suricata
detect-http-server-body.c
Go to the documentation of this file.
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <giuseppe@glongo.it>
22  *
23  * Tests for the hsbd with swf files
24  */
25 
26 #include "../suricata-common.h"
27 #include "../conf-yaml-loader.h"
28 #include "../decode.h"
29 #include "../flow.h"
30 #include "../detect.h"
31 #include "../detect-engine-build.h"
32 #include "../detect-engine-alert.h"
33 
34 /**
35  * \test Test parser accepting valid rules and rejecting invalid rules
36  */
37 static int DetectHttpServerBodyParserTest01(void)
38 {
39  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", true));
40  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)", true));
41  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)", true));
42  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)", true));
43  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)", true));
44 
45  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)", false));
46  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http_server_body; sid:1;)", false));
47  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", false));
48  PASS;
49 }
50 
51 /**
52  * \test Test parser accepting valid rules and rejecting invalid rules
53  */
54 static int DetectHttpServerBodyParserTest02(void)
55 {
56  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", true));
57  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)", true));
58  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)", true));
59  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)", true));
60  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
61  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; bsize:10; sid:1;)", true));
62 
63  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)", false));
64  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http.response_body; sid:1;)", false));
65  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", false));
66  PASS;
67 }
68 struct TestSteps {
69  const uint8_t *input;
70  size_t input_size; /**< if 0 strlen will be used */
71  int direction; /**< STREAM_TOSERVER, STREAM_TOCLIENT */
72  int expect;
73 };
74 
75 static int RunTest(struct TestSteps *steps, const char *sig, const char *yaml)
76 {
77  TcpSession ssn;
78  Flow f;
79  ThreadVars th_v;
80  DetectEngineThreadCtx *det_ctx = NULL;
81  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
82  FAIL_IF_NULL(alp_tctx);
83 
84  memset(&th_v, 0, sizeof(th_v));
85  StatsThreadInit(&th_v.stats);
86  memset(&f, 0, sizeof(f));
87  memset(&ssn, 0, sizeof(ssn));
88 
89  if (yaml) {
90  SCConfCreateContextBackup();
91  SCConfInit();
92  HtpConfigCreateBackup();
93 
94  SCConfYamlLoadString(yaml, strlen(yaml));
95  HTPConfigure();
96  EngineModeSetIPS();
97  }
98 
99  StreamTcpInitConfig(true);
100 
101  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
102  FAIL_IF_NULL(de_ctx);
103  de_ctx->flags |= DE_QUIET;
104 
105  FLOW_INITIALIZE(&f);
106  f.protoctx = (void *)&ssn;
107  f.proto = IPPROTO_TCP;
108  f.flags |= FLOW_IPV4;
109  f.alproto = ALPROTO_HTTP1;
110 
111  SCLogDebug("sig %s", sig);
112  Signature *s = DetectEngineAppendSig(de_ctx, (char *)sig);
113  FAIL_IF_NULL(s);
114 
115  SigGroupBuild(de_ctx);
116  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
117  FAIL_IF_NULL(det_ctx);
118 
119  struct TestSteps *b = steps;
120  int i = 0;
121  while (b->input != NULL) {
122  SCLogDebug("chunk %p %d", b, i);
123  (void)i;
124  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
125  FAIL_IF_NULL(p);
126  p->flow = &f;
127  p->flowflags = (b->direction == STREAM_TOSERVER) ? FLOW_PKT_TOSERVER : FLOW_PKT_TOCLIENT;
128  p->flowflags |= FLOW_PKT_ESTABLISHED;
129  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
130 
131  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, b->direction,
132  (uint8_t *)b->input,
133  b->input_size ? b->input_size : strlen((const char *)b->input));
134  FAIL_IF_NOT(r == 0);
135 
136  /* do detect */
137  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
138 
139  int match = PacketAlertCheck(p, 1);
140  FAIL_IF_NOT(b->expect == match);
141 
142  UTHFreePackets(&p, 1);
143  b++;
144  i++;
145  }
146 
147  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
148  AppLayerParserThreadCtxFree(alp_tctx);
149  DetectEngineCtxFree(de_ctx);
150 
151  StreamTcpFreeConfig(true);
152  FLOW_DESTROY(&f);
153 
154  if (yaml) {
155  HTPFreeConfig();
156  SCConfDeInit();
157  HtpConfigRestoreBackup();
158  SCConfRestoreContextBackup();
159  EngineModeSetIDS();
160  }
161  StatsThreadCleanup(&th_v.stats);
162  PASS;
163 }
164 
165 static int DetectEngineHttpServerBodyTest01(void)
166 {
167  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
168  "Host: www.openinfosecfoundation.org\r\n"
169  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
170  "Gecko/20091221 Firefox/3.5.7\r\n"
171  "\r\n";
172  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
173  "Content-Type: text/html\r\n"
174  "Content-Length: 7\r\n"
175  "\r\n"
176  "message";
177  struct TestSteps steps[] = {
178  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
179  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
180  { NULL, 0, 0, 0 },
181  };
182 
183  const char *sig = "alert http any any -> any any "
184  "(msg:\"http server body test\"; "
185  "content:\"message\"; http_server_body; "
186  "sid:1;)";
187  return RunTest(steps, sig, NULL);
188 }
189 
190 static int DetectEngineHttpServerBodyTest02(void)
191 {
192  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
193  "Host: www.openinfosecfoundation.org\r\n"
194  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
195  "Gecko/20091221 Firefox/3.5.7\r\n"
196  "\r\n";
197  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
198  "Content-Type: text/html\r\n"
199  "Content-Length: 7\r\n"
200  "\r\n"
201  "xxxxABC";
202  struct TestSteps steps[] = {
203  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
204  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
205  { NULL, 0, 0, 0 },
206  };
207 
208  const char *sig = "alert http any any -> any any "
209  "(msg:\"http server body test\"; "
210  "content:\"ABC\"; http_server_body; offset:4; "
211  "sid:1;)";
212  return RunTest(steps, sig, NULL);
213 }
214 
215 static int DetectEngineHttpServerBodyTest03(void)
216 {
217  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
218  "Host: www.openinfosecfoundation.org\r\n"
219  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
220  "Gecko/20091221 Firefox/3.5.7\r\n"
221  "\r\n";
222  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
223  "Content-Type: text/html\r\n"
224  "Content-Length: 17\r\n"
225  "\r\n"
226  "1234567";
227  uint8_t http_buf3[] = "8901234ABC";
228  struct TestSteps steps[] = {
229  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
230  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
231  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
232  { NULL, 0, 0, 0 },
233  };
234 
235  const char *sig = "alert http any any -> any any "
236  "(msg:\"http server body test\"; "
237  "content:\"ABC\"; http_server_body; offset:14; "
238  "sid:1;)";
239  return RunTest(steps, sig, NULL);
240 }
241 
242 static int DetectEngineHttpServerBodyTest04(void)
243 {
244  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
245  "Host: www.openinfosecfoundation.org\r\n"
246  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
247  "Gecko/20091221 Firefox/3.5.7\r\n"
248  "\r\n";
249  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
250  "Content-Type: text/html\r\n"
251  "Content-Length: 6\r\n"
252  "\r\n"
253  "abcdef";
254  struct TestSteps steps[] = {
255  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
256  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
257  { NULL, 0, 0, 0 },
258  };
259  const char *sig = "alert http any any -> any any "
260  "(msg:\"http server body test\"; "
261  "content:!\"abc\"; http_server_body; offset:3; "
262  "sid:1;)";
263  return RunTest(steps, sig, NULL);
264 }
265 
266 static int DetectEngineHttpServerBodyTest05(void)
267 {
268  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
269  "Host: www.openinfosecfoundation.org\r\n"
270  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
271  "Gecko/20091221 Firefox/3.5.7\r\n"
272  "\r\n";
273  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
274  "Content-Type: text/html\r\n"
275  "Content-Length: 6\r\n"
276  "\r\n"
277  "abcdef";
278  struct TestSteps steps[] = {
279  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
280  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
281  { NULL, 0, 0, 0 },
282  };
283  const char *sig = "alert http any any -> any any "
284  "(msg:\"http server body test\"; "
285  "content:\"abc\"; http_server_body; depth:3; "
286  "sid:1;)";
287  return RunTest(steps, sig, NULL);
288 }
289 
290 static int DetectEngineHttpServerBodyTest06(void)
291 {
292  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
293  "Host: www.openinfosecfoundation.org\r\n"
294  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
295  "Gecko/20091221 Firefox/3.5.7\r\n"
296  "\r\n";
297  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
298  "Content-Type: text/html\r\n"
299  "Content-Length: 6\r\n"
300  "\r\n"
301  "abcdef";
302  struct TestSteps steps[] = {
303  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
304  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
305  { NULL, 0, 0, 0 },
306  };
307  const char *sig = "alert http any any -> any any "
308  "(msg:\"http server body test\"; "
309  "content:!\"def\"; http_server_body; depth:3; "
310  "sid:1;)";
311  return RunTest(steps, sig, NULL);
312 }
313 
314 static int DetectEngineHttpServerBodyTest07(void)
315 {
316  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
317  "Host: www.openinfosecfoundation.org\r\n"
318  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
319  "Gecko/20091221 Firefox/3.5.7\r\n"
320  "\r\n";
321  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
322  "Content-Type: text/html\r\n"
323  "Content-Length: 6\r\n"
324  "\r\n"
325  "abcdef";
326  struct TestSteps steps[] = {
327  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
328  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
329  { NULL, 0, 0, 0 },
330  };
331  const char *sig = "alert http any any -> any any "
332  "(msg:\"http server body test\"; "
333  "content:!\"def\"; http_server_body; offset:3; "
334  "sid:1;)";
335  return RunTest(steps, sig, NULL);
336 }
337 
338 static int DetectEngineHttpServerBodyTest08(void)
339 {
340  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
341  "Host: www.openinfosecfoundation.org\r\n"
342  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
343  "Gecko/20091221 Firefox/3.5.7\r\n"
344  "\r\n";
345  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
346  "Content-Type: text/html\r\n"
347  "Content-Length: 6\r\n"
348  "\r\n"
349  "abcdef";
350 
351  struct TestSteps steps[] = {
352  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
353  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
354  { NULL, 0, 0, 0 },
355  };
356  const char *sig = "alert http any any -> any any "
357  "(msg:\"http server body test\"; "
358  "content:!\"abc\"; http_server_body; depth:3; "
359  "sid:1;)";
360  return RunTest(steps, sig, NULL);
361 }
362 
363 static int DetectEngineHttpServerBodyTest09(void)
364 {
365  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
366  "Host: www.openinfosecfoundation.org\r\n"
367  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
368  "Gecko/20091221 Firefox/3.5.7\r\n"
369  "\r\n";
370  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
371  "Content-Type: text/html\r\n"
372  "Content-Length: 6\r\n"
373  "\r\n"
374  "abcdef";
375  struct TestSteps steps[] = {
376  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
377  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
378  { NULL, 0, 0, 0 },
379  };
380  const char *sig = "alert http any any -> any any "
381  "(msg:\"http server body test\"; "
382  "content:\"abc\"; http_server_body; depth:3; "
383  "content:\"def\"; http_server_body; within:3; "
384  "sid:1;)";
385  return RunTest(steps, sig, NULL);
386 }
387 
388 static int DetectEngineHttpServerBodyTest10(void)
389 {
390  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
391  "Host: www.openinfosecfoundation.org\r\n"
392  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
393  "Gecko/20091221 Firefox/3.5.7\r\n"
394  "\r\n";
