26 #include "../suricata-common.h"
27 #include "../conf-yaml-loader.h"
28 #include "../decode.h"
30 #include "../detect.h"
31 #include "../detect-engine-build.h"
32 #include "../detect-engine-alert.h"
37 static int DetectHttpServerBodyParserTest01(
void)
40 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)",
true));
41 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)",
true));
42 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)",
true));
43 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)",
true));
45 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)",
false));
54 static int DetectHttpServerBodyParserTest02(
void)
57 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)",
true));
58 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)",
true));
59 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)",
true));
60 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)",
true));
63 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)",
false));
75 static int RunTest(
struct TestSteps *steps,
const char *sig,
const char *yaml)
84 memset(&th_v, 0,
sizeof(th_v));
85 memset(&f, 0,
sizeof(f));
86 memset(&ssn, 0,
sizeof(ssn));
106 f.
proto = IPPROTO_TCP;
120 while (b->
input != NULL) {
161 static int DetectEngineHttpServerBodyTest01(
void)
171 uint8_t http_buf1[] =
172 "GET /index.html HTTP/1.0\r\n"
173 "Host: www.openinfosecfoundation.org\r\n"
174 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
176 uint32_t http_len1 =
sizeof(http_buf1) - 1;
177 uint8_t http_buf2[] =
178 "HTTP/1.0 200 ok\r\n"
179 "Content-Type: text/html\r\n"
180 "Content-Length: 7\r\n"
183 uint32_t http_len2 =
sizeof(http_buf2) - 1;
187 memset(&th_v, 0,
sizeof(th_v));
188 memset(&f, 0,
sizeof(f));
189 memset(&ssn, 0,
sizeof(ssn));
196 f.
proto = IPPROTO_TCP;
218 "(msg:\"http server body test\"; "
219 "content:\"message\"; http_server_body; "
230 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
236 if (http_state == NULL) {
237 printf(
"no http state: \n");
246 printf(
"sid 1 matched but shouldn't have\n");
253 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
262 printf(
"sid 1 didn't match but should have");
281 static int DetectEngineHttpServerBodyTest02(
void)
290 uint8_t http_buf1[] =
291 "GET /index.html HTTP/1.0\r\n"
292 "Host: www.openinfosecfoundation.org\r\n"
293 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
295 uint32_t http_len1 =
sizeof(http_buf1) - 1;
296 uint8_t http_buf2[] =
297 "HTTP/1.0 200 ok\r\n"
298 "Content-Type: text/html\r\n"
299 "Content-Length: 7\r\n"
302 uint32_t http_len2 =
sizeof(http_buf2) - 1;
306 memset(&th_v, 0,
sizeof(th_v));
307 memset(&f, 0,
sizeof(f));
308 memset(&ssn, 0,
sizeof(ssn));
314 f.
proto = IPPROTO_TCP;
332 "(msg:\"http server body test\"; "
333 "content:\"ABC\"; http_server_body; offset:4; "
344 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
352 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
358 if (http_state == NULL) {
359 printf(
"no http state: \n");
368 printf(
"sid 1 didn't match but should have\n");
386 static int DetectEngineHttpServerBodyTest03(
void)
397 uint8_t http_buf1[] =
398 "GET /index.html HTTP/1.0\r\n"
399 "Host: www.openinfosecfoundation.org\r\n"
400 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
402 uint32_t http_len1 =
sizeof(http_buf1) - 1;
403 uint8_t http_buf2[] =
404 "HTTP/1.0 200 ok\r\n"
405 "Content-Type: text/html\r\n"
406 "Content-Length: 17\r\n"
409 uint32_t http_len2 =
sizeof(http_buf2) - 1;
410 uint8_t http_buf3[] =
412 uint32_t http_len3 =
sizeof(http_buf3) - 1;
415 memset(&th_v, 0,
sizeof(th_v));
416 memset(&f, 0,
sizeof(f));
417 memset(&ssn, 0,
sizeof(ssn));
424 f.
proto = IPPROTO_TCP;
446 "(msg:\"http server body test\"; "
447 "content:\"ABC\"; http_server_body; offset:14; "
458 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
464 if (http_state == NULL) {
465 printf(
"no http state: \n");
474 printf(
"sid 1 matched but shouldn't have\n");
481 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
489 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
498 printf(
"sid 1 didn't match but should have");
517 static int DetectEngineHttpServerBodyTest04(
void)
527 uint8_t http_buf1[] =
528 "GET /index.html HTTP/1.0\r\n"
529 "Host: www.openinfosecfoundation.org\r\n"
530 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
532 uint32_t http_len1 =
sizeof(http_buf1) - 1;
533 uint8_t http_buf2[] =
534 "HTTP/1.0 200 ok\r\n"
535 "Content-Type: text/html\r\n"
536 "Content-Length: 6\r\n"
539 uint32_t http_len2 =
sizeof(http_buf2) - 1;
543 memset(&th_v, 0,
sizeof(th_v));
544 memset(&f, 0,
sizeof(f));
545 memset(&ssn, 0,
sizeof(ssn));
552 f.
proto = IPPROTO_TCP;
574 "(msg:\"http server body test\"; "
575 "content:!\"abc\"; http_server_body; offset:3; "
586 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
592 if (http_state == NULL) {
593 printf(
"no http state: \n");
602 printf(
"sid 1 matched but shouldn't have: ");
609 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
618 printf(
"sid 1 didn't match but should have: ");
637 static int DetectEngineHttpServerBodyTest05(
void)
647 uint8_t http_buf1[] =
648 "GET /index.html HTTP/1.0\r\n"
649 "Host: www.openinfosecfoundation.org\r\n"
650 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
652 uint32_t http_len1 =
sizeof(http_buf1) - 1;
653 uint8_t http_buf2[] =
654 "HTTP/1.0 200 ok\r\n"
655 "Content-Type: text/html\r\n"
656 "Content-Length: 6\r\n"
659 uint32_t http_len2 =
sizeof(http_buf2) - 1;
663 memset(&th_v, 0,
sizeof(th_v));
664 memset(&f, 0,
sizeof(f));
665 memset(&ssn, 0,
sizeof(ssn));
672 f.
proto = IPPROTO_TCP;
694 "(msg:\"http server body test\"; "
695 "content:\"abc\"; http_server_body; depth:3; "
706 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
712 if (http_state == NULL) {
713 printf(
"no http state: \n");
722 printf(
"sid 1 matched but shouldn't have: ");
729 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
738 printf(
"sid 1 didn't match but should have: ");
757 static int DetectEngineHttpServerBodyTest06(
void)
767 uint8_t http_buf1[] =
768 "GET /index.html HTTP/1.0\r\n"
769 "Host: www.openinfosecfoundation.org\r\n"
770 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
772 uint32_t http_len1 =
sizeof(http_buf1) - 1;
773 uint8_t http_buf2[] =
774 "HTTP/1.0 200 ok\r\n"
775 "Content-Type: text/html\r\n"
776 "Content-Length: 6\r\n"
779 uint32_t http_len2 =
sizeof(http_buf2) - 1;
783 memset(&th_v, 0,
sizeof(th_v));
784 memset(&f, 0,
sizeof(f));
785 memset(&ssn, 0,
sizeof(ssn));
792 f.
proto = IPPROTO_TCP;
814 "(msg:\"http server body test\"; "
815 "content:!\"def\"; http_server_body; depth:3; "
826 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
832 if (http_state == NULL) {
833 printf(
"no http state: \n");
842 printf(
"sid 1 matched but shouldn't have: ");
849 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
858 printf(
"sid 1 didn't match but should have: ");
877 static int DetectEngineHttpServerBodyTest07(
void)
887 uint8_t http_buf1[] =
888 "GET /index.html HTTP/1.0\r\n"
889 "Host: www.openinfosecfoundation.org\r\n"
890 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
892 uint32_t http_len1 =
sizeof(http_buf1) - 1;
893 uint8_t http_buf2[] =
894 "HTTP/1.0 200 ok\r\n"
895 "Content-Type: text/html\r\n"
896 "Content-Length: 6\r\n"
899 uint32_t http_len2 =
sizeof(http_buf2) - 1;
903 memset(&th_v, 0,
sizeof(th_v));
904 memset(&f, 0,
sizeof(f));
905 memset(&ssn, 0,
sizeof(ssn));
912 f.
proto = IPPROTO_TCP;
934 "(msg:\"http server body test\"; "
935 "content:!\"def\"; http_server_body; offset:3; "
946 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
952 if (http_state == NULL) {
953 printf(
"no http state: \n");
962 printf(
"sid 1 matched but shouldn't have: ");
969 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
978 printf(
"sid 1 matched but shouldn't have: ");
997 static int DetectEngineHttpServerBodyTest08(
void)
1007 uint8_t http_buf1[] =
1008 "GET /index.html HTTP/1.0\r\n"
1009 "Host: www.openinfosecfoundation.org\r\n"
1010 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1012 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1013 uint8_t http_buf2[] =
1014 "HTTP/1.0 200 ok\r\n"
1015 "Content-Type: text/html\r\n"
1016 "Content-Length: 6\r\n"
1019 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1023 memset(&th_v, 0,
sizeof(th_v));
1024 memset(&f, 0,
sizeof(f));
1025 memset(&ssn, 0,
sizeof(ssn));
1032 f.
proto = IPPROTO_TCP;
1054 "(msg:\"http server body test\"; "
1055 "content:!\"abc\"; http_server_body; depth:3; "
1066 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1072 if (http_state == NULL) {
1073 printf(
"no http state: \n");
1082 printf(
"sid 1 matched but shouldn't have: ");
1089 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1098 printf(
"sid 1 matched but shouldn't have: ");
1117 static int DetectEngineHttpServerBodyTest09(
void)
1127 uint8_t http_buf1[] =
1128 "GET /index.html HTTP/1.0\r\n"
1129 "Host: www.openinfosecfoundation.org\r\n"
1130 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1132 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1133 uint8_t http_buf2[] =
1134 "HTTP/1.0 200 ok\r\n"
1135 "Content-Type: text/html\r\n"
1136 "Content-Length: 6\r\n"
1139 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1143 memset(&th_v, 0,
sizeof(th_v));
1144 memset(&f, 0,
sizeof(f));
1145 memset(&ssn, 0,
sizeof(ssn));
1152 f.
proto = IPPROTO_TCP;
1174 "(msg:\"http server body test\"; "
1175 "content:\"abc\"; http_server_body; depth:3; "
1176 "content:\"def\"; http_server_body; within:3; "
1187 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1193 if (http_state == NULL) {
1194 printf(
"no http state: \n");
1203 printf(
"sid 1 matched but shouldn't have: ");
1210 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1219 printf(
"sid 1 didn't match but should have: ");
1238 static int DetectEngineHttpServerBodyTest10(
void)
1248 uint8_t http_buf1[] =
1249 "GET /index.html HTTP/1.0\r\n"
1250 "Host: www.openinfosecfoundation.org\r\n"
1251 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1253 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1254 uint8_t http_buf2[] =
1255 "HTTP/1.0 200 ok\r\n"
1256 "Content-Type: text/html\r\n"
1257 "Content-Length: 6\r\n"
1260 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1264 memset(&th_v, 0,
sizeof(th_v));
1265 memset(&f, 0,
sizeof(f));
1266 memset(&ssn, 0,
sizeof(ssn));
1273 f.
proto = IPPROTO_TCP;
1295 "(msg:\"http server body test\"; "
1296 "content:\"abc\"; http_server_body; depth:3; "
1297 "content:!\"xyz\"; http_server_body; within:3; "
1308 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1314 if (http_state == NULL) {
1315 printf(
"no http state: \n");
1324 printf(
"sid 1 matched but shouldn't have: ");
1331 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1340 printf(
"sid 1 didn't match but should have: ");
1359 static int DetectEngineHttpServerBodyTest11(
void)
1369 uint8_t http_buf1[] =
1370 "GET /index.html HTTP/1.0\r\n"
1371 "Host: www.openinfosecfoundation.org\r\n"
1372 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1374 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1375 uint8_t http_buf2[] =
1376 "HTTP/1.0 200 ok\r\n"
1377 "Content-Type: text/html\r\n"
1378 "Content-Length: 6\r\n"
1381 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1385 memset(&th_v, 0,
sizeof(th_v));
1386 memset(&f, 0,
sizeof(f));
1387 memset(&ssn, 0,
sizeof(ssn));
1394 f.
proto = IPPROTO_TCP;
1416 "(msg:\"http server body test\"; "
1417 "content:\"abc\"; http_server_body; depth:3; "
1418 "content:\"xyz\"; http_server_body; within:3; "
1429 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1435 if (http_state == NULL) {
1436 printf(
"no http state: \n");
1445 printf(
"sid 1 matched but shouldn't have: ");
1452 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1461 printf(
"sid 1 did match but should not have: ");
1480 static int DetectEngineHttpServerBodyTest12(
void)
1490 uint8_t http_buf1[] =
1491 "GET /index.html HTTP/1.0\r\n"
1492 "Host: www.openinfosecfoundation.org\r\n"
1493 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1495 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1496 uint8_t http_buf2[] =
1497 "HTTP/1.0 200 ok\r\n"
1498 "Content-Type: text/html\r\n"
1499 "Content-Length: 6\r\n"
1502 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1506 memset(&th_v, 0,
sizeof(th_v));
1507 memset(&f, 0,
sizeof(f));
1508 memset(&ssn, 0,
sizeof(ssn));
1515 f.
proto = IPPROTO_TCP;
1537 "(msg:\"http server body test\"; "
1538 "content:\"ab\"; http_server_body; depth:2; "
1539 "content:\"ef\"; http_server_body; distance:2; "
1550 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1556 if (http_state == NULL) {
1557 printf(
"no http state: \n");
1566 printf(
"sid 1 matched but shouldn't have: ");
1573 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1582 printf(
"sid 1 did not match but should have: ");
1601 static int DetectEngineHttpServerBodyTest13(
void)
1611 uint8_t http_buf1[] =
1612 "GET /index.html HTTP/1.0\r\n"
1613 "Host: www.openinfosecfoundation.org\r\n"
1614 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1616 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1617 uint8_t http_buf2[] =
1618 "HTTP/1.0 200 ok\r\n"
1619 "Content-Type: text/html\r\n"
1620 "Content-Length: 6\r\n"
1623 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1627 memset(&th_v, 0,
sizeof(th_v));
1628 memset(&f, 0,
sizeof(f));
1629 memset(&ssn, 0,
sizeof(ssn));
1636 f.
proto = IPPROTO_TCP;
1658 "(msg:\"http server body test\"; "
1659 "content:\"ab\"; http_server_body; depth:3; "
1660 "content:!\"yz\"; http_server_body; distance:2; "
1671 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1677 if (http_state == NULL) {
1678 printf(
"no http state: \n");
1687 printf(
"sid 1 matched but shouldn't have: ");
1694 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1703 printf(
"sid 1 did not match but should have: ");
1722 static int DetectEngineHttpServerBodyTest14(
void)
1732 uint8_t http_buf1[] =
1733 "GET /index.html HTTP/1.0\r\n"
1734 "Host: www.openinfosecfoundation.org\r\n"
1735 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1737 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1738 uint8_t http_buf2[] =
1739 "HTTP/1.0 200 ok\r\n"
1740 "Content-Type: text/html\r\n"
1741 "Content-Length: 6\r\n"
1744 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1748 memset(&th_v, 0,
sizeof(th_v));
1749 memset(&f, 0,
sizeof(f));
1750 memset(&ssn, 0,
sizeof(ssn));
1757 f.
