flow / p2->flow, the de_ctx and
 * alp_tctx initialisation, the statement opening the second
 * AppLayerParserParse call, and the bodies of the two cleanup ifs), so the
 * code shown is not the complete function.
 */
static int DetectEngineHttpServerBodyTest04(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the NUL terminator */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* both packets share the one flow; per-packet flags are set on lines
     * the listing does not show */
    p1->flow = &f;
    p2->flow = &f;

    StreamTcpInitConfig(true);

    /* de_ctx is initialised on a line the listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "content:!\"abc\"; http_server_body; offset:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;
        goto end;
    }

    /* only used to assert that an HTTP state was created for the flow */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* no body has been seen yet, so the rule must not alert */
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* the first line of this call is not shown in the listing */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE(review): message says "toserver chunk 1" for the to-client chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* bodies of the two cleanup ifs are not shown in the listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
635 
/**
 * \test http_server_body content with depth.
 *
 * The request is inspected on p1, which must not alert. The response with
 * body "abcdef" is then parsed and p2 inspected, where
 * `content:"abc"; http_server_body; depth:3;` must alert: "abc" lies
 * entirely within the first 3 body bytes.
 *
 * \retval 1 on success, 0 on failure
 *
 * NOTE(review): the rendered listing skips line numbers inside this
 * function (packet flag set-up after p1->flow / p2->flow, the de_ctx and
 * alp_tctx initialisation, the statement opening the second
 * AppLayerParserParse call, and the bodies of the two cleanup ifs), so the
 * code shown is not the complete function.
 */
static int DetectEngineHttpServerBodyTest05(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the NUL terminator */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* both packets share the one flow; per-packet flags are set on lines
     * the listing does not show */
    p1->flow = &f;
    p2->flow = &f;

    StreamTcpInitConfig(true);

    /* de_ctx is initialised on a line the listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "content:\"abc\"; http_server_body; depth:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;
        goto end;
    }

    /* only used to assert that an HTTP state was created for the flow */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* no body has been seen yet, so the rule must not alert */
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* the first line of this call is not shown in the listing */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE(review): message says "toserver chunk 1" for the to-client chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* bodies of the two cleanup ifs are not shown in the listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
755 
/**
 * \test Negated http_server_body content with depth, negation holds.
 *
 * The request is inspected on p1, which must not alert. The response with
 * body "abcdef" is then parsed and p2 inspected, where
 * `content:!"def"; http_server_body; depth:3;` must alert: the first 3
 * body bytes are "abc", which do not contain "def".
 *
 * \retval 1 on success, 0 on failure
 *
 * NOTE(review): the rendered listing skips line numbers inside this
 * function (packet flag set-up after p1->flow / p2->flow, the de_ctx and
 * alp_tctx initialisation, the statement opening the second
 * AppLayerParserParse call, and the bodies of the two cleanup ifs), so the
 * code shown is not the complete function.
 */
static int DetectEngineHttpServerBodyTest06(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the NUL terminator */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* both packets share the one flow; per-packet flags are set on lines
     * the listing does not show */
    p1->flow = &f;
    p2->flow = &f;

    StreamTcpInitConfig(true);

    /* de_ctx is initialised on a line the listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "content:!\"def\"; http_server_body; depth:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;
        goto end;
    }

    /* only used to assert that an HTTP state was created for the flow */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* no body has been seen yet, so the rule must not alert */
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* the first line of this call is not shown in the listing */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE(review): message says "toserver chunk 1" for the to-client chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* bodies of the two cleanup ifs are not shown in the listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
875 
/**
 * \test Negated http_server_body content with offset, negation fails.
 *
 * The request is inspected on p1, which must not alert. The response with
 * body "abcdef" is then parsed and p2 inspected, where
 * `content:!"def"; http_server_body; offset:3;` must NOT alert: from
 * byte 3 on the body is exactly "def", so the negated content fails.
 *
 * \retval 1 on success, 0 on failure
 *
 * NOTE(review): the rendered listing skips line numbers inside this
 * function (packet flag set-up after p1->flow / p2->flow, the de_ctx and
 * alp_tctx initialisation, the statement opening the second
 * AppLayerParserParse call, and the bodies of the two cleanup ifs), so the
 * code shown is not the complete function.
 */
static int DetectEngineHttpServerBodyTest07(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the NUL terminator */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* both packets share the one flow; per-packet flags are set on lines
     * the listing does not show */
    p1->flow = &f;
    p2->flow = &f;

    StreamTcpInitConfig(true);

    /* de_ctx is initialised on a line the listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "content:!\"def\"; http_server_body; offset:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;
        goto end;
    }

    /* only used to assert that an HTTP state was created for the flow */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* no body has been seen yet, so the rule must not alert */
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* the first line of this call is not shown in the listing */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE(review): message says "toserver chunk 1" for the to-client chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    /* "def" is present at offset 3, so the negated content must not alert */
    if (PacketAlertCheck(p2, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* bodies of the two cleanup ifs are not shown in the listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
995 
/**
 * \test Negated http_server_body content with depth, negation fails.
 *
 * The request is inspected on p1, which must not alert. The response with
 * body "abcdef" is then parsed and p2 inspected, where
 * `content:!"abc"; http_server_body; depth:3;` must NOT alert: the first
 * 3 body bytes are exactly "abc", so the negated content fails.
 *
 * \retval 1 on success, 0 on failure
 *
 * NOTE(review): the rendered listing skips line numbers inside this
 * function (packet flag set-up after p1->flow / p2->flow, the de_ctx and
 * alp_tctx initialisation, and the bodies of the two cleanup ifs), so the
 * code shown is not the complete function.
 */
static int DetectEngineHttpServerBodyTest08(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the NUL terminator */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* both packets share the one flow; per-packet flags are set on lines
     * the listing does not show */
    p1->flow = &f;
    p2->flow = &f;
    /* pin the flow to HTTP/1 so no protocol detection is needed */
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* de_ctx is initialised on a line the listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "content:!\"abc\"; http_server_body; depth:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;
        goto end;
    }

    /* only used to assert that an HTTP state was created for the flow */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* no body has been seen yet, so the rule must not alert */
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE(review): message says "toserver chunk 1" for the to-client chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    /* "abc" fills the first 3 bytes, so the negated content must not alert */
    if (PacketAlertCheck(p2, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* bodies of the two cleanup ifs are not shown in the listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
1115 
/**
 * \test Two chained http_server_body contents with depth and within.
 *
 * The request is inspected on p1, which must not alert. The response with
 * body "abcdef" is then parsed and p2 inspected, where
 * `content:"abc"; http_server_body; depth:3; content:"def";
 * http_server_body; within:3;` must alert: "abc" is within the first 3
 * bytes and "def" follows it within the next 3.
 *
 * \retval 1 on success, 0 on failure
 *
 * NOTE(review): the rendered listing skips line numbers inside this
 * function (packet flag set-up after p1->flow / p2->flow, the de_ctx and
 * alp_tctx initialisation, and the bodies of the two cleanup ifs), so the
 * code shown is not the complete function.
 */
static int DetectEngineHttpServerBodyTest09(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the NUL terminator */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* both packets share the one flow; per-packet flags are set on lines
     * the listing does not show */
    p1->flow = &f;
    p2->flow = &f;
    /* pin the flow to HTTP/1 so no protocol detection is needed */
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* de_ctx is initialised on a line the listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "content:\"abc\"; http_server_body; depth:3; "
            "content:\"def\"; http_server_body; within:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;
        goto end;
    }