395  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
396  "Content-Type: text/html\r\n"
397  "Content-Length: 6\r\n"
398  "\r\n"
399  "abcdef";
400  struct TestSteps steps[] = {
401  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
402  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
403  { NULL, 0, 0, 0 },
404  };
405  const char *sig = "alert http any any -> any any "
406  "(msg:\"http server body test\"; "
407  "content:\"abc\"; http_server_body; depth:3; "
408  "content:!\"xyz\"; http_server_body; within:3; "
409  "sid:1;)";
410  return RunTest(steps, sig, NULL);
411 }
412 
413 static int DetectEngineHttpServerBodyTest11(void)
414 {
415  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
416  "Host: www.openinfosecfoundation.org\r\n"
417  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
418  "Gecko/20091221 Firefox/3.5.7\r\n"
419  "\r\n";
420  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
421  "Content-Type: text/html\r\n"
422  "Content-Length: 6\r\n"
423  "\r\n"
424  "abcdef";
425  struct TestSteps steps[] = {
426  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
427  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
428  { NULL, 0, 0, 0 },
429  };
430  const char *sig = "alert http any any -> any any "
431  "(msg:\"http server body test\"; "
432  "content:\"abc\"; http_server_body; depth:3; "
433  "content:\"xyz\"; http_server_body; within:3; "
434  "sid:1;)";
435  return RunTest(steps, sig, NULL);
436 }
437 
438 static int DetectEngineHttpServerBodyTest12(void)
439 {
440  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
441  "Host: www.openinfosecfoundation.org\r\n"
442  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
443  "Gecko/20091221 Firefox/3.5.7\r\n"
444  "\r\n";
445  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
446  "Content-Type: text/html\r\n"
447  "Content-Length: 6\r\n"
448  "\r\n"
449  "abcdef";
450  struct TestSteps steps[] = {
451  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
452  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
453  { NULL, 0, 0, 0 },
454  };
455  const char *sig = "alert http any any -> any any "
456  "(msg:\"http server body test\"; "
457  "content:\"ab\"; http_server_body; depth:2; "
458  "content:\"ef\"; http_server_body; distance:2; "
459  "sid:1;)";
460  return RunTest(steps, sig, NULL);
461 }
462 
463 static int DetectEngineHttpServerBodyTest13(void)
464 {
465  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
466  "Host: www.openinfosecfoundation.org\r\n"
467  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
468  "Gecko/20091221 Firefox/3.5.7\r\n"
469  "\r\n";
470  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
471  "Content-Type: text/html\r\n"
472  "Content-Length: 6\r\n"
473  "\r\n"
474  "abcdef";
475  struct TestSteps steps[] = {
476  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
477  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
478  { NULL, 0, 0, 0 },
479  };
480  const char *sig = "alert http any any -> any any "
481  "(msg:\"http server body test\"; "
482  "content:\"ab\"; http_server_body; depth:3; "
483  "content:!\"yz\"; http_server_body; distance:2; "
484  "sid:1;)";
485  return RunTest(steps, sig, NULL);
486 }
487 
488 static int DetectEngineHttpServerBodyTest14(void)
489 {
490  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
491  "Host: www.openinfosecfoundation.org\r\n"
492  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
493  "Gecko/20091221 Firefox/3.5.7\r\n"
494  "\r\n";
495  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
496  "Content-Type: text/html\r\n"
497  "Content-Length: 6\r\n"
498  "\r\n"
499  "abcdef";
500  struct TestSteps steps[] = {
501  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
502  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
503  { NULL, 0, 0, 0 },
504  };
505  const char *sig = "alert http any any -> any any "
506  "(msg:\"http server body test\"; "
507  "pcre:/ab/Q; "
508  "content:\"ef\"; http_server_body; distance:2; "
509  "sid:1;)";
510  return RunTest(steps, sig, NULL);
511 }
512 
513 static int DetectEngineHttpServerBodyTest15(void)
514 {
515  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
516  "Host: www.openinfosecfoundation.org\r\n"
517  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
518  "Gecko/20091221 Firefox/3.5.7\r\n"
519  "\r\n";
520  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
521  "Content-Type: text/html\r\n"
522  "Content-Length: 6\r\n"
523  "\r\n"
524  "abcdef";
525  struct TestSteps steps[] = {
526  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
527  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
528  { NULL, 0, 0, 0 },
529  };
530  const char *sig = "alert http any any -> any any "
531  "(msg:\"http server body test\"; "
532  "pcre:/abc/Q; "
533  "content:!\"xyz\"; http_server_body; distance:0; within:3; "
534  "sid:1;)";
535  return RunTest(steps, sig, NULL);
536 }
537 
538 static int DetectEngineHttpServerBodyTest16(void)
539 {
540  char input[] = "\
541 %YAML 1.1\n\
542 ---\n\
543 libhtp:\n\
544 \n\
545  default-config:\n\
546  personality: IDS\n\
547  request-body-limit: 0\n\
548  response-body-limit: 0\n\
549 \n\
550  request-body-inspect-window: 0\n\
551  response-body-inspect-window: 0\n\
552  request-body-minimal-inspect-size: 0\n\
553  response-body-minimal-inspect-size: 0\n\
554 ";
555  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
556  "Host: www.openinfosecfoundation.org\r\n"
557  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
558  "Gecko/20091221 Firefox/3.5.7\r\n"
559  "\r\n";
560  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
561  "Content-Type: text/html\r\n"
562  "Content-Length: 17\r\n"
563  "\r\n"
564  "1234567";
565  uint8_t http_buf3[] = "8901234ABC";
566  struct TestSteps steps[] = {
567  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
568  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
569  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
570  { NULL, 0, 0, 0 },
571  };
572  const char *sig = "alert http any any -> any any ("
573  "content:\"890\"; within:3; http_server_body; "
574  "sid:1;)";
575  return RunTest(steps, sig, input);
576 }
577 
578 static int DetectEngineHttpServerBodyTest17(void)
579 {
580  char input[] = "\
581 %YAML 1.1\n\
582 ---\n\
583 libhtp:\n\
584 \n\
585  default-config:\n\
586  personality: IDS\n\
587  request-body-limit: 0\n\
588  response-body-limit: 0\n\
589 \n\
590  request-body-inspect-window: 0\n\
591  response-body-inspect-window: 0\n\
592  request-body-minimal-inspect-size: 0\n\
593  response-body-minimal-inspect-size: 0\n\
594 ";
595  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
596  "Host: www.openinfosecfoundation.org\r\n"
597  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
598  "Gecko/20091221 Firefox/3.5.7\r\n"
599  "\r\n";
600  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
601  "Content-Type: text/html\r\n"
602  "Content-Length: 17\r\n"
603  "\r\n"
604  "1234567";
605  uint8_t http_buf3[] = "8901234ABC";
606  struct TestSteps steps[] = {
607  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
608  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
609  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
610  { NULL, 0, 0, 0 },
611  };
612  const char *sig = "alert http any any -> any any ("
613  "content:\"890\"; depth:3; http_server_body; "
614  "sid:1;)";
615  return RunTest(steps, sig, input);
616 }
617 
618 /*
619  * gzip stream
620  */
621 static int DetectEngineHttpServerBodyTest18(void)
622 {
623  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
624  "Host: www.openinfosecfoundation.org\r\n"
625  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
626  "Gecko/20091221 Firefox/3.5.7\r\n"
627  "\r\n";
628  // clang-format off
629  uint8_t http_buf2[] = {
630  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
631  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
632  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
633  'g', 'z', 'i', 'p', 0x0d, 0x0a,
634  0x0d, 0x0a,
635  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
636  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
637  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
638  0x00, 0x00, 0x00,
639  };
640  // clang-format on
641  struct TestSteps steps[] = {
642  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
643  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
644  { NULL, 0, 0, 0 },
645  };
646  const char *sig = "alert http any any -> any any "
647  "(msg:\"http server body test\"; "
648  "content:\"file\"; http_server_body; "
649  "sid:1;)";
650  return RunTest(steps, sig, NULL);
651 }
652 
653 /*
654  * deflate stream
655  */
656 static int DetectEngineHttpServerBodyTest19(void)
657 {
658  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
659  "Host: www.openinfosecfoundation.org\r\n"
660  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
661  "Gecko/20091221 Firefox/3.5.7\r\n"
662  "\r\n";
663  // clang-format off
664  uint8_t http_buf2[] = {
665  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
666  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
667  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
668  'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
669  0x0d, 0x0a,
670  0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54, 0x85, 0xcc, 0x3c,
671  0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00,
672  };
673  // clang-format on
674  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
675  struct TestSteps steps[] = {
676  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
677  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
678  { NULL, 0, 0, 0 },
679  };
680  const char *sig = "alert http any any -> any any "
681  "(msg:\"http server body test\"; "
682  "content:\"file\"; http_server_body; "
683  "sid:1;)";
684  return RunTest(steps, sig, NULL);
685 }
686 
687 /*
688  * deflate stream with gzip set as content-encoding
689  */
690 static int DetectEngineHttpServerBodyTest20(void)
691 {
692  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
693  "Host: www.openinfosecfoundation.org\r\n"
694  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
695  "Gecko/20091221 Firefox/3.5.7\r\n"
696  "\r\n";
697  // clang-format off
698  uint8_t http_buf2[] = {
699  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
700  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
701  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
702  'g', 'z', 'i', 'p', 0x0d, 0x0a,
703  0x0d, 0x0a,
704  0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54, 0x85, 0xcc, 0x3c,
705  0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00,
706  };
707  // clang-format on
708  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
709  struct TestSteps steps[] = {
710  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
711  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
712  { NULL, 0, 0, 0 },
713  };
714  const char *sig = "alert http any any -> any any "
715  "(msg:\"http server body test\"; "
716  "content:\"file\"; http_server_body; "
717  "sid:1;)";
718  return RunTest(steps, sig, NULL);
719 }
720 
721 /*
722  * gzip stream with deflate set as content-encoding.
723  */
724 static int DetectEngineHttpServerBodyTest21(void)
725 {
726  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
727  "Host: www.openinfosecfoundation.org\r\n"
728  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
729  "Gecko/20091221 Firefox/3.5.7\r\n"
730  "\r\n";
731  // clang-format off
732  uint8_t http_buf2[] = {
733  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
734  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
735  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
736  'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
737  0x0d, 0x0a,
738  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
739  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
740  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
741  0x00, 0x00, 0x00,
742  };
743  // clang-format on
744  struct TestSteps steps[] = {
745  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
746  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
747  { NULL, 0, 0, 0 },
748  };
749  const char *sig = "alert http any any -> any any "
750  "(msg:\"http server body test\"; "
751  "content:\"file\"; http_server_body; "
752  "sid:1;)";
753  return RunTest(steps, sig, NULL);
754 }
755 
756 /*
757  * gzip stream.
758  * We have 2 content-encoding headers. First gzip and second deflate.