proto = IPPROTO_TCP;
1779 "(msg:\"http server body test\"; "
1781 "content:\"ef\"; http_server_body; distance:2; "
1792 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1798 if (http_state == NULL) {
1799 printf(
"no http state: \n");
1808 printf(
"sid 1 matched but shouldn't have: ");
1815 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1824 printf(
"sid 1 did not match but should have: ");
1843 static int DetectEngineHttpServerBodyTest15(
void)
1853 uint8_t http_buf1[] =
1854 "GET /index.html HTTP/1.0\r\n"
1855 "Host: www.openinfosecfoundation.org\r\n"
1856 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1858 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1859 uint8_t http_buf2[] =
1860 "HTTP/1.0 200 ok\r\n"
1861 "Content-Type: text/html\r\n"
1862 "Content-Length: 6\r\n"
1865 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1869 memset(&th_v, 0,
sizeof(th_v));
1870 memset(&f, 0,
sizeof(f));
1871 memset(&ssn, 0,
sizeof(ssn));
1878 f.
proto = IPPROTO_TCP;
1900 "(msg:\"http server body test\"; "
1902 "content:!\"xyz\"; http_server_body; distance:0; within:3; "
1913 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1919 if (http_state == NULL) {
1920 printf(
"no http state: \n");
1929 printf(
"sid 1 matched but shouldn't have: ");
1936 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1945 printf(
"sid 1 did not match but should have: ");
1964 static int DetectEngineHttpServerBodyTest16(
void)
1973 request-body-limit: 0\n\
1974 response-body-limit: 0\n\
1976 request-body-inspect-window: 0\n\
1977 response-body-inspect-window: 0\n\
1978 request-body-minimal-inspect-size: 0\n\
1979 response-body-minimal-inspect-size: 0\n\
1996 uint8_t http_buf1[] =
1997 "GET /index.html HTTP/1.0\r\n"
1998 "Host: www.openinfosecfoundation.org\r\n"
1999 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2001 uint32_t http_len1 =
sizeof(http_buf1) - 1;
2002 uint8_t http_buf2[] =
2003 "HTTP/1.0 200 ok\r\n"
2004 "Content-Type: text/html\r\n"
2005 "Content-Length: 17\r\n"
2008 uint32_t http_len2 =
sizeof(http_buf2) - 1;
2009 uint8_t http_buf3[] =
2011 uint32_t http_len3 =
sizeof(http_buf3) - 1;
2014 memset(&th_v, 0,
sizeof(th_v));
2015 memset(&f, 0,
sizeof(f));
2016 memset(&ssn, 0,
sizeof(ssn));
2023 f.
proto = IPPROTO_TCP;
2043 "content:\"890\"; within:3; http_server_body; "
2086 static int DetectEngineHttpServerBodyTest17(
void)
2095 request-body-limit: 0\n\
2096 response-body-limit: 0\n\
2098 request-body-inspect-window: 0\n\
2099 response-body-inspect-window: 0\n\
2100 request-body-minimal-inspect-size: 0\n\
2101 response-body-minimal-inspect-size: 0\n\
2119 uint8_t http_buf1[] =
2120 "GET /index.html HTTP/1.0\r\n"
2121 "Host: www.openinfosecfoundation.org\r\n"
2122 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2124 uint32_t http_len1 =
sizeof(http_buf1) - 1;
2125 uint8_t http_buf2[] =
2126 "HTTP/1.0 200 ok\r\n"
2127 "Content-Type: text/html\r\n"
2128 "Content-Length: 17\r\n"
2131 uint32_t http_len2 =
sizeof(http_buf2) - 1;
2132 uint8_t http_buf3[] =
2134 uint32_t http_len3 =
sizeof(http_buf3) - 1;
2137 memset(&th_v, 0,
sizeof(th_v));
2138 memset(&f, 0,
sizeof(f));
2139 memset(&ssn, 0,
sizeof(ssn));
2146 f.
proto = IPPROTO_TCP;
2166 "content:\"890\"; depth:3; http_server_body; "
2219 static int DetectEngineHttpServerBodyTest18(
void)
2229 uint8_t http_buf1[] =
2230 "GET /index.html HTTP/1.0\r\n"
2231 "Host: www.openinfosecfoundation.org\r\n"
2232 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2234 uint32_t http_len1 =
sizeof(http_buf1) - 1;
2235 uint8_t http_buf2[] = {
2236 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
2237 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'5',
'1', 0x0d, 0x0a,
2238 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'E',
'n',
'c',
'o',
'd',
'i',
'n',
'g',
':',
' ',
'g',
'z',
'i',
'p', 0x0d, 0x0a,
2240 0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2241 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2242 0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2243 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2244 0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2245 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2248 uint32_t http_len2 =
sizeof(http_buf2);
2252 memset(&th_v, 0,
sizeof(th_v));
2253 memset(&f, 0,
sizeof(f));
2254 memset(&ssn, 0,
sizeof(ssn));
2261 f.
proto = IPPROTO_TCP;
2283 "(msg:\"http server body test\"; "
2284 "content:\"file\"; http_server_body; "
2295 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2301 if (http_state == NULL) {
2302 printf(
"no http state: \n");
2311 printf(
"sid 1 matched but shouldn't have\n");
2318 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
2327 printf(
"sid 1 didn't match but should have");
2349 static int DetectEngineHttpServerBodyTest19(
void)
2359 uint8_t http_buf1[] =
2360 "GET /index.html HTTP/1.0\r\n"
2361 "Host: www.openinfosecfoundation.org\r\n"
2362 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2364 uint32_t http_len1 =
sizeof(http_buf1) - 1;
2365 uint8_t http_buf2[] = {
2366 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
2367 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'2',
'4', 0x0d, 0x0a,
2368 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'E',
'n',
'c',
'o',
'd',
'i',
'n',
'g',
':',
' ',
'd',
'e',
'f',
'l',
'a',
't',
'e', 0x0d, 0x0a,
2370 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2371 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2372 0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2376 uint32_t http_len2 =
sizeof(http_buf2);
2380 memset(&th_v, 0,
sizeof(th_v));
2381 memset(&f, 0,
sizeof(f));
2382 memset(&ssn, 0,
sizeof(ssn));
2389 f.
proto = IPPROTO_TCP;
2411 "(msg:\"http server body test\"; "
2412 "content:\"file\"; http_server_body; "
2423 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2429 if (http_state == NULL) {
2430 printf(
"no http state: \n");
2439 printf(
"sid 1 matched but shouldn't have\n");
2446 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
2455 printf(
"sid 1 didn't match but should have");
2477 static int DetectEngineHttpServerBodyTest20(
void)
2487 uint8_t http_buf1[] =
2488 "GET /index.html HTTP/1.0\r\n"
2489 "Host: www.openinfosecfoundation.org\r\n"
2490 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2492 uint32_t http_len1 =
sizeof(http_buf1) - 1;
2493 uint8_t http_buf2[] = {
2494 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
2495 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'2',
'4', 0x0d, 0x0a,
2496 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'E',
'n',
'c',
'o',
'd',
'i',
'n',
'g',
':',
' ',
'g',
'z',
'i',
'p', 0x0d, 0x0a,
2498 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2499 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2500 0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2504 uint32_t http_len2 =
sizeof(http_buf2);
2508 memset(&th_v, 0,
sizeof(th_v));
2509 memset(&f, 0,
sizeof(f));
2510 memset(&ssn, 0,
sizeof(ssn));
2517 f.
proto = IPPROTO_TCP;
2539 "(msg:\"http server body test\"; "
2540 "content:\"file\"; http_server_body; "
2551 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2557 if (http_state == NULL) {
2558 printf(
"no http state: \n");
2567 printf(
"sid 1 matched but shouldn't have\n");
2574 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
2582 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2604 static int DetectEngineHttpServerBodyTest21(
void)
2614 uint8_t http_buf1[] =
2615 "GET /index.html HTTP/1.0\r\n"
2616 "Host: www.openinfosecfoundation.org\r\n"
2617 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2619 uint32_t http_len1 =
sizeof(http_buf1) - 1;
2620 uint8_t http_buf2[] = {
2621 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
2622 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'5',
'1', 0x0d, 0x0a,
2623 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'E',
'n',
'c',
'o',
'd',
'i',
'n',
'g',
':',
' ',
'd',
'e',
'f',
'l',
'a',
't',
'e', 0x0d, 0x0a,
2625 0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2626 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2627 0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2628 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2629 0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2630 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2633 uint32_t http_len2 =
sizeof(http_buf2);
2637 memset(&th_v, 0,
sizeof(th_v));
2638 memset(&f, 0,
sizeof(f));
2639 memset(&ssn, 0,
sizeof(ssn));
2646 f.
proto = IPPROTO_TCP;
2668 "(msg:\"http server body test\"; "
2669 "content:\"file\"; http_server_body; "
2680 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2686 if (http_state == NULL) {
2687 printf(
"no http state: \n");
2696 printf(
"sid 1 matched but shouldn't have\n");
2703 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
2711 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2734 static int DetectEngineHttpServerBodyTest22(
void)
2744 uint8_t http_buf1[] =
2745 "GET /index.html HTTP/1.0\r\n"
2746 "Host: www.openinfosecfoundation.org\r\n"
2747 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2749 uint32_t http_len1 =
sizeof(http_buf1) - 1;
2750 uint8_t http_buf2[] = {
2751 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
2752 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'5',
'1', 0x0d, 0x0a,
2753 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'E',
'n',
'c',
'o',
'd',
'i',
'n',
'g',
':',
' ',
'g',
'z',
'i',
'p', 0x0d, 0x0a,
2754 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'E',
'n',
'c',
'o',
'd',
'i',
'n',
'g',
':',
' ',
'd',
'e',
'f',
'l',
'a',
't',
'e', 0x0d, 0x0a,
2756 0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2757 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2758 0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2759 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2760 0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2761 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2764 uint32_t http_len2 =
sizeof(http_buf2);
2768 memset(&th_v, 0,
sizeof(th_v));
2769 memset(&f, 0,
sizeof(f));
2770 memset(&ssn, 0,
sizeof(ssn));
2777 f.
proto = IPPROTO_TCP;
2799 "(msg:\"http server body test\"; "
2800 "content:\"file\"; http_server_body; "
2811 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2817 if (http_state == NULL) {
2818 printf(
"no http state: \n");
2827 printf(
"sid 1 matched but shouldn't have: ");
2834 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: \n", r);
2842 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2861 static int DetectEngineHttpServerBodyFileDataTest01(
void)
2871 uint8_t http_buf1[] =
2872 "GET /index.html HTTP/1.0\r\n"
2873 "Host: www.openinfosecfoundation.org\r\n"
2874 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2876 uint32_t http_len1 =
sizeof(http_buf1) - 1;
2877 uint8_t http_buf2[] =
2878 "HTTP/1.0 200 ok\r\n"
2879 "Content-Type: text/html\r\n"
2880 "Content-Length: 6\r\n"
2883 uint32_t http_len2 =
sizeof(http_buf2) - 1;
2887 memset(&th_v, 0,
sizeof(th_v));
2888 memset(&f, 0,
sizeof(f));
2889 memset(&ssn, 0,
sizeof(ssn));
2896 f.
proto = IPPROTO_TCP;
2918 "(msg:\"http server body test\"; "
2919 "file_data; pcre:/ab/; "
2920 "content:\"ef\"; distance:2; "
2931 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2937 if (http_state == NULL) {
2938 printf(
"no http state: \n");
2947 printf(
"sid 1 matched but shouldn't have: ");
2954 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
2963 printf(
"sid 1 did not match but should have: ");
2982 static int DetectEngineHttpServerBodyFileDataTest02(
void)
2992 uint8_t http_buf1[] =
2993 "GET /index.html HTTP/1.0\r\n"
2994 "Host: www.openinfosecfoundation.org\r\n"
2995 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2997 uint32_t http_len1 =
sizeof(http_buf1) - 1;
2998 uint8_t http_buf2[] =
2999 "HTTP/1.0 200 ok\r\n"
3000 "Content-Type: text/html\r\n"
3001 "Content-Length: 6\r\n"
3004 uint32_t http_len2 =
sizeof(http_buf2) - 1;
3008 memset(&th_v, 0,
sizeof(th_v));
3009 memset(&f, 0,
sizeof(f));
3010 memset(&ssn, 0,
sizeof(ssn));
3017 f.
proto = IPPROTO_TCP;
3039 "(msg:\"http server body test\"; "
3040 "file_data; pcre:/abc/; "
3041 "content:!\"xyz\"; distance:0; within:3; "
3052 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3058 if (http_state == NULL) {
3059 printf(
"no http state: \n");
3068 printf(
"sid 1 matched but shouldn't have: ");
3075 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
3084 printf(
"sid 1 did not match but should have: ");
3104 static int DetectEngineHttpServerBodyFileDataTest03(
void)
3113 uint8_t http_buf1[] =
3114 "GET /index.html HTTP/1.0\r\n"
3115 "Host: www.openinfosecfoundation.org\r\n"
3116 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3118 uint32_t http_len1 =
sizeof(http_buf1) - 1;
3119 uint8_t http_buf2[] =
3120 "HTTP/1.0 200 ok\r\n"
3121 "Content-Type: text/html\r\n"
3122 "Content-Length: 33\r\n"
3124 "XYZ_klm_1234abcd_XYZ_klm_5678abcd";
3125 uint32_t http_len2 =
sizeof(http_buf2) - 1;
3128 memset(&th_v, 0,
sizeof(th_v));
3129 memset(&f, 0,
sizeof(f));
3130 memset(&ssn, 0,
sizeof(ssn));
3137 f.
proto = IPPROTO_TCP;
3157 "alert http any any -> any any "
3158 "(msg:\"match on 1st\"; "
3159 "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
3160 "distance:4; byte_test:4,=,1234,-8,relative,string;"
3164 "alert http any any -> any any "
3165 "(msg:\"match on 2nd\"; "
3166 "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
3167 "distance:4; byte_test:4,=,5678,-8,relative,string;"
3203 static int DetectEngineHttpServerBodyFileDataTest04(
void)
3206 const char yaml[] =
"\
3213 http-body-inline: yes\n\
3214 response-body-minimal-inspect-size: 6\n\
3215 response-body-inspect-window: 3\n\
3219 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3220 "Host: www.openinfosecfoundation.org\r\n"
3221 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3223 0, STREAM_TOSERVER, 0 },
3224 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3225 "Content-Type: text/html\r\n"
3226 "Content-Length: 6\r\n"
3229 0, STREAM_TOCLIENT, 0 },
3230 { (
const uint8_t *)
"cd",
3231 0, STREAM_TOCLIENT, 1 },
3232 { (
const uint8_t *)
"ef",
3233 0, STREAM_TOCLIENT, 0 },
3237 const char *sig =
"alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
3238 return RunTest(steps, sig, yaml);
/**
 * \test Same configuration as Test04 (minimal-inspect-size 6 / window 3,
 *       Content-Length 6, chunks header + "cd" + "ef") but the signature asks
 *       for the whole 6-byte body, content:"abcdef"; the last chunk "ef" is
 *       the one flagged 1 (presumably "expect a match here" — struct TestSteps
 *       is not visible, confirm). Lines between the Content-Length header and
 *       the end of the header step are missing from this extraction.