    /* only used to assert that an HTTP state was created for the flow */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* no body has been seen yet, so the rule must not alert */
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE(review): message says "toserver chunk 1" for the to-client chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* bodies of the two cleanup ifs are not shown in the listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
1236 
/**
 * \test http_server_body: a negated content constrained by within.
 *
 * Rule: content:"abc" depth:3, then content:!"xyz" within:3, both on
 * http_server_body. The response body is "abcdef": "abc" is found at
 * offset 0 and "xyz" does not occur in the 3 bytes after it, so the
 * negated content succeeds and sid 1 is expected to alert on the
 * response packet (p2) and never on the request packet (p1).
 *
 * \retval 1 all expectations met
 * \retval 0 setup failed or an expectation was violated
 *
 * NOTE(review): this listing omits several source lines (the gutter
 * numbers jump 1260 -> 1262, 1275 -> 1279 -> 1283, 1286 -> 1288,
 * 1300 -> 1302 and 1346 -> 1348 -> 1350). alp_tctx is used below but
 * its declaration is among the omitted lines, and the two statements
 * guarded by the ifs in the cleanup are not visible.
 */
1237 static int DetectEngineHttpServerBodyTest10(void)
1238 {
1239  TcpSession ssn;
1240  Packet *p1 = NULL;
1241  Packet *p2 = NULL;
1242  ThreadVars th_v;
1243  DetectEngineCtx *de_ctx = NULL;
1244  DetectEngineThreadCtx *det_ctx = NULL;
1245  HtpState *http_state = NULL;
1246  Flow f;
 /* Request side: a plain GET. It only brings the parser to the response
  * and is the packet on which sid 1 must NOT alert. */
1247  uint8_t http_buf1[] =
1248  "GET /index.html HTTP/1.0\r\n"
1249  "Host: www.openinfosecfoundation.org\r\n"
1250  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1251  "\r\n";
1252  uint32_t http_len1 = sizeof(http_buf1) - 1; /* -1: the string's NUL is not wire data */
 /* Response side: a 6 byte body "abcdef" (Content-Length: 6). This is the
  * buffer that http_server_body inspects. */
1253  uint8_t http_buf2[] =
1254  "HTTP/1.0 200 ok\r\n"
1255  "Content-Type: text/html\r\n"
1256  "Content-Length: 6\r\n"
1257  "\r\n"
1258  "abcdef";
1259  uint32_t http_len2 = sizeof(http_buf2) - 1; /* -1: drop the NUL terminator */
1260  int result = 0; /* pessimistic default: every early exit reports failure */
 /* NOTE(review): source line 1261 is not in this listing; alp_tctx, used
  * in the AppLayerParserParse calls below, is presumably declared there. */
1262 
1263  memset(&th_v, 0, sizeof(th_v));
1264  memset(&f, 0, sizeof(f));
1265  memset(&ssn, 0, sizeof(ssn));
1266 
1267  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1268  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1269 
 /* One flow for both packets, with ssn as its TCP protocol context, so the
  * response is inspected against the state the request created. */
1270  FLOW_INITIALIZE(&f);
1271  f.protoctx = (void *)&ssn;
1272  f.proto = IPPROTO_TCP;
1273  f.flags |= FLOW_IPV4;
1274 
1275  p1->flow = &f;
 /* NOTE(review): source lines 1276-1278 and 1280-1282 are not in this
  * listing. */
1279  p2->flow = &f;
1283  f.alproto = ALPROTO_HTTP1;
1284 
1285  StreamTcpInitConfig(true); /* undone by StreamTcpFreeConfig(true) at end: */
1286 
 /* NOTE(review): source line 1287 is not in this listing; de_ctx is
  * expected to be allocated there, since it is NULL-checked next. */
1288  if (de_ctx == NULL)
1289  goto end;
1290 
1291  de_ctx->flags |= DE_QUIET;
1292 
 /* The rule under test: "abc" must start within the first 3 body bytes,
  * and "xyz" must NOT appear within the 3 bytes that follow that match. */
1293  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1294  "(msg:\"http server body test\"; "
1295  "content:\"abc\"; http_server_body; depth:3; "
1296  "content:!\"xyz\"; http_server_body; within:3; "
1297  "sid:1;)");
1298  if (de_ctx->sig_list == NULL)
1299  goto end;
1300 
 /* NOTE(review): source line 1301 is not in this listing. */
1302  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1303 
 /* Feed the request to the HTTP/1 parser; non-zero means it was rejected. */
1304  int r = AppLayerParserParse(
1305  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1306  if (r != 0) {
1307  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1308  result = 0; /* already 0; kept for symmetry with the other exits */
1309  goto end;
1310  }
1311 
 /* The parser must have attached app-layer state to the flow. */
1312  http_state = f.alstate;
1313  if (http_state == NULL) {
1314  printf("no http state: \n");
1315  result = 0;
1316  goto end;
1317  }
1318 
1319  /* Detection on the request packet: no body has arrived yet, so sid 1 must not fire. */
1320  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1321 
1322  if (PacketAlertCheck(p1, 1)) {
1323  printf("sid 1 matched but shouldn't have: ");
1324  goto end;
1325  }
1326 
 /* Now the response carrying the body.
  * NOTE(review): the message below says "toserver" although this is the
  * toclient chunk. */
1327  r = AppLayerParserParse(
1328  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1329  if (r != 0) {
1330  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1331  result = 0;
1332  goto end;
1333  }
1334 
1335  /* Detection on the response packet: this is where sid 1 is expected to alert. */
1336  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1337 
1338  if (!PacketAlertCheck(p2, 1)) {
1339  printf("sid 1 didn't match but should have: ");
1340  goto end;
1341  }
1342 
1343  result = 1;
1344 
 /* Cleanup shared by all exits. NOTE(review): the statements guarded by
  * the next two ifs (source lines 1347 and 1349) are not in this listing. */
1345 end:
1346  if (alp_tctx != NULL)
1348  if (de_ctx != NULL)
1350 
1351  StreamTcpFreeConfig(true);
1352  FLOW_DESTROY(&f);
1353  UTHFreePackets(&p1, 1);
1354  UTHFreePackets(&p2, 1);
1355  return result;
1356 }
1357 
/**
 * \test http_server_body: a positive content constrained by within that
 *       must not match.
 *
 * Rule: content:"abc" depth:3, then content:"xyz" within:3, both on
 * http_server_body. The response body is "abcdef": "abc" matches at
 * offset 0 but "xyz" is nowhere in the body, so sid 1 must not alert on
 * either packet. This is the positive-content counterpart of Test10.
 *
 * \retval 1 all expectations met
 * \retval 0 setup failed or an expectation was violated
 *
 * NOTE(review): this listing omits several source lines (the gutter
 * numbers jump 1381 -> 1383, 1396 -> 1400 -> 1404, 1407 -> 1409,
 * 1421 -> 1423 and 1467 -> 1469 -> 1471). alp_tctx is used below but
 * its declaration is among the omitted lines, and the two statements
 * guarded by the ifs in the cleanup are not visible.
 */
1358 static int DetectEngineHttpServerBodyTest11(void)
1359 {
1360  TcpSession ssn;
1361  Packet *p1 = NULL;
1362  Packet *p2 = NULL;
1363  ThreadVars th_v;
1364  DetectEngineCtx *de_ctx = NULL;
1365  DetectEngineThreadCtx *det_ctx = NULL;
1366  HtpState *http_state = NULL;
1367  Flow f;
 /* Request side: a plain GET that brings the parser to the response. */
1368  uint8_t http_buf1[] =
1369  "GET /index.html HTTP/1.0\r\n"
1370  "Host: www.openinfosecfoundation.org\r\n"
1371  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1372  "\r\n";
1373  uint32_t http_len1 = sizeof(http_buf1) - 1; /* -1: the string's NUL is not wire data */
 /* Response side: a 6 byte body "abcdef"; this is what http_server_body inspects. */
1374  uint8_t http_buf2[] =
1375  "HTTP/1.0 200 ok\r\n"
1376  "Content-Type: text/html\r\n"
1377  "Content-Length: 6\r\n"
1378  "\r\n"
1379  "abcdef";
1380  uint32_t http_len2 = sizeof(http_buf2) - 1; /* -1: drop the NUL terminator */
1381  int result = 0; /* pessimistic default: every early exit reports failure */
 /* NOTE(review): source line 1382 is not in this listing; alp_tctx, used
  * in the AppLayerParserParse calls below, is presumably declared there. */
1383 
1384  memset(&th_v, 0, sizeof(th_v));
1385  memset(&f, 0, sizeof(f));
1386  memset(&ssn, 0, sizeof(ssn));
1387 
1388  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1389  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1390 
 /* One flow for both packets, with ssn as its TCP protocol context. */
1391  FLOW_INITIALIZE(&f);
1392  f.protoctx = (void *)&ssn;
1393  f.proto = IPPROTO_TCP;
1394  f.flags |= FLOW_IPV4;
1395 
1396  p1->flow = &f;
 /* NOTE(review): source lines 1397-1399 and 1401-1403 are not in this
  * listing. */
1400  p2->flow = &f;
1404  f.alproto = ALPROTO_HTTP1;
1405 
1406  StreamTcpInitConfig(true); /* undone by StreamTcpFreeConfig(true) at end: */
1407 
 /* NOTE(review): source line 1408 is not in this listing; de_ctx is
  * expected to be allocated there, since it is NULL-checked next. */
1409  if (de_ctx == NULL)
1410  goto end;
1411 
1412  de_ctx->flags |= DE_QUIET;
1413 
 /* The rule under test: "abc" within the first 3 body bytes, then "xyz"
  * within the next 3 bytes. The body has no "xyz", so no alert. */
1414  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1415  "(msg:\"http server body test\"; "
1416  "content:\"abc\"; http_server_body; depth:3; "
1417  "content:\"xyz\"; http_server_body; within:3; "
1418  "sid:1;)");
1419  if (de_ctx->sig_list == NULL)
1420  goto end;
1421 
 /* NOTE(review): source line 1422 is not in this listing. */
1423  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1424 
 /* Feed the request to the HTTP/1 parser; non-zero means it was rejected. */
1425  int r = AppLayerParserParse(
1426  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1427  if (r != 0) {
1428  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1429  result = 0; /* already 0; kept for symmetry with the other exits */
1430  goto end;
1431  }
1432 
 /* The parser must have attached app-layer state to the flow. */
1433  http_state = f.alstate;
1434  if (http_state == NULL) {
1435  printf("no http state: \n");
1436  result = 0;
1437  goto end;
1438  }
1439 
1440  /* Detection on the request packet: no body yet, sid 1 must not fire. */
1441  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1442 
1443  if (PacketAlertCheck(p1, 1)) {
1444  printf("sid 1 matched but shouldn't have: ");
1445  goto end;
1446  }
1447 
 /* Now the response carrying the body.
  * NOTE(review): the message below says "toserver" although this is the
  * toclient chunk. */
1448  r = AppLayerParserParse(
1449  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1450  if (r != 0) {
1451  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1452  result = 0;
1453  goto end;
1454  }
1455 
1456  /* Detection on the response packet: sid 1 must still not fire ("xyz" is absent). */
1457  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1458 
1459  if (PacketAlertCheck(p2, 1)) {
1460  printf("sid 1 did match but should not have: ");
1461  goto end;
1462  }
1463 
1464  result = 1;
1465 
 /* Cleanup shared by all exits. NOTE(review): the statements guarded by
  * the next two ifs (source lines 1468 and 1470) are not in this listing. */
1466 end:
1467  if (alp_tctx != NULL)
1469  if (de_ctx != NULL)
1471 
1472  StreamTcpFreeConfig(true);
1473  FLOW_DESTROY(&f);
1474  UTHFreePackets(&p1, 1);
1475  UTHFreePackets(&p2, 1);
1476  return result;
1477 }
1478 
/**
 * \test http_server_body: two positive contents chained with distance.
 *
 * Rule: content:"ab" depth:2, then content:"ef" distance:2, both on
 * http_server_body. The response body is "abcdef": "ab" occupies offsets
 * 0-1, distance:2 skips "cd", and "ef" is found at offset 4, so sid 1 is
 * expected to alert on the response packet (p2) and not on the request
 * packet (p1).
 *
 * \retval 1 all expectations met
 * \retval 0 setup failed or an expectation was violated
 *
 * NOTE(review): this listing omits several source lines (the gutter
 * numbers jump 1502 -> 1504, 1517 -> 1521 -> 1525, 1528 -> 1530,
 * 1542 -> 1544 and 1588 -> 1590 -> 1592). alp_tctx is used below but
 * its declaration is among the omitted lines, and the two statements
 * guarded by the ifs in the cleanup are not visible.
 */
1479 static int DetectEngineHttpServerBodyTest12(void)
1480 {
1481  TcpSession ssn;
1482  Packet *p1 = NULL;
1483  Packet *p2 = NULL;
1484  ThreadVars th_v;
1485  DetectEngineCtx *de_ctx = NULL;
1486  DetectEngineThreadCtx *det_ctx = NULL;
1487  HtpState *http_state = NULL;
1488  Flow f;
 /* Request side: a plain GET that brings the parser to the response. */
1489  uint8_t http_buf1[] =
1490  "GET /index.html HTTP/1.0\r\n"
1491  "Host: www.openinfosecfoundation.org\r\n"
1492  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1493  "\r\n";
1494  uint32_t http_len1 = sizeof(http_buf1) - 1; /* -1: the string's NUL is not wire data */
 /* Response side: a 6 byte body "abcdef"; this is what http_server_body inspects. */
1495  uint8_t http_buf2[] =
1496  "HTTP/1.0 200 ok\r\n"
1497  "Content-Type: text/html\r\n"
1498  "Content-Length: 6\r\n"
1499  "\r\n"
1500  "abcdef";
1501  uint32_t http_len2 = sizeof(http_buf2) - 1; /* -1: drop the NUL terminator */
1502  int result = 0; /* pessimistic default: every early exit reports failure */
 /* NOTE(review): source line 1503 is not in this listing; alp_tctx, used
  * in the AppLayerParserParse calls below, is presumably declared there. */
1504 
1505  memset(&th_v, 0, sizeof(th_v));
1506  memset(&f, 0, sizeof(f));
1507  memset(&ssn, 0, sizeof(ssn));
1508 
1509  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1510  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1511 
 /* One flow for both packets, with ssn as its TCP protocol context. */
1512  FLOW_INITIALIZE(&f);
1513  f.protoctx = (void *)&ssn;
1514  f.proto = IPPROTO_TCP;
1515  f.flags |= FLOW_IPV4;
1516 
1517  p1->flow = &f;
 /* NOTE(review): source lines 1518-1520 and 1522-1524 are not in this
  * listing. */
1521  p2->flow = &f;
1525  f.alproto = ALPROTO_HTTP1;
1526 
1527  StreamTcpInitConfig(true); /* undone by StreamTcpFreeConfig(true) at end: */
1528 
 /* NOTE(review): source line 1529 is not in this listing; de_ctx is
  * expected to be allocated there, since it is NULL-checked next. */
1530  if (de_ctx == NULL)
1531  goto end;
1532 
1533  de_ctx->flags |= DE_QUIET;
1534 
 /* The rule under test: "ab" within the first 2 body bytes, then "ef"
  * exactly after skipping 2 more bytes ("cd"). */
1535  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1536  "(msg:\"http server body test\"; "
1537  "content:\"ab\"; http_server_body; depth:2; "
1538  "content:\"ef\"; http_server_body; distance:2; "
1539  "sid:1;)");
1540  if (de_ctx->sig_list == NULL)
1541  goto end;
1542 
 /* NOTE(review): source line 1543 is not in this listing. */
1544  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1545 
 /* Feed the request to the HTTP/1 parser; non-zero means it was rejected. */
1546  int r = AppLayerParserParse(
1547  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1548  if (r != 0) {
1549  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1550  result = 0; /* already 0; kept for symmetry with the other exits */
1551  goto end;
1552  }
1553 
 /* The parser must have attached app-layer state to the flow. */
1554  http_state = f.alstate;
1555  if (http_state == NULL) {
1556  printf("no http state: \n");
1557  result = 0;
1558  goto end;
1559  }
1560 
1561  /* Detection on the request packet: no body yet, sid 1 must not fire. */
1562  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1563 
1564  if (PacketAlertCheck(p1, 1)) {
1565  printf("sid 1 matched but shouldn't have: ");
1566  goto end;
1567  }
1568 
 /* Now the response carrying the body.
  * NOTE(review): the message below says "toserver" although this is the
  * toclient chunk. */
1569  r = AppLayerParserParse(
1570  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1571  if (r != 0) {
1572  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1573  result = 0;
1574  goto end;
1575  }
1576 
1577  /* Detection on the response packet: this is where sid 1 is expected to alert. */
1578  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1579 
1580  if (!PacketAlertCheck(p2, 1)) {
1581  printf("sid 1 did not match but should have: ");
1582  goto end;
1583  }
1584 
1585  result = 1;
1586 
 /* Cleanup shared by all exits. NOTE(review): the statements guarded by
  * the next two ifs (source lines 1589 and 1591) are not in this listing. */
1587 end:
1588  if (alp_tctx != NULL)
1590  if (de_ctx != NULL)
1592 
1593  StreamTcpFreeConfig(true);
1594  FLOW_DESTROY(&f);
1595  UTHFreePackets(&p1, 1);
1596  UTHFreePackets(&p2, 1);
1597  return result;
1598 }
1599 
/**
 * \test http_server_body: a negated content chained with distance.
 *
 * Rule: content:"ab" depth:3, then content:!"yz" distance:2, both on
 * http_server_body. The response body is "abcdef": "ab" is found at
 * offset 0, and after skipping 2 bytes the remainder "ef" does not
 * contain "yz", so the negated content succeeds and sid 1 is expected to
 * alert on the response packet (p2) and not on the request packet (p1).
 *
 * \retval 1 all expectations met
 * \retval 0 setup failed or an expectation was violated
 *
 * NOTE(review): this listing omits several source lines (the gutter
 * numbers jump 1623 -> 1625, 1638 -> 1642 -> 1646, 1649 -> 1651,
 * 1663 -> 1665 and 1709 -> 1711 -> 1713). alp_tctx is used below but
 * its declaration is among the omitted lines, and the two statements
 * guarded by the ifs in the cleanup are not visible.
 */
1600 static int DetectEngineHttpServerBodyTest13(void)
1601 {
1602  TcpSession ssn;
1603  Packet *p1 = NULL;
1604  Packet *p2 = NULL;
1605  ThreadVars th_v;
1606  DetectEngineCtx *de_ctx = NULL;
1607  DetectEngineThreadCtx *det_ctx = NULL;
1608  HtpState *http_state = NULL;
1609  Flow f;
 /* Request side: a plain GET that brings the parser to the response. */
1610  uint8_t http_buf1[] =
1611  "GET /index.html HTTP/1.0\r\n"
1612  "Host: www.openinfosecfoundation.org\r\n"
1613  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1614  "\r\n";
1615  uint32_t http_len1 = sizeof(http_buf1) - 1; /* -1: the string's NUL is not wire data */
 /* Response side: a 6 byte body "abcdef"; this is what http_server_body inspects. */
1616  uint8_t http_buf2[] =
1617  "HTTP/1.0 200 ok\r\n"
1618  "Content-Type: text/html\r\n"
1619  "Content-Length: 6\r\n"
1620  "\r\n"
1621  "abcdef";
1622  uint32_t http_len2 = sizeof(http_buf2) - 1; /* -1: drop the NUL terminator */
1623  int result = 0; /* pessimistic default: every early exit reports failure */
 /* NOTE(review): source line 1624 is not in this listing; alp_tctx, used
  * in the AppLayerParserParse calls below, is presumably declared there. */
1625 
1626  memset(&th_v, 0, sizeof(th_v));
1627  memset(&f, 0, sizeof(f));
1628  memset(&ssn, 0, sizeof(ssn));
1629 
1630  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1631  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1632 
 /* One flow for both packets, with ssn as its TCP protocol context. */
1633  FLOW_INITIALIZE(&f);
1634  f.protoctx = (void *)&ssn;
1635  f.proto = IPPROTO_TCP;
1636  f.flags |= FLOW_IPV4;
1637 
1638  p1->flow = &f;
 /* NOTE(review): source lines 1639-1641 and 1643-1645 are not in this
  * listing. */
1642  p2->flow = &f;
1646  f.alproto = ALPROTO_HTTP1;
1647 
1648  StreamTcpInitConfig(true); /* undone by StreamTcpFreeConfig(true) at end: */
1649 
 /* NOTE(review): source line 1650 is not in this listing; de_ctx is
  * expected to be allocated there, since it is NULL-checked next. */
1651  if (de_ctx == NULL)
1652  goto end;
1653 
1654  de_ctx->flags |= DE_QUIET;
1655 
 /* The rule under test: "ab" within the first 3 body bytes, then "yz"
  * must NOT be found once 2 bytes after that match have been skipped. */
1656  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1657  "(msg:\"http server body test\"; "
1658  "content:\"ab\"; http_server_body; depth:3; "
1659  "content:!\"yz\"; http_server_body; distance:2; "
1660  "sid:1;)");
1661  if (de_ctx->sig_list == NULL)
1662  goto end;
1663 
 /* NOTE(review): source line 1664 is not in this listing. */
1665  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1666 
 /* Feed the request to the HTTP/1 parser; non-zero means it was rejected. */
1667  int r = AppLayerParserParse(
1668  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1669  if (r != 0) {
1670  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1671  result = 0; /* already 0; kept for symmetry with the other exits */
1672  goto end;
1673  }
1674 
 /* The parser must have attached app-layer state to the flow. */
1675  http_state = f.alstate;
1676  if (http_state == NULL) {
1677  printf("no http state: \n");
1678  result = 0;
1679  goto end;
1680  }
1681 
1682  /* Detection on the request packet: no body yet, sid 1 must not fire. */
1683  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1684 
1685  if (PacketAlertCheck(p1, 1)) {
1686  printf("sid 1 matched but shouldn't have: ");
1687  goto end;
1688  }
1689 
 /* Now the response carrying the body.
  * NOTE(review): the message below says "toserver" although this is the
  * toclient chunk. */
1690  r = AppLayerParserParse(
1691  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1692  if (r != 0) {
1693  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1694  result = 0;
1695  goto end;
1696  }
1697 
1698  /* Detection on the response packet: this is where sid 1 is expected to alert. */
1699  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1700 
1701  if (!PacketAlertCheck(p2, 1)) {
1702  printf("sid 1 did not match but should have: ");
1703  goto end;
1704  }
1705 
1706  result = 1;
1707 
 /* Cleanup shared by all exits. NOTE(review): the statements guarded by
  * the next two ifs (source lines 1710 and 1712) are not in this listing. */
1708 end:
1709  if (alp_tctx != NULL)
1711  if (de_ctx != NULL)
1713 
1714  StreamTcpFreeConfig(true);
1715  FLOW_DESTROY(&f);
1716  UTHFreePackets(&p1, 1);
1717  UTHFreePackets(&p2, 1);
1718  return result;
1719 }
1720 
/**
 * \test http_server_body: a content relative to a preceding pcre.
 *
 * Rule: pcre:/ab/Q followed by content:"ef" http_server_body distance:2.
 * The response body is "abcdef": the pcre matches "ab" at offset 0,
 * distance:2 skips "cd", and "ef" is found at offset 4, so sid 1 is
 * expected to alert on the response packet (p2) and not on the request
 * packet (p1). The /Q pcre modifier presumably selects the same server
 * body buffer as http_server_body, which is what makes the relative
 * content meaningful -- confirm against the pcre keyword docs.
 *
 * \retval 1 all expectations met
 * \retval 0 setup failed or an expectation was violated
 *
 * NOTE(review): this listing omits several source lines (the gutter
 * numbers jump 1744 -> 1746, 1759 -> 1763 -> 1767, 1770 -> 1772,
 * 1784 -> 1786 and 1830 -> 1832 -> 1834). alp_tctx is used below but
 * its declaration is among the omitted lines, and the two statements
 * guarded by the ifs in the cleanup are not visible.
 */
1721 static int DetectEngineHttpServerBodyTest14(void)
1722 {
1723  TcpSession ssn;
1724  Packet *p1 = NULL;
1725  Packet *p2 = NULL;
1726  ThreadVars th_v;
1727  DetectEngineCtx *de_ctx = NULL;
1728  DetectEngineThreadCtx *det_ctx = NULL;
1729  HtpState *http_state = NULL;
1730  Flow f;
 /* Request side: a plain GET that brings the parser to the response. */
1731  uint8_t http_buf1[] =
1732  "GET /index.html HTTP/1.0\r\n"
1733  "Host: www.openinfosecfoundation.org\r\n"
1734  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1735  "\r\n";
1736  uint32_t http_len1 = sizeof(http_buf1) - 1; /* -1: the string's NUL is not wire data */
 /* Response side: a 6 byte body "abcdef"; this is what http_server_body inspects. */
1737  uint8_t http_buf2[] =
1738  "HTTP/1.0 200 ok\r\n"
1739  "Content-Type: text/html\r\n"
1740  "Content-Length: 6\r\n"
1741  "\r\n"
1742  "abcdef";
1743  uint32_t http_len2 = sizeof(http_buf2) - 1; /* -1: drop the NUL terminator */
1744  int result = 0; /* pessimistic default: every early exit reports failure */
 /* NOTE(review): source line 1745 is not in this listing; alp_tctx, used
  * in the AppLayerParserParse calls below, is presumably declared there. */
1746 
1747  memset(&th_v, 0, sizeof(th_v));
1748  memset(&f, 0, sizeof(f));
1749  memset(&ssn, 0, sizeof(ssn));
1750 
1751  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1752  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1753 
 /* One flow for both packets, with ssn as its TCP protocol context. */
1754  FLOW_INITIALIZE(&f);
1755  f.protoctx = (void *)&ssn;
1756  f.proto = IPPROTO_TCP;
1757  f.flags |= FLOW_IPV4;
1758 
1759  p1->flow = &f;
 /* NOTE(review): source lines 1760-1762 and 1764-1766 are not in this
  * listing. */
1763  p2->flow = &f;
1767  f.alproto = ALPROTO_HTTP1;
1768 
1769  StreamTcpInitConfig(true); /* undone by StreamTcpFreeConfig(true) at end: */
1770 
 /* NOTE(review): source line 1771 is not in this listing; de_ctx is
  * expected to be allocated there, since it is NULL-checked next. */
1772  if (de_ctx == NULL)
1773  goto end;
1774 
1775  de_ctx->flags |= DE_QUIET;
1776 
 /* The rule under test: the pcre anchors on "ab", then "ef" must follow
  * after exactly 2 skipped bytes. */
1777  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1778  "(msg:\"http server body test\"; "
1779  "pcre:/ab/Q; "
1780  "content:\"ef\"; http_server_body; distance:2; "
1781  "sid:1;)");
1782  if (de_ctx->sig_list == NULL)
1783  goto end;
1784 
 /* NOTE(review): source line 1785 is not in this listing. */
1786  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1787 
 /* Feed the request to the HTTP/1 parser; non-zero means it was rejected. */
1788  int r = AppLayerParserParse(
1789  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1790  if (r != 0) {
1791  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1792  result = 0; /* already 0; kept for symmetry with the other exits */
1793  goto end;
1794  }
1795 
 /* The parser must have attached app-layer state to the flow. */
1796  http_state = f.alstate;
1797  if (http_state == NULL) {
1798  printf("no http state: \n");
1799  result = 0;
1800  goto end;
1801  }
1802 
1803  /* Detection on the request packet: no body yet, sid 1 must not fire. */
1804  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1805 
1806  if (PacketAlertCheck(p1, 1)) {
1807  printf("sid 1 matched but shouldn't have: ");
1808  goto end;
1809  }
1810 
 /* Now the response carrying the body.
  * NOTE(review): the message below says "toserver" although this is the
  * toclient chunk. */
1811  r = AppLayerParserParse(
1812  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1813  if (r != 0) {
1814  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1815  result = 0;
1816  goto end;
1817  }
1818 
1819  /* Detection on the response packet: this is where sid 1 is expected to alert. */
1820  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1821 
1822  if (!PacketAlertCheck(p2, 1)) {
1823  printf("sid 1 did not match but should have: ");
1824  goto end;
1825  }
1826 
1827  result = 1;
1828 
 /* Cleanup shared by all exits. NOTE(review): the statements guarded by
  * the next two ifs (source lines 1831 and 1833) are not in this listing. */
1829 end:
1830  if (alp_tctx != NULL)
1832  if (de_ctx != NULL)
1834 
1835  StreamTcpFreeConfig(true);
1836  FLOW_DESTROY(&f);
1837  UTHFreePackets(&p1, 1);
1838  UTHFreePackets(&p2, 1);
1839  return result;
1840 }
1841 
/**
 * \test http_server_body: a negated content relative to a preceding pcre.
 *
 * Rule: pcre:/abc/Q followed by content:!"xyz" http_server_body
 * distance:0 within:3. The response body is "abcdef": the pcre matches
 * "abc" at offset 0 and the next 3 bytes "def" do not contain "xyz", so
 * the negated content succeeds and sid 1 is expected to alert on the
 * response packet (p2) and not on the request packet (p1). As in
 * Test14, the /Q modifier presumably ties the pcre to the server body
 * buffer -- confirm against the pcre keyword docs.
 *
 * \retval 1 all expectations met
 * \retval 0 setup failed or an expectation was violated
 *
 * NOTE(review): this listing omits several source lines (the gutter
 * numbers jump 1865 -> 1867, 1880 -> 1884 -> 1888, 1891 -> 1893,
 * 1905 -> 1907 and 1951 -> 1953 -> 1955). alp_tctx is used below but
 * its declaration is among the omitted lines, and the two statements
 * guarded by the ifs in the cleanup are not visible.
 */
1842 static int DetectEngineHttpServerBodyTest15(void)
1843 {
1844  TcpSession ssn;
1845  Packet *p1 = NULL;
1846  Packet *p2 = NULL;
1847  ThreadVars th_v;
1848  DetectEngineCtx *de_ctx = NULL;
1849  DetectEngineThreadCtx *det_ctx = NULL;
1850  HtpState *http_state = NULL;
1851  Flow f;
 /* Request side: a plain GET that brings the parser to the response. */
1852  uint8_t http_buf1[] =
1853  "GET /index.html HTTP/1.0\r\n"
1854  "Host: www.openinfosecfoundation.org\r\n"
1855  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1856  "\r\n";
1857  uint32_t http_len1 = sizeof(http_buf1) - 1; /* -1: the string's NUL is not wire data */
 /* Response side: a 6 byte body "abcdef"; this is what http_server_body inspects. */
1858  uint8_t http_buf2[] =
1859  "HTTP/1.0 200 ok\r\n"
1860  "Content-Type: text/html\r\n"
1861  "Content-Length: 6\r\n"
1862  "\r\n"
1863  "abcdef";
1864  uint32_t http_len2 = sizeof(http_buf2) - 1; /* -1: drop the NUL terminator */
1865  int result = 0; /* pessimistic default: every early exit reports failure */
 /* NOTE(review): source line 1866 is not in this listing; alp_tctx, used
  * in the AppLayerParserParse calls below, is presumably declared there. */
1867 
1868  memset(&th_v, 0, sizeof(th_v));
1869  memset(&f, 0, sizeof(f));
1870  memset(&ssn, 0, sizeof(ssn));
1871 
1872  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1873  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1874 
 /* One flow for both packets, with ssn as its TCP protocol context. */
1875  FLOW_INITIALIZE(&f);
1876  f.protoctx = (void *)&ssn;
1877  f.proto = IPPROTO_TCP;
1878  f.flags |= FLOW_IPV4;
1879 
1880  p1->flow = &f;
 /* NOTE(review): source lines 1881-1883 and 1885-1887 are not in this
  * listing. */
1884  p2->flow = &f;
1888  f.alproto = ALPROTO_HTTP1;
1889 
1890  StreamTcpInitConfig(true); /* undone by StreamTcpFreeConfig(true) at end: */
1891 
 /* NOTE(review): source line 1892 is not in this listing; de_ctx is
  * expected to be allocated there, since it is NULL-checked next. */
1893  if (de_ctx == NULL)
1894  goto end;
1895 
1896  de_ctx->flags |= DE_QUIET;
1897 
 /* The rule under test: the pcre anchors on "abc"; "xyz" must NOT appear
  * in the 3 bytes immediately after it (distance:0 within:3). */
1898  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1899  "(msg:\"http server body test\"; "
1900  "pcre:/abc/Q; "
1901  "content:!\"xyz\"; http_server_body; distance:0; within:3; "
1902  "sid:1;)");
1903  if (de_ctx->sig_list == NULL)
1904  goto end;
1905 
 /* NOTE(review): source line 1906 is not in this listing. */
1907  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1908 
 /* Feed the request to the HTTP/1 parser; non-zero means it was rejected. */
1909  int r = AppLayerParserParse(
1910  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1911  if (r != 0) {
1912  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1913  result = 0; /* already 0; kept for symmetry with the other exits */
1914  goto end;
1915  }
1916 
 /* The parser must have attached app-layer state to the flow. */
1917  http_state = f.alstate;
1918  if (http_state == NULL) {
1919  printf("no http state: \n");
1920  result = 0;
1921  goto end;
1922  }
1923 
1924  /* Detection on the request packet: no body yet, sid 1 must not fire. */
1925  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1926 
1927  if (PacketAlertCheck(p1, 1)) {
1928  printf("sid 1 matched but shouldn't have: ");
1929  goto end;
1930  }
1931 
 /* Now the response carrying the body.
  * NOTE(review): the message below says "toserver" although this is the
  * toclient chunk. */
1932  r = AppLayerParserParse(
1933  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1934  if (r != 0) {
1935  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1936  result = 0;
1937  goto end;
1938  }
1939 
1940  /* Detection on the response packet: this is where sid 1 is expected to alert. */
1941  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1942 
1943  if (!PacketAlertCheck(p2, 1)) {