759  */
760 static int DetectEngineHttpServerBodyTest22(void)
761 {
762  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
763  "Host: www.openinfosecfoundation.org\r\n"
764  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
765  "Gecko/20091221 Firefox/3.5.7\r\n"
766  "\r\n";
767  // clang-format off
768  uint8_t http_buf2[] = {
769  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
770  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
771  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
772  'g', 'z', 'i', 'p', 0x0d, 0x0a,
773  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
774  'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
775  0x0d, 0x0a,
776  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
777  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
778  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
779  0x00, 0x00, 0x00,
780  };
781  // clang-format on
782  struct TestSteps steps[] = {
783  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
784  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
785  { NULL, 0, 0, 0 },
786  };
787  const char *sig = "alert http any any -> any any "
788  "(msg:\"http server body test\"; "
789  "content:\"file\"; http_server_body; "
790  "sid:1;)";
791  return RunTest(steps, sig, NULL);
792 }
793 
794 static int DetectEngineHttpServerBodyFileDataTest01(void)
795 {
796  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
797  "Host: www.openinfosecfoundation.org\r\n"
798  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
799  "Gecko/20091221 Firefox/3.5.7\r\n"
800  "\r\n";
801  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
802  "Content-Type: text/html\r\n"
803  "Content-Length: 6\r\n"
804  "\r\n"
805  "abcdef";
806  struct TestSteps steps[] = {
807  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
808  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
809  { NULL, 0, 0, 0 },
810  };
811  const char *sig = "alert http any any -> any any "
812  "(msg:\"http server body test\"; "
813  "file_data; pcre:/ab/; "
814  "content:\"ef\"; distance:2; "
815  "sid:1;)";
816  return RunTest(steps, sig, NULL);
817 }
818 
819 static int DetectEngineHttpServerBodyFileDataTest02(void)
820 {
821  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
822  "Host: www.openinfosecfoundation.org\r\n"
823  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
824  "Gecko/20091221 Firefox/3.5.7\r\n"
825  "\r\n";
826  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
827  "Content-Type: text/html\r\n"
828  "Content-Length: 6\r\n"
829  "\r\n"
830  "abcdef";
831  struct TestSteps steps[] = {
832  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
833  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
834  { NULL, 0, 0, 0 },
835  };
836  const char *sig = "alert http any any -> any any "
837  "(msg:\"http server body test\"; "
838  "file_data; pcre:/abc/; "
839  "content:!\"xyz\"; distance:0; within:3; "
840  "sid:1;)";
841  return RunTest(steps, sig, NULL);
842 }
843 
844 /* \test recursive relative byte test */
845 static int DetectEngineHttpServerBodyFileDataTest03(void)
846 {
847  TcpSession ssn;
848  Packet *p1 = NULL;
849  Packet *p2 = NULL;
850  ThreadVars th_v;
851  DetectEngineThreadCtx *det_ctx = NULL;
852  HtpState *http_state = NULL;
853  Flow f;
854  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
855  "Host: www.openinfosecfoundation.org\r\n"
856  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
857  "Gecko/20091221 Firefox/3.5.7\r\n"
858  "\r\n";
859  uint32_t http_len1 = sizeof(http_buf1) - 1;
860  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
861  "Content-Type: text/html\r\n"
862  "Content-Length: 33\r\n"
863  "\r\n"
864  "XYZ_klm_1234abcd_XYZ_klm_5678abcd";
865  uint32_t http_len2 = sizeof(http_buf2) - 1;
866  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
867 
868  memset(&th_v, 0, sizeof(th_v));
869  StatsThreadInit(&th_v.stats);
870  memset(&f, 0, sizeof(f));
871  memset(&ssn, 0, sizeof(ssn));
872 
873  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
874  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
875 
876  FLOW_INITIALIZE(&f);
877  f.protoctx = (void *)&ssn;
878  f.proto = IPPROTO_TCP;
879  f.flags |= FLOW_IPV4;
880 
881  p1->flow = &f;
882  p1->flowflags |= FLOW_PKT_TOSERVER;
883  p1->flowflags |= FLOW_PKT_ESTABLISHED;
884  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
885  p2->flow = &f;
886  p2->flowflags |= FLOW_PKT_TOCLIENT;
887  p2->flowflags |= FLOW_PKT_ESTABLISHED;
888  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
889  f.alproto = ALPROTO_HTTP1;
890 
891  StreamTcpInitConfig(true);
892 
893  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
894  FAIL_IF_NULL(de_ctx);
895  de_ctx->flags |= DE_QUIET;
896 
897  Signature *s = DetectEngineAppendSig(de_ctx,
898  "alert http any any -> any any "
899  "(msg:\"match on 1st\"; "
900  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
901  "distance:4; byte_test:4,=,1234,-8,relative,string;"
902  "sid:1;)");
903  FAIL_IF_NULL(s);
904  s = DetectEngineAppendSig(de_ctx,
905  "alert http any any -> any any "
906  "(msg:\"match on 2nd\"; "
907  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
908  "distance:4; byte_test:4,=,5678,-8,relative,string;"
909  "sid:2;)");
910  FAIL_IF_NULL(s);
911 
912  SigGroupBuild(de_ctx);
913  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
914 
915  int r = AppLayerParserParse(
916  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
917  FAIL_IF(r != 0);
918  http_state = f.alstate;
919  FAIL_IF_NULL(http_state);
920 
921  /* do detect */
922  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
923  FAIL_IF(PacketAlertCheck(p1, 1));
924 
925  r = AppLayerParserParse(
926  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
927  FAIL_IF(r != 0);
928 
929  /* do detect */
930  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
931 
932  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
933  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
934 
935  AppLayerParserThreadCtxFree(alp_tctx);
936  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
937  DetectEngineCtxFree(de_ctx);
938  StreamTcpFreeConfig(true);
939  FLOW_DESTROY(&f);
940  UTHFreePackets(&p1, 1);
941  UTHFreePackets(&p2, 1);
942  StatsThreadCleanup(&th_v.stats);
943  PASS;
944 }
945 
946 static int DetectEngineHttpServerBodyFileDataTest04(void)
947 {
948 
949  const char yaml[] = "\
950 %YAML 1.1\n\
951 ---\n\
952 libhtp:\n\
953 \n\
954  default-config:\n\
955 \n\
956  http-body-inline: yes\n\
957  response-body-minimal-inspect-size: 6\n\
958  response-body-inspect-window: 3\n\
959 ";
960 
961  struct TestSteps steps[] = {
962  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
963  "Host: www.openinfosecfoundation.org\r\n"
964  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
965  "Gecko/20091221 Firefox/3.5.7\r\n"
966  "\r\n",
967  0, STREAM_TOSERVER, 0 },
968  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
969  "Content-Type: text/html\r\n"
970  "Content-Length: 6\r\n"
971  "\r\n"
972  "ab",
973  0, STREAM_TOCLIENT, 0 },
974  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 1 },
975  { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 0 },
976  { NULL, 0, 0, 0 },
977  };
978 
979  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
980  return RunTest(steps, sig, yaml);
981 }
982 
983 static int DetectEngineHttpServerBodyFileDataTest05(void)
984 {
985 
986  const char yaml[] = "\
987 %YAML 1.1\n\
988 ---\n\
989 libhtp:\n\
990 \n\
991  default-config:\n\
992 \n\
993  http-body-inline: yes\n\
994  response-body-minimal-inspect-size: 6\n\
995  response-body-inspect-window: 3\n\
996 ";
997 
998  struct TestSteps steps[] = {
999  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1000  "Host: www.openinfosecfoundation.org\r\n"
1001  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1002  "Gecko/20091221 Firefox/3.5.7\r\n"
1003  "\r\n",
1004  0, STREAM_TOSERVER, 0 },
1005  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1006  "Content-Type: text/html\r\n"
1007  "Content-Length: 6\r\n"
1008  "\r\n"
1009  "ab",
1010  0, STREAM_TOCLIENT, 0 },
1011  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1012  { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 1 },
1013  { NULL, 0, 0, 0 },
1014  };
1015 
1016  const char *sig = "alert http any any -> any any (file_data; content:\"abcdef\"; sid:1;)";
1017  return RunTest(steps, sig, yaml);
1018 }
1019 
1020 static int DetectEngineHttpServerBodyFileDataTest06(void)
1021 {
1022 
1023  const char yaml[] = "\
1024 %YAML 1.1\n\
1025 ---\n\
1026 libhtp:\n\
1027 \n\
1028  default-config:\n\
1029 \n\
1030  http-body-inline: yes\n\
1031  response-body-minimal-inspect-size: 6\n\
1032  response-body-inspect-window: 3\n\
1033 ";
1034 
1035  struct TestSteps steps[] = {
1036  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1037  "Host: www.openinfosecfoundation.org\r\n"
1038  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1039  "Gecko/20091221 Firefox/3.5.7\r\n"
1040  "\r\n",
1041  0, STREAM_TOSERVER, 0 },
1042  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1043  "Content-Type: text/html\r\n"
1044  "Content-Length: 6\r\n"
1045  "\r\n"
1046  "ab",
1047  0, STREAM_TOCLIENT, 0 },
1048  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1049  { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 1 },
1050  { NULL, 0, 0, 0 },
1051  };
1052 
1053  const char *sig =
1054  "alert http any any -> any any (file_data; content:\"bcdef\"; offset:1; sid:1;)";
1055  return RunTest(steps, sig, yaml);
1056 }
1057 
1058 static int DetectEngineHttpServerBodyFileDataTest07(void)
1059 {
1060 
1061  const char yaml[] = "\
1062 %YAML 1.1\n\
1063 ---\n\
1064 libhtp:\n\
1065 \n\
1066  default-config:\n\
1067 \n\
1068  http-body-inline: yes\n\
1069  response-body-minimal-inspect-size: 6\n\
1070  response-body-inspect-window: 3\n\
1071 ";
1072 
1073  struct TestSteps steps[] = {
1074  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1075  "Host: www.openinfosecfoundation.org\r\n"
1076  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1077  "Gecko/20091221 Firefox/3.5.7\r\n"
1078  "\r\n",
1079  0, STREAM_TOSERVER, 0 },
1080  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1081  "Content-Type: text/html\r\n"
1082  "Content-Length: 13\r\n"
1083  "\r\n"
1084  "ab",
1085  0, STREAM_TOCLIENT, 0 },
1086  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 1 },
1087  { (const uint8_t *)"123456789", 0, STREAM_TOCLIENT, 0 },
1088  { NULL, 0, 0, 0 },
1089  };
1090 
1091  const char *sig =
1092  "alert http any any -> any any (file_data; content:\"bc\"; offset:1; depth:2; sid:1;)";
1093  return RunTest(steps, sig, yaml);
1094 }
1095 
1096 static int DetectEngineHttpServerBodyFileDataTest08(void)
1097 {
1098 
1099  const char yaml[] = "\
1100 %YAML 1.1\n\
1101 ---\n\
1102 libhtp:\n\
1103 \n\
1104  default-config:\n\
1105 \n\
1106  http-body-inline: yes\n\
1107  response-body-minimal-inspect-size: 6\n\
1108  response-body-inspect-window: 3\n\
1109 ";
1110 
1111  struct TestSteps steps[] = {
1112  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1113  "Host: www.openinfosecfoundation.org\r\n"
1114  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1115  "Gecko/20091221 Firefox/3.5.7\r\n"
1116  "\r\n",
1117  0, STREAM_TOSERVER, 0 },
1118  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1119  "Content-Type: text/html\r\n"
1120  "Content-Length: 14\r\n"
1121  "\r\n"
1122  "ab",
1123  0, STREAM_TOCLIENT, 0 },
1124  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1125  { (const uint8_t *)"1234567890", 0, STREAM_TOCLIENT, 1 },
1126  { NULL, 0, 0, 0 },
1127  };
1128 
1129  const char *sig =
1130  "alert http any any -> any any (file_data; content:\"d123456789\"; offset:3; sid:1;)";
1131  return RunTest(steps, sig, yaml);
1132 }
1133 
1134 static int DetectEngineHttpServerBodyFileDataTest09(void)
1135 {
1136 
1137  const char yaml[] = "\
1138 %YAML 1.1\n\
1139 ---\n\
1140 libhtp:\n\
1141 \n\
1142  default-config:\n\
1143 \n\
1144  http-body-inline: yes\n\
1145  response-body-minimal-inspect-size: 6\n\
1146  response-body-inspect-window: 3\n\
1147 ";
1148 
1149  struct TestSteps steps[] = {
1150  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1151  "Host: www.openinfosecfoundation.org\r\n"
1152  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1153  "Gecko/20091221 Firefox/3.5.7\r\n"
1154  "\r\n",
1155  0, STREAM_TOSERVER, 0 },
1156  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1157  "Content-Type: text/html\r\n"
1158  "Content-Length: 13\r\n"
1159  "\r\n"
1160  "ab",
1161  0, STREAM_TOCLIENT, 0 },
1162  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1163  { (const uint8_t *)"123456789", 0, STREAM_TOCLIENT, 1 },
1164  { NULL, 0, 0, 0 },
1165  };
1166 
1167  const char *sig =
1168  "alert http any any -> any any (file_data; content:\"abcd12\"; depth:6; sid:1;)";
1169  return RunTest(steps, sig, yaml);
1170 }
1171 
1172 static int DetectEngineHttpServerBodyFileDataTest10(void)
1173 {
1174 
1175  const char yaml[] = "\
1176 %YAML 1.1\n\
1177 ---\n\
1178 libhtp:\n\
1179 \n\
1180  default-config:\n\
1181 \n\
1182  http-body-inline: yes\n\
1183  response-body-minimal-inspect-size: 6\n\
1184  response-body-inspect-window: 3\n\
1185 ";
1186 
1187  struct TestSteps steps[] = {
1188  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1189  "Host: www.openinfosecfoundation.org\r\n"
1190  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1191  "Gecko/20091221 Firefox/3.5.7\r\n"
1192  "\r\n",
1193  0, STREAM_TOSERVER, 0 },
1194  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1195  "Content-Type: text/html\r\n"
1196  "Content-Length: 5\r\n"
1197  "\r\n"
1198  "ab",
1199  0, STREAM_TOCLIENT, 0 },
1200  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 1 },
1201  { (const uint8_t *)"de", 0, STREAM_TOCLIENT, 0 },
1202  { NULL, 0, 0, 0 },
1203  };
1204 
1205  const char *sig = "alert http any any -> any any (file_data; content:\"abc\"; depth:3; sid:1;)";
1206  return RunTest(steps, sig, yaml);
1207 }
1208 
1209 static int DetectEngineHttpServerBodyFileDataTest11(void)
1210 {
1211 
1212  const char yaml[] = "\
1213 %YAML 1.1\n\
1214 ---\n\
1215 libhtp:\n\
1216 \n\
1217  default-config:\n\
1218 \n\
1219  http-body-inline: yes\n\
1220  response-body-minimal-inspect-size: 6\n\