 */
3241 static int DetectEngineHttpServerBodyFileDataTest05(
void)
3244 const char yaml[] =
"\
3251 http-body-inline: yes\n\
3252 response-body-minimal-inspect-size: 6\n\
3253 response-body-inspect-window: 3\n\
3257 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3258 "Host: www.openinfosecfoundation.org\r\n"
3259 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3261 0, STREAM_TOSERVER, 0 },
3262 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3263 "Content-Type: text/html\r\n"
3264 "Content-Length: 6\r\n"
3267 0, STREAM_TOCLIENT, 0 },
3268 { (
const uint8_t *)
"cd",
3269 0, STREAM_TOCLIENT, 0 },
/* body completes here; flagged 1 */
3270 { (
const uint8_t *)
"ef",
3271 0, STREAM_TOCLIENT, 1 },
3275 const char *sig =
"alert http any any -> any any (file_data; content:\"abcdef\"; sid:1;)";
3276 return RunTest(steps, sig, yaml);
/**
 * \test As Test05 (minimal-inspect-size 6 / window 3, Content-Length 6,
 *       chunks header + "cd" + "ef") with an offset-anchored pattern:
 *       content:"bcdef"; offset:1. The "ef" chunk is flagged 1 (presumably
 *       the expected-match chunk — struct TestSteps not visible, confirm).
 *       Lines between the Content-Length header and the end of the header
 *       step are missing from this extraction.
 */
3279 static int DetectEngineHttpServerBodyFileDataTest06(
void)
3282 const char yaml[] =
"\
3289 http-body-inline: yes\n\
3290 response-body-minimal-inspect-size: 6\n\
3291 response-body-inspect-window: 3\n\
3295 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3296 "Host: www.openinfosecfoundation.org\r\n"
3297 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3299 0, STREAM_TOSERVER, 0 },
3300 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3301 "Content-Type: text/html\r\n"
3302 "Content-Length: 6\r\n"
3305 0, STREAM_TOCLIENT, 0 },
3306 { (
const uint8_t *)
"cd",
3307 0, STREAM_TOCLIENT, 0 },
3308 { (
const uint8_t *)
"ef",
3309 0, STREAM_TOCLIENT, 1 },
3313 const char *sig =
"alert http any any -> any any (file_data; content:\"bcdef\"; offset:1; sid:1;)";
3314 return RunTest(steps, sig, yaml);
/**
 * \test offset+depth inside the inspect window: minimal-inspect-size 6 /
 *       window 3, Content-Length 13, chunks header + "cd" + "123456789".
 *       Signature content:"bc"; offset:1; depth:2 — the "cd" chunk is flagged
 *       1 (presumably the expected-match chunk; struct TestSteps not visible,
 *       confirm). Lines between the Content-Length header and the end of the
 *       header step are missing from this extraction.
 */
3317 static int DetectEngineHttpServerBodyFileDataTest07(
void)
3320 const char yaml[] =
"\
3327 http-body-inline: yes\n\
3328 response-body-minimal-inspect-size: 6\n\
3329 response-body-inspect-window: 3\n\
3333 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3334 "Host: www.openinfosecfoundation.org\r\n"
3335 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3337 0, STREAM_TOSERVER, 0 },
3338 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3339 "Content-Type: text/html\r\n"
3340 "Content-Length: 13\r\n"
3343 0, STREAM_TOCLIENT, 0 },
3344 { (
const uint8_t *)
"cd",
3345 0, STREAM_TOCLIENT, 1 },
3346 { (
const uint8_t *)
"123456789",
3347 0, STREAM_TOCLIENT, 0 },
3351 const char *sig =
"alert http any any -> any any (file_data; content:\"bc\"; offset:1; depth:2; sid:1;)";
3352 return RunTest(steps, sig, yaml);
/**
 * \test Pattern spanning two chunks: minimal-inspect-size 6 / window 3,
 *       Content-Length 14, chunks header + "cd" + "1234567890". Signature
 *       content:"d123456789"; offset:3 — the final chunk is flagged 1
 *       (presumably the expected-match chunk; struct TestSteps not visible,
 *       confirm). Lines between the Content-Length header and the end of the
 *       header step are missing from this extraction.
 */
3355 static int DetectEngineHttpServerBodyFileDataTest08(
void)
3358 const char yaml[] =
"\
3365 http-body-inline: yes\n\
3366 response-body-minimal-inspect-size: 6\n\
3367 response-body-inspect-window: 3\n\
3371 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3372 "Host: www.openinfosecfoundation.org\r\n"
3373 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3375 0, STREAM_TOSERVER, 0 },
3376 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3377 "Content-Type: text/html\r\n"
3378 "Content-Length: 14\r\n"
3381 0, STREAM_TOCLIENT, 0 },
3382 { (
const uint8_t *)
"cd",
3383 0, STREAM_TOCLIENT, 0 },
3384 { (
const uint8_t *)
"1234567890",
3385 0, STREAM_TOCLIENT, 1 },
3389 const char *sig =
"alert http any any -> any any (file_data; content:\"d123456789\"; offset:3; sid:1;)";
3390 return RunTest(steps, sig, yaml);
/**
 * \test depth-limited pattern that ends in the last chunk: minimal-inspect-size
 *       6 / window 3, Content-Length 13, chunks header + "cd" + "123456789".
 *       Signature content:"abcd12"; depth:6 — the "123456789" chunk is flagged
 *       1 (presumably the expected-match chunk; struct TestSteps not visible,
 *       confirm). Lines between the Content-Length header and the end of the
 *       header step are missing from this extraction.
 */
3393 static int DetectEngineHttpServerBodyFileDataTest09(
void)
3396 const char yaml[] =
"\
3403 http-body-inline: yes\n\
3404 response-body-minimal-inspect-size: 6\n\
3405 response-body-inspect-window: 3\n\
3409 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3410 "Host: www.openinfosecfoundation.org\r\n"
3411 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3413 0, STREAM_TOSERVER, 0 },
3414 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3415 "Content-Type: text/html\r\n"
3416 "Content-Length: 13\r\n"
3419 0, STREAM_TOCLIENT, 0 },
3420 { (
const uint8_t *)
"cd",
3421 0, STREAM_TOCLIENT, 0 },
3422 { (
const uint8_t *)
"123456789",
3423 0, STREAM_TOCLIENT, 1 },
3427 const char *sig =
"alert http any any -> any any (file_data; content:\"abcd12\"; depth:6; sid:1;)";
3428 return RunTest(steps, sig, yaml);
/**
 * \test Body shorter than the minimal inspect size: minimal-inspect-size 6 /
 *       window 3, Content-Length 5, chunks header + "c" + "de". Signature
 *       content:"abc"; depth:3 — the single-byte "c" chunk is flagged 1
 *       (presumably the expected-match chunk; struct TestSteps not visible,
 *       confirm). Lines between the Content-Length header and the end of the
 *       header step are missing from this extraction.
 */
3431 static int DetectEngineHttpServerBodyFileDataTest10(
void)
3434 const char yaml[] =
"\
3441 http-body-inline: yes\n\
3442 response-body-minimal-inspect-size: 6\n\
3443 response-body-inspect-window: 3\n\
3447 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3448 "Host: www.openinfosecfoundation.org\r\n"
3449 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3451 0, STREAM_TOSERVER, 0 },
3452 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3453 "Content-Type: text/html\r\n"
3454 "Content-Length: 5\r\n"
3457 0, STREAM_TOCLIENT, 0 },
3458 { (
const uint8_t *)
"c",
3459 0, STREAM_TOCLIENT, 1 },
3460 { (
const uint8_t *)
"de",
3461 0, STREAM_TOCLIENT, 0 },
3465 const char *sig =
"alert http any any -> any any (file_data; content:\"abc\"; depth:3; sid:1;)";
3466 return RunTest(steps, sig, yaml);
/**
 * \test As Test10 (minimal-inspect-size 6 / window 3, Content-Length 5,
 *       chunks header + "c" + "de") with content:"bcde"; offset:1; depth:4 —
 *       here the "de" chunk is flagged 1 (presumably the expected-match chunk;
 *       struct TestSteps not visible, confirm). Lines between the
 *       Content-Length header and the end of the header step are missing from
 *       this extraction.
 */
3469 static int DetectEngineHttpServerBodyFileDataTest11(
void)
3472 const char yaml[] =
"\
3479 http-body-inline: yes\n\
3480 response-body-minimal-inspect-size: 6\n\
3481 response-body-inspect-window: 3\n\
3485 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3486 "Host: www.openinfosecfoundation.org\r\n"
3487 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3489 0, STREAM_TOSERVER, 0 },
3490 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3491 "Content-Type: text/html\r\n"
3492 "Content-Length: 5\r\n"
3495 0, STREAM_TOCLIENT, 0 },
3496 { (
const uint8_t *)
"c",
3497 0, STREAM_TOCLIENT, 0 },
3498 { (
const uint8_t *)
"de",
3499 0, STREAM_TOCLIENT, 1 },
3503 const char *sig =
"alert http any any -> any any (file_data; content:\"bcde\"; offset:1; depth:4; sid:1;)";
3504 return RunTest(steps, sig, yaml);
/**
 * \test One-byte body chunks: minimal-inspect-size 6 / window 3,
 *       Content-Length 13, chunks header + "b" + "c" + "d" + "efghijklm".
 *       Signature content:"abcd" — the "d" chunk is flagged 1 (presumably the
 *       expected-match chunk; struct TestSteps not visible, confirm). Lines
 *       between the Content-Length header and the end of the header step are
 *       missing from this extraction.
 */
3507 static int DetectEngineHttpServerBodyFileDataTest12(
void)
3510 const char yaml[] =
"\
3517 http-body-inline: yes\n\
3518 response-body-minimal-inspect-size: 6\n\
3519 response-body-inspect-window: 3\n\
3523 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3524 "Host: www.openinfosecfoundation.org\r\n"
3525 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3527 0, STREAM_TOSERVER, 0 },
3528 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3529 "Content-Type: text/html\r\n"
3530 "Content-Length: 13\r\n"
3533 0, STREAM_TOCLIENT, 0 },
3534 { (
const uint8_t *)
"b",
3535 0, STREAM_TOCLIENT, 0 },
3536 { (
const uint8_t *)
"c",
3537 0, STREAM_TOCLIENT, 0 },
3538 { (
const uint8_t *)
"d",
3539 0, STREAM_TOCLIENT, 1 },
3540 { (
const uint8_t *)
"efghijklm",
3541 0, STREAM_TOCLIENT, 0 },
3545 const char *sig =
"alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
3546 return RunTest(steps, sig, yaml);
/**
 * \test Larger window: minimal-inspect-size 9 / window 12, Content-Length 13,
 *       chunks header + "b" + "c" + "d" + "efghijklm". Signature asks for the
 *       full 13-byte body, content:"abcdefghijklm"; the last chunk is flagged 1
 *       (presumably the expected-match chunk; struct TestSteps not visible,
 *       confirm). Lines between the Content-Length header and the end of the
 *       header step are missing from this extraction.
 */
3549 static int DetectEngineHttpServerBodyFileDataTest13(
void)
3552 const char yaml[] =
"\
3559 http-body-inline: yes\n\
3560 response-body-minimal-inspect-size: 9\n\
3561 response-body-inspect-window: 12\n\
3565 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3566 "Host: www.openinfosecfoundation.org\r\n"
3567 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3569 0, STREAM_TOSERVER, 0 },
3570 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3571 "Content-Type: text/html\r\n"
3572 "Content-Length: 13\r\n"
3575 0, STREAM_TOCLIENT, 0 },
3576 { (
const uint8_t *)
"b",
3577 0, STREAM_TOCLIENT, 0 },
3578 { (
const uint8_t *)
"c",
3579 0, STREAM_TOCLIENT, 0 },
3580 { (
const uint8_t *)
"d",
3581 0, STREAM_TOCLIENT, 0 },
3582 { (
const uint8_t *)
"efghijklm",
3583 0, STREAM_TOCLIENT, 1 },
3587 const char *sig =
"alert http any any -> any any (file_data; content:\"abcdefghijklm\"; sid:1;)";
3588 return RunTest(steps, sig, yaml);
/**
 * \test minimal-inspect-size 9 / window 12, Content-Length 20, body delivered
 *       as header chunk + "abcdefghi". Signature content:"890abcdefghi", so the
 *       first body bytes must have been carried in the header chunk (those
 *       lines are missing from this extraction — confirm). The "abcdefghi"
 *       chunk is flagged 1 (presumably the expected-match chunk; struct
 *       TestSteps not visible, confirm).
 */
3591 static int DetectEngineHttpServerBodyFileDataTest14(
void)
3594 const char yaml[] =
"\
3601 http-body-inline: yes\n\
3602 response-body-minimal-inspect-size: 9\n\
3603 response-body-inspect-window: 12\n\
3607 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3608 "Host: www.openinfosecfoundation.org\r\n"
3609 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3611 0, STREAM_TOSERVER, 0 },
3612 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3613 "Content-Type: text/html\r\n"
3614 "Content-Length: 20\r\n"
3617 0, STREAM_TOCLIENT, 0 },
3618 { (
const uint8_t *)
"abcdefghi",
3619 0, STREAM_TOCLIENT, 1 },
3623 const char *sig =
"alert http any any -> any any (file_data; content:\"890abcdefghi\"; sid:1;)";
3624 return RunTest(steps, sig, yaml);
/**
 * \test Same setup as Test14 (minimal-inspect-size 9 / window 12,
 *       Content-Length 20, header chunk + "abcdefghi") with content:"7890ab";
 *       depth:6. No visible step is flagged 1, so this reads as a negative
 *       test (depth:6 should keep the pattern from matching) — confirm against
 *       struct TestSteps / RunTest, which are not visible here. Lines between
 *       the Content-Length header and the end of the header step are missing
 *       from this extraction.
 */
3627 static int DetectEngineHttpServerBodyFileDataTest15(
void)
3630 const char yaml[] =
"\
3637 http-body-inline: yes\n\
3638 response-body-minimal-inspect-size: 9\n\
3639 response-body-inspect-window: 12\n\
3643 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3644 "Host: www.openinfosecfoundation.org\r\n"
3645 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3647 0, STREAM_TOSERVER, 0 },
3648 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3649 "Content-Type: text/html\r\n"
3650 "Content-Length: 20\r\n"
3653 0, STREAM_TOCLIENT, 0 },
3654 { (
const uint8_t *)
"abcdefghi",
3655 0, STREAM_TOCLIENT, 0 },
3659 const char *sig =
"alert http any any -> any any (file_data; content:\"7890ab\"; depth:6; sid:1;)";
3660 return RunTest(steps, sig, yaml);
/**
 * \test minimal-inspect-size 9 / window 12, Content-Length 20, chunks header +
 *       "bbbbc" + "ccccd" + "dddde". Signature content:"aabb"; depth:4. No
 *       visible step is flagged 1, so this appears to be a negative test —
 *       confirm against struct TestSteps / RunTest (not visible). The first
 *       body bytes, if any were sent with the headers, are in lines missing
 *       from this extraction.
 */
3663 static int DetectEngineHttpServerBodyFileDataTest16(
void)
3666 const char yaml[] =
"\
3673 http-body-inline: yes\n\
3674 response-body-minimal-inspect-size: 9\n\
3675 response-body-inspect-window: 12\n\
3679 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3680 "Host: www.openinfosecfoundation.org\r\n"
3681 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3683 0, STREAM_TOSERVER, 0 },
3684 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3685 "Content-Type: text/html\r\n"
3686 "Content-Length: 20\r\n"
3689 0, STREAM_TOCLIENT, 0 },
3690 { (
const uint8_t *)
"bbbbc",
3691 0, STREAM_TOCLIENT, 0 },
3692 { (
const uint8_t *)
"ccccd",
3693 0, STREAM_TOCLIENT, 0 },
3694 { (
const uint8_t *)
"dddde",
3695 0, STREAM_TOCLIENT, 0 },
3699 const char *sig =
"alert http any any -> any any (file_data; content:\"aabb\"; depth:4; sid:1;)";
3700 return RunTest(steps, sig, yaml);
/**
 * \test Window smaller than the minimal inspect size: minimal-inspect-size 8 /
 *       window 4, Content-Length 20, chunks header + "bbbbc" + "ccccd" +
 *       "dddde". Signature content:"bbbc"; depth:4. No visible step is flagged
 *       1, so this appears to be a negative test — confirm against struct
 *       TestSteps / RunTest (not visible). Lines between the Content-Length
 *       header and the end of the header step are missing from this
 *       extraction.