1944  printf("sid 1 did not match but should have: ");
1945  goto end;
1946  }
1947 
1948  result = 1;
1949 
 /* Cleanup shared by all exits. NOTE(review): the statements guarded by
  * the next two ifs (source lines 1952 and 1954) are not in this listing. */
1950 end:
1951  if (alp_tctx != NULL)
1953  if (de_ctx != NULL)
1955 
1956  StreamTcpFreeConfig(true);
1957  FLOW_DESTROY(&f);
1958  UTHFreePackets(&p1, 1);
1959  UTHFreePackets(&p2, 1);
1960  return result;
1961 }
1962 
/**
 * \test http_server_body on a body that arrives in two chunks, with the
 *       libhtp body limits and inspect windows all set to 0.
 *
 * A libhtp configuration is loaded from an inline YAML document before
 * the usual request/response scaffolding. The rule is content:"890"
 * within:3 on http_server_body. The 17 byte body (Content-Length: 17) is
 * delivered as "1234567" (http_buf2) followed by "8901234ABC"
 * (http_buf3); "890" sits at body offset 7, not within the first 3
 * bytes, so sid 1 must not alert after either chunk. The same response
 * packet p2 is run through detection after each chunk.
 *
 * \retval 1 all expectations met
 * \retval 0 setup failed or an expectation was violated
 *
 * NOTE(review): this listing omits several source lines (the gutter
 * numbers jump 1980 -> 1982 -> 1984, 2012 -> 2014, 2027 -> 2031 -> 2035,
 * 2038 -> 2040, 2051 -> 2053 and 2113 -> 2115 -> 2118 -> 2119 -> 2121).
 * alp_tctx is used below but its declaration is among the omitted lines.
 */
1963 static int DetectEngineHttpServerBodyTest16(void)
1964 {
 /* libhtp configuration under test. Every limit and window is 0, which
  * presumably disables the limit rather than setting it to zero bytes
  * -- confirm against the libhtp config parser. */
1965  char input[] = "\
1966 %YAML 1.1\n\
1967 ---\n\
1968 libhtp:\n\
1969 \n\
1970  default-config:\n\
1971  personality: IDS\n\
1972  request-body-limit: 0\n\
1973  response-body-limit: 0\n\
1974 \n\
1975  request-body-inspect-window: 0\n\
1976  response-body-inspect-window: 0\n\
1977  request-body-minimal-inspect-size: 0\n\
1978  response-body-minimal-inspect-size: 0\n\
1979 ";
1980 
 /* NOTE(review): source lines 1981 and 1983 are not in this listing. */
1982  ConfInit();
1984 
 /* NOTE(review): the return value of ConfYamlLoadString is not checked;
  * if the document failed to load, HTPConfigure would pick up whatever
  * configuration is already present and the test would exercise
  * something other than the zeroed limits above. */
1985  ConfYamlLoadString(input, strlen(input));
1986  HTPConfigure(); /* paired with HTPFreeConfig() in the cleanup */
1987 
1988  TcpSession ssn;
1989  Packet *p1 = NULL;
1990  Packet *p2 = NULL;
1991  ThreadVars th_v;
1992  DetectEngineCtx *de_ctx = NULL;
1993  DetectEngineThreadCtx *det_ctx = NULL;
1994  HtpState *http_state = NULL;
1995  Flow f;
1996  int result = 0; /* pessimistic default: every early exit reports failure */
 /* Request side: a plain GET that brings the parser to the response. */
1997  uint8_t http_buf1[] =
1998  "GET /index.html HTTP/1.0\r\n"
1999  "Host: www.openinfosecfoundation.org\r\n"
2000  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2001  "\r\n";
2002  uint32_t http_len1 = sizeof(http_buf1) - 1; /* -1: the string's NUL is not wire data */
 /* Response side, first chunk: headers plus the first 7 body bytes.
  * Content-Length 17 = 7 bytes here + 10 bytes in http_buf3. */
2003  uint8_t http_buf2[] =
2004  "HTTP/1.0 200 ok\r\n"
2005  "Content-Type: text/html\r\n"
2006  "Content-Length: 17\r\n"
2007  "\r\n"
2008  "1234567";
2009  uint32_t http_len2 = sizeof(http_buf2) - 1; /* -1: drop the NUL terminator */
 /* Second chunk: the remaining 10 body bytes; "890" starts at body offset 7. */
2010  uint8_t http_buf3[] =
2011  "8901234ABC";
2012  uint32_t http_len3 = sizeof(http_buf3) - 1; /* -1: drop the NUL terminator */
 /* NOTE(review): source line 2013 is not in this listing; alp_tctx, used
  * in the AppLayerParserParse calls below, is presumably declared there. */
2014 
2015  memset(&th_v, 0, sizeof(th_v));
2016  memset(&f, 0, sizeof(f));
2017  memset(&ssn, 0, sizeof(ssn));
2018 
2019  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2020  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2021 
 /* One flow for both packets, with ssn as its TCP protocol context. */
2022  FLOW_INITIALIZE(&f);
2023  f.protoctx = (void *)&ssn;
2024  f.proto = IPPROTO_TCP;
2025  f.flags |= FLOW_IPV4;
2026 
2027  p1->flow = &f;
 /* NOTE(review): source lines 2028-2030 and 2032-2034 are not in this
  * listing. */
2031  p2->flow = &f;
2035  f.alproto = ALPROTO_HTTP1;
2036 
2037  StreamTcpInitConfig(true); /* undone by StreamTcpFreeConfig(true) at end: */
2038 
 /* NOTE(review): source line 2039 is not in this listing; de_ctx is
  * expected to be allocated there, since it is NULL-checked next. */
2040  if (de_ctx == NULL)
2041  goto end;
2042 
2043  de_ctx->flags |= DE_QUIET;
2044 
 /* The rule under test: "890" must lie within the first 3 bytes of the
  * server body. It does not (it starts at offset 7), so no alert. */
2045  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2046  "(msg:\"http server body test\"; "
2047  "content:\"890\"; within:3; http_server_body; "
2048  "sid:1;)");
2049  if (de_ctx->sig_list == NULL)
2050  goto end;
2051 
 /* NOTE(review): source line 2052 is not in this listing. */
2053  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2054 
 /* Feed the request to the HTTP/1 parser; non-zero means it was rejected. */
2055  int r = AppLayerParserParse(
2056  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2057  if (r != 0) {
2058  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2059  result = 0; /* already 0; kept for symmetry with the other exits */
2060  goto end;
2061  }
2062 
 /* The parser must have attached app-layer state to the flow. */
2063  http_state = f.alstate;
2064  if (http_state == NULL) {
2065  printf("no http state: \n");
2066  result = 0;
2067  goto end;
2068  }
2069 
2070  /* Detection on the request packet: no body yet, sid 1 must not fire. */
2071  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2072 
2073  if (PacketAlertCheck(p1, 1)) {
2074  printf("sid 1 matched but shouldn't have\n");
2075  goto end;
2076  }
2077 
 /* First response chunk (headers + "1234567").
  * NOTE(review): the messages below say "toserver chunk 1" for both
  * toclient chunks. */
2078  r = AppLayerParserParse(
2079  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2080  if (r != 0) {
2081  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2082  result = 0;
2083  goto end;
2084  }
2085 
2086  /* Detection after the first body chunk: "890" is not there yet, no alert. */
2087  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2088 
2089  if (PacketAlertCheck(p2, 1)) {
2090  printf("sid 1 matched but shouldn't have\n");
2091  goto end;
2092  }
2093 
 /* Second response chunk ("8901234ABC"), completing the 17 byte body. */
2094  r = AppLayerParserParse(
2095  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
2096  if (r != 0) {
2097  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2098  result = 0;
2099  goto end;
2100  }
2101 
2102  /* Detection again on the same packet: "890" is present but beyond within:3, so still no alert. */
2103  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2104 
2105  if (PacketAlertCheck(p2, 1)) {
2106  printf("sid 1 matched but shouldn't have\n");
2107  goto end;
2108  }
2109 
2110  result = 1;
2111 
 /* Cleanup shared by all exits. NOTE(review): the statements at source
  * lines 2114, 2116-2117 and 2120 are not in this listing, so the
  * guarded statements under the two ifs are not visible. */
2112 end:
2113  if (alp_tctx != NULL)
2115  HTPFreeConfig();
2118 
2119  if (de_ctx != NULL)
2121 
2122  StreamTcpFreeConfig(true);
2123  FLOW_DESTROY(&f);
2124  UTHFreePackets(&p1, 1);
2125  UTHFreePackets(&p2, 1);
2126  return result;
2127 }
2128 
/**
 * \test http_server_body with depth on a body that arrives in two chunks,
 *       with the libhtp body limits and inspect windows all set to 0.
 *
 * Same libhtp configuration and same chunked 17 byte body as Test16, but
 * the rule is content:"890" depth:3 on http_server_body and the test is
 * written with the FAIL_IF*/PASS macros instead of result/goto. "890"
 * starts at body offset 7, outside depth:3, so sid 1 must not alert on
 * the request packet nor on the response packet after either chunk.
 *
 * \retval 1 (PASS) all expectations met
 * \retval 0 a FAIL_IF* check fired
 *
 * NOTE(review): this listing omits several source lines (the gutter
 * numbers jump 2146 -> 2148 -> 2150, 2177 -> 2179, 2192 -> 2196 -> 2200,
 * 2203 -> 2206, 2212 -> 2214, 2244 -> 2246 -> 2249 -> 2251). alp_tctx is
 * used below but its declaration is among the omitted lines, and de_ctx
 * is dereferenced right after the 2203 -> 2206 gap, so it must be
 * assigned there.
 *
 * NOTE(review): the FAIL_IF* macros appear to return on failure (they are
 * used as statements with no label to jump to), so a failing check
 * skips the cleanup at the bottom -- confirm against the macro
 * definitions.
 */
2129 static int DetectEngineHttpServerBodyTest17(void)
2130 {
 /* libhtp configuration under test; identical to the one in Test16. */
2131  char input[] = "\
2132 %YAML 1.1\n\
2133 ---\n\
2134 libhtp:\n\
2135 \n\
2136  default-config:\n\
2137  personality: IDS\n\
2138  request-body-limit: 0\n\
2139  response-body-limit: 0\n\
2140 \n\
2141  request-body-inspect-window: 0\n\
2142  response-body-inspect-window: 0\n\
2143  request-body-minimal-inspect-size: 0\n\
2144  response-body-minimal-inspect-size: 0\n\
2145 ";
2146 
 /* NOTE(review): source lines 2147 and 2149 are not in this listing. */
2148  ConfInit();
2150 
 /* NOTE(review): the return value of ConfYamlLoadString is not checked;
  * a load failure would silently leave HTPConfigure on some other
  * configuration. */
2151  ConfYamlLoadString(input, strlen(input));
2152  HTPConfigure(); /* paired with HTPFreeConfig() below */
2153 
2154  TcpSession ssn;
2155  Packet *p1 = NULL;
2156  Packet *p2 = NULL;
2157  ThreadVars th_v;
2158  DetectEngineCtx *de_ctx = NULL;
2159  DetectEngineThreadCtx *det_ctx = NULL;
2160  HtpState *http_state = NULL;
2161  Flow f;
 /* Request side: a plain GET that brings the parser to the response. */
2162  uint8_t http_buf1[] =
2163  "GET /index.html HTTP/1.0\r\n"
2164  "Host: www.openinfosecfoundation.org\r\n"
2165  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2166  "\r\n";
2167  uint32_t http_len1 = sizeof(http_buf1) - 1; /* -1: the string's NUL is not wire data */
 /* Response side, first chunk: headers plus the first 7 body bytes.
  * Content-Length 17 = 7 bytes here + 10 bytes in http_buf3. */
2168  uint8_t http_buf2[] =
2169  "HTTP/1.0 200 ok\r\n"
2170  "Content-Type: text/html\r\n"
2171  "Content-Length: 17\r\n"
2172  "\r\n"
2173  "1234567";
2174  uint32_t http_len2 = sizeof(http_buf2) - 1; /* -1: drop the NUL terminator */
 /* Second chunk: the remaining 10 body bytes; "890" starts at body offset 7. */
2175  uint8_t http_buf3[] =
2176  "8901234ABC";
2177  uint32_t http_len3 = sizeof(http_buf3) - 1; /* -1: drop the NUL terminator */
 /* NOTE(review): source line 2178 is not in this listing; alp_tctx, used
  * in the AppLayerParserParse calls below, is presumably declared there. */
2179 
2180  memset(&th_v, 0, sizeof(th_v));
2181  memset(&f, 0, sizeof(f));
2182  memset(&ssn, 0, sizeof(ssn));
2183 
2184  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2185  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2186 
 /* One flow for both packets, with ssn as its TCP protocol context. */
2187  FLOW_INITIALIZE(&f);
2188  f.protoctx = (void *)&ssn;
2189  f.proto = IPPROTO_TCP;
2190  f.flags |= FLOW_IPV4;
2191 
2192  p1->flow = &f;
 /* NOTE(review): source lines 2193-2195 and 2197-2199 are not in this
  * listing. */
2196  p2->flow = &f;
2200  f.alproto = ALPROTO_HTTP1;
2201 
2202  StreamTcpInitConfig(true); /* undone by StreamTcpFreeConfig(true) below */
2203 
 /* NOTE(review): source lines 2204-2205 are not in this listing; de_ctx
  * (NULL-initialised above) must be assigned there. */
2206  de_ctx->flags |= DE_QUIET;
2207 
 /* The rule under test: "890" must start within the first 3 bytes of the
  * server body. It does not (offset 7), so no alert is expected. */
2208  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any ("
2209  "content:\"890\"; depth:3; http_server_body; "
2210  "sid:1;)");
2211  FAIL_IF_NULL(s);
2212 
 /* NOTE(review): source line 2213 is not in this listing. */
2214  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2215 
 /* Feed the request to the HTTP/1 parser; non-zero means it was rejected. */
2216  int r = AppLayerParserParse(
2217  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2218  FAIL_IF_NOT(r == 0);
2219 
 /* The parser must have attached app-layer state to the flow. */
2220  http_state = f.alstate;
2221  FAIL_IF_NULL(http_state);
2222 
2223  /* Detection on the request packet: no body yet, sid 1 must not fire. */
2224  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2225  FAIL_IF(PacketAlertCheck(p1, 1));
2226 
 /* First response chunk (headers + "1234567"). */
2227  SCLogDebug("chunk http_buf2");
2228  r = AppLayerParserParse(
2229  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2230  FAIL_IF_NOT(r == 0);
2231 
2232  /* Detection after the first body chunk: "890" is not there yet, no alert. */
2233  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2234  FAIL_IF(PacketAlertCheck(p2, 1));
2235 
 /* Second response chunk ("8901234ABC"), completing the 17 byte body. */
2236  SCLogDebug("chunk http_buf3");
2237  r = AppLayerParserParse(
2238  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
2239  FAIL_IF_NOT(r == 0);
2240 
2241  /* Detection again on the same packet: "890" is present but beyond depth:3, so still no alert. */
2242  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2243  FAIL_IF(PacketAlertCheck(p2, 1));
2244 
 /* Cleanup, reached only when every check above passed.
  * NOTE(review): source lines 2245, 2247-2248 and 2250 are not in this
  * listing. */
2246  HTPFreeConfig();
2249 
2251 
2252  StreamTcpFreeConfig(true);
2253  FLOW_DESTROY(&f);
2254  UTHFreePackets(&p1, 1);
2255  UTHFreePackets(&p2, 1);
2256  PASS;
2257 }
2258 
2259 /**
2260  * \test http_server_body on a gzip-encoded response body.
 *
 * The response (http_buf2) carries "Content-Encoding: gzip" and a 51 byte
 * payload that starts with the gzip magic 0x1f 0x8b. The rule is
 * content:"file" on http_server_body. The literal bytes of http_buf2 do
 * not contain "file" anywhere (neither in the headers nor in the
 * compressed payload), so sid 1 can only alert if detection runs on the
 * decompressed body; it is expected to alert on the response packet (p2)
 * and not on the request packet (p1).
 *
 * \retval 1 all expectations met
 * \retval 0 setup failed or an expectation was violated
 *
 * NOTE(review): this listing omits several source lines (the gutter
 * numbers jump 2292 -> 2294, 2307 -> 2311 -> 2315, 2318 -> 2320,
 * 2331 -> 2333 and 2377 -> 2379 -> 2381). alp_tctx is used below but
 * its declaration is among the omitted lines, and the two statements
 * guarded by the ifs in the cleanup are not visible.
2261  */
2262 static int DetectEngineHttpServerBodyTest18(void)
2263 {
2264  TcpSession ssn;
2265  Packet *p1 = NULL;
2266  Packet *p2 = NULL;
2267  ThreadVars th_v;
2268  DetectEngineCtx *de_ctx = NULL;
2269  DetectEngineThreadCtx *det_ctx = NULL;
2270  HtpState *http_state = NULL;
2271  Flow f;
 /* Request side: a plain GET that brings the parser to the response. */
2272  uint8_t http_buf1[] =
2273  "GET /index.html HTTP/1.0\r\n"
2274  "Host: www.openinfosecfoundation.org\r\n"
2275  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2276  "\r\n";
2277  uint32_t http_len1 = sizeof(http_buf1) - 1; /* -1: the string's NUL is not wire data */
 /* Response side as a raw byte array (the payload is binary, so no string
  * literal): status line, Content-Length: 51, Content-Encoding: gzip, a
  * blank line, then 51 bytes of gzip data. The 8 bytes 0x1f 0x8b ... 0x51
  * are the gzip header and 't','e','s','t','.','t','x','t',0x00 is the
  * embedded file name "test.txt". */
2278  uint8_t http_buf2[] = {
2279  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2280  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
2281  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
2282  0x0d, 0x0a,
2283  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2284  0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2285  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2286  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2287  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2288  0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2289  0x00, 0x00, 0x00,
2290  };
2291  uint32_t http_len2 = sizeof(http_buf2); /* no -1: a byte array has no NUL terminator */
2292  int result = 0; /* pessimistic default: every early exit reports failure */
 /* NOTE(review): source line 2293 is not in this listing; alp_tctx, used
  * in the AppLayerParserParse calls below, is presumably declared there. */
2294 
2295  memset(&th_v, 0, sizeof(th_v));
2296  memset(&f, 0, sizeof(f));
2297  memset(&ssn, 0, sizeof(ssn));
2298 
2299  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2300  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2301 
 /* One flow for both packets, with ssn as its TCP protocol context. */
2302  FLOW_INITIALIZE(&f);
2303  f.protoctx = (void *)&ssn;
2304  f.proto = IPPROTO_TCP;
2305  f.flags |= FLOW_IPV4;
2306 
2307  p1->flow = &f;
 /* NOTE(review): source lines 2308-2310 and 2312-2314 are not in this
  * listing. */
2311  p2->flow = &f;
2315  f.alproto = ALPROTO_HTTP1;
2316 
2317  StreamTcpInitConfig(true); /* undone by StreamTcpFreeConfig(true) at end: */
2318 
 /* NOTE(review): source line 2319 is not in this listing; de_ctx is
  * expected to be allocated there, since it is NULL-checked next. */
2320  if (de_ctx == NULL)
2321  goto end;
2322 
2323  de_ctx->flags |= DE_QUIET;
2324 
 /* The rule under test: "file" anywhere in the (decoded) server body. */
2325  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2326  "(msg:\"http server body test\"; "
2327  "content:\"file\"; http_server_body; "
2328  "sid:1;)");
2329  if (de_ctx->sig_list == NULL)
2330  goto end;
2331 
 /* NOTE(review): source line 2332 is not in this listing. */
2333  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2334 
 /* Feed the request to the HTTP/1 parser; non-zero means it was rejected. */
2335  int r = AppLayerParserParse(
2336  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2337  if (r != 0) {
2338  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2339  result = 0; /* already 0; kept for symmetry with the other exits */
2340  goto end;
2341  }
2342 
 /* The parser must have attached app-layer state to the flow. */
2343  http_state = f.alstate;
2344  if (http_state == NULL) {
2345  printf("no http state: \n");
2346  result = 0;
2347  goto end;
2348  }
2349 
2350  /* Detection on the request packet: no body yet, sid 1 must not fire. */
2351  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2352 
2353  if ((PacketAlertCheck(p1, 1))) {
2354  printf("sid 1 matched but shouldn't have\n");
2355  goto end;
2356  }
2357 
 /* Now the gzip-encoded response.
  * NOTE(review): the message below says "toserver" although this is the
  * toclient chunk. */
2358  r = AppLayerParserParse(
2359  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2360  if (r != 0) {
2361  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2362  result = 0;
2363  goto end;
2364  }
2365 
2366  /* Detection on the response packet: sid 1 must alert on the decompressed body. */
2367  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2368 
2369  if (!(PacketAlertCheck(p2, 1))) {
2370  printf("sid 1 didn't match but should have");
2371  goto end;
2372  }
2373 
2374  result = 1;
2375 
 /* Cleanup shared by all exits. NOTE(review): the statements guarded by
  * the next two ifs (source lines 2378 and 2380) are not in this listing. */
2376 end:
2377  if (alp_tctx != NULL)
2379  if (de_ctx != NULL)
2381 
2382  StreamTcpFreeConfig(true);
2383  FLOW_DESTROY(&f);
2384  UTHFreePackets(&p1, 1);
2385  UTHFreePackets(&p2, 1);
2386  return result;
2387 }
2388 
2389 /**
2390  * \test http_server_body on a deflate-encoded response body.
 *
 * The response (http_buf2) carries "Content-Encoding: deflate" and a
 * 24 byte raw deflate payload: it is the same compressed data as the
 * gzip body in Test18 with the 19 byte gzip header in front and the
 * 8 trailing bytes (listed in the commented-out line below the array)
 * removed. The rule is content:"file" on http_server_body; the literal
 * bytes of http_buf2 contain no "file", so sid 1 is expected to alert
 * on the response packet (p2) only if the body is decoded first, and
 * must not alert on the request packet (p1).
 *
 * \retval 1 all expectations met
 * \retval 0 setup failed or an expectation was violated
 *
 * NOTE(review): this listing omits several source lines (the gutter
 * numbers jump 2420 -> 2422, 2435 -> 2439 -> 2443, 2446 -> 2448,
 * 2459 -> 2461 and 2505 -> 2507 -> 2509). alp_tctx is used below but
 * its declaration is among the omitted lines, and the two statements
 * guarded by the ifs in the cleanup are not visible.
2391  */
2392 static int DetectEngineHttpServerBodyTest19(void)
2393 {
2394  TcpSession ssn;
2395  Packet *p1 = NULL;
2396  Packet *p2 = NULL;
2397  ThreadVars th_v;
2398  DetectEngineCtx *de_ctx = NULL;
2399  DetectEngineThreadCtx *det_ctx = NULL;
2400  HtpState *http_state = NULL;
2401  Flow f;
 /* Request side: a plain GET that brings the parser to the response. */
2402  uint8_t http_buf1[] =
2403  "GET /index.html HTTP/1.0\r\n"
2404  "Host: www.openinfosecfoundation.org\r\n"
2405  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2406  "\r\n";
2407  uint32_t http_len1 = sizeof(http_buf1) - 1; /* -1: the string's NUL is not wire data */
 /* Response side as a raw byte array: status line, Content-Length: 24,
  * Content-Encoding: deflate, a blank line, then exactly 24 bytes of
  * deflate data (5 + 8 + 8 + 3). */
2408  uint8_t http_buf2[] = {
2409  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2410  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
2411  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
2412  0x0d, 0x0a,
2413  0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2414  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2415  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2416  0x8f, 0x0b, 0x00,
2417  };
2418  // These are the 8 bytes that follow the same payload in Test18's gzip body; deliberately left out here: 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
2419  uint32_t http_len2 = sizeof(http_buf2); /* no -1: a byte array has no NUL terminator */
2420  int result = 0; /* pessimistic default: every early exit reports failure */
 /* NOTE(review): source line 2421 is not in this listing; alp_tctx, used
  * in the AppLayerParserParse calls below, is presumably declared there. */
2422 
2423  memset(&th_v, 0, sizeof(th_v));
2424  memset(&f, 0, sizeof(f));
2425  memset(&ssn, 0, sizeof(ssn));
2426 
2427  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2428  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2429 
 /* One flow for both packets, with ssn as its TCP protocol context. */
2430  FLOW_INITIALIZE(&f);
2431  f.protoctx = (void *)&ssn;
2432  f.proto = IPPROTO_TCP;
2433  f.flags |= FLOW_IPV4;
2434 
2435  p1->flow = &f;
 /* NOTE(review): source lines 2436-2438 and 2440-2442 are not in this
  * listing. */
2439  p2->flow = &f;
2443  f.alproto = ALPROTO_HTTP1;
2444 
2445  StreamTcpInitConfig(true); /* undone by StreamTcpFreeConfig(true) at end: */
2446 
 /* NOTE(review): source line 2447 is not in this listing; de_ctx is
  * expected to be allocated there, since it is NULL-checked next. */
2448  if (de_ctx == NULL)
2449  goto end;
2450 
2451  de_ctx->flags |= DE_QUIET;
2452 
 /* The rule under test: "file" anywhere in the (decoded) server body. */
2453  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2454  "(msg:\"http server body test\"; "
2455  "content:\"file\"; http_server_body; "
2456  "sid:1;)");
2457  if (de_ctx->sig_list == NULL)
2458  goto end;
2459 
 /* NOTE(review): source line 2460 is not in this listing. */
2461  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2462 
 /* Feed the request to the HTTP/1 parser; non-zero means it was rejected. */
2463  int r = AppLayerParserParse(
2464  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2465  if (r != 0) {
2466  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2467  result = 0; /* already 0; kept for symmetry with the other exits */
2468  goto end;
2469  }
2470 
 /* The parser must have attached app-layer state to the flow. */
2471  http_state = f.alstate;
2472  if (http_state == NULL) {
2473  printf("no http state: \n");
2474  result = 0;
2475  goto end;
2476  }
2477 
2478  /* Detection on the request packet: no body yet, sid 1 must not fire. */
2479  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2480 
2481  if ((PacketAlertCheck(p1, 1))) {
2482  printf("sid 1 matched but shouldn't have\n");
2483  goto end;
2484  }
2485 
 /* Now the deflate-encoded response.
  * NOTE(review): the message below says "toserver" although this is the
  * toclient chunk. */
2486  r = AppLayerParserParse(
2487  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2488  if (r != 0) {
2489  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2490  result = 0;
2491  goto end;
2492  }
2493 
2494  /* Detection on the response packet: sid 1 must alert on the decoded body. */
2495  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2496 
2497  if (!(PacketAlertCheck(p2, 1))) {
2498  printf("sid 1 didn't match but should have");
2499  goto end;
2500  }
2501 
2502  result = 1;
2503 
 /* Cleanup shared by all exits. NOTE(review): the statements guarded by
  * the next two ifs (source lines 2506 and 2508) are not in this listing. */
2504 end:
2505  if (alp_tctx != NULL)
2507  if (de_ctx != NULL)
2509 
2510  StreamTcpFreeConfig(true);
2511  FLOW_DESTROY(&f);
2512  UTHFreePackets(&p1, 1);
2513  UTHFreePackets(&p2, 1);
2514  return result;
2515 }
2516 
2517 /*
2518  * deflate stream sent with Content-Encoding set to gzip, i.e. the encoding header does not match the payload
2519  */
2520 static int DetectEngineHttpServerBodyTest20(void)
2521 {
2522  TcpSession ssn;
2523  Packet *p1 = NULL;
2524  Packet *p2 = NULL;
2525  ThreadVars th_v;
2526  DetectEngineCtx *de_ctx = NULL;
2527  DetectEngineThreadCtx *det_ctx = NULL;
2528  HtpState *http_state = NULL;
2529  Flow f;
2530  uint8_t http_buf1[] =
2531  "GET /index.html HTTP/1.0\r\n"
2532  "Host: www.openinfosecfoundation.org\r\n"
2533  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2534  "\r\n";
2535  uint32_t http_len1 = sizeof(http_buf1) - 1;
2536  uint8_t http_buf2[] = {
2537  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2538  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
2539  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
2540  0x0d, 0x0a,
2541  0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2542  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2543  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2544  0x8f, 0x0b, 0x00,
2545  };
2546  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
2547  uint32_t http_len2 = sizeof(http_buf2);
2548  int result = 0;
2550 
2551  memset(&th_v, 0, sizeof(th_v));
2552  memset(&f, 0, sizeof(f));
2553  memset(&ssn, 0, sizeof(ssn));
2554 
2555  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2556  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2557 
2558  FLOW_INITIALIZE(&f);
2559  f.protoctx = (void *)&ssn;
2560  f.proto = IPPROTO_TCP;
2561  f.flags |= FLOW_IPV4;
2562 
2563  p1->flow = &f;
2567  p2->flow = &f;
2571  f.alproto = ALPROTO_HTTP1;
2572 
2573  StreamTcpInitConfig(true);
2574 
2576  if (de_ctx == NULL)
2577  goto end;
2578 
2579  de_ctx->flags |= DE_QUIET;
2580 
2581  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2582  "(msg:\"http server body test\"; "
2583  "content:\"file\"; http_server_body; "
2584  "sid:1;)");
2585  if (de_ctx->sig_list == NULL)
2586  goto end;
2587 
2589  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2590 
2591  int r = AppLayerParserParse(
2592  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2593  if (r != 0) {
2594  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2595  result = 0;
2596  goto end;
2597  }
2598 
2599  http_state = f.alstate;
2600  if (http_state == NULL) {
2601  printf("no http state: \n");
2602  result = 0;
2603  goto end;
2604  }
2605 
2606  /* do detect */
2607  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2608 
2609  if ((PacketAlertCheck(p1, 1))) {
2610  printf("sid 1 matched but shouldn't have\n");
2611  goto end;
2612  }
2613 
2614  r = AppLayerParserParse(
2615  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2616  if (r != 0) {
2617  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2618  result = 0;
2619  goto end;
2620  }
2621 
2622  /* do detect */
2623  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2624 
2625 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2626  FAIL_IF(!(PacketAlertCheck(p2, 1)));
2627 #endif
2628 
2629  result = 1;
2630 
2631 end:
2632  if (alp_tctx != NULL)
2634  if (de_ctx != NULL)
2636 
2637  StreamTcpFreeConfig(true);
2638  FLOW_DESTROY(&f);
2639  UTHFreePackets(&p1, 1);
2640  UTHFreePackets(&p2, 1);
2641  return result;
2642 }
2643 
/**
 * \test Response body decoding when the declared Content-Encoding does not
 *       match the stream: a complete gzip stream (header, deflate payload,
 *       trailer) sent with "Content-Encoding: deflate".
 *
 *  This is the mirror image of Test20. The rule matches "file" in the
 *  decoded body, so it only fires if the gzip stream is still inflated
 *  although the header announces deflate.
 *
 *  NOTE(review): this listing omits several source lines (the gutter
 *  numbering jumps at 2678, 2704 and 2717), so the allocation of alp_tctx
 *  and de_ctx and the per-packet flow flags are not visible here.
 *
 *  \retval 1 on success
 *  \retval 0 on failure
 */
static int DetectEngineHttpServerBodyTest21(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* drop the string's NUL terminator */
    /* Response as raw bytes. The status line reads "HTTP/1.1 200ok" (no space
     * before the reason phrase). Content-Length 51 covers exactly the 51
     * body bytes below. */
    uint8_t http_buf2[] = {
        'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
        0x0d, 0x0a,
        /* gzip header: magic 1f 8b, CM=8 (deflate), FLG=0x08 (FNAME set),
         * 4 byte MTIME, XFL, OS */
        0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
        /* FNAME "test.txt" + NUL, then the deflate payload (same bytes as Test20) */
        0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
        0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
        0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
        0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
        /* ... end of payload, then the gzip trailer: CRC32 and ISIZE (0x19 = 25 bytes) */
        0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
        0x00, 0x00, 0x00,
    };
    uint32_t http_len2 = sizeof(http_buf2); /* byte array: nothing to strip */
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* Two empty TCP packets stand in for request and response; the HTTP
     * data itself is handed to the app-layer parser directly below. */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* de_ctx is assigned on a line this listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    /* "file" has to be found in the *decoded* body */
    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "content:\"file\"; http_server_body; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* request first: no alert is expected on the to-server side */
    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0; /* redundant, result is still 0 here */
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if ((PacketAlertCheck(p1, 1))) {
        printf("sid 1 matched but shouldn't have\n");
        goto end;
    }