1221  response-body-inspect-window: 3\n\
1222 ";
1223 
1224  struct TestSteps steps[] = {
1225  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1226  "Host: www.openinfosecfoundation.org\r\n"
1227  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1228  "Gecko/20091221 Firefox/3.5.7\r\n"
1229  "\r\n",
1230  0, STREAM_TOSERVER, 0 },
1231  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1232  "Content-Type: text/html\r\n"
1233  "Content-Length: 5\r\n"
1234  "\r\n"
1235  "ab",
1236  0, STREAM_TOCLIENT, 0 },
1237  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1238  { (const uint8_t *)"de", 0, STREAM_TOCLIENT, 1 },
1239  { NULL, 0, 0, 0 },
1240  };
1241 
1242  const char *sig = "alert http any any -> any any (file_data; content:\"bcde\"; offset:1; "
1243  "depth:4; sid:1;)";
1244  return RunTest(steps, sig, yaml);
1245 }
1246 
1247 static int DetectEngineHttpServerBodyFileDataTest12(void)
1248 {
1249 
1250  const char yaml[] = "\
1251 %YAML 1.1\n\
1252 ---\n\
1253 libhtp:\n\
1254 \n\
1255  default-config:\n\
1256 \n\
1257  http-body-inline: yes\n\
1258  response-body-minimal-inspect-size: 6\n\
1259  response-body-inspect-window: 3\n\
1260 ";
1261 
1262  struct TestSteps steps[] = {
1263  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1264  "Host: www.openinfosecfoundation.org\r\n"
1265  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1266  "Gecko/20091221 Firefox/3.5.7\r\n"
1267  "\r\n",
1268  0, STREAM_TOSERVER, 0 },
1269  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1270  "Content-Type: text/html\r\n"
1271  "Content-Length: 13\r\n"
1272  "\r\n"
1273  "a",
1274  0, STREAM_TOCLIENT, 0 },
1275  { (const uint8_t *)"b", 0, STREAM_TOCLIENT, 0 },
1276  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1277  { (const uint8_t *)"d", 0, STREAM_TOCLIENT, 1 },
1278  { (const uint8_t *)"efghijklm", 0, STREAM_TOCLIENT, 0 },
1279  { NULL, 0, 0, 0 },
1280  };
1281 
1282  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
1283  return RunTest(steps, sig, yaml);
1284 }
1285 
1286 static int DetectEngineHttpServerBodyFileDataTest13(void)
1287 {
1288 
1289  const char yaml[] = "\
1290 %YAML 1.1\n\
1291 ---\n\
1292 libhtp:\n\
1293 \n\
1294  default-config:\n\
1295 \n\
1296  http-body-inline: yes\n\
1297  response-body-minimal-inspect-size: 9\n\
1298  response-body-inspect-window: 12\n\
1299 ";
1300 
1301  struct TestSteps steps[] = {
1302  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1303  "Host: www.openinfosecfoundation.org\r\n"
1304  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1305  "Gecko/20091221 Firefox/3.5.7\r\n"
1306  "\r\n",
1307  0, STREAM_TOSERVER, 0 },
1308  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1309  "Content-Type: text/html\r\n"
1310  "Content-Length: 13\r\n"
1311  "\r\n"
1312  "a",
1313  0, STREAM_TOCLIENT, 0 },
1314  { (const uint8_t *)"b", 0, STREAM_TOCLIENT, 0 },
1315  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1316  { (const uint8_t *)"d", 0, STREAM_TOCLIENT, 0 },
1317  { (const uint8_t *)"efghijklm", 0, STREAM_TOCLIENT, 1 },
1318  { NULL, 0, 0, 0 },
1319  };
1320 
1321  const char *sig =
1322  "alert http any any -> any any (file_data; content:\"abcdefghijklm\"; sid:1;)";
1323  return RunTest(steps, sig, yaml);
1324 }
1325 
1326 static int DetectEngineHttpServerBodyFileDataTest14(void)
1327 {
1328 
1329  const char yaml[] = "\
1330 %YAML 1.1\n\
1331 ---\n\
1332 libhtp:\n\
1333 \n\
1334  default-config:\n\
1335 \n\
1336  http-body-inline: yes\n\
1337  response-body-minimal-inspect-size: 9\n\
1338  response-body-inspect-window: 12\n\
1339 ";
1340 
1341  struct TestSteps steps[] = {
1342  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1343  "Host: www.openinfosecfoundation.org\r\n"
1344  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1345  "Gecko/20091221 Firefox/3.5.7\r\n"
1346  "\r\n",
1347  0, STREAM_TOSERVER, 0 },
1348  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1349  "Content-Type: text/html\r\n"
1350  "Content-Length: 20\r\n"
1351  "\r\n"
1352  "1234567890",
1353  0, STREAM_TOCLIENT, 0 },
1354  { (const uint8_t *)"abcdefghi", 0, STREAM_TOCLIENT, 1 },
1355  { NULL, 0, 0, 0 },
1356  };
1357 
1358  const char *sig = "alert http any any -> any any (file_data; content:\"890abcdefghi\"; sid:1;)";
1359  return RunTest(steps, sig, yaml);
1360 }
1361 
1362 static int DetectEngineHttpServerBodyFileDataTest15(void)
1363 {
1364 
1365  const char yaml[] = "\
1366 %YAML 1.1\n\
1367 ---\n\
1368 libhtp:\n\
1369 \n\
1370  default-config:\n\
1371 \n\
1372  http-body-inline: yes\n\
1373  response-body-minimal-inspect-size: 9\n\
1374  response-body-inspect-window: 12\n\
1375 ";
1376 
1377  struct TestSteps steps[] = {
1378  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1379  "Host: www.openinfosecfoundation.org\r\n"
1380  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1381  "Gecko/20091221 Firefox/3.5.7\r\n"
1382  "\r\n",
1383  0, STREAM_TOSERVER, 0 },
1384  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1385  "Content-Type: text/html\r\n"
1386  "Content-Length: 20\r\n"
1387  "\r\n"
1388  "1234567890",
1389  0, STREAM_TOCLIENT, 0 },
1390  { (const uint8_t *)"abcdefghi", 0, STREAM_TOCLIENT, 0 },
1391  { NULL, 0, 0, 0 },
1392  };
1393 
1394  const char *sig =
1395  "alert http any any -> any any (file_data; content:\"7890ab\"; depth:6; sid:1;)";
1396  return RunTest(steps, sig, yaml);
1397 }
1398 
1399 static int DetectEngineHttpServerBodyFileDataTest16(void)
1400 {
1401 
1402  const char yaml[] = "\
1403 %YAML 1.1\n\
1404 ---\n\
1405 libhtp:\n\
1406 \n\
1407  default-config:\n\
1408 \n\
1409  http-body-inline: yes\n\
1410  response-body-minimal-inspect-size: 9\n\
1411  response-body-inspect-window: 12\n\
1412 ";
1413 
1414  struct TestSteps steps[] = {
1415  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1416  "Host: www.openinfosecfoundation.org\r\n"
1417  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1418  "Gecko/20091221 Firefox/3.5.7\r\n"
1419  "\r\n",
1420  0, STREAM_TOSERVER, 0 },
1421  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1422  "Content-Type: text/html\r\n"
1423  "Content-Length: 20\r\n"
1424  "\r\n"
1425  "aaaab",
1426  0, STREAM_TOCLIENT, 0 },
1427  { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1428  { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1429  { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1430  { NULL, 0, 0, 0 },
1431  };
1432 
1433  const char *sig =
1434  "alert http any any -> any any (file_data; content:\"aabb\"; depth:4; sid:1;)";
1435  return RunTest(steps, sig, yaml);
1436 }
1437 
1438 static int DetectEngineHttpServerBodyFileDataTest17(void)
1439 {
1440 
1441  const char yaml[] = "\
1442 %YAML 1.1\n\
1443 ---\n\
1444 libhtp:\n\
1445 \n\
1446  default-config:\n\
1447 \n\
1448  http-body-inline: yes\n\
1449  response-body-minimal-inspect-size: 8\n\
1450  response-body-inspect-window: 4\n\
1451 ";
1452 
1453  struct TestSteps steps[] = {
1454  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1455  "Host: www.openinfosecfoundation.org\r\n"
1456  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1457  "Gecko/20091221 Firefox/3.5.7\r\n"
1458  "\r\n",
1459  0, STREAM_TOSERVER, 0 },
1460  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1461  "Content-Type: text/html\r\n"
1462  "Content-Length: 20\r\n"
1463  "\r\n"
1464  "aaaab",
1465  0, STREAM_TOCLIENT, 0 },
1466  { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1467  { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1468  { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1469  { NULL, 0, 0, 0 },
1470  };
1471 
1472  const char *sig =
1473  "alert http any any -> any any (file_data; content:\"bbbc\"; depth:4; sid:1;)";
1474  return RunTest(steps, sig, yaml);
1475 }
1476 
1477 static int DetectEngineHttpServerBodyFileDataTest18(void)
1478 {
1479 
1480  const char yaml[] = "\
1481 %YAML 1.1\n\
1482 ---\n\
1483 libhtp:\n\
1484 \n\
1485  default-config:\n\
1486 \n\
1487  http-body-inline: yes\n\
1488  response-body-minimal-inspect-size: 8\n\
1489  response-body-inspect-window: 4\n\
1490 ";
1491 
1492  struct TestSteps steps[] = {
1493  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1494  "Host: www.openinfosecfoundation.org\r\n"
1495  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1496  "Gecko/20091221 Firefox/3.5.7\r\n"
1497  "\r\n",
1498  0, STREAM_TOSERVER, 0 },
1499  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1500  "Content-Type: text/html\r\n"
1501  "Content-Length: 20\r\n"
1502  "\r\n"
1503  "aaaab",
1504  0, STREAM_TOCLIENT, 0 },
1505  { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1506  { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1507  { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1508  { NULL, 0, 0, 0 },
1509  };
1510 
1511  const char *sig =
1512  "alert http any any -> any any (file_data; content:\"bccd\"; depth:4; sid:1;)";
1513  return RunTest(steps, sig, yaml);
1514 }
1515 static int DetectEngineHttpServerBodyFileDataTest19(void)
1516 {
1517  char input[] = "\
1518 %YAML 1.1\n\
1519 ---\n\
1520 libhtp:\n\
1521 \n\
1522  default-config:\n\
1523 \n\
1524  swf-decompression:\n\
1525  enabled: yes\n\
1526  type: both\n\
1527  compress-depth: 0\n\
1528  decompress-depth: 0\n\
1529 ";
1530  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1531  "Host: www.openinfosecfoundation.org\r\n"
1532  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1533  "Gecko/20091221 Firefox/3.5.7\r\n"
1534  "\r\n";
1535  // clang-format off
1536  uint8_t http_buf2[] = {
1537  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1538  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
1539  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1540  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1541  0x0d, 0x0a,
1542  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1543  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1544  0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
1545  0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
1546  0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1547  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
1548  0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
1549  };
1550  // clang-format on
1551  struct TestSteps steps[] = {
1552  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1553  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1554  { NULL, 0, 0, 0 },
1555  };
1556  const char *sig = "alert tcp any any -> any any "
1557  "(flow:established,from_server; "
1558  "file_data; content:\"FWS\"; "
1559  "sid:1;)";
1560  return RunTest(steps, sig, input);
1561 }
1562 
1563 static int DetectEngineHttpServerBodyFileDataTest20(void)
1564 {
1565  char input[] = "\
1566 %YAML 1.1\n\
1567 ---\n\
1568 libhtp:\n\
1569 \n\
1570  default-config:\n\
1571 \n\
1572  swf-decompression:\n\
1573  enabled: no\n\
1574  type: both\n\
1575  compress-depth: 0\n\
1576  decompress-depth: 0\n\
1577 ";
1578  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1579  "Host: www.openinfosecfoundation.org\r\n"
1580  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1581  "Gecko/20091221 Firefox/3.5.7\r\n"
1582  "\r\n";
1583  // clang-format off
1584  uint8_t http_buf2[] = {
1585  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1586  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1587  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1588  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1589  0x0d, 0x0a,
1590  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1591  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1592  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1593  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1594  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1595  };
1596  // clang-format on
1597  struct TestSteps steps[] = {
1598  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1599  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1600  { NULL, 0, 0, 0 },
1601  };
1602  const char *sig = "alert tcp any any -> any any "
1603  "(flow:established,from_server; "
1604  "file_data; content:\"CWS\"; "
1605  "sid:1;)";
1606  return RunTest(steps, sig, input);
1607 }
1608 
1609 static int DetectEngineHttpServerBodyFileDataTest21(void)
1610 {
1611  char input[] = "\
1612 %YAML 1.1\n\
1613 ---\n\
1614 libhtp:\n\
1615 \n\
1616  default-config:\n\
1617 \n\
1618  swf-decompression:\n\
1619  enabled: yes\n\
1620  type: deflate\n\
1621  compress-depth: 0\n\
1622  decompress-depth: 0\n\
1623 ";
1624  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1625  "Host: www.openinfosecfoundation.org\r\n"
1626  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1627  "Gecko/20091221 Firefox/3.5.7\r\n"
1628  "\r\n";
1629  // clang-format off
1630  uint8_t http_buf2[] = {
1631  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1632  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1633  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1634  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1635  0x0d, 0x0a,
1636  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1637  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1638  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1639  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1640  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1641  };
1642  // clang-format on
1643  struct TestSteps steps[] = {
1644  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1645  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1646  { NULL, 0, 0, 0 },
1647  };
1648  const char *sig = "alert tcp any any -> any any "
1649  "(flow:established,from_server; "
1650  "file_data; content:\"FWS\"; "
1651  "sid:1;)";
1652  return RunTest(steps, sig, input);
1653 }
1654 
1655 static int DetectEngineHttpServerBodyFileDataTest22(void)
1656 {
1657  char input[] = "\
1658 %YAML 1.1\n\
1659 ---\n\
1660 libhtp:\n\
1661 \n\
1662  default-config:\n\
1663 \n\
1664  swf-decompression:\n\
1665  enabled: yes\n\
1666  type: lzma\n\
1667  compress-depth: 0\n\
1668  decompress-depth: 0\n\
1669 ";
1670  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1671  "Host: www.openinfosecfoundation.org\r\n"
1672  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1673  "Gecko/20091221 Firefox/3.5.7\r\n"
1674  "\r\n";
1675  // clang-format off
1676  uint8_t http_buf2[] = {