 */
3703 static int DetectEngineHttpServerBodyFileDataTest17(
void)
3706 const char yaml[] =
"\
3713 http-body-inline: yes\n\
3714 response-body-minimal-inspect-size: 8\n\
3715 response-body-inspect-window: 4\n\
3719 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3720 "Host: www.openinfosecfoundation.org\r\n"
3721 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3723 0, STREAM_TOSERVER, 0 },
3724 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3725 "Content-Type: text/html\r\n"
3726 "Content-Length: 20\r\n"
3729 0, STREAM_TOCLIENT, 0 },
3730 { (
const uint8_t *)
"bbbbc",
3731 0, STREAM_TOCLIENT, 0 },
3732 { (
const uint8_t *)
"ccccd",
3733 0, STREAM_TOCLIENT, 0 },
3734 { (
const uint8_t *)
"dddde",
3735 0, STREAM_TOCLIENT, 0 },
3739 const char *sig =
"alert http any any -> any any (file_data; content:\"bbbc\"; depth:4; sid:1;)";
3740 return RunTest(steps, sig, yaml);
/**
 * \test As Test17 (minimal-inspect-size 8 / window 4, Content-Length 20,
 *       chunks header + "bbbbc" + "ccccd" + "dddde") with content:"bccd";
 *       depth:4, a pattern straddling the first two body chunks. No visible
 *       step is flagged 1, so this appears to be a negative test — confirm
 *       against struct TestSteps / RunTest (not visible). Lines between the
 *       Content-Length header and the end of the header step are missing from
 *       this extraction.
 */
3743 static int DetectEngineHttpServerBodyFileDataTest18(
void)
3746 const char yaml[] =
"\
3753 http-body-inline: yes\n\
3754 response-body-minimal-inspect-size: 8\n\
3755 response-body-inspect-window: 4\n\
3759 { (
const uint8_t *)
"GET /index.html HTTP/1.0\r\n"
3760 "Host: www.openinfosecfoundation.org\r\n"
3761 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3763 0, STREAM_TOSERVER, 0 },
3764 { (
const uint8_t *)
"HTTP/1.0 200 ok\r\n"
3765 "Content-Type: text/html\r\n"
3766 "Content-Length: 20\r\n"
3769 0, STREAM_TOCLIENT, 0 },
3770 { (
const uint8_t *)
"bbbbc",
3771 0, STREAM_TOCLIENT, 0 },
3772 { (
const uint8_t *)
"ccccd",
3773 0, STREAM_TOCLIENT, 0 },
3774 { (
const uint8_t *)
"dddde",
3775 0, STREAM_TOCLIENT, 0 },
3779 const char *sig =
"alert http any any -> any any (file_data; content:\"bccd\"; depth:4; sid:1;)";
3780 return RunTest(steps, sig, yaml);
/**
 * \test SWF decompression, CWS input expected to be seen as FWS.
 *       swf-decompression is configured with compress-depth 0 /
 *       decompress-depth 0 (the keys between them, presumably enabled/type,
 *       are missing from this extraction). The response is
 *       application/x-shockwave-flash, Content-Length 80, body of exactly 80
 *       bytes beginning 0x43 0x57 0x53 ("CWS") + version byte 0x0a. The
 *       signature looks for "FWS" via file_data, i.e. it appears to expect the
 *       decompressed header; the assertions themselves are not visible here.
 * NOTE(review): the status line bytes read "HTTP/1.1 200ok" with nothing
 *       between '0' and 'o' — check whether a ' ' element was lost in
 *       extraction or the test deliberately feeds a malformed status line.
 */
3782 static int DetectEngineHttpServerBodyFileDataTest19(
void)
3791 swf-decompression:\n\
3794 compress-depth: 0\n\
3795 decompress-depth: 0\n\
3810 uint8_t http_buf1[] =
3811 "GET /file.swf HTTP/1.0\r\n"
3812 "Host: www.openinfosecfoundation.org\r\n"
3813 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3815 uint32_t http_len1 =
sizeof(http_buf1) - 1;
3816 uint8_t http_buf2[] = {
3817 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
3818 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'8',
'0', 0x0d, 0x0a,
3819 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'T',
'y',
'p',
'e',
':',
' ',
3820 'a',
'p',
'p',
'l',
'i',
'c',
'a',
't',
'i',
'o',
'n',
'/',
'x',
'-',
's',
'h',
'o',
'c',
'k',
'w',
'a',
'v',
'e',
'-',
'f',
'l',
'a',
's',
'h', 0x0d, 0x0a,
/* body: 5 x 16 = 80 bytes, matching Content-Length; starts "CWS" 0x0a */
3822 0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
3823 0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
3824 0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
3825 0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
3826 0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
/* raw byte array, no terminator: no "- 1" here, unlike http_len1 */
3828 uint32_t http_len2 =
sizeof(http_buf2);
3832 memset(&th_v, 0,
sizeof(th_v));
3833 memset(&f, 0,
sizeof(f));
3834 memset(&ssn, 0,
sizeof(ssn));
3841 f.
proto = IPPROTO_TCP;
/* signature fragment; the rule's start, end and the match checks are not visible */
3862 "(flow:established,from_server; "
3863 "file_data; content:\"FWS\"; "
/**
 * \test SWF decompression counterpart of Test19: identical request, response
 *       (application/x-shockwave-flash, Content-Length 80, 80-byte body
 *       starting "CWS" 0x0a) and compress-depth 0 / decompress-depth 0, but the
 *       signature looks for the literal compressed header "CWS". Presumably
 *       decompression is switched off or inapplicable in this configuration;
 *       the config keys that would tell (between swf-decompression: and
 *       compress-depth) are missing from this extraction, as are the match
 *       checks.
 * NOTE(review): status line bytes read "HTTP/1.1 200ok" (no byte between '0'
 *       and 'o') — confirm whether a ' ' element was lost in extraction.
 */
3906 static int DetectEngineHttpServerBodyFileDataTest20(
void)
3915 swf-decompression:\n\
3918 compress-depth: 0\n\
3919 decompress-depth: 0\n\
3937 uint8_t http_buf1[] =
3938 "GET /file.swf HTTP/1.0\r\n"
3939 "Host: www.openinfosecfoundation.org\r\n"
3940 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3942 uint32_t http_len1 =
sizeof(http_buf1) - 1;
3943 uint8_t http_buf2[] = {
3944 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
3945 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'8',
'0', 0x0d, 0x0a,
3946 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'T',
'y',
'p',
'e',
':',
' ',
3947 'a',
'p',
'p',
'l',
'i',
'c',
'a',
't',
'i',
'o',
'n',
'/',
'x',
'-',
's',
'h',
'o',
'c',
'k',
'w',
'a',
'v',
'e',
'-',
'f',
'l',
'a',
's',
'h', 0x0d, 0x0a,
/* body: 5 x 16 = 80 bytes, matching Content-Length; starts "CWS" 0x0a */
3949 0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
3950 0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
3951 0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
3952 0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
3953 0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
3955 uint32_t http_len2 =
sizeof(http_buf2);
3959 memset(&th_v, 0,
sizeof(th_v));
3960 memset(&f, 0,
sizeof(f));
3961 memset(&ssn, 0,
sizeof(ssn));
3968 f.
proto = IPPROTO_TCP;
/* signature fragment; the rule's start, end and the match checks are not visible */
3989 "(flow:established,from_server; "
3990 "file_data; content:\"CWS\"; "
/**
 * \test SWF decompression, CWS input expected as FWS (same payload as Test19:
 *       application/x-shockwave-flash, Content-Length 80, 80-byte body starting
 *       "CWS" 0x0a; compress-depth 0 / decompress-depth 0). What differs from
 *       Test19 must lie in the config keys or checks that are missing from this
 *       extraction — confirm against the full source.
 * NOTE(review): status line bytes read "HTTP/1.1 200ok" (no byte between '0'
 *       and 'o') — confirm whether a ' ' element was lost in extraction.
 */
4033 static int DetectEngineHttpServerBodyFileDataTest21(
void)
4042 swf-decompression:\n\
4045 compress-depth: 0\n\
4046 decompress-depth: 0\n\
4064 uint8_t http_buf1[] =
4065 "GET /file.swf HTTP/1.0\r\n"
4066 "Host: www.openinfosecfoundation.org\r\n"
4067 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4069 uint32_t http_len1 =
sizeof(http_buf1) - 1;
4070 uint8_t http_buf2[] = {
4071 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
4072 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'8',
'0', 0x0d, 0x0a,
4073 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'T',
'y',
'p',
'e',
':',
' ',
4074 'a',
'p',
'p',
'l',
'i',
'c',
'a',
't',
'i',
'o',
'n',
'/',
'x',
'-',
's',
'h',
'o',
'c',
'k',
'w',
'a',
'v',
'e',
'-',
'f',
'l',
'a',
's',
'h', 0x0d, 0x0a,
/* body: 5 x 16 = 80 bytes, matching Content-Length; starts "CWS" 0x0a */
4076 0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4077 0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4078 0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4079 0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4080 0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4082 uint32_t http_len2 =
sizeof(http_buf2);
4086 memset(&th_v, 0,
sizeof(th_v));
4087 memset(&f, 0,
sizeof(f));
4088 memset(&ssn, 0,
sizeof(ssn));
4095 f.
proto = IPPROTO_TCP;
/* signature fragment; the rule's start, end and the match checks are not visible */
4116 "(flow:established,from_server; "
4117 "file_data; content:\"FWS\"; "
/**
 * \test SWF decompression, CWS input with the signature looking for the
 *       literal "CWS" header (same payload as Test20: application/
 *       x-shockwave-flash, Content-Length 80, 80-byte body starting "CWS" 0x0a;
 *       compress-depth 0 / decompress-depth 0). The config keys and checks that
 *       distinguish it from Test20 are missing from this extraction.
 * NOTE(review): status line bytes read "HTTP/1.1 200ok" (no byte between '0'
 *       and 'o') — confirm whether a ' ' element was lost in extraction.
 */
4160 static int DetectEngineHttpServerBodyFileDataTest22(
void)
4169 swf-decompression:\n\
4172 compress-depth: 0\n\
4173 decompress-depth: 0\n\
4191 uint8_t http_buf1[] =
4192 "GET /file.swf HTTP/1.0\r\n"
4193 "Host: www.openinfosecfoundation.org\r\n"
4194 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4196 uint32_t http_len1 =
sizeof(http_buf1) - 1;
4197 uint8_t http_buf2[] = {
4198 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
4199 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'8',
'0', 0x0d, 0x0a,
4200 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'T',
'y',
'p',
'e',
':',
' ',
4201 'a',
'p',
'p',
'l',
'i',
'c',
'a',
't',
'i',
'o',
'n',
'/',
'x',
'-',
's',
'h',
'o',
'c',
'k',
'w',
'a',
'v',
'e',
'-',
'f',
'l',
'a',
's',
'h', 0x0d, 0x0a,
/* body: 5 x 16 = 80 bytes, matching Content-Length; starts "CWS" 0x0a */
4203 0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4204 0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4205 0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4206 0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4207 0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4209 uint32_t http_len2 =
sizeof(http_buf2);
4213 memset(&th_v, 0,
sizeof(th_v));
4214 memset(&f, 0,
sizeof(f));
4215 memset(&ssn, 0,
sizeof(ssn));
4222 f.
proto = IPPROTO_TCP;
/* signature fragment; the rule's start, end and the match checks are not visible */
4243 "(flow:established,from_server; "
4244 "file_data; content:\"CWS\"; "
/**
 * \test SWF decompression with an unusual version byte: the 80-byte body
 *       starts 0x43 0x57 0x53 0x01 ("CWS" + version 1) instead of the 0x0a
 *       used by Test19–22, everything else (application/x-shockwave-flash,
 *       Content-Length 80, compress-depth 0 / decompress-depth 0) is the same.
 *       The signature looks for the literal "CWS", so presumably this input is
 *       expected not to be decompressed — confirm against the checks, which
 *       are missing from this extraction.
 * NOTE(review): status line bytes read "HTTP/1.1 200ok" (no byte between '0'
 *       and 'o') — confirm whether a ' ' element was lost in extraction.
 */
4287 static int DetectEngineHttpServerBodyFileDataTest23(
void)
4296 swf-decompression:\n\
4299 compress-depth: 0\n\
4300 decompress-depth: 0\n\
4318 uint8_t http_buf1[] =
4319 "GET /file.swf HTTP/1.0\r\n"
4320 "Host: www.openinfosecfoundation.org\r\n"
4321 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4323 uint32_t http_len1 =
sizeof(http_buf1) - 1;
4324 uint8_t http_buf2[] = {
4325 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
4326 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'8',
'0', 0x0d, 0x0a,
4327 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'T',
'y',
'p',
'e',
':',
' ',
4328 'a',
'p',
'p',
'l',
'i',
'c',
'a',
't',
'i',
'o',
'n',
'/',
'x',
'-',
's',
'h',
'o',
'c',
'k',
'w',
'a',
'v',
'e',
'-',
'f',
'l',
'a',
's',
'h', 0x0d, 0x0a,
/* body: 80 bytes; "CWS" followed by version byte 0x01 (cf. 0x0a in Test19) */
4330 0x43, 0x57, 0x53, 0x01, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4331 0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4332 0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4333 0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4334 0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4336 uint32_t http_len2 =
sizeof(http_buf2);
4340 memset(&th_v, 0,
sizeof(th_v));
4341 memset(&f, 0,
sizeof(f));
4342 memset(&ssn, 0,
sizeof(ssn));
4349 f.
proto = IPPROTO_TCP;
/* signature fragment; the rule's start, end and the match checks are not visible */
4370 "(flow:established,from_server; "
4371 "file_data; content:\"CWS\"; "
/**
 * \test SWF decompression, ZWS input expected as FWS. The response is
 *       application/octet-stream, Content-Length 103, with a 103-byte body
 *       (6 x 16 + 7) beginning 0x5a 0x57 0x53 ("ZWS") + version byte 0x17;
 *       compress-depth 0 / decompress-depth 0. The signature looks for "FWS"
 *       via file_data, i.e. it appears to expect the decompressed header; the
 *       remaining config keys and the match checks are missing from this
 *       extraction.
 * NOTE(review): status line bytes read "HTTP/1.1 200ok" (no byte between '0'
 *       and 'o') — confirm whether a ' ' element was lost in extraction.