    /* now the response carrying the mislabelled compressed body */
    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message is misleading: this is the to-client chunk, not "toserver chunk 1" */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    /* The match is only asserted when libhtp exposes the decompression-layer
     * limit API; without it this test only checks that the response parses.
     * NOTE(review): FAIL_IF presumably returns straight out of the function,
     * so on failure the cleanup under end: is skipped. */
#ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
    FAIL_IF(!(PacketAlertCheck(p2, 1)));
#endif

    result = 1;

end:
    /* the bodies of these two guarded frees are not shown in this listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
2772 
/**
 * \test Response body decoding with two Content-Encoding headers, "gzip"
 *       first and "deflate" second, on a body that is a single gzip stream.
 *
 *  Duplicate headers are a classic source of parser ambiguity. The expected
 *  match on "file" implies the gzip stream is still inflated; which of the
 *  two headers libhtp honours is not asserted here.
 *
 *  NOTE(review): this listing omits several source lines (the gutter
 *  numbering jumps at 2809, 2835 and 2848), so the allocation of alp_tctx
 *  and de_ctx and the per-packet flow flags are not visible here.
 *
 *  \retval 1 on success
 *  \retval 0 on failure
 */
static int DetectEngineHttpServerBodyTest22(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* drop the string's NUL terminator */
    /* Response as raw bytes. The status line reads "HTTP/1.1 200ok" (no space
     * before the reason phrase). Content-Length 51 covers exactly the 51
     * body bytes below; the body is the same gzip stream as in Test21. */
    uint8_t http_buf2[] = {
        'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
        /* first encoding header: gzip */
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
        /* second, conflicting encoding header: deflate */
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
        0x0d, 0x0a,
        /* gzip header (magic 1f 8b, CM=8, FLG=0x08 FNAME, MTIME, XFL, OS),
         * FNAME "test.txt", deflate payload, CRC32 + ISIZE trailer */
        0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
        0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
        0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
        0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
        0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
        0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
        0x00, 0x00, 0x00,
    };
    uint32_t http_len2 = sizeof(http_buf2); /* byte array: nothing to strip */
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* Two empty TCP packets stand in for request and response; the HTTP
     * data itself is handed to the app-layer parser directly below. */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* de_ctx is assigned on a line this listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    /* "file" has to be found in the *decoded* body */
    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "content:\"file\"; http_server_body; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* request first: no alert is expected on the to-server side */
    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0; /* redundant, result is still 0 here */
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if ((PacketAlertCheck(p1, 1))) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* now the response with the duplicated encoding header */
    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* this is the to-client chunk; unlike Test20/21 the message numbers it "2" */
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    /* The match is only asserted when libhtp exposes the decompression-layer
     * limit API; without it this test only checks that the response parses.
     * NOTE(review): FAIL_IF presumably returns straight out of the function,
     * so on failure the cleanup under end: is skipped. */
#ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
    FAIL_IF(!(PacketAlertCheck(p2, 1)));
#endif

    result = 1;