1677  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1678  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1679  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1680  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1681  0x0d, 0x0a,
1682  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1683  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1684  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1685  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1686  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1687  };
1688  // clang-format on
1689  struct TestSteps steps[] = {
1690  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1691  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1692  { NULL, 0, 0, 0 },
1693  };
1694  const char *sig = "alert tcp any any -> any any "
1695  "(flow:established,from_server; "
1696  "file_data; content:\"CWS\"; "
1697  "sid:1;)";
1698  return RunTest(steps, sig, input);
1699 }
1700 
1701 static int DetectEngineHttpServerBodyFileDataTest23(void)
1702 {
1703  char input[] = "\
1704 %YAML 1.1\n\
1705 ---\n\
1706 libhtp:\n\
1707 \n\
1708  default-config:\n\
1709 \n\
1710  swf-decompression:\n\
1711  enabled: yes\n\
1712  type: both\n\
1713  compress-depth: 0\n\
1714  decompress-depth: 0\n\
1715 ";
1716  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1717  "Host: www.openinfosecfoundation.org\r\n"
1718  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1719  "Gecko/20091221 Firefox/3.5.7\r\n"
1720  "\r\n";
1721  // clang-format off
1722  uint8_t http_buf2[] = {
1723  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1724  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1725  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1726  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1727  0x0d, 0x0a,
1728  0x43, 0x57, 0x53, 0x01, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1729  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1730  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1731  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1732  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1733  };
1734  // clang-format on
1735  struct TestSteps steps[] = {
1736  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1737  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1738  { NULL, 0, 0, 0 },
1739  };
1740  const char *sig = "alert tcp any any -> any any "
1741  "(flow:established,from_server; "
1742  "file_data; content:\"CWS\"; "
1743  "sid:1;)";
1744  return RunTest(steps, sig, input);
1745 }
1746 
1747 static int DetectEngineHttpServerBodyFileDataTest24(void)
1748 {
1749  char input[] = "\
1750 %YAML 1.1\n\
1751 ---\n\
1752 libhtp:\n\
1753 \n\
1754  default-config:\n\
1755 \n\
1756  swf-decompression:\n\
1757  enabled: yes\n\
1758  type: both\n\
1759  compress-depth: 0\n\
1760  decompress-depth: 0\n\
1761 ";
1762  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1763  "Host: www.openinfosecfoundation.org\r\n"
1764  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1765  "Gecko/20091221 Firefox/3.5.7\r\n"
1766  "\r\n";
1767  uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1768  0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1769  '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1770  ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1771  '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1772  0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1773  0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1774  0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1775  0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1776  0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1777  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1778  0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1779  struct TestSteps steps[] = {
1780  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1781  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1782  { NULL, 0, 0, 0 },
1783  };
1784  const char *sig = "alert tcp any any -> any any "
1785  "(flow:established,from_server; "
1786  "file_data; content:\"FWS\"; "
1787  "sid:1;)";
1788  return RunTest(steps, sig, input);
1789 }
1790 
1791 static int DetectEngineHttpServerBodyFileDataTest25(void)
1792 {
1793  char input[] = "\
1794 %YAML 1.1\n\
1795 ---\n\
1796 libhtp:\n\
1797 \n\
1798  default-config:\n\
1799 \n\
1800  swf-decompression:\n\
1801  enabled: no\n\
1802  type: both\n\
1803  compress-depth: 0\n\
1804  decompress-depth: 0\n\
1805 ";
1806  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1807  "Host: www.openinfosecfoundation.org\r\n"
1808  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1809  "Gecko/20091221 Firefox/3.5.7\r\n"
1810  "\r\n";
1811  uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1812  0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1813  '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1814  ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1815  '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1816  0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1817  0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1818  0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1819  0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1820  0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1821  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1822  0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1823  struct TestSteps steps[] = {
1824  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1825  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1826  { NULL, 0, 0, 0 },
1827  };
1828  const char *sig = "alert tcp any any -> any any "
1829  "(flow:established,from_server; "
1830  "file_data; content:\"ZWS\"; "
1831  "sid:1;)";
1832  return RunTest(steps, sig, input);
1833 }
1834 
1835 static int DetectEngineHttpServerBodyFileDataTest26(void)
1836 {
1837  char input[] = "\
1838 %YAML 1.1\n\
1839 ---\n\
1840 libhtp:\n\
1841 \n\
1842  default-config:\n\
1843 \n\
1844  swf-decompression:\n\
1845  enabled: yes\n\
1846  type: lzma\n\
1847  compress-depth: 0\n\
1848  decompress-depth: 0\n\
1849 ";
1850  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1851  "Host: www.openinfosecfoundation.org\r\n"
1852  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1853  "Gecko/20091221 Firefox/3.5.7\r\n"
1854  "\r\n";
1855  uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1856  0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1857  '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1858  ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1859  '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1860  0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1861  0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1862  0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1863  0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1864  0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1865  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1866  0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1867  struct TestSteps steps[] = {
1868  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1869  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1870  { NULL, 0, 0, 0 },
1871  };
1872  const char *sig = "alert tcp any any -> any any "
1873  "(flow:established,from_server; "
1874  "file_data; content:\"FWS\"; "
1875  "sid:1;)";
1876  return RunTest(steps, sig, input);
1877 }
1878 
1879 static int DetectEngineHttpServerBodyFileDataTest27(void)
1880 {
1881  char input[] = "\
1882 %YAML 1.1\n\
1883 ---\n\
1884 libhtp:\n\
1885 \n\
1886  default-config:\n\
1887 \n\
1888  swf-decompression:\n\
1889  enabled: yes\n\
1890  type: deflate\n\
1891  compress-depth: 0\n\
1892  decompress-depth: 0\n\
1893 ";
1894  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1895  "Host: www.openinfosecfoundation.org\r\n"
1896  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1897  "Gecko/20091221 Firefox/3.5.7\r\n"
1898  "\r\n";
1899  // clang-format off
1900  uint8_t http_buf2[] = {
1901  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1902  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1903  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1904  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1905  0x0d, 0x0a,
1906  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1907  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1908  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
1909  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
1910  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
1911  };
1912  // clang-format on
1913  struct TestSteps steps[] = {
1914  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1915  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1916  { NULL, 0, 0, 0 },
1917  };
1918  const char *sig = "alert tcp any any -> any any "
1919  "(flow:established,from_server; "
1920  "file_data; content:\"ZWS\"; "
1921  "sid:1;)";
1922  return RunTest(steps, sig, input);
1923 }
1924 
1925 static int DetectEngineHttpServerBodyFileDataTest28(void)
1926 {
1927  char input[] = "\
1928 %YAML 1.1\n\
1929 ---\n\
1930 libhtp:\n\
1931 \n\
1932  default-config:\n\
1933 \n\
1934  swf-decompression:\n\
1935  enabled: yes\n\
1936  type: both\n\
1937  compress-depth: 0\n\
1938  decompress-depth: 0\n\
1939 ";
1940  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1941  "Host: www.openinfosecfoundation.org\r\n"
1942  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1943  "Gecko/20091221 Firefox/3.5.7\r\n"
1944  "\r\n";
1945  // clang-format off
1946  uint8_t http_buf2[] = {
1947  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1948  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1949  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1950  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1951  0x0d, 0x0a,
1952  0x5a, 0x57, 0x53, 0x01, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1953  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1954  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
1955  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
1956  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
1957  };
1958  // clang-format on
1959  struct TestSteps steps[] = {
1960  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1961  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1962  { NULL, 0, 0, 0 },
1963  };
1964  const char *sig = "alert tcp any any -> any any "
1965  "(flow:established,from_server; "
1966  "file_data; content:\"ZWS\"; "
1967  "sid:1;)";
1968  return RunTest(steps, sig, input);
1969 }
1970 
1971 static int DetectEngineHttpServerBodyFileDataTest29(void)
1972 {
1973  char input[] = "\
1974 %YAML 1.1\n\
1975 ---\n\
1976 libhtp:\n\
1977 \n\
1978  default-config:\n\
1979 \n\
1980  swf-decompression:\n\
1981  enabled: yes\n\
1982  type: both\n\
1983  compress-depth: 1000\n\
1984  decompress-depth: 0\n\
1985 ";
1986  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1987  "Host: www.openinfosecfoundation.org\r\n"
1988  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1989  "Gecko/20091221 Firefox/3.5.7\r\n"
1990  "\r\n";
1991  // clang-format off
1992  uint8_t http_buf2[] = {
1993  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1994  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1995  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1996  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1997  0x0d, 0x0a,
1998  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1999  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
2000  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
2001  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
2002  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
2003  };
2004  // clang-format on
2005  struct TestSteps steps[] = {
2006  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2007  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
2008  { NULL, 0, 0, 0 },
2009  };
2010  const char *sig = "alert tcp any any -> any any "
2011  "(flow:established,from_server; "
2012  "file_data; content:\"FWS\"; "
2013  "sid:1;)";
2014  return RunTest(steps, sig, input);
2015 }
2016 
2017 /**
2018  *\test Test that the http_server_body content matches against a http request
2019  * which holds the content.
2020  */
2021 static int DetectHttpServerBodyTest06(void)
2022 {
2023  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2024  "Host: www.openinfosecfoundation.org\r\n"
2025  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2026  "Gecko/20091221 Firefox/3.5.7\r\n"
2027  "\r\n";
2028  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2029  "Content-Type: text/html\r\n"
2030  "Content-Length: 7\r\n"
2031  "\r\n"
2032  "message";
2033  struct TestSteps steps[] = {
2034  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2035  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2036  { NULL, 0, 0, 0 },
2037  };
2038  const char *sig = "alert http any any -> any any "
2039  "(msg:\"http server body test\"; "
2040  "content:\"message\"; http_server_body; "
2041  "sid:1;)";
2042  return RunTest(steps, sig, NULL);
2043 }
2044 
2045 /**
2046  *\test Test that the http_server_body content matches against a http request
2047  * which holds the content.
2048  */
2049 static int DetectHttpServerBodyTest07(void)
2050 {
2051  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2052  "Host: www.openinfosecfoundation.org\r\n"
2053  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2054  "Gecko/20091221 Firefox/3.5.7\r\n"
2055  "\r\n";
2056  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2057  "Content-Type: text/html\r\n"
2058  "Content-Length: 14\r\n"
2059  "\r\n";
2060  uint8_t http_buf3[] = "message";
2061  struct TestSteps steps[] = {
2062  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2063  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2064  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT | STREAM_EOF, 1 },
2065  { NULL, 0, 0, 0 },
2066  };
2067  const char *sig = "alert http any any -> any any "
2068  "(msg:\"http server body test\"; "
2069  "content:\"message\"; http_server_body; "
2070  "sid:1;)";
2071  return RunTest(steps, sig, NULL);
2072 }
2073 
2074 /**
2075  *\test Test that the http_server_body content matches against a http request
2076  * which holds the content.