 */
4414 static int DetectEngineHttpServerBodyFileDataTest24(
void)
4423 swf-decompression:\n\
4426 compress-depth: 0\n\
4427 decompress-depth: 0\n\
4445 uint8_t http_buf1[] =
4446 "GET /file.swf HTTP/1.0\r\n"
4447 "Host: www.openinfosecfoundation.org\r\n"
4448 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4450 uint32_t http_len1 =
sizeof(http_buf1) - 1;
4451 uint8_t http_buf2[] = {
4452 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
4453 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'1',
'0',
'3', 0x0d, 0x0a,
4454 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'T',
'y',
'p',
'e',
':',
' ',
4455 'a',
'p',
'p',
'l',
'i',
'c',
'a',
't',
'i',
'o',
'n',
'/',
'o',
'c',
't',
'e',
't',
'-',
's',
't',
'r',
'e',
'a',
'm', 0x0d, 0x0a,
/* body: 103 bytes, matching Content-Length; starts "ZWS" 0x17 */
4457 0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4458 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4459 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
4460 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
4461 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
4462 0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
4463 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4465 uint32_t http_len2 =
sizeof(http_buf2);
4469 memset(&th_v, 0,
sizeof(th_v));
4470 memset(&f, 0,
sizeof(f));
4471 memset(&ssn, 0,
sizeof(ssn));
4478 f.
proto = IPPROTO_TCP;
/* signature fragment; the rule's start, end and the match checks are not visible */
4500 "(flow:established,from_server; "
4501 "file_data; content:\"FWS\"; "
/**
 * \test SWF decompression counterpart of Test24: the same 103-byte ZWS body
 *       (application/octet-stream, Content-Length 103, "ZWS" + version 0x17;
 *       compress-depth 0 / decompress-depth 0), but the signature looks for the
 *       literal compressed header "ZWS". Presumably decompression is disabled
 *       or inapplicable here; the config keys that would tell and the match
 *       checks are missing from this extraction.
 * NOTE(review): status line bytes read "HTTP/1.1 200ok" (no byte between '0'
 *       and 'o') — confirm whether a ' ' element was lost in extraction.
 */
4544 static int DetectEngineHttpServerBodyFileDataTest25(
void)
4553 swf-decompression:\n\
4556 compress-depth: 0\n\
4557 decompress-depth: 0\n\
4575 uint8_t http_buf1[] =
4576 "GET /file.swf HTTP/1.0\r\n"
4577 "Host: www.openinfosecfoundation.org\r\n"
4578 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4580 uint32_t http_len1 =
sizeof(http_buf1) - 1;
4581 uint8_t http_buf2[] = {
4582 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
4583 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'1',
'0',
'3', 0x0d, 0x0a,
4584 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'T',
'y',
'p',
'e',
':',
' ',
4585 'a',
'p',
'p',
'l',
'i',
'c',
'a',
't',
'i',
'o',
'n',
'/',
'o',
'c',
't',
'e',
't',
'-',
's',
't',
'r',
'e',
'a',
'm', 0x0d, 0x0a,
/* body: 103 bytes (4 x 23 + 11), same bytes as Test24, laid out 23 per row */
4587 0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19,
4588 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05,
4589 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2,
4590 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0, 0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59,
4591 0x56, 0x06, 0x08, 0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4593 uint32_t http_len2 =
sizeof(http_buf2);
4597 memset(&th_v, 0,
sizeof(th_v));
4598 memset(&f, 0,
sizeof(f));
4599 memset(&ssn, 0,
sizeof(ssn));
4606 f.
proto = IPPROTO_TCP;
/* signature fragment; the rule's start, end and the match checks are not visible */
4627 "(flow:established,from_server; "
4628 "file_data; content:\"ZWS\"; "
/**
 * \test SWF decompression, ZWS input expected as FWS (same 103-byte payload as
 *       Test24: application/octet-stream, Content-Length 103, "ZWS" + version
 *       0x17; compress-depth 0 / decompress-depth 0). What separates it from
 *       Test24 must lie in the config keys or checks missing from this
 *       extraction — confirm against the full source.
 * NOTE(review): status line bytes read "HTTP/1.1 200ok" (no byte between '0'
 *       and 'o') — confirm whether a ' ' element was lost in extraction.
 */
4671 static int DetectEngineHttpServerBodyFileDataTest26(
void)
4680 swf-decompression:\n\
4683 compress-depth: 0\n\
4684 decompress-depth: 0\n\
4702 uint8_t http_buf1[] =
4703 "GET /file.swf HTTP/1.0\r\n"
4704 "Host: www.openinfosecfoundation.org\r\n"
4705 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4707 uint32_t http_len1 =
sizeof(http_buf1) - 1;
4708 uint8_t http_buf2[] = {
4709 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
4710 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'1',
'0',
'3', 0x0d, 0x0a,
4711 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'T',
'y',
'p',
'e',
':',
' ',
4712 'a',
'p',
'p',
'l',
'i',
'c',
'a',
't',
'i',
'o',
'n',
'/',
'o',
'c',
't',
'e',
't',
'-',
's',
't',
'r',
'e',
'a',
'm', 0x0d, 0x0a,
/* body: 103 bytes, matching Content-Length; starts "ZWS" 0x17 */
4714 0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4715 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4716 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
4717 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
4718 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
4719 0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
4720 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4722 uint32_t http_len2 =
sizeof(http_buf2);
4726 memset(&th_v, 0,
sizeof(th_v));
4727 memset(&f, 0,
sizeof(f));
4728 memset(&ssn, 0,
sizeof(ssn));
4735 f.
proto = IPPROTO_TCP;
/* signature fragment; the rule's start, end and the match checks are not visible */
4756 "(flow:established,from_server; "
4757 "file_data; content:\"FWS\"; "
/**
 * \test SWF decompression with a malformed ZWS body: application/octet-stream,
 *       Content-Length 80, 80-byte body starting "ZWS" + version 0x17, but the
 *       third data row repeats the tail of the second, so this is not the
 *       103-byte stream used by Test24–26. The signature looks for the literal
 *       "ZWS", i.e. the body is presumably expected to survive undecompressed
 *       — confirm against the checks, which are missing from this extraction
 *       (compress-depth 0 / decompress-depth 0 as in the other SWF tests).
 * NOTE(review): status line bytes read "HTTP/1.1 200ok" (no byte between '0'
 *       and 'o') — confirm whether a ' ' element was lost in extraction.
 */
4800 static int DetectEngineHttpServerBodyFileDataTest27(
void)
4809 swf-decompression:\n\
4812 compress-depth: 0\n\
4813 decompress-depth: 0\n\
4831 uint8_t http_buf1[] =
4832 "GET /file.swf HTTP/1.0\r\n"
4833 "Host: www.openinfosecfoundation.org\r\n"
4834 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4836 uint32_t http_len1 =
sizeof(http_buf1) - 1;
4837 uint8_t http_buf2[] = {
4838 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
4839 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'8',
'0', 0x0d, 0x0a,
4840 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'T',
'y',
'p',
'e',
':',
' ',
4841 'a',
'p',
'p',
'l',
'i',
'c',
'a',
't',
'i',
'o',
'n',
'/',
'o',
'c',
't',
'e',
't',
'-',
's',
't',
'r',
'e',
'a',
'm', 0x0d, 0x0a,
/* body: 5 x 16 = 80 bytes; "ZWS" 0x17, rows 2-3 overlap (deliberately broken stream?) */
4843 0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4844 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4845 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
4846 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
4847 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
4849 uint32_t http_len2 =
sizeof(http_buf2);
4853 memset(&th_v, 0,
sizeof(th_v));
4854 memset(&f, 0,
sizeof(f));
4855 memset(&ssn, 0,
sizeof(ssn));
4862 f.
proto = IPPROTO_TCP;
/* signature fragment; the rule's start, end and the match checks are not visible */
4883 "(flow:established,from_server; "
4884 "file_data; content:\"ZWS\"; "
/**
 * \test As Test27 (application/octet-stream, Content-Length 80, the same
 *       80-byte body with overlapping rows, compress-depth 0 /
 *       decompress-depth 0) but with the version byte set to 0x01 after "ZWS"
 *       instead of 0x17. The signature looks for the literal "ZWS"; presumably
 *       this input is expected not to be decompressed — confirm against the
 *       checks, which are missing from this extraction.
 * NOTE(review): status line bytes read "HTTP/1.1 200ok" (no byte between '0'
 *       and 'o') — confirm whether a ' ' element was lost in extraction.
 */
4927 static int DetectEngineHttpServerBodyFileDataTest28(
void)
4936 swf-decompression:\n\
4939 compress-depth: 0\n\
4940 decompress-depth: 0\n\
4958 uint8_t http_buf1[] =
4959 "GET /file.swf HTTP/1.0\r\n"
4960 "Host: www.openinfosecfoundation.org\r\n"
4961 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4963 uint32_t http_len1 =
sizeof(http_buf1) - 1;
4964 uint8_t http_buf2[] = {
4965 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
4966 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'8',
'0', 0x0d, 0x0a,
4967 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'T',
'y',
'p',
'e',
':',
' ',
4968 'a',
'p',
'p',
'l',
'i',
'c',
'a',
't',
'i',
'o',
'n',
'/',
'o',
'c',
't',
'e',
't',
'-',
's',
't',
'r',
'e',
'a',
'm', 0x0d, 0x0a,
/* body: 80 bytes; "ZWS" followed by version byte 0x01 (cf. 0x17 in Test27) */
4970 0x5a, 0x57, 0x53, 0x01, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4971 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4972 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
4973 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
4974 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
4976 uint32_t http_len2 =
sizeof(http_buf2);
4980 memset(&th_v, 0,
sizeof(th_v));
4981 memset(&f, 0,
sizeof(f));
4982 memset(&ssn, 0,
sizeof(ssn));
4989 f.
proto = IPPROTO_TCP;
/* signature fragment; the rule's start, end and the match checks are not visible */
5010 "(flow:established,from_server; "
5011 "file_data; content:\"ZWS\"; "
/**
 * \test SWF decompression with a non-zero compress-depth: compress-depth 1000
 *       / decompress-depth 0 (the only SWF test here that does not use 0 for
 *       both). Payload as in Test19: application/x-shockwave-flash,
 *       Content-Length 80, 80-byte body starting "CWS" 0x0a; the signature
 *       looks for "FWS" via file_data, i.e. it appears to expect the
 *       decompressed header. The remaining config keys and the match checks
 *       are missing from this extraction.
 * NOTE(review): status line bytes read "HTTP/1.1 200ok" (no byte between '0'
 *       and 'o') — confirm whether a ' ' element was lost in extraction.
 */
5054 static int DetectEngineHttpServerBodyFileDataTest29(
void)
5063 swf-decompression:\n\
5066 compress-depth: 1000\n\
5067 decompress-depth: 0\n\
5084 uint8_t http_buf1[] =
5085 "GET /file.swf HTTP/1.0\r\n"
5086 "Host: www.openinfosecfoundation.org\r\n"
5087 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5089 uint32_t http_len1 =
sizeof(http_buf1) - 1;
5090 uint8_t http_buf2[] = {
5091 'H',
'T',
'T',
'P',
'/',
'1',
'.',
'1',
' ',
'2',
'0',
'0',
'o',
'k', 0x0d, 0x0a,
5092 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'L',
'e',
'n',
'g',
't',
'h',
':',
' ',
'8',
'0', 0x0d, 0x0a,
5093 'C',
'o',
'n',
't',
'e',
'n',
't',
'-',
'T',
'y',
'p',
'e',
':',
' ',
5094 'a',
'p',
'p',
'l',
'i',
'c',
'a',
't',
'i',
'o',
'n',
'/',
'x',
'-',
's',
'h',
'o',
'c',
'k',
'w',
'a',
'v',
'e',
'-',
'f',
'l',
'a',
's',
'h', 0x0d, 0x0a,
/* body: 5 x 16 = 80 bytes, matching Content-Length; starts "CWS" 0x0a */
5096 0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
5097 0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
5098 0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
5099 0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
5100 0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
5102 uint32_t http_len2 =
sizeof(http_buf2);
5106 memset(&th_v, 0,
sizeof(th_v));
5107 memset(&f, 0,
sizeof(f));
5108 memset(&ssn, 0,
sizeof(ssn));
5115 f.
proto = IPPROTO_TCP;
/* signature fragment; the rule's start, end and the match checks are not visible */
5136 "(flow:established,from_server; "
5137 "file_data; content:\"FWS\"; "
/**
 * \test http_server_body match on a complete response delivered in one go:
 *       request and response are each fed as a single
 *       STREAM_START|STREAM_EOF chunk. Content-Length 7 lines up with the
 *       7-byte signature content "message", and sid 1 is expected to match
 *       ("sid 1 didn't match but should have"). The response body bytes, the
 *       parser calls' left-hand sides and the final checks are missing from
 *       this extraction.
 */
5184 static int DetectHttpServerBodyTest06(
void)
5193 uint8_t http_buf[] =
5194 "GET /index.html HTTP/1.0\r\n"
5195 "Host: www.openinfosecfoundation.org\r\n"
5196 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
/* string literal: drop the implicit NUL terminator from the length */
5198 uint32_t http_len =
sizeof(http_buf) - 1;
5199 uint8_t http_buf2[] =
5200 "HTTP/1.0 200 ok\r\n"
5201 "Content-Type: text/html\r\n"
5202 "Content-Length: 7\r\n"
5205 uint32_t http_len2 =
sizeof(http_buf2) - 1;
5209 memset(&th_v, 0,
sizeof(th_v));
5210 memset(&f, 0,
sizeof(f));
5211 memset(&ssn, 0,
sizeof(ssn));
5217 f.
proto = IPPROTO_TCP;
/* signature fragment; start/end of the rule are not visible */
5235 "(msg:\"http server body test\"; "
5236 "content:\"message\"; http_server_body; "
5245 STREAM_TOSERVER | STREAM_START | STREAM_EOF, http_buf, http_len);
5247 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5252 STREAM_TOCLIENT | STREAM_START | STREAM_EOF, http_buf2, http_len2);
/* NOTE(review): this diagnostic follows the STREAM_TOCLIENT call but still
 * says "toserver chunk 1" — copy-paste from the request path; it should
 * read "toclient chunk 1" so a failure points at the right direction. */
5254 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5260 if (http_state == NULL) {
5261 printf(
"no http state: \n");
5270 printf(
"sid 1 didn't match but should have: ");
/**
 * \test http_server_body match across a split response: Content-Length 14,
 *       headers in http_buf2 and the remainder in http_buf3 (its contents are
 *       missing from this extraction). Signature content "message" must NOT
 *       match after the second chunk ("sid 1 matched on chunk2 but shouldn't
 *       have") and MUST match after the third ("... (chunk3) but should have").
 *       The parser calls, their direction flags and the packet handling for
 *       chunk 3 are missing from this extraction.
 * NOTE(review): the chunk 2/3 diagnostics say "toserver"; if those calls
 *       carry STREAM_TOCLIENT (as the response data suggests) the messages
 *       should say "toclient" — confirm against the full source.
 */
5291 static int DetectHttpServerBodyTest07(
void)
5301 uint8_t http_buf1[] =
5302 "GET /index.html HTTP/1.0\r\n"
5303 "Host: www.openinfosecfoundation.org\r\n"
5304 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
/* string literals: drop the implicit NUL terminator from each length */
5306 uint32_t http_len1 =
sizeof(http_buf1) - 1;
5307 uint8_t http_buf2[] =
5308 "HTTP/1.0 200 ok\r\n"
5309 "Content-Type: text/html\r\n"
5310 "Content-Length: 14\r\n"
5312 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* third chunk's initializer is missing from this extraction */
5313 uint8_t http_buf3[] =
5315 uint32_t http_len3 =
sizeof(http_buf3) - 1;
5319 memset(&th_v, 0,
sizeof(th_v));
5320 memset(&f, 0,
sizeof(f));
5321 memset(&ssn, 0,
sizeof(ssn));
5328 f.
proto = IPPROTO_TCP;
/* signature fragment; start/end of the rule are not visible */
5351 "(msg:\"http server body test\"; "
5352 "content:\"message\"; http_server_body; "
5361 http_buf1, http_len1);
5363 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5368 http_buf2, http_len2);
5370 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
5375 if (http_state == NULL) {
5376 printf(
"no http state: ");
/* negative check: body incomplete after chunk 2 */
5384 printf(
"sid 1 matched on chunk2 but shouldn't have: ");
5391 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
/* positive check: body complete after chunk 3 */
5398 printf(
"sid 1 didn't match on p2 (chunk3) but should have: ");
/*
 * Unit test: http_server_body match across a chunked response body.