end:
    /* the bodies of these two guarded frees are not shown in this listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
2903 
/**
 * \test file_data with a pcre followed by a relative content: "pcre:/ab/"
 *       then "content:\"ef\"; distance:2" against the body "abcdef".
 *
 *  After /ab/ matches at the start of the body, distance:2 skips "cd", so
 *  "ef" must be found immediately after — the rule is expected to alert on
 *  the response and not on the request.
 *
 *  NOTE(review): this listing omits several source lines (the gutter
 *  numbering jumps at 2928, 2954 and 2968), so the allocation of alp_tctx
 *  and de_ctx and the per-packet flow flags are not visible here.
 *
 *  \retval 1 on success
 *  \retval 0 on failure
 */
static int DetectEngineHttpServerBodyFileDataTest01(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* drop the string's NUL terminator */
    /* plain, uncompressed 6 byte body; Content-Length matches it exactly */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1; /* drop the string's NUL terminator */
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* Two empty TCP packets stand in for request and response; the HTTP
     * data itself is handed to the app-layer parser directly below. */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* de_ctx is assigned on a line this listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    /* pcre anchors the relative content: "ef" must sit 2 bytes after /ab/ */
    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "file_data; pcre:/ab/; "
            "content:\"ef\"; distance:2; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* request first: no alert is expected on the to-server side */
    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0; /* redundant, result is still 0 here */
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* now the response body the rule is written against */
    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message is misleading: this is the to-client chunk, not "toserver chunk 1" */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 did not match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the bodies of these two guarded frees are not shown in this listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
3024 
/**
 * \test file_data with a pcre followed by a negated relative content:
 *       "pcre:/abc/" then "content:!\"xyz\"; distance:0; within:3" against
 *       the body "abcdef".
 *
 *  The negated content inspects the 3 bytes right after /abc/ ("def");
 *  "xyz" is absent there, so the negation holds and the rule is expected
 *  to alert on the response and not on the request.
 *
 *  NOTE(review): this listing omits several source lines (the gutter
 *  numbering jumps at 3049, 3075 and 3089), so the allocation of alp_tctx
 *  and de_ctx and the per-packet flow flags are not visible here.
 *
 *  \retval 1 on success
 *  \retval 0 on failure
 */
static int DetectEngineHttpServerBodyFileDataTest02(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* drop the string's NUL terminator */
    /* plain, uncompressed 6 byte body; Content-Length matches it exactly */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1; /* drop the string's NUL terminator */
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* Two empty TCP packets stand in for request and response; the HTTP
     * data itself is handed to the app-layer parser directly below. */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* de_ctx is assigned on a line this listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    /* negated content bounded by within:3 relative to the pcre match */
    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http server body test\"; "
            "file_data; pcre:/abc/; "
            "content:!\"xyz\"; distance:0; within:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* request first: no alert is expected on the to-server side */
    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0; /* redundant, result is still 0 here */
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* now the response body the rule is written against */
    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message is misleading: this is the to-client chunk, not "toserver chunk 1" */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 did not match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the bodies of these two guarded frees are not shown in this listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
3145 
/**
 * \test Recursive relative byte_test on file_data.
 *
 *  The body "XYZ_klm_1234abcd_XYZ_klm_5678abcd" holds the pattern
 *  XYZ / _klm_ / 4 skipped bytes / abcd twice. Both rules end in a
 *  byte_test that reads the 4 skipped bytes by stepping back 8 from the
 *  end of the "abcd" match (-8, relative, string). sid 1 expects 1234 and
 *  is satisfied by the first occurrence; sid 2 expects 5678, so the
 *  engine has to give up on the first occurrence and continue with the
 *  second one. Both sids are expected to alert on the response.
 *
 *  NOTE(review): this listing omits several source lines (the gutter
 *  numbering jumps at 3171, 3197 and 3214), so the allocation of alp_tctx
 *  and de_ctx and the per-packet flow flags are not visible here.
 *
 *  \retval 1 on success
 *  \retval 0 on failure
 */
static int DetectEngineHttpServerBodyFileDataTest03(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* drop the string's NUL terminator */
    /* plain 33 byte body; Content-Length matches it exactly */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 33\r\n"
        "\r\n"
        "XYZ_klm_1234abcd_XYZ_klm_5678abcd";
    uint32_t http_len2 = sizeof(http_buf2) - 1; /* drop the string's NUL terminator */
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* Two empty TCP packets stand in for request and response; the HTTP
     * data itself is handed to the app-layer parser directly below. */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* de_ctx is assigned on a line this listing does not show */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    /* sid 1: satisfied by the first XYZ_klm_ occurrence (1234) */
    if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
            "(msg:\"match on 1st\"; "
            "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; distance:4; byte_test:4,=,1234,-8,relative,string;"
            "sid:1;)")))
        goto end;
    /* sid 2: only the second occurrence (5678) passes the byte_test */
    if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
            "(msg:\"match on 2nd\"; "
            "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; distance:4; byte_test:4,=,5678,-8,relative,string;"
            "sid:2;)")))
        goto end;

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* request first: no alert is expected on the to-server side */
    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0; /* redundant, result is still 0 here */
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* only sid 1 is checked on the request; sid 2 is not */
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* now the response body both rules are written against */
    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message is misleading: this is the to-client chunk, not "toserver chunk 1" */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 did not match but should have: ");
        goto end;
    }
    if (!PacketAlertCheck(p2, 2)) {
        printf("sid 2 did not match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the bodies of these two guarded frees are not shown in this listing */
    if (alp_tctx != NULL)
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
3274 
/**
 * \test Inline response body inspection (http-body-inline: yes) with a
 *       6 byte minimal inspect size and a 3 byte window; the 6 byte body
 *       arrives in three 2 byte chunks ("ab", "cd", "ef").
 *
 *  The rule looks for "abcd", which is complete once "cd" has arrived, so
 *  the alert is expected on that step and on no other.
 *
 *  Each TestSteps entry appears to be { data, length (0 presumably means
 *  "use the string length"), direction, expected alerts for sid 1 on that
 *  step }; RunTest and struct TestSteps are defined elsewhere in this
 *  file — confirm the field meaning there.
 *
 *  \retval the result of RunTest()
 */
static int DetectEngineHttpServerBodyFileDataTest04(void)
{

    /* NOTE(review): YAML nesting depends on the leading whitespace of each
     * continuation line, which this listing may not preserve. */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 6\n\
 response-body-inspect-window: 3\n\
";

    struct TestSteps steps[] = {
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* Content-Length 6 announces the full body; only "ab" is sent here */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 6\r\n"
          "\r\n"
          "ab",
          0, STREAM_TOCLIENT, 0 },
        /* "abcd" is complete after this chunk: alert expected */
        { (const uint8_t *)"cd",
          0, STREAM_TOCLIENT, 1 },
        { (const uint8_t *)"ef",
          0, STREAM_TOCLIENT, 0 },
        { NULL, 0, 0, 0 }, /* terminator */
    };

    const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3312 
/**
 * \test Inline response body inspection (http-body-inline: yes) with a
 *       6 byte minimal inspect size and a 3 byte window; the 6 byte body
 *       arrives in three 2 byte chunks ("ab", "cd", "ef").
 *
 *  The rule looks for the whole body "abcdef", which is only complete once
 *  the last chunk "ef" has arrived, so the alert is expected on that step
 *  and on no other.
 *
 *  Each TestSteps entry appears to be { data, length (0 presumably means
 *  "use the string length"), direction, expected alerts for sid 1 on that
 *  step }; RunTest and struct TestSteps are defined elsewhere in this
 *  file — confirm the field meaning there.
 *
 *  \retval the result of RunTest()
 */
static int DetectEngineHttpServerBodyFileDataTest05(void)
{

    /* NOTE(review): YAML nesting depends on the leading whitespace of each
     * continuation line, which this listing may not preserve. */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 6\n\
 response-body-inspect-window: 3\n\
";

    struct TestSteps steps[] = {
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* Content-Length 6 announces the full body; only "ab" is sent here */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 6\r\n"
          "\r\n"
          "ab",
          0, STREAM_TOCLIENT, 0 },
        { (const uint8_t *)"cd",
          0, STREAM_TOCLIENT, 0 },
        /* body complete only now: alert expected */
        { (const uint8_t *)"ef",
          0, STREAM_TOCLIENT, 1 },
        { NULL, 0, 0, 0 }, /* terminator */
    };

    const char *sig = "alert http any any -> any any (file_data; content:\"abcdef\"; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3350 
/**
 * \test Inline response body inspection (http-body-inline: yes) with a
 *       6 byte minimal inspect size and a 3 byte window; the 6 byte body
 *       arrives in three 2 byte chunks ("ab", "cd", "ef").
 *
 *  The rule looks for "bcdef" with offset:1, i.e. starting at the second
 *  body byte. That is only complete once "ef" has arrived, so the alert is
 *  expected on the last step and on no other.
 *
 *  Each TestSteps entry appears to be { data, length (0 presumably means
 *  "use the string length"), direction, expected alerts for sid 1 on that
 *  step }; RunTest and struct TestSteps are defined elsewhere in this
 *  file — confirm the field meaning there.
 *
 *  \retval the result of RunTest()
 */
static int DetectEngineHttpServerBodyFileDataTest06(void)
{

    /* NOTE(review): YAML nesting depends on the leading whitespace of each
     * continuation line, which this listing may not preserve. */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 6\n\
 response-body-inspect-window: 3\n\
";

    struct TestSteps steps[] = {
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* Content-Length 6 announces the full body; only "ab" is sent here */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 6\r\n"
          "\r\n"
          "ab",
          0, STREAM_TOCLIENT, 0 },
        { (const uint8_t *)"cd",
          0, STREAM_TOCLIENT, 0 },
        /* "bcdef" complete only now: alert expected */
        { (const uint8_t *)"ef",
          0, STREAM_TOCLIENT, 1 },
        { NULL, 0, 0, 0 }, /* terminator */
    };

    const char *sig = "alert http any any -> any any (file_data; content:\"bcdef\"; offset:1; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3388 
/**
 * \test Inline response body inspection (http-body-inline: yes) with a
 *       6 byte minimal inspect size and a 3 byte window; a 13 byte body
 *       arrives as "ab", "cd", "123456789".
 *
 *  The rule looks for "bc" with offset:1 and depth:2, i.e. exactly body
 *  bytes 1-2. That is satisfied once "cd" has arrived, so the alert is
 *  expected on that step; the trailing 9 byte chunk must not alert again.
 *
 *  Each TestSteps entry appears to be { data, length (0 presumably means
 *  "use the string length"), direction, expected alerts for sid 1 on that
 *  step }; RunTest and struct TestSteps are defined elsewhere in this
 *  file — confirm the field meaning there.
 *
 *  \retval the result of RunTest()
 */
static int DetectEngineHttpServerBodyFileDataTest07(void)
{

    /* NOTE(review): YAML nesting depends on the leading whitespace of each
     * continuation line, which this listing may not preserve. */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 6\n\
 response-body-inspect-window: 3\n\
";

    struct TestSteps steps[] = {
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* Content-Length 13 announces the full body; only "ab" is sent here */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 13\r\n"
          "\r\n"
          "ab",
          0, STREAM_TOCLIENT, 0 },
        /* bytes 1-2 ("bc") are available after this chunk: alert expected */
        { (const uint8_t *)"cd",
          0, STREAM_TOCLIENT, 1 },
        { (const uint8_t *)"123456789",
          0, STREAM_TOCLIENT, 0 },
        { NULL, 0, 0, 0 }, /* terminator */
    };

    const char *sig = "alert http any any -> any any (file_data; content:\"bc\"; offset:1; depth:2; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3426 
/**
 * \test Inline response body inspection (http-body-inline: yes) with a
 *       6 byte minimal inspect size and a 3 byte window; a 14 byte body
 *       arrives as "ab", "cd", "1234567890".
 *
 *  The rule looks for "d123456789" with offset:3, a match that starts in
 *  the second chunk and ends in the third. It is only complete once the
 *  last chunk has arrived, so the alert is expected on that step alone —
 *  the content spans a chunk boundary.
 *
 *  Each TestSteps entry appears to be { data, length (0 presumably means
 *  "use the string length"), direction, expected alerts for sid 1 on that
 *  step }; RunTest and struct TestSteps are defined elsewhere in this
 *  file — confirm the field meaning there.
 *
 *  \retval the result of RunTest()
 */
static int DetectEngineHttpServerBodyFileDataTest08(void)
{

    /* NOTE(review): YAML nesting depends on the leading whitespace of each
     * continuation line, which this listing may not preserve. */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 6\n\
 response-body-inspect-window: 3\n\
";

    struct TestSteps steps[] = {
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* Content-Length 14 announces the full body; only "ab" is sent here */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 14\r\n"
          "\r\n"
          "ab",
          0, STREAM_TOCLIENT, 0 },
        { (const uint8_t *)"cd",
          0, STREAM_TOCLIENT, 0 },
        /* "d123456789" straddles the previous and this chunk: alert expected */
        { (const uint8_t *)"1234567890",
          0, STREAM_TOCLIENT, 1 },
        { NULL, 0, 0, 0 }, /* terminator */
    };

    const char *sig = "alert http any any -> any any (file_data; content:\"d123456789\"; offset:3; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3464 
/**
 * \test Inline response body inspection (http-body-inline: yes) with a
 *       6 byte minimal inspect size and a 3 byte window; a 13 byte body
 *       arrives as "ab", "cd", "123456789".
 *
 *  The rule looks for "abcd12" with depth:6, i.e. exactly the first six
 *  body bytes. The last two of them ("12") only arrive with the third
 *  chunk, so the alert is expected on that step alone — the content
 *  spans a chunk boundary.
 *
 *  Each TestSteps entry appears to be { data, length (0 presumably means
 *  "use the string length"), direction, expected alerts for sid 1 on that
 *  step }; RunTest and struct TestSteps are defined elsewhere in this
 *  file — confirm the field meaning there.
 *
 *  \retval the result of RunTest()
 */
static int DetectEngineHttpServerBodyFileDataTest09(void)
{

    /* NOTE(review): YAML nesting depends on the leading whitespace of each
     * continuation line, which this listing may not preserve. */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 6\n\
 response-body-inspect-window: 3\n\
";

    struct TestSteps steps[] = {
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* Content-Length 13 announces the full body; only "ab" is sent here */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 13\r\n"
          "\r\n"
          "ab",
          0, STREAM_TOCLIENT, 0 },
        { (const uint8_t *)"cd",
          0, STREAM_TOCLIENT, 0 },
        /* "abcd12" complete only now: alert expected */
        { (const uint8_t *)"123456789",
          0, STREAM_TOCLIENT, 1 },
        { NULL, 0, 0, 0 }, /* terminator */
    };

    const char *sig = "alert http any any -> any any (file_data; content:\"abcd12\"; depth:6; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3502 
/**
 * \test Inline response body inspection (http-body-inline: yes) with a
 *       6 byte minimal inspect size and a 3 byte window; a 5 byte body
 *       arrives as "ab", "c", "de".
 *
 *  The rule looks for "abc" with depth:3, i.e. exactly the first three
 *  body bytes. They are complete once "c" has arrived, so the alert is
 *  expected on that step and not on the final "de" chunk.
 *
 *  Each TestSteps entry appears to be { data, length (0 presumably means
 *  "use the string length"), direction, expected alerts for sid 1 on that
 *  step }; RunTest and struct TestSteps are defined elsewhere in this
 *  file — confirm the field meaning there.
 *
 *  \retval the result of RunTest()
 */
static int DetectEngineHttpServerBodyFileDataTest10(void)
{

    /* NOTE(review): YAML nesting depends on the leading whitespace of each
     * continuation line, which this listing may not preserve. */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 6\n\
 response-body-inspect-window: 3\n\
";

    struct TestSteps steps[] = {
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* Content-Length 5 announces the full body; only "ab" is sent here */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 5\r\n"
          "\r\n"
          "ab",
          0, STREAM_TOCLIENT, 0 },
        /* "abc" complete after this single byte: alert expected */
        { (const uint8_t *)"c",
          0, STREAM_TOCLIENT, 1 },
        { (const uint8_t *)"de",
          0, STREAM_TOCLIENT, 0 },
        { NULL, 0, 0, 0 }, /* terminator */
    };

    const char *sig = "alert http any any -> any any (file_data; content:\"abc\"; depth:3; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3540 
/**
 * \test Inline response body inspection (http-body-inline: yes) with a
 *       6 byte minimal inspect size and a 3 byte window; a 5 byte body
 *       arrives as "ab", "c", "de".
 *
 *  The rule looks for "bcde" with offset:1 and depth:4, i.e. exactly body
 *  bytes 1-4. They are only complete once "de" has arrived, so the alert
 *  is expected on the last step and on no other.
 *
 *  Each TestSteps entry appears to be { data, length (0 presumably means
 *  "use the string length"), direction, expected alerts for sid 1 on that
 *  step }; RunTest and struct TestSteps are defined elsewhere in this
 *  file — confirm the field meaning there.
 *
 *  \retval the result of RunTest()
 */
static int DetectEngineHttpServerBodyFileDataTest11(void)
{

    /* NOTE(review): YAML nesting depends on the leading whitespace of each
     * continuation line, which this listing may not preserve. */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 6\n\
 response-body-inspect-window: 3\n\
";

    struct TestSteps steps[] = {
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* Content-Length 5 announces the full body; only "ab" is sent here */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 5\r\n"
          "\r\n"
          "ab",
          0, STREAM_TOCLIENT, 0 },
        { (const uint8_t *)"c",
          0, STREAM_TOCLIENT, 0 },
        /* "bcde" complete only now: alert expected */
        { (const uint8_t *)"de",
          0, STREAM_TOCLIENT, 1 },
        { NULL, 0, 0, 0 }, /* terminator */
    };

    const char *sig = "alert http any any -> any any (file_data; content:\"bcde\"; offset:1; depth:4; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3578 
/**
 * \test Inline response body inspection (http-body-inline: yes) with a
 *       6 byte minimal inspect size and a 3 byte window; a 13 byte body
 *       arrives one byte at a time ("a", "b", "c", "d") and then as
 *       "efghijklm".
 *
 *  The rule looks for "abcd", which is complete once the fourth single
 *  byte has arrived, so the alert is expected on that step and not on the
 *  large final chunk. Compare Test13, which runs the same chunking with a
 *  larger inspect size/window and a longer pattern.
 *
 *  Each TestSteps entry appears to be { data, length (0 presumably means
 *  "use the string length"), direction, expected alerts for sid 1 on that
 *  step }; RunTest and struct TestSteps are defined elsewhere in this
 *  file — confirm the field meaning there.
 *
 *  \retval the result of RunTest()
 */
static int DetectEngineHttpServerBodyFileDataTest12(void)
{

    /* NOTE(review): YAML nesting depends on the leading whitespace of each
     * continuation line, which this listing may not preserve. */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 6\n\
 response-body-inspect-window: 3\n\
";

    struct TestSteps steps[] = {
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* Content-Length 13 announces the full body; only "a" is sent here */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 13\r\n"
          "\r\n"
          "a",
          0, STREAM_TOCLIENT, 0 },
        { (const uint8_t *)"b",
          0, STREAM_TOCLIENT, 0 },
        { (const uint8_t *)"c",
          0, STREAM_TOCLIENT, 0 },
        /* "abcd" complete after this byte: alert expected */
        { (const uint8_t *)"d",
          0, STREAM_TOCLIENT, 1 },
        { (const uint8_t *)"efghijklm",
          0, STREAM_TOCLIENT, 0 },
        { NULL, 0, 0, 0 }, /* terminator */
    };

    const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3620 
/**
 * \test Inline response body inspection (http-body-inline: yes) with a
 *       9 byte minimal inspect size and a 12 byte window; a 13 byte body
 *       arrives one byte at a time ("a", "b", "c", "d") and then as
 *       "efghijklm".
 *
 *  The rule looks for the whole 13 byte body "abcdefghijklm", so the
 *  alert is expected on the final chunk only. Same chunking as Test12,
 *  but with the larger inspect size/window and a pattern that is only
 *  complete at the very end.
 *
 *  Each TestSteps entry appears to be { data, length (0 presumably means
 *  "use the string length"), direction, expected alerts for sid 1 on that
 *  step }; RunTest and struct TestSteps are defined elsewhere in this
 *  file — confirm the field meaning there.
 *
 *  \retval the result of RunTest()
 */
static int DetectEngineHttpServerBodyFileDataTest13(void)
{

    /* NOTE(review): YAML nesting depends on the leading whitespace of each
     * continuation line, which this listing may not preserve. */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 9\n\
 response-body-inspect-window: 12\n\
";

    struct TestSteps steps[] = {
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* Content-Length 13 announces the full body; only "a" is sent here */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 13\r\n"
          "\r\n"
          "a",
          0, STREAM_TOCLIENT, 0 },
        { (const uint8_t *)"b",
          0, STREAM_TOCLIENT, 0 },
        { (const uint8_t *)"c",
          0, STREAM_TOCLIENT, 0 },
        { (const uint8_t *)"d",
          0, STREAM_TOCLIENT, 0 },
        /* full body complete only now: alert expected */
        { (const uint8_t *)"efghijklm",
          0, STREAM_TOCLIENT, 1 },
        { NULL, 0, 0, 0 }, /* terminator */
    };

    const char *sig = "alert http any any -> any any (file_data; content:\"abcdefghijklm\"; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3662 
/**
 * \test Inline response body inspection (http-body-inline: yes) with a
 *       9 byte minimal inspect size and a 12 byte window; a body of 19
 *       bytes arrives as "1234567890" and "abcdefghi" while Content-Length
 *       announces 20.
 *
 *  The rule looks for "890abcdefghi", which starts in the first chunk and
 *  ends in the second, so the alert is expected on the second chunk — the
 *  match spans the chunk boundary. No alert is expected on the first chunk.
 *
 *  Each TestSteps entry appears to be { data, length (0 presumably means
 *  "use the string length"), direction, expected alerts for sid 1 on that
 *  step }; RunTest and struct TestSteps are defined elsewhere in this
 *  file — confirm the field meaning there.
 *
 *  \retval the result of RunTest()
 */
static int DetectEngineHttpServerBodyFileDataTest14(void)
{