2077  */
2078 static int DetectHttpServerBodyTest08(void)
2079 {
2080  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2081  "Host: www.openinfosecfoundation.org\r\n"
2082  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2083  "Gecko/20091221 Firefox/3.5.7\r\n"
2084  "\r\n";
2085  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2086  "Content-Type: text/html\r\n"
2087  "Content-Length: 14\r\n"
2088  "\r\n"
2089  "bigmes";
2090  uint8_t http_buf3[] = "sage4u!!";
2091  struct TestSteps steps[] = {
2092  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2093  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2094  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2095  { NULL, 0, 0, 0 },
2096  };
2097  const char *sig = "alert http any any -> any any "
2098  "(msg:\"http client body test\"; "
2099  "content:\"message\"; http_server_body; "
2100  "sid:1;)";
2101  return RunTest(steps, sig, NULL);
2102 }
2103 
2104 /**
2105  *\test Test that the http_server_body content matches against a http request
2106  * which holds the content.
2107  */
2108 static int DetectHttpServerBodyTest09(void)
2109 {
2110  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2111  "Host: www.openinfosecfoundation.org\r\n"
2112  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2113  "Gecko/20091221 Firefox/3.5.7\r\n"
2114  "\r\n";
2115  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2116  "Content-Type: text/html\r\n"
2117  "Content-Length: 14\r\n"
2118  "\r\n"
2119  "bigmes";
2120  uint8_t http_buf3[] = "sag";
2121  uint8_t http_buf4[] = "e4u!!";
2122  struct TestSteps steps[] = {
2123  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2124  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2125  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2126  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2127  { NULL, 0, 0, 0 },
2128  };
2129  const char *sig = "alert http any any -> any any "
2130  "(msg:\"http client body test\"; "
2131  "content:\"message\"; http_server_body; "
2132  "sid:1;)";
2133  return RunTest(steps, sig, NULL);
2134 }
2135 
2136 /**
2137  *\test Test that the http_server_body content matches against a http request
2138  * which holds the content. Case insensitive.
2139  */
2140 static int DetectHttpServerBodyTest10(void)
2141 {
2142  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2143  "Host: www.openinfosecfoundation.org\r\n"
2144  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2145  "Gecko/20091221 Firefox/3.5.7\r\n"
2146  "\r\n";
2147  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2148  "Content-Type: text/html\r\n"
2149  "Content-Length: 14\r\n"
2150  "\r\n"
2151  "bigmes";
2152  uint8_t http_buf3[] = "sag";
2153  uint8_t http_buf4[] =
2154  "e4u!!";
2155  struct TestSteps steps[] = {
2156  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2157  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2158  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2159  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2160  { NULL, 0, 0, 0 },
2161  };
2162  const char *sig = "alert http any any -> any any "
2163  "(msg:\"http client body test\"; "
2164  "content:\"MeSSaGE\"; http_server_body; nocase; "
2165  "sid:1;)";
2166  return RunTest(steps, sig, NULL);
2167 }
2168 
2169 /**
2170  *\test Test that the http_server_body content matches against a http request
2171  * which holds the content. Negated match.
2172  */
2173 static int DetectHttpServerBodyTest11(void)
2174 {
2175  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2176  "Host: www.openinfosecfoundation.org\r\n"
2177  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2178  "Gecko/20091221 Firefox/3.5.7\r\n"
2179  "\r\n";
2180  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2181  "Content-Type: text/html\r\n"
2182  "Content-Length: 14\r\n"
2183  "\r\n";
2184  uint8_t http_buf3[] = "bigmessage4u!!";
2185  struct TestSteps steps[] = {
2186  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2187  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2188  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2189  { NULL, 0, 0, 0 },
2190  };
2191  const char *sig = "alert http any any -> any any "
2192  "(msg:\"http client body test\"; "
2193  "content:!\"MaSSaGE\"; http_server_body; nocase; "
2194  "sid:1;)";
2195  return RunTest(steps, sig, NULL);
2196 }
2197 
2198 /**
2199  *\test Test that the http_server_body content matches against a http request
2200  * which holds the content. Negated match.
2201  */
2202 static int DetectHttpServerBodyTest12(void)
2203 {
2204  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2205  "Host: www.openinfosecfoundation.org\r\n"
2206  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2207  "Gecko/20091221 Firefox/3.5.7\r\n"
2208  "\r\n";
2209  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2210  "Content-Type: text/html\r\n"
2211  "Content-Length: 14\r\n"
2212  "\r\n";
2213  uint8_t http_buf3[] = "bigmessage4u!!";
2214  struct TestSteps steps[] = {
2215  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2216  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2217  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2218  { NULL, 0, 0, 0 },
2219  };
2220  const char *sig = "alert http any any -> any any "
2221  "(msg:\"http client body test\"; "
2222  "content:!\"MeSSaGE\"; http_server_body; nocase; "
2223  "sid:1;)";
2224  return RunTest(steps, sig, NULL);
2225 }
2226 
2227 static int DetectHttpServerBodyTest13(void)
2228 {
2229  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2230  "Host: www.openinfosecfoundation.org\r\n"
2231  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2232  "Gecko/20091221 Firefox/3.5.7\r\n"
2233  "\r\n";
2234  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2235  "Content-Type: text/html\r\n"
2236  "Content-Length: 55\r\n"
2237  "\r\n"
2238  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
2239  struct TestSteps steps[] = {
2240  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2241  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2242  { NULL, 0, 0, 0 },
2243  };
2244  const char *sig = "alert http any any -> any any "
2245  "(msg:\"http server body test\"; "
2246  "content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; "
2247  "http_server_body; "
2248  "sid:1;)";
2249  return RunTest(steps, sig, NULL);
2250 }
2251 
2252 /** \test multiple http transactions and body chunks of request handling */
2253 static int DetectHttpServerBodyTest14(void)
2254 {
2255  DetectEngineThreadCtx *det_ctx = NULL;
2256  ThreadVars th_v;
2257  Flow f;
2258  TcpSession ssn;
2259  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2260  "User-Agent: Mozilla/1.0\r\n"
2261  "Host: www.openinfosecfoundation.org\r\n"
2262  "Connection: keep-alive\r\n"
2263  "Cookie: dummy1\r\n\r\n";
2264  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2265  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2266  "Content-Type: text/html\r\n"
2267  "Content-Length: 3\r\n"
2268  "\r\n"
2269  "one";
2270  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2271  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2272  "User-Agent: Firefox/1.0\r\n"
2273  "Host: www.openinfosecfoundation.org\r\n"
2274  "Connection: keep-alive\r\n"
2275  "Cookie: dummy2\r\n\r\n";
2276  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2277  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2278  "Content-Type: text/html\r\n"
2279  "Content-Length: 3\r\n"
2280  "\r\n"
2281  "two";
2282  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2283 
2284  memset(&th_v, 0, sizeof(th_v));
2285  StatsThreadInit(&th_v.stats);
2286  memset(&f, 0, sizeof(f));
2287  memset(&ssn, 0, sizeof(ssn));
2288 
2289  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2290  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2291 
2292  FLOW_INITIALIZE(&f);
2293  f.protoctx = (void *)&ssn;
2294  f.proto = IPPROTO_TCP;
2295  f.flags |= FLOW_IPV4;
2296 
2297  p->flow = &f;
2298  p->flowflags |= FLOW_PKT_TOCLIENT;
2299  p->flowflags |= FLOW_PKT_ESTABLISHED;
2300  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2301  f.alproto = ALPROTO_HTTP1;
2302 
2303  StreamTcpInitConfig(true);
2304 
2305  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2306  FAIL_IF_NULL(de_ctx);
2307  de_ctx->flags |= DE_QUIET;
2308 
2309  Signature *s = DetectEngineAppendSig(de_ctx,
2310  "alert tcp any any -> any any (flow:established,to_client; "
2311  "content:\"one\"; http_server_body; sid:1; rev:1;)");
2312  FAIL_IF_NULL(s);
2313  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2314  "content:\"two\"; http_server_body; sid:2; rev:1;)");
2315  FAIL_IF_NULL(s);
2316 
2317  SigGroupBuild(de_ctx);
2318  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2319 
2320  SCLogDebug("add chunk 1");
2321  int r = AppLayerParserParse(
2322  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2323  FAIL_IF(r != 0);
2324 
2325  SCLogDebug("add chunk 2");
2326 
2327  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2328  FAIL_IF(r != 0);
2329 
2330  SCLogDebug("inspect chunk 1");
2331 
2332  /* do detect */
2333  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2334  FAIL_IF(!(PacketAlertCheck(p, 1)));
2335  p->alerts.cnt = 0;
2336 
2337  SCLogDebug("add chunk 3");
2338 
2339  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2340  FAIL_IF(r != 0);
2341 
2342  SCLogDebug("add chunk 4");
2343 
2344  r = AppLayerParserParse(
2345  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2346  FAIL_IF(r != 0);
2347 
2348  SCLogDebug("inspect chunk 4");
2349 
2350  /* do detect */
2351  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2352  FAIL_IF((PacketAlertCheck(p, 1)));
2353  FAIL_IF(!(PacketAlertCheck(p, 2)));
2354  p->alerts.cnt = 0;
2355 
2356  HtpState *htp_state = f.alstate;
2357  FAIL_IF_NULL(htp_state);
2358  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
2359 
2360  UTHFreePacket(p);
2361  FLOW_DESTROY(&f);
2362 
2363  AppLayerParserThreadCtxFree(alp_tctx);
2364  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2365  DetectEngineCtxFree(de_ctx);
2366  StreamTcpFreeConfig(true);
2367  StatsThreadCleanup(&th_v.stats);
2368  PASS;
2369 }
2370 
2371 static int DetectHttpServerBodyTest15(void)
2372 {
2373  DetectEngineThreadCtx *det_ctx = NULL;
2374  ThreadVars th_v;
2375  Flow f;
2376  TcpSession ssn;
2377  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2378  "User-Agent: Mozilla/1.0\r\n"
2379  "Host: www.openinfosecfoundation.org\r\n"
2380  "Connection: keep-alive\r\n"
2381  "Cookie: dummy1\r\n\r\n";
2382  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2383  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2384  "Content-Type: text/html\r\n"
2385  "Content-Length: 3\r\n"
2386  "\r\n"
2387  "one";
2388  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2389  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2390  "User-Agent: Firefox/1.0\r\n"
2391  "Host: www.openinfosecfoundation.org\r\n"
2392  "Connection: keep-alive\r\n"
2393  "Cookie: dummy2\r\n\r\n";
2394  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2395  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2396  "Content-Type: text/html\r\n"
2397  "Content-Length: 3\r\n"
2398  "\r\n"
2399  "two";
2400  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2401 
2402  memset(&th_v, 0, sizeof(th_v));
2403  StatsThreadInit(&th_v.stats);
2404  memset(&f, 0, sizeof(f));
2405  memset(&ssn, 0, sizeof(ssn));
2406 
2407  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2408  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2409 
2410  FLOW_INITIALIZE(&f);
2411  f.protoctx = (void *)&ssn;
2412  f.proto = IPPROTO_TCP;
2413  f.flags |= FLOW_IPV4;
2414 
2415  p->flow = &f;
2416  p->flowflags |= FLOW_PKT_TOCLIENT;
2417  p->flowflags |= FLOW_PKT_ESTABLISHED;
2418  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2419  f.alproto = ALPROTO_HTTP1;
2420 
2421  StreamTcpInitConfig(true);
2422 
2423  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2424  FAIL_IF_NULL(de_ctx);
2425  de_ctx->flags |= DE_QUIET;
2426 
2427  Signature *s = DetectEngineAppendSig(de_ctx,
2428  "alert tcp any any -> any any (flow:established,to_client; "
2429  "content:\"one\"; http_server_body; sid:1; rev:1;)");
2430  FAIL_IF_NULL(s);
2431  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2432  "content:\"two\"; http_server_body; sid:2; rev:1;)");
2433  FAIL_IF_NULL(s);
2434 
2435  SigGroupBuild(de_ctx);
2436  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2437 
2438  int r = AppLayerParserParse(
2439  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2440  FAIL_IF(r != 0);
2441 
2442  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2443  FAIL_IF(r != 0);
2444 
2445  /* do detect */
2446  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2447  FAIL_IF(!(PacketAlertCheck(p, 1)));
2448  FAIL_IF(PacketAlertCheck(p, 2));
2449  p->alerts.cnt = 0;
2450 
2451  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2452  FAIL_IF(r != 0);
2453 
2454  r = AppLayerParserParse(
2455  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2456  FAIL_IF(r != 0);
2457 
2458  /* do detect */
2459  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2460  FAIL_IF((PacketAlertCheck(p, 1)));
2461  FAIL_IF(!(PacketAlertCheck(p, 2)));
2462  p->alerts.cnt = 0;
2463 
2464  HtpState *htp_state = f.alstate;
2465  FAIL_IF_NULL(htp_state);
2466  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
2467 
2468  UTHFreePacket(p);
2469  FLOW_DESTROY(&f);
2470 
2471  AppLayerParserThreadCtxFree(alp_tctx);
2472  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2473  DetectEngineCtxFree(de_ctx);
2474  StreamTcpFreeConfig(true);
2475  StatsThreadCleanup(&th_v.stats);
2476  PASS;
2477 }
2478 
2479 /**
2480  *\test Test that the http_server_body content matches against a http request
2481  * which holds the content.