 * Request (http_buf1), response headers with a 14 byte body (http_buf2),
 * then a further body chunk (http_buf3; bytes elided in this listing). Unlike
 * Test07 the HTTP state is checked right after the request is parsed. Per the
 * diagnostics, sid 1 (content "message") must not match after http_buf2 and
 * must match after the last chunk. Returns the unit-test verdict; parse
 * calls, match checks and cleanup are elided in this listing.
 */
5420 static int DetectHttpServerBodyTest08(
void)
5430 uint8_t http_buf1[] =
5431 "GET /index.html HTTP/1.0\r\n"
5432 "Host: www.openinfosecfoundation.org\r\n"
5433 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5435 uint32_t http_len1 =
sizeof(http_buf1) - 1; /* drop the implicit NUL terminator */
5436 uint8_t http_buf2[] =
5437 "HTTP/1.0 200 ok\r\n"
5438 "Content-Type: text/html\r\n"
5439 "Content-Length: 14\r\n"
5442 uint32_t http_len2 =
sizeof(http_buf2) - 1;
5443 uint8_t http_buf3[] =
5445 uint32_t http_len3 =
sizeof(http_buf3) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
5449 memset(&th_v, 0,
sizeof(th_v));
5450 memset(&f, 0,
sizeof(f));
5451 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
5458 f.
proto = IPPROTO_TCP;
/* msg says "client body" but the keyword under test is http_server_body;
 * the msg text does not affect matching */
5480 "(msg:\"http client body test\"; "
5481 "content:\"message\"; http_server_body; "
/*
 * NOTE(review): all three parse diagnostics below read "toserver chunk 1",
 * so a failure cannot be attributed to a specific chunk; the parse calls
 * themselves are elided in this listing.
 */
5490 http_buf1, http_len1);
5492 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5498 if (http_state == NULL) {
5499 printf(
"no http state: ");
5505 http_buf2, http_len2);
5507 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* only headers plus a partial body so far: no match expected */
5516 printf(
"sid 1 matched but shouldn't have: ");
5523 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* body complete: the match must fire */
5532 printf(
"sid 1 didn't match but should have: ");
/*
 * Unit test: http_server_body match on a body split over three chunks.
 * Request (http_buf1), response headers with a 14 byte body (http_buf2),
 * then two more body chunks (http_buf3, http_buf4; bytes elided in this
 * listing). Per the diagnostics, sid 1 (content "message") must not match
 * after http_buf2 and must match after the last chunk. Returns the unit-test
 * verdict; parse calls, match checks and cleanup are elided in this listing.
 */
5554 static int DetectHttpServerBodyTest09(
void)
5564 uint8_t http_buf1[] =
5565 "GET /index.html HTTP/1.0\r\n"
5566 "Host: www.openinfosecfoundation.org\r\n"
5567 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5569 uint32_t http_len1 =
sizeof(http_buf1) - 1; /* drop the implicit NUL terminator */
5570 uint8_t http_buf2[] =
5571 "HTTP/1.0 200 ok\r\n"
5572 "Content-Type: text/html\r\n"
5573 "Content-Length: 14\r\n"
5576 uint32_t http_len2 =
sizeof(http_buf2) - 1;
5577 uint8_t http_buf3[] =
5579 uint32_t http_len3 =
sizeof(http_buf3) - 1;
5580 uint8_t http_buf4[] =
5582 uint32_t http_len4 =
sizeof(http_buf4) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
5586 memset(&th_v, 0,
sizeof(th_v));
5587 memset(&f, 0,
sizeof(f));
5588 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
5595 f.
proto = IPPROTO_TCP;
/* msg says "client body" but the keyword under test is http_server_body */
5617 "(msg:\"http client body test\"; "
5618 "content:\"message\"; http_server_body; "
/*
 * NOTE(review): the four parse diagnostics below all read "toserver chunk 1",
 * so a failure cannot be attributed to a specific chunk; the parse calls
 * themselves are elided in this listing.
 */
5627 http_buf1, http_len1);
5629 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5635 if (http_state == NULL) {
5636 printf(
"no http state: ");
5642 http_buf2, http_len2);
5644 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* partial body: no match expected yet */
5653 printf(
"sid 1 matched but shouldn't have: ");
5660 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5668 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* all chunks parsed: the match must fire */
5677 printf(
"sid 1 didn't match but should have: ");
/*
 * Unit test: case-insensitive http_server_body match on a body split over
 * three chunks. Same traffic layout as Test09 (http_buf3/http_buf4 bytes are
 * elided in this listing) but the signature uses mixed-case content
 * "MeSSaGE" with nocase. Per the diagnostics, sid 1 must not match after
 * http_buf2 and must match after the last chunk. Returns the unit-test
 * verdict; parse calls, match checks and cleanup are elided in this listing.
 */
5699 static int DetectHttpServerBodyTest10(
void)
5709 uint8_t http_buf1[] =
5710 "GET /index.html HTTP/1.0\r\n"
5711 "Host: www.openinfosecfoundation.org\r\n"
5712 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5714 uint32_t http_len1 =
sizeof(http_buf1) - 1; /* drop the implicit NUL terminator */
5715 uint8_t http_buf2[] =
5716 "HTTP/1.0 200 ok\r\n"
5717 "Content-Type: text/html\r\n"
5718 "Content-Length: 14\r\n"
5721 uint32_t http_len2 =
sizeof(http_buf2) - 1;
5722 uint8_t http_buf3[] =
5724 uint32_t http_len3 =
sizeof(http_buf3) - 1;
5725 uint8_t http_buf4[] =
5727 uint32_t http_len4 =
sizeof(http_buf4) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
5731 memset(&th_v, 0,
sizeof(th_v));
5732 memset(&f, 0,
sizeof(f));
5733 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
5740 f.
proto = IPPROTO_TCP;
/* mixed-case pattern plus nocase: the match must be case-insensitive */
5762 "(msg:\"http client body test\"; "
5763 "content:\"MeSSaGE\"; http_server_body; nocase; "
/*
 * NOTE(review): the four parse diagnostics below all read "toserver chunk 1";
 * a failure cannot be attributed to a specific chunk (parse calls elided).
 */
5772 http_buf1, http_len1);
5774 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5780 if (http_state == NULL) {
5781 printf(
"no http state: ");
5787 http_buf2, http_len2);
5789 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* partial body: no match expected yet */
5798 printf(
"sid 1 matched but shouldn't have: ");
5805 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5813 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* all chunks parsed: the case-insensitive match must fire */
5822 printf(
"sid 1 didn't match but should have: ");
/*
 * Unit test: negated, case-insensitive http_server_body content. The
 * signature uses content:!"MaSSaGE" with nocase against a request
 * (http_buf1), response headers with a 14 byte body (http_buf2) and a final
 * body chunk (http_buf3; bytes elided in this listing). Per the diagnostics,
 * sid 1 must not match on p1 (partial body) and must match on p2 (the
 * negated pattern is absent from the complete body). Returns the unit-test
 * verdict; parse calls, match checks and cleanup are elided in this listing.
 */
5844 static int DetectHttpServerBodyTest11(
void)
5854 uint8_t http_buf1[] =
5855 "GET /index.html HTTP/1.0\r\n"
5856 "Host: www.openinfosecfoundation.org\r\n"
5857 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5859 uint32_t http_len1 =
sizeof(http_buf1) - 1; /* drop the implicit NUL terminator */
5860 uint8_t http_buf2[] =
5861 "HTTP/1.0 200 ok\r\n"
5862 "Content-Type: text/html\r\n"
5863 "Content-Length: 14\r\n"
5865 uint32_t http_len2 =
sizeof(http_buf2) - 1;
5866 uint8_t http_buf3[] =
5868 uint32_t http_len3 =
sizeof(http_buf3) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
5872 memset(&th_v, 0,
sizeof(th_v));
5873 memset(&f, 0,
sizeof(f));
5874 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
5881 f.
proto = IPPROTO_TCP;
/* negated content: sid 1 fires when "MaSSaGE" (any case) is NOT in the body */
5903 "(msg:\"http client body test\"; "
5904 "content:!\"MaSSaGE\"; http_server_body; nocase; "
/* NOTE(review): the parse diagnostics below all read "toserver chunk 1"
 * (parse calls elided), so they do not identify which chunk failed. */
5913 http_buf1, http_len1);
5915 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5921 if (http_state == NULL) {
5922 printf(
"no http state: ");
5928 http_buf2, http_len2);
5930 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* p1: body still incomplete, the negated match must not fire yet */
5939 printf(
"sid 1 matched but shouldn't have (p1): ");
5946 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* p2: body complete and pattern absent, so the negated match must fire */
5955 printf(
"sid 1 didn't match but should have (p2): ");
/*
 * Unit test: negated, case-insensitive http_server_body content that IS
 * present in the body. The signature uses content:!"MeSSaGE" with nocase
 * against the same traffic layout as Test11 (http_buf3 bytes elided in this
 * listing). Per the diagnostics, sid 1 must match neither on p1 nor on p2.
 * Returns the unit-test verdict; parse calls, match checks and cleanup are
 * elided in this listing.
 */
5977 static int DetectHttpServerBodyTest12(
void)
5987 uint8_t http_buf1[] =
5988 "GET /index.html HTTP/1.0\r\n"
5989 "Host: www.openinfosecfoundation.org\r\n"
5990 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5992 uint32_t http_len1 =
sizeof(http_buf1) - 1; /* drop the implicit NUL terminator */
5993 uint8_t http_buf2[] =
5994 "HTTP/1.0 200 ok\r\n"
5995 "Content-Type: text/html\r\n"
5996 "Content-Length: 14\r\n"
5998 uint32_t http_len2 =
sizeof(http_buf2) - 1;
5999 uint8_t http_buf3[] =
6001 uint32_t http_len3 =
sizeof(http_buf3) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
6005 memset(&th_v, 0,
sizeof(th_v));
6006 memset(&f, 0,
sizeof(f));
6007 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
6014 f.
proto = IPPROTO_TCP;
/* negated content: sid 1 must stay silent when "MeSSaGE" (any case) is in the body */
6036 "(msg:\"http client body test\"; "
6037 "content:!\"MeSSaGE\"; http_server_body; nocase; "
/* NOTE(review): the parse diagnostics below all read "toserver chunk 1"
 * (parse calls elided), so they do not identify which chunk failed. */
6046 http_buf1, http_len1);
6048 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6054 if (http_state == NULL) {
6055 printf(
"no http state: ");
6061 http_buf2, http_len2);
6063 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* p1: partial body, no match expected */
6072 printf(
"sid 1 matched but shouldn't have (p1): ");
6079 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* p2: complete body contains the pattern, so the negation must not fire */
6088 printf(
"sid 1 matched but shouldn't have (p2): ");
/*
 * Unit test: http_server_body match against the entire response body.
 * The response carries Content-Length: 55 and a 55 byte body
 * ("longbuffer" + a-z + 0-9 + "bufferend"), and the signature's content is
 * that exact 55 byte string, so the match only succeeds if the whole body is
 * inspected. Request and response are each delivered as one START|EOF chunk.
 * Returns the unit-test verdict; declarations, match checks and cleanup are
 * elided in this listing.
 */
6106 static int DetectHttpServerBodyTest13(
void)
6115 uint8_t http_buf[] =
6116 "GET /index.html HTTP/1.0\r\n"
6117 "Host: www.openinfosecfoundation.org\r\n"
6118 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
6120 uint32_t http_len =
sizeof(http_buf) - 1; /* drop the implicit NUL terminator */
6121 uint8_t http_buf2[] =
6122 "HTTP/1.0 200 ok\r\n"
6123 "Content-Type: text/html\r\n"
6124 "Content-Length: 55\r\n" /* matches the 55 byte body literal below */
6126 "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
6127 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
6131 memset(&th_v, 0,
sizeof(th_v));
6132 memset(&f, 0,
sizeof(f));
6133 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
6139 f.
proto = IPPROTO_TCP;
/* the pattern is the full 55 byte body, byte for byte */
6157 "(msg:\"http server body test\"; "
6158 "content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; http_server_body; "
/* request: a single complete to-server chunk */
6167 STREAM_TOSERVER | STREAM_START | STREAM_EOF, http_buf, http_len);
6169 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* response: a single complete to-client chunk */
6174 STREAM_TOCLIENT | STREAM_START | STREAM_EOF, http_buf2, http_len2);
/* NOTE(review): this diagnostic says "toserver chunk 1" although the call
 * just above is the STREAM_TOCLIENT response; looks copy-pasted. */
6176 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6182 if (http_state == NULL) {
6183 printf(
"no http state: \n");
/* whole body present: the full-length match must fire */
6192 printf(
"sid 1 didn't match but should have: ");
/*
 * Unit test: http_server_body matching is scoped per HTTP transaction on a
 * keep-alive connection. Two request/response pairs share one flow
 * (/index1.html + 3 byte body, then /index2.html + 3 byte body; the body
 * bytes are elided in this listing). sid 1 (content "one") must alert on
 * tx 1 and not on tx 2, sid 2 (content "two") must alert on tx 2, and the
 * HTTP state must hold exactly 2 transactions, per the diagnostics below.
 * This guards against a body match from an earlier transaction leaking into
 * a later one. Returns the unit-test verdict; parse calls, alert checks and
 * cleanup are elided in this listing.
 */
6210 static int DetectHttpServerBodyTest14(
void)
6219 uint8_t httpbuf1[] =
"GET /index1.html HTTP/1.1\r\n"
6220 "User-Agent: Mozilla/1.0\r\n"
6221 "Host: www.openinfosecfoundation.org\r\n"
6222 "Connection: keep-alive\r\n" /* both transactions ride the same connection */
6223 "Cookie: dummy1\r\n\r\n";
6224 uint32_t httplen1 =
sizeof(httpbuf1) - 1; /* drop the implicit NUL terminator */
6225 uint8_t httpbuf2[] =
"HTTP/1.1 200 ok\r\n"
6226 "Content-Type: text/html\r\n"
6227 "Content-Length: 3\r\n"
6230 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
6231 uint8_t httpbuf3[] =
"GET /index2.html HTTP/1.1\r\n"
6232 "User-Agent: Firefox/1.0\r\n"
6233 "Host: www.openinfosecfoundation.org\r\n"
6234 "Connection: keep-alive\r\n"
6235 "Cookie: dummy2\r\n\r\n";
6236 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
6237 uint8_t httpbuf4[] =
"HTTP/1.1 200 ok\r\n"
6238 "Content-Type: text/html\r\n"
6239 "Content-Length: 3\r\n"
6242 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
6245 memset(&th_v, 0,
sizeof(th_v));
6246 memset(&f, 0,
sizeof(f));
6247 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
6253 f.
proto = IPPROTO_TCP;
/* sid 1 should only see the first response body */
6271 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:established,to_client; content:\"one\"; http_server_body; sid:1; rev:1;)");
6273 printf(
"sig parse failed: ");
/* sid 2 should only see the second response body */
6276 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:established,to_client; content:\"two\"; http_server_body; sid:2; rev:1;)");
6278 printf(
"sig2 parse failed: ");
/* NOTE(review): chunks 2 and 4 are presumably the responses (to-client), yet
 * the diagnostics label all four "toserver"; the parse calls are elided. */
6290 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6298 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
6307 printf(
"sig 1 didn't alert (tx 1): ");
6316 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
6325 printf(
"toserver chunk 4 returned %" PRId32
", expected 0: ", r);
/* cross-transaction leak check: sid 1 must not fire again on tx 2 */
6334 printf(
"sig 1 alerted (tx 2): ");
6338 printf(
"sig 2 didn't alert (tx 2): ");
6344 if (htp_state == NULL) {
6345 printf(
"no http state: ");
6350 printf(
"The http app layer doesn't have 2 transactions, but it should: ");
/* teardown (body elided) */
6358 if (det_ctx != NULL) {
/*
 * Unit test: per-transaction http_server_body matching on a keep-alive
 * connection, as in Test14, with the extra assertion that sid 2 does NOT
 * alert on tx 1. Two request/response pairs share one flow (body bytes are
 * elided in this listing); sid 1 (content "one") must alert on tx 1 only,
 * sid 2 (content "two") on tx 2 only, and the HTTP state must hold exactly
 * 2 transactions. Returns the unit-test verdict; parse calls, alert checks
 * and cleanup are elided in this listing.