    /* NOTE(review): YAML nesting depends on the leading whitespace of each
     * continuation line, which this listing may not preserve. */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 9\n\
 response-body-inspect-window: 12\n\
";

    struct TestSteps steps[] = {
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* Content-Length 20 announces the body; the steps below send 19 bytes */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 20\r\n"
          "\r\n"
          "1234567890",
          0, STREAM_TOCLIENT, 0 },
        /* "890abcdefghi" straddles the previous and this chunk: alert expected */
        { (const uint8_t *)"abcdefghi",
          0, STREAM_TOCLIENT, 1 },
        { NULL, 0, 0, 0 }, /* terminator */
    };

    const char *sig = "alert http any any -> any any (file_data; content:\"890abcdefghi\"; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3698 
<![CDATA[]]>/**
 * \test depth on file_data with a chunked body: same payload as Test14
 *       ("1234567890" then "abcdefghi"), rule content "7890ab" with depth:6.
 *       "7890ab" begins at body offset 6, so a match would only be possible if
 *       the buffer handed to the content check did not start at the beginning
 *       of the body; no alert is expected on either response step.
 *
 * Each TestSteps row is { payload, length, direction, expected alert for sid 1 };
 * the length column is 0 in every row (presumably derived by RunTest()).
 *
 * NOTE(review): the YAML nesting below depends on the leading spaces inside the
 * string literal; the rendering this was taken from may have collapsed that
 * whitespace, so verify the literal against the repository source.
 */
static int DetectEngineHttpServerBodyFileDataTest15(void)
{

    /* per-test libhtp settings: inline inspection, 9-byte minimal inspect
     * size, 12-byte window */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 9\n\
 response-body-inspect-window: 12\n\
";

    struct TestSteps steps[] = {
        /* request: never expected to alert */
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* response headers plus the first 10 body bytes; "7890ab" is not yet complete */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 20\r\n"
          "\r\n"
          "1234567890",
          0, STREAM_TOCLIENT, 0 },
        /* the pattern is now present at body offset 6, but depth:6 must keep it from matching */
        { (const uint8_t *)"abcdefghi",
          0, STREAM_TOCLIENT, 0 },
        /* terminator */
        { NULL, 0, 0, 0 },
    };

    /* depth:6 restricts the match to the first 6 bytes of the inspected buffer */
    const char *sig = "alert http any any -> any any (file_data; content:\"7890ab\"; depth:6; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3734 
/**
 * \test depth on file_data with a 20-byte body delivered in four 5-byte chunks
 *       ("aaaab", "bbbbc", "ccccd", "dddde"; the total equals Content-Length: 20).
 *       The rule content "aabb" with depth:4 first occurs at body offset 2 and
 *       would end at offset 6, beyond the 4-byte depth, so no step is expected
 *       to alert.
 *
 * Each TestSteps row is { payload, length, direction, expected alert for sid 1 };
 * the length column is 0 in every row (presumably derived by RunTest()).
 *
 * NOTE(review): the YAML nesting below depends on the leading spaces inside the
 * string literal; the rendering this was taken from may have collapsed that
 * whitespace, so verify the literal against the repository source.
 */
static int DetectEngineHttpServerBodyFileDataTest16(void)
{

    /* per-test libhtp settings: inline inspection, 9-byte minimal inspect
     * size, 12-byte window */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 9\n\
 response-body-inspect-window: 12\n\
";

    struct TestSteps steps[] = {
        /* request: never expected to alert */
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* response headers plus body bytes 0-4 */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 20\r\n"
          "\r\n"
          "aaaab",
          0, STREAM_TOCLIENT, 0 },
        /* body bytes 5-9: "aabb" is now present at offset 2, outside depth:4 */
        { (const uint8_t *)"bbbbc",
          0, STREAM_TOCLIENT, 0 },
        /* body bytes 10-14 */
        { (const uint8_t *)"ccccd",
          0, STREAM_TOCLIENT, 0 },
        /* body bytes 15-19: body complete, still no alert expected */
        { (const uint8_t *)"dddde",
          0, STREAM_TOCLIENT, 0 },
        /* terminator */
        { NULL, 0, 0, 0 },
    };

    /* depth:4 means the 4-byte content may only match at offset 0 */
    const char *sig = "alert http any any -> any any (file_data; content:\"aabb\"; depth:4; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3774 
/**
 * \test depth on file_data with a small inspect window: same 20-byte body as
 *       Test16 ("aaaab", "bbbbc", "ccccd", "dddde") but with an 8-byte minimal
 *       inspect size and a 4-byte window. The rule content "bbbc" with depth:4
 *       first occurs at body offset 6, so no step is expected to alert even
 *       though the window is only as wide as the content.
 *
 * Each TestSteps row is { payload, length, direction, expected alert for sid 1 };
 * the length column is 0 in every row (presumably derived by RunTest()).
 *
 * NOTE(review): the YAML nesting below depends on the leading spaces inside the
 * string literal; the rendering this was taken from may have collapsed that
 * whitespace, so verify the literal against the repository source.
 */
static int DetectEngineHttpServerBodyFileDataTest17(void)
{

    /* per-test libhtp settings: inline inspection, 8-byte minimal inspect
     * size, 4-byte window (smaller than in Test13-Test16) */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 8\n\
 response-body-inspect-window: 4\n\
";

    struct TestSteps steps[] = {
        /* request: never expected to alert */
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* response headers plus body bytes 0-4 */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 20\r\n"
          "\r\n"
          "aaaab",
          0, STREAM_TOCLIENT, 0 },
        /* body bytes 5-9: "bbbc" is now present at offset 6, outside depth:4 */
        { (const uint8_t *)"bbbbc",
          0, STREAM_TOCLIENT, 0 },
        /* body bytes 10-14 */
        { (const uint8_t *)"ccccd",
          0, STREAM_TOCLIENT, 0 },
        /* body bytes 15-19: body complete, still no alert expected */
        { (const uint8_t *)"dddde",
          0, STREAM_TOCLIENT, 0 },
        /* terminator */
        { NULL, 0, 0, 0 },
    };

    /* depth:4 means the 4-byte content may only match at offset 0 */
    const char *sig = "alert http any any -> any any (file_data; content:\"bbbc\"; depth:4; sid:1;)";
    return RunTest(steps, sig, yaml);
}
3814 
/**
 * \test depth on file_data with a small inspect window: same 20-byte body and
 *       same libhtp settings as Test17 (8-byte minimal inspect size, 4-byte
 *       window). The rule content "bccd" with depth:4 first occurs at body
 *       offset 8, i.e. at the boundary of the third chunk, so no step is
 *       expected to alert.
 *
 * Each TestSteps row is { payload, length, direction, expected alert for sid 1 };
 * the length column is 0 in every row (presumably derived by RunTest()).
 *
 * NOTE(review): the YAML nesting below depends on the leading spaces inside the
 * string literal; the rendering this was taken from may have collapsed that
 * whitespace, so verify the literal against the repository source.
 */
static int DetectEngineHttpServerBodyFileDataTest18(void)
{

    /* per-test libhtp settings: inline inspection, 8-byte minimal inspect
     * size, 4-byte window */
    const char yaml[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 http-body-inline: yes\n\
 response-body-minimal-inspect-size: 8\n\
 response-body-inspect-window: 4\n\
";

    struct TestSteps steps[] = {
        /* request: never expected to alert */
        { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
          "Host: www.openinfosecfoundation.org\r\n"
          "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
          "\r\n",
          0, STREAM_TOSERVER, 0 },
        /* response headers plus body bytes 0-4 */
        { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
          "Content-Type: text/html\r\n"
          "Content-Length: 20\r\n"
          "\r\n"
          "aaaab",
          0, STREAM_TOCLIENT, 0 },
        /* body bytes 5-9 */
        { (const uint8_t *)"bbbbc",
          0, STREAM_TOCLIENT, 0 },
        /* body bytes 10-14: "bccd" is now present at offset 8, outside depth:4 */
        { (const uint8_t *)"ccccd",
          0, STREAM_TOCLIENT, 0 },
        /* body bytes 15-19: body complete, still no alert expected */
        { (const uint8_t *)"dddde",
          0, STREAM_TOCLIENT, 0 },
        /* terminator */
        { NULL, 0, 0, 0 },
    };

    /* depth:4 means the 4-byte content may only match at offset 0 */
    const char *sig = "alert http any any -> any any (file_data; content:\"bccd\"; depth:4; sid:1;)";
    return RunTest(steps, sig, yaml);
}
/**
 * \test SWF decompression enabled for both zlib and LZMA (type: both). The
 *       server sends a zlib-compressed Flash file (body starts with the "CWS"
 *       signature) and the rule looks for "FWS", the signature of an
 *       uncompressed SWF. The alert on the response packet (p2) therefore
 *       shows that file_data exposes the decompressed body rather than the
 *       bytes on the wire; the request packet (p1) must not alert. Test20 is
 *       the converse with decompression disabled.
 *
 * NOTE(review): the listing this was taken from has gaps in its line numbering
 * around the declarations, the signature setup and the teardown, and the
 * visible text shows the effect: alp_tctx is used without a declaration and
 * de_ctx is dereferenced without ever being assigned. The dropped lines
 * presumably allocate (and later free) both; restore them from the repository
 * source before building.
 */
static int DetectEngineHttpServerBodyFileDataTest19(void)
{
    /* per-test libhtp configuration. NOTE(review): the YAML nesting depends on
     * the leading spaces inside this literal and the rendering may have
     * collapsed them -- verify against the repository source. A depth of 0
     * presumably means "no limit"; confirm in HTPConfigure(). */
    char input[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 swf-decompression:\n\
 enabled: yes\n\
 type: both\n\
 compress-depth: 0\n\
 decompress-depth: 0\n\
";
    ConfInit();
    /* load the YAML above so that HTPConfigure() sees the swf-decompression settings */
    ConfYamlLoadString(input, strlen(input));
    HTPConfigure();
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    /* client request; the string's NUL terminator is excluded from http_len1 */
    uint8_t http_buf1[] =
        "GET /file.swf HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* server response as raw bytes (no NUL terminator, so http_len2 is the full
     * sizeof). The status line reads "HTTP/1.1 200ok" -- no space between code
     * and reason phrase -- and the parse below is still required to return 0.
     * Content-Length is 80, matching the 5 x 16 body bytes that follow. */
    uint8_t http_buf2[] = {
        'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
        'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
        0x0d, 0x0a,
        /* body: 0x43 0x57 0x53 = "CWS", the zlib-compressed SWF signature;
         * 0x78 0xda at body offset 8 looks like a zlib stream header (assumed) */
        0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
        0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
        0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
        0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
        0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
    };
    uint32_t http_len2 = sizeof(http_buf2);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* two empty TCP packets; both are attached to the same flow below */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* NOTE(review): de_ctx is still NULL in the visible text; the line that
     * allocates it was dropped by the rendering (see the header comment). */
    de_ctx->flags |= DE_QUIET;

    /* rule: server-to-client only, content applied to the file_data buffer;
     * "FWS" can only be seen if the body has been decompressed */
    de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
                                      "(flow:established,from_server; "
                                      "file_data; content:\"FWS\"; "
                                      "sid:1;)");

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* feed the request; alp_tctx has no visible declaration (see the header comment) */
    int r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    FAIL_IF(r != 0);

    http_state = f.alstate;
    FAIL_IF_NULL(http_state);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* the request packet must not trigger sid 1 */
    FAIL_IF((PacketAlertCheck(p1, 1)));

    /* feed the compressed response */
    r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    FAIL_IF(r != 0);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    /* the response packet must trigger sid 1: "FWS" was found in file_data */
    FAIL_IF(!(PacketAlertCheck(p2, 1)));

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    HTPFreeConfig();

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    PASS;
}
3977 
/**
 * \test SWF decompression disabled (enabled: no). The server sends the same
 *       zlib-compressed Flash file as Test19 (body starts with "CWS") and the
 *       rule now looks for "CWS" itself: with decompression off, file_data must
 *       carry the bytes as sent on the wire, so the response packet (p2) is
 *       expected to alert and the request packet (p1) is not.
 *
 * NOTE(review): the listing this was taken from has gaps in its line numbering
 * around the config backup calls, the declarations, the signature setup and the
 * teardown; in the visible text alp_tctx is used without a declaration and
 * de_ctx is dereferenced without ever being assigned. The dropped lines
 * presumably allocate (and later free) both; restore them from the repository
 * source before building.
 */
static int DetectEngineHttpServerBodyFileDataTest20(void)
{
    /* per-test libhtp configuration with swf-decompression switched off.
     * NOTE(review): the YAML nesting depends on the leading spaces inside this
     * literal and the rendering may have collapsed them -- verify against the
     * repository source. */
    char input[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 swf-decompression:\n\
 enabled: no\n\
 type: both\n\
 compress-depth: 0\n\
 decompress-depth: 0\n\
";

    ConfInit();

    /* load the YAML above so that HTPConfigure() sees the swf-decompression settings */
    ConfYamlLoadString(input, strlen(input));
    HTPConfigure();

    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    /* client request; the string's NUL terminator is excluded from http_len1 */
    uint8_t http_buf1[] =
        "GET /file.swf HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* server response as raw bytes (no NUL terminator, so http_len2 is the full
     * sizeof). The status line reads "HTTP/1.1 200ok" -- no space between code
     * and reason phrase -- and the parse below is still required to return 0.
     * Content-Length is 80, matching the 5 x 16 body bytes that follow. */
    uint8_t http_buf2[] = {
        'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
        'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
        0x0d, 0x0a,
        /* body: 0x43 0x57 0x53 = "CWS", the zlib-compressed SWF signature */
        0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
        0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
        0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
        0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
        0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
    };
    uint32_t http_len2 = sizeof(http_buf2);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* two empty TCP packets; both are attached to the same flow below */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* NOTE(review): de_ctx is still NULL in the visible text; the line that
     * allocates it was dropped by the rendering (see the header comment). */
    de_ctx->flags |= DE_QUIET;

    /* rule: server-to-client only, content applied to the file_data buffer;
     * "CWS" is the raw (compressed) signature as sent by the server */
    de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
                                      "(flow:established,from_server; "
                                      "file_data; content:\"CWS\"; "
                                      "sid:1;)");

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* feed the request; alp_tctx has no visible declaration (see the header comment) */
    int r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    FAIL_IF(r != 0);

    http_state = f.alstate;
    FAIL_IF_NULL(http_state);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* the request packet must not trigger sid 1 */
    FAIL_IF((PacketAlertCheck(p1, 1)));

    /* feed the compressed response */
    r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    FAIL_IF(r != 0);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    /* the response packet must trigger sid 1: the raw "CWS" bytes are visible */
    FAIL_IF(!(PacketAlertCheck(p2, 1)));

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    HTPFreeConfig();

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    PASS;
}
4104 
/**
 * \test SWF decompression restricted to zlib (type: deflate). The server sends
 *       the same zlib-compressed Flash file as Test19 (body starts with "CWS")
 *       and the rule looks for "FWS", the uncompressed SWF signature, so the
 *       response packet (p2) is expected to alert: a deflate-only setting still
 *       decompresses a "CWS" body. The request packet (p1) must not alert.
 *
 * NOTE(review): the listing this was taken from has gaps in its line numbering
 * around the config backup calls, the declarations, the signature setup and the
 * teardown; in the visible text alp_tctx is used without a declaration and
 * de_ctx is dereferenced without ever being assigned. The dropped lines
 * presumably allocate (and later free) both; restore them from the repository
 * source before building.
 */
static int DetectEngineHttpServerBodyFileDataTest21(void)
{
    /* per-test libhtp configuration, zlib decompression only.
     * NOTE(review): the YAML nesting depends on the leading spaces inside this
     * literal and the rendering may have collapsed them -- verify against the
     * repository source. A depth of 0 presumably means "no limit"; confirm in
     * HTPConfigure(). */
    char input[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 swf-decompression:\n\
 enabled: yes\n\
 type: deflate\n\
 compress-depth: 0\n\
 decompress-depth: 0\n\
";

    ConfInit();

    /* load the YAML above so that HTPConfigure() sees the swf-decompression settings */
    ConfYamlLoadString(input, strlen(input));
    HTPConfigure();

    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    /* client request; the string's NUL terminator is excluded from http_len1 */
    uint8_t http_buf1[] =
        "GET /file.swf HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* server response as raw bytes (no NUL terminator, so http_len2 is the full
     * sizeof). The status line reads "HTTP/1.1 200ok" -- no space between code
     * and reason phrase -- and the parse below is still required to return 0.
     * Content-Length is 80, matching the 5 x 16 body bytes that follow. */
    uint8_t http_buf2[] = {
        'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
        'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
        0x0d, 0x0a,
        /* body: 0x43 0x57 0x53 = "CWS", the zlib-compressed SWF signature;
         * 0x78 0xda at body offset 8 looks like a zlib stream header (assumed) */
        0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
        0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
        0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
        0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
        0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
    };
    uint32_t http_len2 = sizeof(http_buf2);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* two empty TCP packets; both are attached to the same flow below */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* NOTE(review): de_ctx is still NULL in the visible text; the line that
     * allocates it was dropped by the rendering (see the header comment). */
    de_ctx->flags |= DE_QUIET;

    /* rule: server-to-client only, content applied to the file_data buffer;
     * "FWS" can only be seen if the body has been decompressed */
    de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
                                      "(flow:established,from_server; "
                                      "file_data; content:\"FWS\"; "
                                      "sid:1;)");

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* feed the request; alp_tctx has no visible declaration (see the header comment) */
    int r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    FAIL_IF(r != 0);

    http_state = f.alstate;
    FAIL_IF_NULL(http_state);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* the request packet must not trigger sid 1 */
    FAIL_IF((PacketAlertCheck(p1, 1)));

    /* feed the compressed response */
    r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    FAIL_IF(r != 0);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    /* the response packet must trigger sid 1: "FWS" was found in file_data */
    FAIL_IF(!(PacketAlertCheck(p2, 1)));

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    HTPFreeConfig();

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    PASS;
}
4231 
/**
 * \test SWF decompression restricted to LZMA (type: lzma) while the server
 *       sends a zlib-compressed Flash file (body starts with "CWS"). The rule
 *       looks for "CWS" and the response packet (p2) is expected to alert, i.e.
 *       with only LZMA selected the zlib body is evidently left as sent and the
 *       raw signature stays visible in file_data. The request packet (p1) must
 *       not alert. Compare Test21, where type: deflate does decompress the same body.
 *
 * NOTE(review): the listing this was taken from has gaps in its line numbering
 * around the config backup calls, the declarations, the signature setup and the
 * teardown; in the visible text alp_tctx is used without a declaration and
 * de_ctx is dereferenced without ever being assigned. The dropped lines
 * presumably allocate (and later free) both; restore them from the repository
 * source before building.
 */
static int DetectEngineHttpServerBodyFileDataTest22(void)
{
    /* per-test libhtp configuration, LZMA decompression only.
     * NOTE(review): the YAML nesting depends on the leading spaces inside this
     * literal and the rendering may have collapsed them -- verify against the
     * repository source. A depth of 0 presumably means "no limit"; confirm in
     * HTPConfigure(). */
    char input[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 swf-decompression:\n\
 enabled: yes\n\
 type: lzma\n\
 compress-depth: 0\n\
 decompress-depth: 0\n\
";