2482  */
2483 static int DetectHttpServerBodyFileDataTest01(void)
2484 {
2485  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2486  "Host: www.openinfosecfoundation.org\r\n"
2487  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2488  "Gecko/20091221 Firefox/3.5.7\r\n"
2489  "\r\n";
2490  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2491  "Content-Type: text/html\r\n"
2492  "Content-Length: 7\r\n"
2493  "\r\n"
2494  "message";
2495  struct TestSteps steps[] = {
2496  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2497  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2498  { NULL, 0, 0, 0 },
2499  };
2500  const char *sig = "alert http any any -> any any "
2501  "(msg:\"http server body test\"; "
2502  "file_data; content:\"message\"; "
2503  "sid:1;)";
2504  return RunTest(steps, sig, NULL);
2505 }
2506 
2507 /**
2508  *\test Test that the http_server_body content matches against a http request
2509  * which holds the content.
2510  */
2511 static int DetectHttpServerBodyFileDataTest02(void)
2512 {
2513  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2514  "Host: www.openinfosecfoundation.org\r\n"
2515  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2516  "Gecko/20091221 Firefox/3.5.7\r\n"
2517  "\r\n";
2518  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2519  "Content-Type: text/html\r\n"
2520  "Content-Length: 14\r\n"
2521  "\r\n";
2522  uint8_t http_buf3[] = "message";
2523  struct TestSteps steps[] = {
2524  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2525  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2526  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT | STREAM_EOF, 1 },
2527  { NULL, 0, 0, 0 },
2528  };
2529  const char *sig = "alert http any any -> any any "
2530  "(msg:\"http server body test\"; "
2531  "file_data; content:\"message\"; "
2532  "sid:1;)";
2533  return RunTest(steps, sig, NULL);
2534 }
2535 
2536 /**
2537  *\test Test that the http_server_body content matches against a http request
2538  * which holds the content.
2539  */
2540 static int DetectHttpServerBodyFileDataTest03(void)
2541 {
2542  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2543  "Host: www.openinfosecfoundation.org\r\n"
2544  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2545  "Gecko/20091221 Firefox/3.5.7\r\n"
2546  "\r\n";
2547  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2548  "Content-Type: text/html\r\n"
2549  "Content-Length: 14\r\n"
2550  "\r\n"
2551  "bigmes";
2552  uint8_t http_buf3[] = "sage4u!!";
2553  struct TestSteps steps[] = {
2554  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2555  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2556  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2557  { NULL, 0, 0, 0 },
2558  };
2559  const char *sig = "alert http any any -> any any "
2560  "(msg:\"http server body test\"; "
2561  "file_data; content:\"message\"; "
2562  "sid:1;)";
2563  return RunTest(steps, sig, NULL);
2564 }
2565 
2566 /**
2567  *\test Test that the http_server_body content matches against a http request
2568  * which holds the content.
2569  */
2570 static int DetectHttpServerBodyFileDataTest04(void)
2571 {
2572  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2573  "Host: www.openinfosecfoundation.org\r\n"
2574  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2575  "Gecko/20091221 Firefox/3.5.7\r\n"
2576  "\r\n";
2577  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2578  "Content-Type: text/html\r\n"
2579  "Content-Length: 14\r\n"
2580  "\r\n"
2581  "bigmes";
2582  uint8_t http_buf3[] = "sag";
2583  uint8_t http_buf4[] = "e4u!!";
2584  struct TestSteps steps[] = {
2585  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2586  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2587  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2588  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2589  { NULL, 0, 0, 0 },
2590  };
2591  const char *sig = "alert http any any -> any any "
2592  "(msg:\"http server body test\"; "
2593  "file_data; content:\"message\"; "
2594  "sid:1;)";
2595  return RunTest(steps, sig, NULL);
2596 }
2597 
2598 /**
2599  *\test Test that the http_server_body content matches against a http request
2600  * which holds the content. Case insensitive.
2601  */
2602 static int DetectHttpServerBodyFileDataTest05(void)
2603 {
2604  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2605  "Host: www.openinfosecfoundation.org\r\n"
2606  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2607  "Gecko/20091221 Firefox/3.5.7\r\n"
2608  "\r\n";
2609  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2610  "Content-Type: text/html\r\n"
2611  "Content-Length: 14\r\n"
2612  "\r\n"
2613  "bigmes";
2614  uint8_t http_buf3[] = "sag";
2615  uint8_t http_buf4[] = "e4u!!";
2616  struct TestSteps steps[] = {
2617  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2618  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2619  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2620  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2621  { NULL, 0, 0, 0 },
2622  };
2623  const char *sig = "alert http any any -> any any "
2624  "(msg:\"http client body test\"; "
2625  "file_data; content:\"MeSSaGE\"; nocase; "
2626  "sid:1;)";
2627  return RunTest(steps, sig, NULL);
2628 }
2629 
2630 /**
2631  *\test Test that the http_server_body content matches against a http request
2632  * which holds the content. Negated match.
2633  */
2634 static int DetectHttpServerBodyFileDataTest06(void)
2635 {
2636  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2637  "Host: www.openinfosecfoundation.org\r\n"
2638  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2639  "Gecko/20091221 Firefox/3.5.7\r\n"
2640  "\r\n";
2641  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2642  "Content-Type: text/html\r\n"
2643  "Content-Length: 14\r\n"
2644  "\r\n";
2645  uint8_t http_buf3[] = "bigmessage4u!!";
2646  struct TestSteps steps[] = {
2647  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2648  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2649  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2650  { NULL, 0, 0, 0 },
2651  };
2652  const char *sig = "alert http any any -> any any "
2653  "(msg:\"http file_data test\"; "
2654  "file_data; content:!\"MaSSaGE\"; nocase; "
2655  "sid:1;)";
2656  return RunTest(steps, sig, NULL);
2657 }
2658 
2659 /**
2660  *\test Test that the http_server_body content matches against a http request
2661  * which holds the content. Negated match.
2662  */
2663 static int DetectHttpServerBodyFileDataTest07(void)
2664 {
2665  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2666  "Host: www.openinfosecfoundation.org\r\n"
2667  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2668  "Gecko/20091221 Firefox/3.5.7\r\n"
2669  "\r\n";
2670  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2671  "Content-Type: text/html\r\n"
2672  "Content-Length: 14\r\n"
2673  "\r\n";
2674  uint8_t http_buf3[] = "bigmessage4u!!";
2675  struct TestSteps steps[] = {
2676  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2677  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2678  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2679  { NULL, 0, 0, 0 },
2680  };
2681  const char *sig = "alert http any any -> any any "
2682  "(msg:\"http file_data test\"; "
2683  "file_data; content:!\"MeSSaGE\"; nocase; "
2684  "sid:1;)";
2685  return RunTest(steps, sig, NULL);
2686 }
2687 
2688 static int DetectHttpServerBodyFileDataTest08(void)
2689 {
2690  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2691  "Host: www.openinfosecfoundation.org\r\n"
2692  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2693  "Gecko/20091221 Firefox/3.5.7\r\n"
2694  "\r\n";
2695  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2696  "Content-Type: text/html\r\n"
2697  "Content-Length: 55\r\n"
2698  "\r\n"
2699  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
2700  struct TestSteps steps[] = {
2701  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2702  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2703  { NULL, 0, 0, 0 },
2704  };
2705  const char *sig =
2706  "alert http any any -> any any "
2707  "(msg:\"http server body test\"; "
2708  "file_data; content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; "
2709  "sid:1;)";
2710  return RunTest(steps, sig, NULL);
2711 }
2712 
2713 /** \test multiple http transactions and body chunks of request handling */
2714 static int DetectHttpServerBodyFileDataTest09(void)
2715 {
2716  DetectEngineThreadCtx *det_ctx = NULL;
2717  ThreadVars th_v;
2718  Flow f;
2719  TcpSession ssn;
2720  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2721  "User-Agent: Mozilla/1.0\r\n"
2722  "Host: www.openinfosecfoundation.org\r\n"
2723  "Connection: keep-alive\r\n"
2724  "Cookie: dummy1\r\n\r\n";
2725  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2726  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2727  "Content-Type: text/html\r\n"
2728  "Content-Length: 3\r\n"
2729  "\r\n"
2730  "one";
2731  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2732  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2733  "User-Agent: Firefox/1.0\r\n"
2734  "Host: www.openinfosecfoundation.org\r\n"
2735  "Connection: keep-alive\r\n"
2736  "Cookie: dummy2\r\n\r\n";
2737  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2738  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2739  "Content-Type: text/html\r\n"
2740  "Content-Length: 3\r\n"
2741  "\r\n"
2742  "two";
2743  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2744 
2745  memset(&th_v, 0, sizeof(th_v));
2746  StatsThreadInit(&th_v.stats);
2747  memset(&f, 0, sizeof(f));
2748  memset(&ssn, 0, sizeof(ssn));
2749 
2750  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2751  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2752 
2753  FLOW_INITIALIZE(&f);
2754  f.protoctx = (void *)&ssn;
2755  f.proto = IPPROTO_TCP;
2756  f.flags |= FLOW_IPV4;
2757 
2758  p->flow = &f;
2759  p->flowflags |= FLOW_PKT_TOCLIENT;
2760  p->flowflags |= FLOW_PKT_ESTABLISHED;
2761  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2762  f.alproto = ALPROTO_HTTP1;
2763 
2764  StreamTcpInitConfig(true);
2765 
2766  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2767  FAIL_IF_NULL(de_ctx);
2768  de_ctx->flags |= DE_QUIET;
2769 
2770  Signature *s = DetectEngineAppendSig(de_ctx,
2771  "alert tcp any any -> any any (flow:established,to_client; file_data; "
2772  "content:\"one\"; sid:1; rev:1;)");
2773  FAIL_IF_NULL(s);
2774  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
2775  FAIL_IF_NULL(s);
2776 
2777  SigGroupBuild(de_ctx);
2778  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2779 
2780  int r = AppLayerParserParse(
2781  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2782  FAIL_IF(r != 0);
2783 
2784  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2785  FAIL_IF(r != 0);
2786 
2787  /* do detect */
2788  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2789  FAIL_IF(!(PacketAlertCheck(p, 1)));
2790  p->alerts.cnt = 0;
2791 
2792  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2793  FAIL_IF(r != 0);
2794 
2795  r = AppLayerParserParse(
2796  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2797  FAIL_IF(r != 0);
2798 
2799  /* do detect */
2800  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2801  FAIL_IF((PacketAlertCheck(p, 1)));
2802  FAIL_IF(!(PacketAlertCheck(p, 2)));
2803 
2804  HtpState *htp_state = f.alstate;
2805  FAIL_IF_NULL(htp_state);
2806  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
2807 
2808  UTHFreePacket(p);
2809  FLOW_DESTROY(&f);
2810 
2811  AppLayerParserThreadCtxFree(alp_tctx);
2812  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2813  DetectEngineCtxFree(de_ctx);
2814  StreamTcpFreeConfig(true);
2815  StatsThreadCleanup(&th_v.stats);
2816  PASS;
2817 }
2818 
2819 static int DetectHttpServerBodyFileDataTest10(void)
2820 {
2821  DetectEngineThreadCtx *det_ctx = NULL;
2822  ThreadVars th_v;
2823  Flow f;
2824  TcpSession ssn;
2825  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2826  "User-Agent: Mozilla/1.0\r\n"
2827  "Host: www.openinfosecfoundation.org\r\n"
2828  "Connection: keep-alive\r\n"
2829  "Cookie: dummy1\r\n\r\n";
2830  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2831  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2832  "Content-Type: text/html\r\n"
2833  "Content-Length: 3\r\n"
2834  "\r\n"
2835  "one";
2836  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2837  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2838  "User-Agent: Firefox/1.0\r\n"
2839  "Host: www.openinfosecfoundation.org\r\n"
2840  "Connection: keep-alive\r\n"
2841  "Cookie: dummy2\r\n\r\n";