 */
6371 static int DetectHttpServerBodyTest15(
void)
6380 uint8_t httpbuf1[] =
"GET /index1.html HTTP/1.1\r\n"
6381 "User-Agent: Mozilla/1.0\r\n"
6382 "Host: www.openinfosecfoundation.org\r\n"
6383 "Connection: keep-alive\r\n" /* both transactions ride the same connection */
6384 "Cookie: dummy1\r\n\r\n";
6385 uint32_t httplen1 =
sizeof(httpbuf1) - 1; /* drop the implicit NUL terminator */
6386 uint8_t httpbuf2[] =
"HTTP/1.1 200 ok\r\n"
6387 "Content-Type: text/html\r\n"
6388 "Content-Length: 3\r\n"
6391 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
6392 uint8_t httpbuf3[] =
"GET /index2.html HTTP/1.1\r\n"
6393 "User-Agent: Firefox/1.0\r\n"
6394 "Host: www.openinfosecfoundation.org\r\n"
6395 "Connection: keep-alive\r\n"
6396 "Cookie: dummy2\r\n\r\n";
6397 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
6398 uint8_t httpbuf4[] =
"HTTP/1.1 200 ok\r\n"
6399 "Content-Type: text/html\r\n"
6400 "Content-Length: 3\r\n"
6403 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
6406 memset(&th_v, 0,
sizeof(th_v));
6407 memset(&f, 0,
sizeof(f));
6408 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
6414 f.
proto = IPPROTO_TCP;
/* sid 1 should only see the first response body */
6432 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:established,to_client; content:\"one\"; http_server_body; sid:1; rev:1;)");
6434 printf(
"sig parse failed: ");
/* sid 2 should only see the second response body */
6437 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:established,to_client; content:\"two\"; http_server_body; sid:2; rev:1;)");
6439 printf(
"sig2 parse failed: ");
/* NOTE(review): chunks 2 and 4 are presumably the responses (to-client), yet
 * the diagnostics label all four "toserver"; the parse calls are elided. */
6449 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6455 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
6462 printf(
"sig 1 didn't alert (tx 1): ");
/* sid 2's pattern belongs to tx 2, so it must stay silent on tx 1 */
6466 printf(
"sig 2 alerted (tx 1): ");
6473 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
6480 printf(
"toserver chunk 4 returned %" PRId32
", expected 0: ", r);
/* cross-transaction leak check: sid 1 must not fire again on tx 2 */
6487 printf(
"sig 1 alerted (tx 2): ");
6491 printf(
"sig 2 didn't alert (tx 2): ");
6497 if (htp_state == NULL) {
6498 printf(
"no http state: ");
6503 printf(
"The http app layer doesn't have 2 transactions, but it should: ");
/* teardown (body elided) */
6511 if (det_ctx != NULL) {
/*
 * Unit test: file_data counterpart of the single-chunk server-body test.
 * A request (http_buf) and a response with a 7 byte body (http_buf2; body
 * bytes elided in this listing) are each delivered as one START|EOF chunk,
 * and the signature uses "file_data; content:\"message\"". Returns the
 * unit-test verdict; declarations, result checks and cleanup are elided in
 * this listing.
 */
6528 static int DetectHttpServerBodyFileDataTest01(
void)
6537 uint8_t http_buf[] =
6538 "GET /index.html HTTP/1.0\r\n"
6539 "Host: www.openinfosecfoundation.org\r\n"
6540 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
6542 uint32_t http_len =
sizeof(http_buf) - 1; /* drop the implicit NUL terminator */
6543 uint8_t http_buf2[] =
6544 "HTTP/1.0 200 ok\r\n"
6545 "Content-Type: text/html\r\n"
6546 "Content-Length: 7\r\n"
6549 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
6552 memset(&th_v, 0,
sizeof(th_v));
6553 memset(&f, 0,
sizeof(f));
6554 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
6560 f.
proto = IPPROTO_TCP;
/* file_data (rather than http_server_body) selects the response body here */
6576 "(msg:\"http server body test\"; "
6577 "file_data; content:\"message\"; "
/* request as one complete to-server chunk */
6585 STREAM_TOSERVER | STREAM_START | STREAM_EOF, http_buf, http_len);
/* response as one complete to-client chunk */
6588 STREAM_TOCLIENT | STREAM_START | STREAM_EOF, http_buf2, http_len2);
/*
 * Unit test: file_data match on a response body that arrives in pieces
 * (file_data counterpart of Test07). Request (http_buf1), response headers
 * announcing a 14 byte body (http_buf2), then a further body chunk
 * (http_buf3; bytes elided in this listing). sid 1 (content "message") must
 * not match on p1 and must match on p2, per the diagnostics below. Returns
 * the unit-test verdict; parse calls, match checks and cleanup are elided.
 */
6611 static int DetectHttpServerBodyFileDataTest02(
void)
6621 uint8_t http_buf1[] =
6622 "GET /index.html HTTP/1.0\r\n"
6623 "Host: www.openinfosecfoundation.org\r\n"
6624 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
6626 uint32_t http_len1 =
sizeof(http_buf1) - 1; /* drop the implicit NUL terminator */
6627 uint8_t http_buf2[] =
6628 "HTTP/1.0 200 ok\r\n"
6629 "Content-Type: text/html\r\n"
6630 "Content-Length: 14\r\n"
6632 uint32_t http_len2 =
sizeof(http_buf2) - 1;
6633 uint8_t http_buf3[] =
6635 uint32_t http_len3 =
sizeof(http_buf3) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
6639 memset(&th_v, 0,
sizeof(th_v));
6640 memset(&f, 0,
sizeof(f));
6641 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
6648 f.
proto = IPPROTO_TCP;
6671 "(msg:\"http server body test\"; "
6672 "file_data; content:\"message\"; "
6681 http_buf1, http_len1);
6683 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6689 http_buf2, http_len2);
6691 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
6697 if (http_state == NULL) {
6698 printf(
"no http state: ");
/* NOTE(review): this diagnostic reads "matched on p1 but should have"; by
 * analogy with Test07 ("matched on chunk2 but shouldn't have") the intended
 * wording is presumably "shouldn't have". The string is left as is here. */
6706 printf(
"sid 1 matched on p1 but should have: ");
6713 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
/* body complete: the match must fire */
6720 printf(
"sid 1 didn't match on p2 but should have: ");
/*
 * Unit test: file_data match across a chunked response body (file_data
 * counterpart of Test08). Request (http_buf1), response headers with a
 * 14 byte body (http_buf2), then a further body chunk (http_buf3; bytes
 * elided in this listing). The HTTP state is checked right after the
 * request; sid 1 (content "message") must not match after http_buf2 and
 * must match after the last chunk. Returns the unit-test verdict; parse
 * calls, match checks and cleanup are elided in this listing.
 */
6742 static int DetectHttpServerBodyFileDataTest03(
void)
6752 uint8_t http_buf1[] =
6753 "GET /index.html HTTP/1.0\r\n"
6754 "Host: www.openinfosecfoundation.org\r\n"
6755 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
6757 uint32_t http_len1 =
sizeof(http_buf1) - 1; /* drop the implicit NUL terminator */
6758 uint8_t http_buf2[] =
6759 "HTTP/1.0 200 ok\r\n"
6760 "Content-Type: text/html\r\n"
6761 "Content-Length: 14\r\n"
6764 uint32_t http_len2 =
sizeof(http_buf2) - 1;
6765 uint8_t http_buf3[] =
6767 uint32_t http_len3 =
sizeof(http_buf3) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
6771 memset(&th_v, 0,
sizeof(th_v));
6772 memset(&f, 0,
sizeof(f));
6773 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
6780 f.
proto = IPPROTO_TCP;
/* msg says "client body" but file_data here selects the response body */
6802 "(msg:\"http client body test\"; "
6803 "file_data; content:\"message\"; "
/* NOTE(review): all three parse diagnostics below read "toserver chunk 1"
 * (parse calls elided), so they do not identify which chunk failed. */
6812 http_buf1, http_len1);
6814 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6820 if (http_state == NULL) {
6821 printf(
"no http state: ");
6827 http_buf2, http_len2);
6829 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* partial body: no match expected yet */
6838 printf(
"sid 1 matched but shouldn't have: ");
6845 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* body complete: the match must fire */
6855 printf(
"sid 1 didn't match but should have: ");
/*
 * Unit test: file_data match on a body split over three chunks (file_data
 * counterpart of Test09). Request (http_buf1), response headers with a
 * 14 byte body (http_buf2), then two more body chunks (http_buf3, http_buf4;
 * bytes elided in this listing). sid 1 (content "message") must not match
 * after http_buf2 and must match after the last chunk. Returns the unit-test
 * verdict; parse calls, match checks and cleanup are elided in this listing.
 */
6877 static int DetectHttpServerBodyFileDataTest04(
void)
6887 uint8_t http_buf1[] =
6888 "GET /index.html HTTP/1.0\r\n"
6889 "Host: www.openinfosecfoundation.org\r\n"
6890 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
6892 uint32_t http_len1 =
sizeof(http_buf1) - 1; /* drop the implicit NUL terminator */
6893 uint8_t http_buf2[] =
6894 "HTTP/1.0 200 ok\r\n"
6895 "Content-Type: text/html\r\n"
6896 "Content-Length: 14\r\n"
6899 uint32_t http_len2 =
sizeof(http_buf2) - 1;
6900 uint8_t http_buf3[] =
6902 uint32_t http_len3 =
sizeof(http_buf3) - 1;
6903 uint8_t http_buf4[] =
6905 uint32_t http_len4 =
sizeof(http_buf4) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
6909 memset(&th_v, 0,
sizeof(th_v));
6910 memset(&f, 0,
sizeof(f));
6911 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
6918 f.
proto = IPPROTO_TCP;
/* msg says "client body" but file_data here selects the response body */
6940 "(msg:\"http client body test\"; "
6941 "file_data; content:\"message\"; "
/* NOTE(review): the four parse diagnostics below all read "toserver chunk 1"
 * (parse calls elided), so they do not identify which chunk failed. */
6950 http_buf1, http_len1);
6952 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6958 if (http_state == NULL) {
6959 printf(
"no http state: ");
6965 http_buf2, http_len2);
6967 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* partial body: no match expected yet */
6976 printf(
"sid 1 matched but shouldn't have: ");
6983 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6991 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* all chunks parsed: the match must fire */
7000 printf(
"sid 1 didn't match but should have: ");
/*
 * Unit test: case-insensitive file_data match on a body split over three
 * chunks (file_data counterpart of Test10). Same traffic layout as
 * FileDataTest04 (http_buf3/http_buf4 bytes elided in this listing) with
 * mixed-case content "MeSSaGE" and nocase. sid 1 must not match after
 * http_buf2 and must match after the last chunk. Returns the unit-test
 * verdict; parse calls, match checks and cleanup are elided in this listing.
 */
7022 static int DetectHttpServerBodyFileDataTest05(
void)
7032 uint8_t http_buf1[] =
7033 "GET /index.html HTTP/1.0\r\n"
7034 "Host: www.openinfosecfoundation.org\r\n"
7035 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
7037 uint32_t http_len1 =
sizeof(http_buf1) - 1; /* drop the implicit NUL terminator */
7038 uint8_t http_buf2[] =
7039 "HTTP/1.0 200 ok\r\n"
7040 "Content-Type: text/html\r\n"
7041 "Content-Length: 14\r\n"
7044 uint32_t http_len2 =
sizeof(http_buf2) - 1;
7045 uint8_t http_buf3[] =
7047 uint32_t http_len3 =
sizeof(http_buf3) - 1;
7048 uint8_t http_buf4[] =
7050 uint32_t http_len4 =
sizeof(http_buf4) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
7054 memset(&th_v, 0,
sizeof(th_v));
7055 memset(&f, 0,
sizeof(f));
7056 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
7063 f.
proto = IPPROTO_TCP;
/* mixed-case pattern plus nocase: the match must be case-insensitive */
7085 "(msg:\"http client body test\"; "
7086 "file_data; content:\"MeSSaGE\"; nocase; "
/* NOTE(review): the four parse diagnostics below all read "toserver chunk 1"
 * (parse calls elided), so they do not identify which chunk failed. */
7095 http_buf1, http_len1);
7097 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
7103 if (http_state == NULL) {
7104 printf(
"no http state: ");
7110 http_buf2, http_len2);
7112 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* partial body: no match expected yet */
7121 printf(
"sid 1 matched but shouldn't have: ");
7128 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
7136 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* all chunks parsed: the case-insensitive match must fire */
7145 printf(
"sid 1 didn't match but should have: ");
/*
 * Unit test: negated, case-insensitive file_data content (file_data
 * counterpart of Test11). The signature uses content:!"MaSSaGE" with nocase
 * against a request (http_buf1), response headers with a 14 byte body
 * (http_buf2) and a final body chunk (http_buf3; bytes elided in this
 * listing). sid 1 must not match on p1 and must match on p2. Returns the
 * unit-test verdict; parse calls, match checks and cleanup are elided.
 */
7167 static int DetectHttpServerBodyFileDataTest06(
void)
7177 uint8_t http_buf1[] =
7178 "GET /index.html HTTP/1.0\r\n"
7179 "Host: www.openinfosecfoundation.org\r\n"
7180 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
7182 uint32_t http_len1 =
sizeof(http_buf1) - 1; /* drop the implicit NUL terminator */
7183 uint8_t http_buf2[] =
7184 "HTTP/1.0 200 ok\r\n"
7185 "Content-Type: text/html\r\n"
7186 "Content-Length: 14\r\n"
7188 uint32_t http_len2 =
sizeof(http_buf2) - 1;
7189 uint8_t http_buf3[] =
7191 uint32_t http_len3 =
sizeof(http_buf3) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
7195 memset(&th_v, 0,
sizeof(th_v));
7196 memset(&f, 0,
sizeof(f));
7197 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
7204 f.
proto = IPPROTO_TCP;
/* negated content: sid 1 fires when "MaSSaGE" (any case) is NOT in the body */
7226 "(msg:\"http file_data test\"; "
7227 "file_data; content:!\"MaSSaGE\"; nocase; "
/* NOTE(review): the parse diagnostics below all read "toserver chunk 1"
 * (parse calls elided), so they do not identify which chunk failed. */
7236 http_buf1, http_len1);
7238 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
7244 if (http_state == NULL) {
7245 printf(
"no http state: ");
7251 http_buf2, http_len2);
7253 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* p1: body still incomplete, the negated match must not fire yet */
7262 printf(
"sid 1 matched but shouldn't have (p1): ");
7269 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* p2: body complete and pattern absent, so the negated match must fire */
7278 printf(
"sid 1 didn't match but should have (p2): ");
/*
 * Unit test: negated, case-insensitive file_data content that IS present in
 * the body (file_data counterpart of Test12). The signature uses
 * content:!"MeSSaGE" with nocase against the same traffic layout as
 * FileDataTest06 (http_buf3 bytes elided in this listing). sid 1 must match
 * neither on p1 nor on p2. Returns the unit-test verdict; parse calls, match
 * checks and cleanup are elided in this listing.