    ConfInit();

    /* load the YAML above so that HTPConfigure() sees the swf-decompression settings */
    ConfYamlLoadString(input, strlen(input));
    HTPConfigure();

    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    /* client request; the string's NUL terminator is excluded from http_len1 */
    uint8_t http_buf1[] =
        "GET /file.swf HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* server response as raw bytes (no NUL terminator, so http_len2 is the full
     * sizeof). The status line reads "HTTP/1.1 200ok" -- no space between code
     * and reason phrase -- and the parse below is still required to return 0.
     * Content-Length is 80, matching the 5 x 16 body bytes that follow. */
    uint8_t http_buf2[] = {
        'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
        'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
        0x0d, 0x0a,
        /* body: 0x43 0x57 0x53 = "CWS", the zlib-compressed SWF signature */
        0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
        0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
        0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
        0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
        0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
    };
    uint32_t http_len2 = sizeof(http_buf2);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* two empty TCP packets; both are attached to the same flow below */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* NOTE(review): de_ctx is still NULL in the visible text; the line that
     * allocates it was dropped by the rendering (see the header comment). */
    de_ctx->flags |= DE_QUIET;

    /* rule: server-to-client only, content applied to the file_data buffer;
     * "CWS" is the raw (compressed) signature as sent by the server */
    de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
                                      "(flow:established,from_server; "
                                      "file_data; content:\"CWS\"; "
                                      "sid:1;)");

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* feed the request; alp_tctx has no visible declaration (see the header comment) */
    int r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    FAIL_IF(r != 0);

    http_state = f.alstate;
    FAIL_IF_NULL(http_state);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* the request packet must not trigger sid 1 */
    FAIL_IF((PacketAlertCheck(p1, 1)));

    /* feed the compressed response */
    r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    FAIL_IF(r != 0);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    /* the response packet must trigger sid 1: the raw "CWS" bytes are visible */
    FAIL_IF(!(PacketAlertCheck(p2, 1)));

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    HTPFreeConfig();

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    PASS;
}
4358 
/**
 * \test SWF decompression enabled (type: both) on a "CWS" body whose fourth
 *       byte is 0x01 instead of the 0x0a used in Test19; that byte is the only
 *       difference in the payload. The rule looks for "CWS" and the response
 *       packet (p2) is expected to alert, so the body is evidently left
 *       compressed. Presumably the decompressor rejects a CWS header with this
 *       version byte (compressed SWF is only defined from version 6 on, which
 *       may be the check) -- confirm against HTP's SWF handling. The request
 *       packet (p1) must not alert.
 *
 * NOTE(review): the listing this was taken from has gaps in its line numbering
 * around the config backup calls, the declarations, the signature setup and the
 * teardown; in the visible text alp_tctx is used without a declaration and
 * de_ctx is dereferenced without ever being assigned. The dropped lines
 * presumably allocate (and later free) both; restore them from the repository
 * source before building.
 */
static int DetectEngineHttpServerBodyFileDataTest23(void)
{
    /* per-test libhtp configuration, same as Test19.
     * NOTE(review): the YAML nesting depends on the leading spaces inside this
     * literal and the rendering may have collapsed them -- verify against the
     * repository source. A depth of 0 presumably means "no limit"; confirm in
     * HTPConfigure(). */
    char input[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 swf-decompression:\n\
 enabled: yes\n\
 type: both\n\
 compress-depth: 0\n\
 decompress-depth: 0\n\
";

    ConfInit();

    /* load the YAML above so that HTPConfigure() sees the swf-decompression settings */
    ConfYamlLoadString(input, strlen(input));
    HTPConfigure();

    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    /* client request; the string's NUL terminator is excluded from http_len1 */
    uint8_t http_buf1[] =
        "GET /file.swf HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* server response as raw bytes (no NUL terminator, so http_len2 is the full
     * sizeof). The status line reads "HTTP/1.1 200ok" -- no space between code
     * and reason phrase -- and the parse below is still required to return 0.
     * Content-Length is 80, matching the 5 x 16 body bytes that follow. */
    uint8_t http_buf2[] = {
        'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
        'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
        0x0d, 0x0a,
        /* body: 0x43 0x57 0x53 = "CWS"; the fourth byte is 0x01 here (0x0a in
         * Test19-Test22), which is what keeps this body from being decompressed */
        0x43, 0x57, 0x53, 0x01, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
        0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
        0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
        0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
        0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
    };
    uint32_t http_len2 = sizeof(http_buf2);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* two empty TCP packets; both are attached to the same flow below */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* NOTE(review): de_ctx is still NULL in the visible text; the line that
     * allocates it was dropped by the rendering (see the header comment). */
    de_ctx->flags |= DE_QUIET;

    /* rule: server-to-client only, content applied to the file_data buffer;
     * "CWS" is the raw (compressed) signature as sent by the server */
    de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
                                      "(flow:established,from_server; "
                                      "file_data; content:\"CWS\"; "
                                      "sid:1;)");

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* feed the request; alp_tctx has no visible declaration (see the header comment) */
    int r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    FAIL_IF(r != 0);

    http_state = f.alstate;
    FAIL_IF_NULL(http_state);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* the request packet must not trigger sid 1 */
    FAIL_IF((PacketAlertCheck(p1, 1)));

    /* feed the (malformed-header) compressed response */
    r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    FAIL_IF(r != 0);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    /* the response packet must trigger sid 1: the raw "CWS" bytes are visible */
    FAIL_IF(!(PacketAlertCheck(p2, 1)));

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    HTPFreeConfig();

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    PASS;
}
4485 
/**
 * \test SWF decompression enabled (type: both) on an LZMA-compressed Flash file
 *       (body starts with the "ZWS" signature). The rule looks for "FWS", the
 *       uncompressed SWF signature, so the response packet (p2) is expected to
 *       alert: file_data exposes the decompressed body. The request packet (p1)
 *       must not alert. Test25 is the converse with decompression disabled.
 *
 * The server labels the body application/octet-stream rather than
 * x-shockwave-flash and decompression is still expected, which suggests the
 * body is recognised by its signature rather than by Content-Type -- confirm.
 *
 * NOTE(review): the listing this was taken from has gaps in its line numbering
 * around the config backup calls, the declarations, the signature setup and the
 * teardown; in the visible text alp_tctx is used without a declaration and
 * de_ctx is dereferenced without ever being assigned. The dropped lines
 * presumably allocate (and later free) both; restore them from the repository
 * source before building.
 */
static int DetectEngineHttpServerBodyFileDataTest24(void)
{
    /* per-test libhtp configuration, both zlib and LZMA decompression.
     * NOTE(review): the YAML nesting depends on the leading spaces inside this
     * literal and the rendering may have collapsed them -- verify against the
     * repository source. A depth of 0 presumably means "no limit"; confirm in
     * HTPConfigure(). */
    char input[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 swf-decompression:\n\
 enabled: yes\n\
 type: both\n\
 compress-depth: 0\n\
 decompress-depth: 0\n\
";

    ConfInit();

    /* load the YAML above so that HTPConfigure() sees the swf-decompression settings */
    ConfYamlLoadString(input, strlen(input));
    HTPConfigure();

    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    /* client request; the string's NUL terminator is excluded from http_len1 */
    uint8_t http_buf1[] =
        "GET /file.swf HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* server response as raw bytes (no NUL terminator, so http_len2 is the full
     * sizeof). The status line reads "HTTP/1.1 200ok" -- no space between code
     * and reason phrase -- and the parse below is still required to return 0.
     * Content-Length is 103, matching the 6 x 16 + 7 body bytes that follow. */
    uint8_t http_buf2[] = {
        'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
        'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
        0x0d, 0x0a,
        /* body: 0x5a 0x57 0x53 = "ZWS", the LZMA-compressed SWF signature */
        0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
        0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
        0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
        0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
        0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
        0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
        0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
    };
    uint32_t http_len2 = sizeof(http_buf2);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* two empty TCP packets; both are attached to the same flow below */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);


    /* NOTE(review): de_ctx is still NULL in the visible text; the line that
     * allocates it was dropped by the rendering (see the header comment). */
    de_ctx->flags |= DE_QUIET;

    /* rule: server-to-client only, content applied to the file_data buffer;
     * "FWS" can only be seen if the body has been decompressed */
    de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
                                      "(flow:established,from_server; "
                                      "file_data; content:\"FWS\"; "
                                      "sid:1;)");

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* feed the request; alp_tctx has no visible declaration (see the header comment) */
    int r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    FAIL_IF(r != 0);

    http_state = f.alstate;
    FAIL_IF_NULL(http_state);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* the request packet must not trigger sid 1 */
    FAIL_IF((PacketAlertCheck(p1, 1)));

    /* feed the compressed response */
    r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    FAIL_IF(r != 0);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    /* the response packet must trigger sid 1: "FWS" was found in file_data */
    FAIL_IF(!(PacketAlertCheck(p2, 1)));

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    HTPFreeConfig();

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    PASS;
}
4615 
/**
 * \test SWF decompression disabled (enabled: no) on the same LZMA-compressed
 *       Flash file as Test24 (body starts with "ZWS"). The rule looks for "ZWS"
 *       itself: with decompression off, file_data must carry the bytes as sent
 *       on the wire, so the response packet (p2) is expected to alert and the
 *       request packet (p1) is not.
 *
 * NOTE(review): the listing this was taken from has gaps in its line numbering
 * around the config backup calls, the declarations, the signature setup and the
 * teardown; in the visible text alp_tctx is used without a declaration and
 * de_ctx is dereferenced without ever being assigned. The dropped lines
 * presumably allocate (and later free) both; restore them from the repository
 * source before building.
 */
static int DetectEngineHttpServerBodyFileDataTest25(void)
{
    /* per-test libhtp configuration with swf-decompression switched off.
     * NOTE(review): the YAML nesting depends on the leading spaces inside this
     * literal and the rendering may have collapsed them -- verify against the
     * repository source. */
    char input[] = "\
%YAML 1.1\n\
---\n\
libhtp:\n\
\n\
 default-config:\n\
\n\
 swf-decompression:\n\
 enabled: no\n\
 type: both\n\
 compress-depth: 0\n\
 decompress-depth: 0\n\
";

    ConfInit();

    /* load the YAML above so that HTPConfigure() sees the swf-decompression settings */
    ConfYamlLoadString(input, strlen(input));
    HTPConfigure();

    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    /* client request; the string's NUL terminator is excluded from http_len1 */
    uint8_t http_buf1[] =
        "GET /file.swf HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* server response as raw bytes (no NUL terminator, so http_len2 is the full
     * sizeof). The status line reads "HTTP/1.1 200ok" -- no space between code
     * and reason phrase -- and the parse below is still required to return 0.
     * Content-Length is 103, matching the 4 x 23 + 11 body bytes that follow
     * (same bytes as Test24, laid out 23 per row). */
    uint8_t http_buf2[] = {
        'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
        'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
        'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
        0x0d, 0x0a,
        /* body: 0x5a 0x57 0x53 = "ZWS", the LZMA-compressed SWF signature */
        0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19,
        0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05,
        0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2,
        0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0, 0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59,
        0x56, 0x06, 0x08, 0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
    };
    uint32_t http_len2 = sizeof(http_buf2);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* two empty TCP packets; both are attached to the same flow below */
    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p2->flow = &f;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* NOTE(review): de_ctx is still NULL in the visible text; the line that
     * allocates it was dropped by the rendering (see the header comment). */
    de_ctx->flags |= DE_QUIET;

    /* rule: server-to-client only, content applied to the file_data buffer;
     * "ZWS" is the raw (compressed) signature as sent by the server */
    de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
                                      "(flow:established,from_server; "
                                      "file_data; content:\"ZWS\"; "
                                      "sid:1;)");

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* feed the request; alp_tctx has no visible declaration (see the header comment) */
    int r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    FAIL_IF(r != 0);

    http_state = f.alstate;
    FAIL_IF_NULL(http_state);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    /* the request packet must not trigger sid 1 */
    FAIL_IF((PacketAlertCheck(p1, 1)));

    /* feed the compressed response */
    r = AppLayerParserParse(
            &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    FAIL_IF(r != 0);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    /* the response packet must trigger sid 1: the raw "ZWS" bytes are visible */
    FAIL_IF(!(PacketAlertCheck(p2, 1)));

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    HTPFreeConfig();