2842  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2843  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2844  "Content-Type: text/html\r\n"
2845  "Content-Length: 3\r\n"
2846  "\r\n"
2847  "two";
2848  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2849 
2850  memset(&th_v, 0, sizeof(th_v));
2851  StatsThreadInit(&th_v.stats);
2852  memset(&f, 0, sizeof(f));
2853  memset(&ssn, 0, sizeof(ssn));
2854 
2855  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2856  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2857 
2858  FLOW_INITIALIZE(&f);
2859  f.protoctx = (void *)&ssn;
2860  f.proto = IPPROTO_TCP;
2861  f.flags |= FLOW_IPV4;
2862 
2863  p->flow = &f;
2864  p->flowflags |= FLOW_PKT_TOCLIENT;
2865  p->flowflags |= FLOW_PKT_ESTABLISHED;
2866  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2867  f.alproto = ALPROTO_HTTP1;
2868 
2869  StreamTcpInitConfig(true);
2870 
2871  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2872  FAIL_IF_NULL(de_ctx);
2873  de_ctx->flags |= DE_QUIET;
2874 
2875  Signature *s = DetectEngineAppendSig(de_ctx,
2876  "alert tcp any any -> any any (flow:established,to_client; file_data; "
2877  "content:\"one\"; sid:1; rev:1;)");
2878  FAIL_IF_NULL(s);
2879  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
2880  FAIL_IF_NULL(s);
2881 
2882  SigGroupBuild(de_ctx);
2883  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2884 
2885  int r = AppLayerParserParse(
2886  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2887  FAIL_IF(r != 0);
2888 
2889  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2890  FAIL_IF(r != 0);
2891 
2892  /* do detect */
2893  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2894  FAIL_IF(!(PacketAlertCheck(p, 1)));
2895  p->alerts.cnt = 0;
2896 
2897  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2898  FAIL_IF(r != 0);
2899 
2900  r = AppLayerParserParse(
2901  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2902  FAIL_IF(r != 0);
2903 
2904  /* do detect */
2905  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2906  FAIL_IF((PacketAlertCheck(p, 1)));
2907  FAIL_IF(!(PacketAlertCheck(p, 2)));
2908 
2909  HtpState *htp_state = f.alstate;
2910  FAIL_IF_NULL(htp_state);
2911  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
2912 
2913  UTHFreePacket(p);
2914  FLOW_DESTROY(&f);
2915 
2916  AppLayerParserThreadCtxFree(alp_tctx);
2917  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2918  DetectEngineCtxFree(de_ctx);
2919  StreamTcpFreeConfig(true);
2920  StatsThreadCleanup(&th_v.stats);
2921  PASS;
2922 }
2923 
2924 void DetectHttpServerBodyRegisterTests(void)
2925 {
2926  UtRegisterTest("DetectHttpServerBodyParserTest01", DetectHttpServerBodyParserTest01);
2927  UtRegisterTest("DetectHttpServerBodyParserTest02", DetectHttpServerBodyParserTest02);
2928 
2929  UtRegisterTest("DetectHttpServerBodyTest06", DetectHttpServerBodyTest06);
2930  UtRegisterTest("DetectHttpServerBodyTest07", DetectHttpServerBodyTest07);
2931  UtRegisterTest("DetectHttpServerBodyTest08", DetectHttpServerBodyTest08);
2932  UtRegisterTest("DetectHttpServerBodyTest09", DetectHttpServerBodyTest09);
2933  UtRegisterTest("DetectHttpServerBodyTest10", DetectHttpServerBodyTest10);
2934  UtRegisterTest("DetectHttpServerBodyTest11", DetectHttpServerBodyTest11);
2935  UtRegisterTest("DetectHttpServerBodyTest12", DetectHttpServerBodyTest12);
2936  UtRegisterTest("DetectHttpServerBodyTest13", DetectHttpServerBodyTest13);
2937  UtRegisterTest("DetectHttpServerBodyTest14", DetectHttpServerBodyTest14);
2938  UtRegisterTest("DetectHttpServerBodyTest15", DetectHttpServerBodyTest15);
2939 
2940  UtRegisterTest("DetectHttpServerBodyFileDataTest01",
2941  DetectHttpServerBodyFileDataTest01);
2942  UtRegisterTest("DetectHttpServerBodyFileDataTest02",
2943  DetectHttpServerBodyFileDataTest02);
2944  UtRegisterTest("DetectHttpServerBodyFileDataTest03",
2945  DetectHttpServerBodyFileDataTest03);
2946  UtRegisterTest("DetectHttpServerBodyFileDataTest04",
2947  DetectHttpServerBodyFileDataTest04);
2948  UtRegisterTest("DetectHttpServerBodyFileDataTest05",
2949  DetectHttpServerBodyFileDataTest05);
2950  UtRegisterTest("DetectHttpServerBodyFileDataTest06",
2951  DetectHttpServerBodyFileDataTest06);
2952  UtRegisterTest("DetectHttpServerBodyFileDataTest07",
2953  DetectHttpServerBodyFileDataTest07);
2954  UtRegisterTest("DetectHttpServerBodyFileDataTest08",
2955  DetectHttpServerBodyFileDataTest08);
2956  UtRegisterTest("DetectHttpServerBodyFileDataTest09",
2957  DetectHttpServerBodyFileDataTest09);
2958  UtRegisterTest("DetectHttpServerBodyFileDataTest10",
2959  DetectHttpServerBodyFileDataTest10);
2960 
2961  UtRegisterTest("DetectEngineHttpServerBodyTest01",
2962  DetectEngineHttpServerBodyTest01);
2963  UtRegisterTest("DetectEngineHttpServerBodyTest02",
2964  DetectEngineHttpServerBodyTest02);
2965  UtRegisterTest("DetectEngineHttpServerBodyTest03",
2966  DetectEngineHttpServerBodyTest03);
2967  UtRegisterTest("DetectEngineHttpServerBodyTest04",
2968  DetectEngineHttpServerBodyTest04);
2969  UtRegisterTest("DetectEngineHttpServerBodyTest05",
2970  DetectEngineHttpServerBodyTest05);
2971  UtRegisterTest("DetectEngineHttpServerBodyTest06",
2972  DetectEngineHttpServerBodyTest06);
2973  UtRegisterTest("DetectEngineHttpServerBodyTest07",
2974  DetectEngineHttpServerBodyTest07);
2975  UtRegisterTest("DetectEngineHttpServerBodyTest08",
2976  DetectEngineHttpServerBodyTest08);
2977  UtRegisterTest("DetectEngineHttpServerBodyTest09",
2978  DetectEngineHttpServerBodyTest09);
2979  UtRegisterTest("DetectEngineHttpServerBodyTest10",
2980  DetectEngineHttpServerBodyTest10);
2981  UtRegisterTest("DetectEngineHttpServerBodyTest11",
2982  DetectEngineHttpServerBodyTest11);
2983  UtRegisterTest("DetectEngineHttpServerBodyTest12",
2984  DetectEngineHttpServerBodyTest12);
2985  UtRegisterTest("DetectEngineHttpServerBodyTest13",
2986  DetectEngineHttpServerBodyTest13);
2987  UtRegisterTest("DetectEngineHttpServerBodyTest14",
2988  DetectEngineHttpServerBodyTest14);
2989  UtRegisterTest("DetectEngineHttpServerBodyTest15",
2990  DetectEngineHttpServerBodyTest15);
2991  UtRegisterTest("DetectEngineHttpServerBodyTest16",
2992  DetectEngineHttpServerBodyTest16);
2993  UtRegisterTest("DetectEngineHttpServerBodyTest17",
2994  DetectEngineHttpServerBodyTest17);
2995  UtRegisterTest("DetectEngineHttpServerBodyTest18",
2996  DetectEngineHttpServerBodyTest18);
2997  UtRegisterTest("DetectEngineHttpServerBodyTest19",
2998  DetectEngineHttpServerBodyTest19);
2999  UtRegisterTest("DetectEngineHttpServerBodyTest20",
3000  DetectEngineHttpServerBodyTest20);
3001  UtRegisterTest("DetectEngineHttpServerBodyTest21",
3002  DetectEngineHttpServerBodyTest21);
3003  UtRegisterTest("DetectEngineHttpServerBodyTest22",
3004  DetectEngineHttpServerBodyTest22);
3005 
3006  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest01",
3007  DetectEngineHttpServerBodyFileDataTest01);
3008  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest02",
3009  DetectEngineHttpServerBodyFileDataTest02);
3010  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest03",
3011  DetectEngineHttpServerBodyFileDataTest03);
3012  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest04",
3013  DetectEngineHttpServerBodyFileDataTest04);
3014  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest05",
3015  DetectEngineHttpServerBodyFileDataTest05);
3016  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest06",
3017  DetectEngineHttpServerBodyFileDataTest06);
3018  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest07",
3019  DetectEngineHttpServerBodyFileDataTest07);
3020  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest08",
3021  DetectEngineHttpServerBodyFileDataTest08);
3022  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest09",
3023  DetectEngineHttpServerBodyFileDataTest09);
3024  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest10",
3025  DetectEngineHttpServerBodyFileDataTest10);
3026  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest11",
3027  DetectEngineHttpServerBodyFileDataTest11);
3028  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest12",
3029  DetectEngineHttpServerBodyFileDataTest12);
3030  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest13",
3031  DetectEngineHttpServerBodyFileDataTest13);
3032  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest14",
3033  DetectEngineHttpServerBodyFileDataTest14);
3034  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest15",
3035  DetectEngineHttpServerBodyFileDataTest15);
3036  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest16",
3037  DetectEngineHttpServerBodyFileDataTest16);
3038  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest17",
3039  DetectEngineHttpServerBodyFileDataTest17);
3040  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest18",
3041  DetectEngineHttpServerBodyFileDataTest18);
3042 
3043  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest19",
3044  DetectEngineHttpServerBodyFileDataTest19);
3045  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest20",
3046  DetectEngineHttpServerBodyFileDataTest20);
3047  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest21",
3048  DetectEngineHttpServerBodyFileDataTest21);
3049  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest22",
3050  DetectEngineHttpServerBodyFileDataTest22);
3051  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest23",
3052  DetectEngineHttpServerBodyFileDataTest23);
3053  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest24",
3054  DetectEngineHttpServerBodyFileDataTest24);
3055  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest25",
3056  DetectEngineHttpServerBodyFileDataTest25);
3057  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest26",
3058  DetectEngineHttpServerBodyFileDataTest26);
3059  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest27",
3060  DetectEngineHttpServerBodyFileDataTest27);
3061  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest28",
3062  DetectEngineHttpServerBodyFileDataTest28);
3063  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest29",
3064  DetectEngineHttpServerBodyFileDataTest29);
3065 }
TestSteps
Definition: detect-http-client-body.c:107
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:535
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition: util-unittest-helper.c:917
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
TestSteps::direction
int direction
Definition: detect-http-client-body.c:110
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
TestSteps::input
const uint8_t * input
Definition: detect-http-client-body.c:108
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:287
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2418
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3447
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:620
HTPConfigure
void HTPConfigure(void)
Definition: app-layer-htp.c:2351
HtpState_
Definition: app-layer-htp.h:181
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SCConfInit
void SCConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:496
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
TestSteps::expect
int expect
Definition: detect-http-client-body.c:111
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
HtpConfigCreateBackup
void HtpConfigCreateBackup(void)
Definition: app-layer-htp.c:2687
DetectEngineThreadCtx_
Definition: detect.h:1245
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:267
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:262
Packet_
Definition: decode.h:501
SCConfCreateContextBackup
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:684
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1258
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:867
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1277
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3601
SCConfDeInit
void SCConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:703
HtpConfigRestoreBackup
void HtpConfigRestoreBackup(void)
Definition: app-layer-htp.c:2692
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
SCConfRestoreContextBackup
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:694
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:935
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
HTPFreeConfig
void HTPFreeConfig(void)
Clears the HTTP server configuration memory used by HTP library.
Definition: app-layer-htp.c:1591
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
DetectHttpServerBodyRegisterTests
void DetectHttpServerBodyRegisterTests(void)
Definition: detect-http-server-body.c:2924
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1354
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1088
TestSteps::input_size
size_t input_size
Definition: detect-http-client-body.c:109
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456