 */
7300 static int DetectHttpServerBodyFileDataTest07(
void)
7310 uint8_t http_buf1[] =
7311 "GET /index.html HTTP/1.0\r\n"
7312 "Host: www.openinfosecfoundation.org\r\n"
7313 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
7315 uint32_t http_len1 =
sizeof(http_buf1) - 1; /* drop the implicit NUL terminator */
7316 uint8_t http_buf2[] =
7317 "HTTP/1.0 200 ok\r\n"
7318 "Content-Type: text/html\r\n"
7319 "Content-Length: 14\r\n"
7321 uint32_t http_len2 =
sizeof(http_buf2) - 1;
7322 uint8_t http_buf3[] =
7324 uint32_t http_len3 =
sizeof(http_buf3) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
7328 memset(&th_v, 0,
sizeof(th_v));
7329 memset(&f, 0,
sizeof(f));
7330 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
7337 f.
proto = IPPROTO_TCP;
/* negated content: sid 1 must stay silent when "MeSSaGE" (any case) is in the body */
7359 "(msg:\"http file_data test\"; "
7360 "file_data; content:!\"MeSSaGE\"; nocase; "
/* NOTE(review): the parse diagnostics below all read "toserver chunk 1"
 * (parse calls elided), so they do not identify which chunk failed. */
7369 http_buf1, http_len1);
7371 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
7377 if (http_state == NULL) {
7378 printf(
"no http state: ");
7384 http_buf2, http_len2);
7386 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* p1: partial body, no match expected */
7395 printf(
"sid 1 matched but shouldn't have (p1): ");
7402 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* p2: complete body contains the pattern, so the negation must not fire */
7411 printf(
"sid 1 matched but shouldn't have (p2): ");
/*
 * Unit test: file_data match against the entire response body (file_data
 * counterpart of Test13). The response carries Content-Length: 55 and a
 * 55 byte body ("longbuffer" + a-z + 0-9 + "bufferend"); the signature's
 * content is that exact string, so the match only succeeds if the whole
 * body is inspected. Request and response are each one START|EOF chunk.
 * Returns the unit-test verdict; declarations, match checks and cleanup are
 * elided in this listing.
 */
7429 static int DetectHttpServerBodyFileDataTest08(
void)
7438 uint8_t http_buf[] =
7439 "GET /index.html HTTP/1.0\r\n"
7440 "Host: www.openinfosecfoundation.org\r\n"
7441 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
7443 uint32_t http_len =
sizeof(http_buf) - 1; /* drop the implicit NUL terminator */
7444 uint8_t http_buf2[] =
7445 "HTTP/1.0 200 ok\r\n"
7446 "Content-Type: text/html\r\n"
7447 "Content-Length: 55\r\n" /* matches the 55 byte body literal below */
7449 "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
7450 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
7454 memset(&th_v, 0,
sizeof(th_v));
7455 memset(&f, 0,
sizeof(f));
7456 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
7462 f.
proto = IPPROTO_TCP;
/* the pattern is the full 55 byte body, byte for byte */
7480 "(msg:\"http server body test\"; "
7481 "file_data; content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; "
/* request: a single complete to-server chunk */
7490 STREAM_TOSERVER | STREAM_START | STREAM_EOF, http_buf, http_len);
7492 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* response: a single complete to-client chunk */
7497 STREAM_TOCLIENT | STREAM_START | STREAM_EOF, http_buf2, http_len2);
/* NOTE(review): this diagnostic says "toserver chunk 1" although the call
 * just above is the STREAM_TOCLIENT response; looks copy-pasted. */
7499 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
7505 if (http_state == NULL) {
7506 printf(
"no http state: \n");
/* whole body present: the full-length match must fire */
7515 printf(
"sid 1 didn't match but should have: ");
/*
 * Unit test: file_data matching is scoped per HTTP transaction on a
 * keep-alive connection (file_data counterpart of Test14). Two
 * request/response pairs share one flow (/index1.html + 3 byte body, then
 * /index2.html + 3 byte body; body bytes elided in this listing). sid 1
 * (content "one") must alert on tx 1 and not on tx 2, sid 2 (content "two")
 * must alert on tx 2, and the HTTP state must hold exactly 2 transactions.
 * This guards against a body match from an earlier transaction leaking into
 * a later one. Returns the unit-test verdict; parse calls, alert checks and
 * cleanup are elided in this listing.
 */
7533 static int DetectHttpServerBodyFileDataTest09(
void)
7542 uint8_t httpbuf1[] =
"GET /index1.html HTTP/1.1\r\n"
7543 "User-Agent: Mozilla/1.0\r\n"
7544 "Host: www.openinfosecfoundation.org\r\n"
7545 "Connection: keep-alive\r\n" /* both transactions ride the same connection */
7546 "Cookie: dummy1\r\n\r\n";
7547 uint32_t httplen1 =
sizeof(httpbuf1) - 1; /* drop the implicit NUL terminator */
7548 uint8_t httpbuf2[] =
"HTTP/1.1 200 ok\r\n"
7549 "Content-Type: text/html\r\n"
7550 "Content-Length: 3\r\n"
7553 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
7554 uint8_t httpbuf3[] =
"GET /index2.html HTTP/1.1\r\n"
7555 "User-Agent: Firefox/1.0\r\n"
7556 "Host: www.openinfosecfoundation.org\r\n"
7557 "Connection: keep-alive\r\n"
7558 "Cookie: dummy2\r\n\r\n";
7559 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
7560 uint8_t httpbuf4[] =
"HTTP/1.1 200 ok\r\n"
7561 "Content-Type: text/html\r\n"
7562 "Content-Length: 3\r\n"
7565 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
7568 memset(&th_v, 0,
sizeof(th_v));
7569 memset(&f, 0,
sizeof(f));
7570 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
7576 f.
proto = IPPROTO_TCP;
/* sid 1 should only see the first response body */
7594 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:established,to_client; file_data; content:\"one\"; sid:1; rev:1;)");
7596 printf(
"sig parse failed: ");
/* sid 2 should only see the second response body */
7599 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
7601 printf(
"sig2 parse failed: ");
/* NOTE(review): chunks 2 and 4 are presumably the responses (to-client), yet
 * the diagnostics label all four "toserver"; the parse calls are elided. */
7611 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
7617 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
7624 printf(
"sig 1 didn't alert (tx 1): ");
7631 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
7638 printf(
"toserver chunk 4 returned %" PRId32
", expected 0: ", r);
/* cross-transaction leak check: sid 1 must not fire again on tx 2 */
7645 printf(
"sig 1 alerted (tx 2): ");
7649 printf(
"sig 2 didn't alert (tx 2): ");
7655 if (htp_state == NULL) {
7656 printf(
"no http state: ");
7661 printf(
"The http app layer doesn't have 2 transactions, but it should: ");
/* teardown (body elided) */
7669 if (det_ctx != NULL) {
/*
 * Unit test: per-transaction file_data matching on a keep-alive connection
 * (file_data counterpart of Test14/Test15). Two request/response pairs
 * share one flow (body bytes elided in this listing); sid 1 (content "one")
 * must alert on tx 1 and not on tx 2, sid 2 (content "two") must alert on
 * tx 2, and the HTTP state must hold exactly 2 transactions. Unlike Test15
 * no "sig 2 alerted (tx 1)" check is visible here. Returns the unit-test
 * verdict; parse calls, alert checks and cleanup are elided in this listing.
 */
7682 static int DetectHttpServerBodyFileDataTest10(
void)
7691 uint8_t httpbuf1[] =
"GET /index1.html HTTP/1.1\r\n"
7692 "User-Agent: Mozilla/1.0\r\n"
7693 "Host: www.openinfosecfoundation.org\r\n"
7694 "Connection: keep-alive\r\n" /* both transactions ride the same connection */
7695 "Cookie: dummy1\r\n\r\n";
7696 uint32_t httplen1 =
sizeof(httpbuf1) - 1; /* drop the implicit NUL terminator */
7697 uint8_t httpbuf2[] =
"HTTP/1.1 200 ok\r\n"
7698 "Content-Type: text/html\r\n"
7699 "Content-Length: 3\r\n"
7702 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
7703 uint8_t httpbuf3[] =
"GET /index2.html HTTP/1.1\r\n"
7704 "User-Agent: Firefox/1.0\r\n"
7705 "Host: www.openinfosecfoundation.org\r\n"
7706 "Connection: keep-alive\r\n"
7707 "Cookie: dummy2\r\n\r\n";
7708 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
7709 uint8_t httpbuf4[] =
"HTTP/1.1 200 ok\r\n"
7710 "Content-Type: text/html\r\n"
7711 "Content-Length: 3\r\n"
7714 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
/* zero thread vars, flow and session before use (declarations elided) */
7717 memset(&th_v, 0,
sizeof(th_v));
7718 memset(&f, 0,
sizeof(f));
7719 memset(&ssn, 0,
sizeof(ssn));
/* the flow is TCP; the remaining flow/session setup is elided here */
7725 f.
proto = IPPROTO_TCP;
/* sid 1 should only see the first response body */
7743 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:established,to_client; file_data; content:\"one\"; sid:1; rev:1;)");
7745 printf(
"sig parse failed: ");
/* sid 2 should only see the second response body */
7748 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
7750 printf(
"sig2 parse failed: ");
/* NOTE(review): chunks 2 and 4 are presumably the responses (to-client), yet
 * the diagnostics label all four "toserver"; the parse calls are elided. */
7760 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
7766 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
7773 printf(
"sig 1 didn't alert (tx 1): ");
7780 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
7787 printf(
"toserver chunk 4 returned %" PRId32
", expected 0: ", r);
/* cross-transaction leak check: sid 1 must not fire again on tx 2 */
7794 printf(
"sig 1 alerted (tx 2): ");
7798 printf(
"sig 2 didn't alert (tx 2): ");
7804 if (htp_state == NULL) {
7805 printf(
"no http state: ");
7810 printf(
"The http app layer doesn't have 2 transactions, but it should: ");
/* teardown (body elided) */
7818 if (det_ctx != NULL) {
7833 UtRegisterTest(
"DetectHttpServerBodyParserTest01", DetectHttpServerBodyParserTest01);
7834 UtRegisterTest(
"DetectHttpServerBodyParserTest02", DetectHttpServerBodyParserTest02);
7836 UtRegisterTest(
"DetectHttpServerBodyTest06", DetectHttpServerBodyTest06);
7837 UtRegisterTest(
"DetectHttpServerBodyTest07", DetectHttpServerBodyTest07);
7838 UtRegisterTest(
"DetectHttpServerBodyTest08", DetectHttpServerBodyTest08);
7839 UtRegisterTest(
"DetectHttpServerBodyTest09", DetectHttpServerBodyTest09);
7840 UtRegisterTest(
"DetectHttpServerBodyTest10", DetectHttpServerBodyTest10);
7841 UtRegisterTest(
"DetectHttpServerBodyTest11", DetectHttpServerBodyTest11);
7842 UtRegisterTest(
"DetectHttpServerBodyTest12", DetectHttpServerBodyTest12);
7843 UtRegisterTest(
"DetectHttpServerBodyTest13", DetectHttpServerBodyTest13);
7844 UtRegisterTest(
"DetectHttpServerBodyTest14", DetectHttpServerBodyTest14);
7845 UtRegisterTest(
"DetectHttpServerBodyTest15", DetectHttpServerBodyTest15);
7848 DetectHttpServerBodyFileDataTest01);
7850 DetectHttpServerBodyFileDataTest02);
7852 DetectHttpServerBodyFileDataTest03);
7854 DetectHttpServerBodyFileDataTest04);
7856 DetectHttpServerBodyFileDataTest05);
7858 DetectHttpServerBodyFileDataTest06);
7860 DetectHttpServerBodyFileDataTest07);
7862 DetectHttpServerBodyFileDataTest08);
7864 DetectHttpServerBodyFileDataTest09);
7866 DetectHttpServerBodyFileDataTest10);
7869 DetectEngineHttpServerBodyTest01);
7871 DetectEngineHttpServerBodyTest02);
7873 DetectEngineHttpServerBodyTest03);
7875 DetectEngineHttpServerBodyTest04);
7877 DetectEngineHttpServerBodyTest05);
7879 DetectEngineHttpServerBodyTest06);
7881 DetectEngineHttpServerBodyTest07);
7883 DetectEngineHttpServerBodyTest08);
7885 DetectEngineHttpServerBodyTest09);
7887 DetectEngineHttpServerBodyTest10);
7889 DetectEngineHttpServerBodyTest11);
7891 DetectEngineHttpServerBodyTest12);
7893 DetectEngineHttpServerBodyTest13);
7895 DetectEngineHttpServerBodyTest14);
7897 DetectEngineHttpServerBodyTest15);
7899 DetectEngineHttpServerBodyTest16);
7901 DetectEngineHttpServerBodyTest17);
7903 DetectEngineHttpServerBodyTest18);
7905 DetectEngineHttpServerBodyTest19);
7907 DetectEngineHttpServerBodyTest20);
7909 DetectEngineHttpServerBodyTest21);
7911 DetectEngineHttpServerBodyTest22);
7914 DetectEngineHttpServerBodyFileDataTest01);
7916 DetectEngineHttpServerBodyFileDataTest02);
7918 DetectEngineHttpServerBodyFileDataTest03);
7920 DetectEngineHttpServerBodyFileDataTest04);
7922 DetectEngineHttpServerBodyFileDataTest05);
7924 DetectEngineHttpServerBodyFileDataTest06);
7926 DetectEngineHttpServerBodyFileDataTest07);
7928 DetectEngineHttpServerBodyFileDataTest08);
7930 DetectEngineHttpServerBodyFileDataTest09);
7932 DetectEngineHttpServerBodyFileDataTest10);
7934 DetectEngineHttpServerBodyFileDataTest11);
7936 DetectEngineHttpServerBodyFileDataTest12);
7938 DetectEngineHttpServerBodyFileDataTest13);
7940 DetectEngineHttpServerBodyFileDataTest14);
7942 DetectEngineHttpServerBodyFileDataTest15);
7944 DetectEngineHttpServerBodyFileDataTest16);
7946 DetectEngineHttpServerBodyFileDataTest17);
7948 DetectEngineHttpServerBodyFileDataTest18);
7951 DetectEngineHttpServerBodyFileDataTest19);
7953 DetectEngineHttpServerBodyFileDataTest20);
7955 DetectEngineHttpServerBodyFileDataTest21);
7957 DetectEngineHttpServerBodyFileDataTest22);
7959 DetectEngineHttpServerBodyFileDataTest23);
7961 DetectEngineHttpServerBodyFileDataTest24);
7963 DetectEngineHttpServerBodyFileDataTest25);
7965 DetectEngineHttpServerBodyFileDataTest26);
7967 DetectEngineHttpServerBodyFileDataTest27);
7969 DetectEngineHttpServerBodyFileDataTest28);
7971 DetectEngineHttpServerBodyFileDataTest29);