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    PASS;
}
4742 
/**
 * \test swf-decompression enabled for LZMA only; the response body is an
 *       LZMA-compressed ("ZWS" magic) SWF served as application/octet-stream.
 *       The rule looks for "FWS", the uncompressed SWF magic, which does not
 *       occur in the raw body bytes below, so the alert expected on p2 can only
 *       come from the decompressed file being what file_data exposes.
 *
 *       NOTE(review): compress-depth / decompress-depth are 0 here; presumably
 *       that means "no cap" — confirm against HTPConfigure before reusing this
 *       snippet in a deployed config, since a decompression cap is the usual
 *       guard against decompression bombs.
 */
4743 static int DetectEngineHttpServerBodyFileDataTest26(void)
4744 {
 /* Per-test libhtp config: only LZMA SWF bodies are decompressed. */
4745  char input[] = "\
4746 %YAML 1.1\n\
4747 ---\n\
4748 libhtp:\n\
4749 \n\
4750  default-config:\n\
4751 \n\
4752  swf-decompression:\n\
4753  enabled: yes\n\
4754  type: lzma\n\
4755  compress-depth: 0\n\
4756  decompress-depth: 0\n\
4757 ";
4758 
4760  ConfInit();
4762 
4763  ConfYamlLoadString(input, strlen(input));
4764  HTPConfigure();
4765 
4766  TcpSession ssn;
4767  Packet *p1 = NULL;
4768  Packet *p2 = NULL;
4769  ThreadVars th_v;
4770  DetectEngineCtx *de_ctx = NULL;
4771  DetectEngineThreadCtx *det_ctx = NULL;
4772  HtpState *http_state = NULL;
4773  Flow f;
4774  uint8_t http_buf1[] =
4775  "GET /file.swf HTTP/1.0\r\n"
4776  "Host: www.openinfosecfoundation.org\r\n"
4777  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4778  "\r\n";
4779  uint32_t http_len1 = sizeof(http_buf1) - 1;
 /* Response: status line is "200ok" with no space (the parse call below is
  * still expected to return 0), Content-Length 103 == the 6*16 + 7 body bytes,
  * body starting with the "ZWS" SWF magic followed by version byte 0x17. */
4780  uint8_t http_buf2[] = {
4781  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4782  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
4783  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4784  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4785  0x0d, 0x0a,
4786  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4787  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4788  0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
4789  0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
4790  0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
4791  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
4792  0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4793  };
 /* Byte array, not a string literal: there is no trailing NUL to subtract. */
4794  uint32_t http_len2 = sizeof(http_buf2);
4797 
4798  memset(&th_v, 0, sizeof(th_v));
4799  memset(&f, 0, sizeof(f));
4800  memset(&ssn, 0, sizeof(ssn));
4801 
4802  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4803  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4804 
4805  FLOW_INITIALIZE(&f);
4806  f.protoctx = (void *)&ssn;
4807  f.proto = IPPROTO_TCP;
4808  f.flags |= FLOW_IPV4;
4809 
4810  p1->flow = &f;
4814  p2->flow = &f;
4818  f.alproto = ALPROTO_HTTP1;
4819 
4820  StreamTcpInitConfig(true);
4821 
4824 
4825  de_ctx->flags |= DE_QUIET;
4826 
 /* "FWS" is not on the wire; it can only be found in the decompressed SWF. */
4827  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4828  "(flow:established,from_server; "
4829  "file_data; content:\"FWS\"; "
4830  "sid:1;)");
4832 
4834  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4835 
4836  int r = AppLayerParserParse(
4837  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4838  FAIL_IF(r != 0);
4839 
 /* Sanity check only: the app-layer state must exist after the request. */
4840  http_state = f.alstate;
4841  FAIL_IF_NULL(http_state);
4842 
4843  /* do detect */
4844  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4845 
 /* Rule is from_server: the request packet must not alert. */
4846  FAIL_IF((PacketAlertCheck(p1, 1)));
4847 
4848  r = AppLayerParserParse(
4849  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4850  FAIL_IF(r != 0);
4851 
4852  /* do detect */
4853  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4854 
 /* Alert on the response proves the inspected buffer was the inflated file. */
4855  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4856 
4858  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4860 
4861  HTPFreeConfig();
4864 
4865  StreamTcpFreeConfig(true);
4866  FLOW_DESTROY(&f);
4867  UTHFreePackets(&p1, 1);
4868  UTHFreePackets(&p2, 1);
4869  PASS;
4870 }
4871 
/**
 * \test swf-decompression enabled for deflate only, but the response body is
 *       an LZMA ("ZWS" magic) SWF. The rule looks for the raw "ZWS" bytes and
 *       is expected to alert: a body whose compression type is not selected in
 *       the config reaches file_data untouched. Rule authors therefore cannot
 *       assume they match decompressed content unless the deployed config
 *       enables that compression type.
 */
4872 static int DetectEngineHttpServerBodyFileDataTest27(void)
4873 {
 /* Per-test libhtp config: only zlib/deflate SWF bodies are decompressed. */
4874  char input[] = "\
4875 %YAML 1.1\n\
4876 ---\n\
4877 libhtp:\n\
4878 \n\
4879  default-config:\n\
4880 \n\
4881  swf-decompression:\n\
4882  enabled: yes\n\
4883  type: deflate\n\
4884  compress-depth: 0\n\
4885  decompress-depth: 0\n\
4886 ";
4887 
4889  ConfInit();
4891 
4892  ConfYamlLoadString(input, strlen(input));
4893  HTPConfigure();
4894 
4895  TcpSession ssn;
4896  Packet *p1 = NULL;
4897  Packet *p2 = NULL;
4898  ThreadVars th_v;
4899  DetectEngineCtx *de_ctx = NULL;
4900  DetectEngineThreadCtx *det_ctx = NULL;
4901  HtpState *http_state = NULL;
4902  Flow f;
4903  uint8_t http_buf1[] =
4904  "GET /file.swf HTTP/1.0\r\n"
4905  "Host: www.openinfosecfoundation.org\r\n"
4906  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4907  "\r\n";
4908  uint32_t http_len1 = sizeof(http_buf1) - 1;
 /* Response: Content-Length 80 == the 5*16 body bytes below; the body starts
  * with the "ZWS" magic and version byte 0x17, i.e. LZMA, which this config
  * does not decompress. */
4909  uint8_t http_buf2[] = {
4910  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4911  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4912  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4913  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4914  0x0d, 0x0a,
4915  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4916  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4917  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
4918  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
4919  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
4920  };
 /* Byte array, not a string literal: no trailing NUL to subtract. */
4921  uint32_t http_len2 = sizeof(http_buf2);
4924 
4925  memset(&th_v, 0, sizeof(th_v));
4926  memset(&f, 0, sizeof(f));
4927  memset(&ssn, 0, sizeof(ssn));
4928 
4929  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4930  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4931 
4932  FLOW_INITIALIZE(&f);
4933  f.protoctx = (void *)&ssn;
4934  f.proto = IPPROTO_TCP;
4935  f.flags |= FLOW_IPV4;
4936 
4937  p1->flow = &f;
4941  p2->flow = &f;
4945  f.alproto = ALPROTO_HTTP1;
4946 
4947  StreamTcpInitConfig(true);
4948 
4951 
4952  de_ctx->flags |= DE_QUIET;
4953 
 /* Matching the raw magic means the body was handed to file_data as-is. */
4954  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4955  "(flow:established,from_server; "
4956  "file_data; content:\"ZWS\"; "
4957  "sid:1;)");
4959 
4961  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4962 
4963  int r = AppLayerParserParse(
4964  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4965  FAIL_IF(r != 0);
4966 
 /* Sanity check only: the app-layer state must exist after the request. */
4967  http_state = f.alstate;
4968  FAIL_IF_NULL(http_state);
4969 
4970  /* do detect */
4971  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4972 
 /* Rule is from_server: the request packet must not alert. */
4973  FAIL_IF((PacketAlertCheck(p1, 1)));
4974 
4975  r = AppLayerParserParse(
4976  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4977  FAIL_IF(r != 0);
4978 
4979  /* do detect */
4980  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4981 
4982  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4983 
4985  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4987 
4988  HTPFreeConfig();
4991 
4992  StreamTcpFreeConfig(true);
4993  FLOW_DESTROY(&f);
4994  UTHFreePackets(&p1, 1);
4995  UTHFreePackets(&p2, 1);
4996  PASS;
4997 }
4998 
/**
 * \test swf-decompression "both" with a "ZWS"-tagged body whose version byte
 *       is 0x01; every other body byte is identical to Test27's sample (which
 *       carries 0x17). The rule matches the raw "ZWS" magic and is expected to
 *       alert, so this payload is evidently not replaced by a decompressed
 *       buffer even though LZMA is enabled.
 *
 *       NOTE(review): from this file alone it cannot be told whether the
 *       version byte or a failed LZMA decode is what keeps the raw body in
 *       place — confirm against the SWF decompression code before relying on
 *       the reason.
 */
4999 static int DetectEngineHttpServerBodyFileDataTest28(void)
5000 {
 /* Per-test libhtp config: both zlib and LZMA SWF bodies may be decompressed. */
5001  char input[] = "\
5002 %YAML 1.1\n\
5003 ---\n\
5004 libhtp:\n\
5005 \n\
5006  default-config:\n\
5007 \n\
5008  swf-decompression:\n\
5009  enabled: yes\n\
5010  type: both\n\
5011  compress-depth: 0\n\
5012  decompress-depth: 0\n\
5013 ";
5014 
5016  ConfInit();
5018 
5019  ConfYamlLoadString(input, strlen(input));
5020  HTPConfigure();
5021 
5022  TcpSession ssn;
5023  Packet *p1 = NULL;
5024  Packet *p2 = NULL;
5025  ThreadVars th_v;
5026  DetectEngineCtx *de_ctx = NULL;
5027  DetectEngineThreadCtx *det_ctx = NULL;
5028  HtpState *http_state = NULL;
5029  Flow f;
5030  uint8_t http_buf1[] =
5031  "GET /file.swf HTTP/1.0\r\n"
5032  "Host: www.openinfosecfoundation.org\r\n"
5033  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5034  "\r\n";
5035  uint32_t http_len1 = sizeof(http_buf1) - 1;
 /* Response: Content-Length 80 == the 5*16 body bytes below. Only the fourth
  * body byte (SWF version, 0x01 here) differs from Test27's sample. */
5036  uint8_t http_buf2[] = {
5037  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
5038  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
5039  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
5040  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
5041  0x0d, 0x0a,
5042  0x5a, 0x57, 0x53, 0x01, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
5043  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
5044  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
5045  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
5046  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
5047  };
 /* Byte array, not a string literal: no trailing NUL to subtract. */
5048  uint32_t http_len2 = sizeof(http_buf2);
5051 
5052  memset(&th_v, 0, sizeof(th_v));
5053  memset(&f, 0, sizeof(f));
5054  memset(&ssn, 0, sizeof(ssn));
5055 
5056  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5057  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5058 
5059  FLOW_INITIALIZE(&f);
5060  f.protoctx = (void *)&ssn;
5061  f.proto = IPPROTO_TCP;
5062  f.flags |= FLOW_IPV4;
5063 
5064  p1->flow = &f;
5068  p2->flow = &f;
5072  f.alproto = ALPROTO_HTTP1;
5073 
5074  StreamTcpInitConfig(true);
5075 
5078 
5079  de_ctx->flags |= DE_QUIET;
5080 
 /* Matching the raw magic means the body reached file_data as-is. */
5081  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
5082  "(flow:established,from_server; "
5083  "file_data; content:\"ZWS\"; "
5084  "sid:1;)");
5086 
5088  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5089 
5090  int r = AppLayerParserParse(
5091  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
5092  FAIL_IF(r != 0);
5093 
 /* Sanity check only: the app-layer state must exist after the request. */
5094  http_state = f.alstate;
5095  FAIL_IF_NULL(http_state);
5096 
5097  /* do detect */
5098  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5099 
 /* Rule is from_server: the request packet must not alert. */
5100  FAIL_IF((PacketAlertCheck(p1, 1)));
5101 
5102  r = AppLayerParserParse(
5103  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
5104  FAIL_IF(r != 0);
5105 
5106  /* do detect */
5107  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5108 
5109  FAIL_IF(!(PacketAlertCheck(p2, 1)));
5110 
5112  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5114 
5115  HTPFreeConfig();
5118 
5119  StreamTcpFreeConfig(true);
5120  FLOW_DESTROY(&f);
5121  UTHFreePackets(&p1, 1);
5122  UTHFreePackets(&p2, 1);
5123  PASS;
5124 }
5125 
/**
 * \test swf-decompression "both" with compress-depth 1000: the response body
 *       is a zlib-compressed ("CWS" magic, zlib header 0x78 0xda at body
 *       offset 8) SWF served as application/x-shockwave-flash. The rule looks
 *       for "FWS", which is not in the wire bytes, so the alert expected on p2
 *       shows the inflated file is what file_data exposes. Test26 alerts with
 *       application/octet-stream, so the Content-Type value does not appear to
 *       gate decompression.
 *
 *       NOTE(review): decompress-depth is still 0 here (presumably uncapped —
 *       confirm against HTPConfigure); only the compressed-side depth is bounded
 *       in this config.
 */
5126 static int DetectEngineHttpServerBodyFileDataTest29(void)
5127 {
 /* Per-test libhtp config: both types, at most 1000 compressed bytes consumed. */
5128  char input[] = "\
5129 %YAML 1.1\n\
5130 ---\n\
5131 libhtp:\n\
5132 \n\
5133  default-config:\n\
5134 \n\
5135  swf-decompression:\n\
5136  enabled: yes\n\
5137  type: both\n\
5138  compress-depth: 1000\n\
5139  decompress-depth: 0\n\
5140 ";
5141 
5143  ConfInit();
5145  ConfYamlLoadString(input, strlen(input));
5146  HTPConfigure();
5147 
5148  TcpSession ssn;
5149  Packet *p1 = NULL;
5150  Packet *p2 = NULL;
5151  ThreadVars th_v;
5152  DetectEngineCtx *de_ctx = NULL;
5153  DetectEngineThreadCtx *det_ctx = NULL;
5154  HtpState *http_state = NULL;
5155  Flow f;
5156  uint8_t http_buf1[] =
5157  "GET /file.swf HTTP/1.0\r\n"
5158  "Host: www.openinfosecfoundation.org\r\n"
5159  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5160  "\r\n";
5161  uint32_t http_len1 = sizeof(http_buf1) - 1;
 /* Response: Content-Length 80 == the 5*16 body bytes below; body starts with
  * the "CWS" magic, version 0x0a, then the zlib stream (0x78 0xda). */
5162  uint8_t http_buf2[] = {
5163  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
5164  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
5165  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
5166  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
5167  0x0d, 0x0a,
5168  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
5169  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
5170  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
5171  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
5172  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
5173  };
 /* Byte array, not a string literal: no trailing NUL to subtract. */
5174  uint32_t http_len2 = sizeof(http_buf2);
5177 
5178  memset(&th_v, 0, sizeof(th_v));
5179  memset(&f, 0, sizeof(f));
5180  memset(&ssn, 0, sizeof(ssn));
5181 
5182  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5183  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5184 
5185  FLOW_INITIALIZE(&f);
5186  f.protoctx = (void *)&ssn;
5187  f.proto = IPPROTO_TCP;
5188  f.flags |= FLOW_IPV4;
5189 
5190  p1->flow = &f;
5194  p2->flow = &f;
5198  f.alproto = ALPROTO_HTTP1;
5199 
5200  StreamTcpInitConfig(true);
5201 
5204 
5205  de_ctx->flags |= DE_QUIET;
5206 
 /* "FWS" is not on the wire; it can only be found in the inflated SWF. */
5207  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
5208  "(flow:established,from_server; "
5209  "file_data; content:\"FWS\"; "
5210  "sid:1;)");
5212 
5214  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5215 
5216  int r = AppLayerParserParse(
5217  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
5218  FAIL_IF(r != 0);
5219 
 /* Sanity check only: the app-layer state must exist after the request. */
5220  http_state = f.alstate;
5221  FAIL_IF_NULL(http_state);
5222 
5223  /* do detect */
5224  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5225 
 /* Rule is from_server: the request packet must not alert. */
5226  FAIL_IF((PacketAlertCheck(p1, 1)));
5227 
5228  r = AppLayerParserParse(
5229  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
5230  FAIL_IF(r != 0);
5231 
5232  /* do detect */
5233  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5234 
 /* Alert on the response proves the inspected buffer was the inflated file. */
5235  FAIL_IF(!(PacketAlertCheck(p2, 1)));
5236 
5238  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5240 
5241  HTPFreeConfig();
5244 
5245  StreamTcpFreeConfig(true);
5246  FLOW_DESTROY(&f);
5247  UTHFreePackets(&p1, 1);
5248  UTHFreePackets(&p2, 1);
5249  PASS;
5250 }
5251 
5252 /**
5253  * \test Test that a signature containing an http_server_body modifier is correctly parsed
5254  * and the keyword is registered.
5255  */
/**
 * \test http_server_body as a content modifier: the content must be placed in
 *       the file_data buffer list (g_file_data_buffer_id) as a single
 *       DETECT_CONTENT entry, and nothing may land in the generic
 *       DETECT_SM_LIST_MATCH list.
 *
 * \retval 1 on success, 0 on any failure (goto-style test, older than the
 *         FAIL_IF-based tests in this file).
 */
5256 static int DetectHttpServerBodyTest01(void)
5257 {
5258  DetectEngineCtx *de_ctx = NULL;
5259  int result = 0;
5260  SigMatch *sm = NULL;
5261 
5263  if (de_ctx == NULL)
5264  goto end;
5265 
5266  de_ctx->flags |= DE_QUIET;
5267  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5268  "(msg:\"Testing http_server_body\"; "
5269  "content:\"one\"; http_server_body; sid:1;)");
5270  if (de_ctx->sig_list == NULL) {
5271  goto end;
5272  }
5273 
5274  /* sm should not be in the MATCH list */
5275  sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
5276  if (sm != NULL) {
5277  goto end;
5278  }
5279 
 /* The modifier moves the content into the file_data buffer's list. */
5280  sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
5281  if (sm == NULL) {
5282  goto end;
5283  }
5284 
5285  if (sm->type != DETECT_CONTENT) {
 /* NOTE(review): the message names DETECT_AL_HTTP_SERVER_BODY but the
  * check is for DETECT_CONTENT; stale text, left unchanged (runtime string). */
5286  printf("sm type not DETECT_AL_HTTP_SERVER_BODY: ");
5287  goto end;
5288  }
5289 
 /* Exactly one entry expected in that list. */
5290  if (sm->next != NULL) {
5291  goto end;
5292  }
5293 
5294  result = 1;
5295 end:
5297 
5298  return result;
5299 }
5300 
5301 /**
5302  * \test Test that a signature containing a valid http_server_body entry is
5303  * parsed.
5304  */
/**
 * \test http_server_body written with an empty argument ("http_server_body:;")
 *       must still be accepted by the signature parser.
 *
 * \retval 1 if the signature parses, 0 otherwise.
 */
5305 static int DetectHttpServerBodyTest02(void)
5306 {
5307  DetectEngineCtx *de_ctx = NULL;
5308  int result = 0;
5309 
5311  if (de_ctx == NULL)
5312  goto end;
5313 
5314  de_ctx->flags |= DE_QUIET;
5315  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5316  "(msg:\"Testing http_server_body\"; "
5317  "content:\"one\"; http_server_body:; sid:1;)");
 /* A non-NULL sig_list means the parser accepted the "keyword:;" form. */
5318  if (de_ctx->sig_list != NULL)
5319  result = 1;
5320 
5321  end:
5323 
5324  return result;
5325 }
5326 
5327 /**
5328  * \test Test that an invalid signature containing no content but a http_server_body
5329  * is invalidated.
5330  */
/**
 * \test http_server_body is a content modifier; with no preceding content
 *       keyword the signature must be rejected.
 *
 * \retval 1 if the signature is rejected (sig_list stays NULL), 0 otherwise.
 */
5331 static int DetectHttpServerBodyTest03(void)
5332 {
5333  DetectEngineCtx *de_ctx = NULL;
5334  int result = 0;
5335 
5337  if (de_ctx == NULL)
5338  goto end;
5339 
5340  de_ctx->flags |= DE_QUIET;
5341  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5342  "(msg:\"Testing http_server_body\"; "
5343  "http_server_body; sid:1;)");
 /* Success here is a parse failure: the rule has nothing to modify. */
5344  if (de_ctx->sig_list == NULL)
5345  result = 1;
5346 
5347  end:
5349 
5350  return result;
5351 }
5352 
5353 /**
5354  * \test Test that an invalid signature containing a rawbytes along with a
5355  * http_server_body is invalidated.
5356  */
/**
 * \test rawbytes and http_server_body on the same content are contradictory
 *       (raw payload bytes vs. a normalized app-layer buffer); the signature
 *       must be rejected.
 *
 * \retval 1 if the signature is rejected (sig_list stays NULL), 0 otherwise.
 */
5357 static int DetectHttpServerBodyTest04(void)
5358 {
5359  DetectEngineCtx *de_ctx = NULL;
5360  int result = 0;
5361 
5363  if (de_ctx == NULL)
5364  goto end;
5365 
5366  de_ctx->flags |= DE_QUIET;
5367  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5368  "(msg:\"Testing http_server_body\"; "
5369  "content:\"one\"; rawbytes; http_server_body; sid:1;)");
 /* Success here is a parse failure. */
5370  if (de_ctx->sig_list == NULL)
5371  result = 1;
5372 
5373  end:
5375 
5376  return result;
5377 }
5378 
5379 /**
5380  * \test Test that a signature with a nocase modifier placed after
5381  * http_server_body is still accepted (that modifier order is valid).
5382  */
/**
 * \test nocase given after http_server_body (rather than before it) must still
 *       be accepted by the signature parser; unlike Test04 this is a positive
 *       test, result is 1 only when the signature parses.
 *
 * \retval 1 if the signature parses, 0 otherwise.
 */
5383 static int DetectHttpServerBodyTest05(void)
5384 {
5385  DetectEngineCtx *de_ctx = NULL;
5386  int result = 0;
5387 
5389  if (de_ctx == NULL)
5390  goto end;
5391 
5392  de_ctx->flags |= DE_QUIET;
5393  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5394  "(msg:\"Testing http_server_body\"; "
5395  "content:\"one\"; http_server_body; nocase; sid:1;)");
 /* Acceptance expected: a trailing nocase is a valid modifier position. */
5396  if (de_ctx->sig_list != NULL)
5397  result = 1;
5398 
5399  end:
5401 
5402  return result;
5403 }
5404 
5405 /**
5406  *\test Test that the http_server_body content matches against the body of an
5407  * HTTP response which holds the content.
5408  */
/**
 * \test End-to-end match: a request followed by a response whose 7-byte body
 *       is "message"; the rule "content:\"message\"; http_server_body;" on the
 *       http app-layer protocol must alert once both directions are parsed.
 *       Each direction is fed in a single call flagged STREAM_START |
 *       STREAM_EOF, and the parser is given a NULL ThreadVars (the FileData
 *       tests above pass &th_v instead).
 *
 * \retval 1 on success, 0 on failure (goto-style test).
 */
5409 static int DetectHttpServerBodyTest06(void)
5410 {
5411  TcpSession ssn;
5412  Packet *p = NULL;
5413  ThreadVars th_v;
5414  DetectEngineCtx *de_ctx = NULL;
5415  DetectEngineThreadCtx *det_ctx = NULL;
5416  HtpState *http_state = NULL;
5417  Flow f;
5418  uint8_t http_buf[] =
5419  "GET /index.html HTTP/1.0\r\n"
5420  "Host: www.openinfosecfoundation.org\r\n"
5421  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5422  "\r\n";
 /* String literals: subtract the implicit trailing NUL from both lengths. */
5423  uint32_t http_len = sizeof(http_buf) - 1;
 /* Content-Length 7 matches the body "message" exactly. */
5424  uint8_t http_buf2[] =
5425  "HTTP/1.0 200 ok\r\n"
5426  "Content-Type: text/html\r\n"
5427  "Content-Length: 7\r\n"
5428  "\r\n"
5429  "message";
5430  uint32_t http_len2 = sizeof(http_buf2) - 1;
5431  int result = 0;
5433 
5434  memset(&th_v, 0, sizeof(th_v));
5435  memset(&f, 0, sizeof(f));
5436  memset(&ssn, 0, sizeof(ssn));
5437 
 /* A single packet is used for detection after both directions are parsed. */
5438  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5439 
5440  FLOW_INITIALIZE(&f);
5441  f.protoctx = (void *)&ssn;
5442  f.proto = IPPROTO_TCP;
5443  f.flags |= FLOW_IPV4;
5444 
5445  p->flow = &f;
5449  f.alproto = ALPROTO_HTTP1;
5450 
5451  StreamTcpInitConfig(true);
5452 
5454  if (de_ctx == NULL)
5455  goto end;
5456 
5457  de_ctx->flags |= DE_QUIET;
5458 
5459  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5460  "(msg:\"http server body test\"; "
5461  "content:\"message\"; http_server_body; "
5462  "sid:1;)");
5463  if (de_ctx->sig_list == NULL)
5464  goto end;
5465 
5467  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5468 
5469  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1,
5470  STREAM_TOSERVER | STREAM_START | STREAM_EOF, http_buf, http_len);
5471  if (r != 0) {
5472  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 /* result is already 0 at this point; the assignment is harmless. */
5473  result = 0;
5474  goto end;
5475  }
5477  STREAM_TOCLIENT | STREAM_START | STREAM_EOF, http_buf2, http_len2);
5478  if (r != 0) {
 /* NOTE(review): this is the toclient chunk, but the message still says
  * "toserver chunk 1"; stale copy, left unchanged (runtime string). */
5479  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5480  result = 0;
5481  goto end;
5482  }
5483 
5484  http_state = f.alstate;
5485  if (http_state == NULL) {
5486  printf("no http state: \n");
5487  result = 0;
5488  goto end;
5489  }
5490 
5491  /* do detect */
5492  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5493 
5494  if (!(PacketAlertCheck(p, 1))) {
5495  printf("sid 1 didn't match but should have: ");
5496  goto end;
5497  }
5498 
5499  result = 1;
5500 end:
 /* Cleanup runs on every path, including early failures before init. */
5501  if (alp_tctx != NULL)
5503  if (de_ctx != NULL)
5505 
5506  StreamTcpFreeConfig(true);
5507  FLOW_DESTROY(&f);
5508  UTHFreePackets(&p, 1);
5509  return result;
5510 }
5511 
5512 /**
5513  *\test Test that the http_server_body content matches against a http request
5514  * which holds the content.
5515  */
5516 static int DetectHttpServerBodyTest07(void)
5517 {
5518  TcpSession ssn;
5519  Packet *p1 = NULL;
5520  Packet *p2 = NULL;
5521  ThreadVars th_v;
5522  DetectEngineCtx *de_ctx = NULL;
5523  DetectEngineThreadCtx *det_ctx = NULL;
5524  HtpState *http_state =