suricata
detect-http-server-body.c
Go to the documentation of this file.
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <giuseppe@glongo.it>
22  *
23  * Tests for the hsbd with swf files
24  */
25 
26 #include "../suricata-common.h"
27 #include "../conf-yaml-loader.h"
28 #include "../decode.h"
29 #include "../flow.h"
30 #include "../detect.h"
31 
32 /**
33  * \test Test parser accepting valid rules and rejecting invalid rules
34  */
35 static int DetectHttpServerBodyParserTest01(void)
36 {
37  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", true));
38  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)", true));
39  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)", true));
40  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)", true));
41  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)", true));
42 
43  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)", false));
44  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http_server_body; sid:1;)", false));
45  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", false));
46  PASS;
47 }
48 
49 /**
50  * \test Test parser accepting valid rules and rejecting invalid rules
51  */
52 static int DetectHttpServerBodyParserTest02(void)
53 {
54  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", true));
55  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)", true));
56  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)", true));
57  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)", true));
58  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
59  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; bsize:10; sid:1;)", true));
60 
61  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)", false));
62  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http.response_body; sid:1;)", false));
63  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", false));
64  PASS;
65 }
66 struct TestSteps {
67  const uint8_t *input;
68  size_t input_size; /**< if 0 strlen will be used */
69  int direction; /**< STREAM_TOSERVER, STREAM_TOCLIENT */
70  int expect;
71 };
72 
73 static int RunTest(struct TestSteps *steps, const char *sig, const char *yaml)
74 {
75  TcpSession ssn;
76  Flow f;
77  ThreadVars th_v;
78  DetectEngineThreadCtx *det_ctx = NULL;
80  FAIL_IF_NULL(alp_tctx);
81 
82  memset(&th_v, 0, sizeof(th_v));
83  memset(&f, 0, sizeof(f));
84  memset(&ssn, 0, sizeof(ssn));
85 
86  if (yaml) {
88  ConfInit();
90 
91  ConfYamlLoadString(yaml, strlen(yaml));
92  HTPConfigure();
94  }
95 
97 
99  FAIL_IF_NULL(de_ctx);
100  de_ctx->flags |= DE_QUIET;
101 
102  FLOW_INITIALIZE(&f);
103  f.protoctx = (void *)&ssn;
104  f.proto = IPPROTO_TCP;
105  f.flags |= FLOW_IPV4;
106  f.alproto = ALPROTO_HTTP;
107 
108  SCLogDebug("sig %s", sig);
109  Signature *s = DetectEngineAppendSig(de_ctx, (char *)sig);
110  FAIL_IF_NULL(s);
111 
112  SigGroupBuild(de_ctx);
113  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
114  FAIL_IF_NULL(det_ctx);
115 
116  struct TestSteps *b = steps;
117  int i = 0;
118  while (b->input != NULL) {
119  SCLogDebug("chunk %p %d", b, i);
120  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
121  FAIL_IF_NULL(p);
122  p->flow = &f;
126 
127  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
128  b->direction, (uint8_t *)b->input,
129  b->input_size ? b->input_size : strlen((const char *)b->input));
130  FAIL_IF_NOT(r == 0);
131 
132  /* do detect */
133  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
134 
135  int match = PacketAlertCheck(p, 1);
136  FAIL_IF_NOT(b->expect == match);
137 
138  UTHFreePackets(&p, 1);
139  b++;
140  i++;
141  }
142 
143  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
144  AppLayerParserThreadCtxFree(alp_tctx);
145  DetectEngineCtxFree(de_ctx);
146 
148  FLOW_DESTROY(&f);
149 
150  if (yaml) {
154  }
155  PASS;
156 }
157 
158 static int DetectEngineHttpServerBodyTest01(void)
159 {
160  TcpSession ssn;
161  Packet *p1 = NULL;
162  Packet *p2 = NULL;
163  ThreadVars th_v;
164  DetectEngineCtx *de_ctx = NULL;
165  DetectEngineThreadCtx *det_ctx = NULL;
166  HtpState *http_state = NULL;
167  Flow f;
168  uint8_t http_buf1[] =
169  "GET /index.html HTTP/1.0\r\n"
170  "Host: www.openinfosecfoundation.org\r\n"
171  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
172  "\r\n";
173  uint32_t http_len1 = sizeof(http_buf1) - 1;
174  uint8_t http_buf2[] =
175  "HTTP/1.0 200 ok\r\n"
176  "Content-Type: text/html\r\n"
177  "Content-Length: 7\r\n"
178  "\r\n"
179  "message";
180  uint32_t http_len2 = sizeof(http_buf2) - 1;
181  int result = 0;
183 
184  memset(&th_v, 0, sizeof(th_v));
185  memset(&f, 0, sizeof(f));
186  memset(&ssn, 0, sizeof(ssn));
187 
188  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
189  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
190 
191  FLOW_INITIALIZE(&f);
192  f.protoctx = (void *)&ssn;
193  f.proto = IPPROTO_TCP;
194  f.flags |= FLOW_IPV4;
195 
196  p1->flow = &f;
200  p2->flow = &f;
204  f.alproto = ALPROTO_HTTP;
205 
207 
208  de_ctx = DetectEngineCtxInit();
209  if (de_ctx == NULL)
210  goto end;
211 
212  de_ctx->flags |= DE_QUIET;
213 
214  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
215  "(msg:\"http server body test\"; "
216  "content:\"message\"; http_server_body; "
217  "sid:1;)");
218  if (de_ctx->sig_list == NULL)
219  goto end;
220 
221  SigGroupBuild(de_ctx);
222  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
223 
224  FLOWLOCK_WRLOCK(&f);
225  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
226  STREAM_TOSERVER, http_buf1, http_len1);
227  if (r != 0) {
228  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
229  result = 0;
230  FLOWLOCK_UNLOCK(&f);
231  goto end;
232  }
233  FLOWLOCK_UNLOCK(&f);
234 
235  http_state = f.alstate;
236  if (http_state == NULL) {
237  printf("no http state: \n");
238  result = 0;
239  goto end;
240  }
241 
242  /* do detect */
243  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
244 
245  if ((PacketAlertCheck(p1, 1))) {
246  printf("sid 1 matched but shouldn't have\n");
247  goto end;
248  }
249 
250  FLOWLOCK_WRLOCK(&f);
251  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
252  STREAM_TOCLIENT, http_buf2, http_len2);
253  if (r != 0) {
254  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
255  result = 0;
256  FLOWLOCK_UNLOCK(&f);
257  goto end;
258  }
259  FLOWLOCK_UNLOCK(&f);
260 
261  /* do detect */
262  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
263 
264  if (!(PacketAlertCheck(p2, 1))) {
265  printf("sid 1 didn't match but should have");
266  goto end;
267  }
268 
269  result = 1;
270 
271 end:
272  if (alp_tctx != NULL)
273  AppLayerParserThreadCtxFree(alp_tctx);
274  if (de_ctx != NULL)
275  DetectEngineCtxFree(de_ctx);
276 
278  FLOW_DESTROY(&f);
279  UTHFreePackets(&p1, 1);
280  UTHFreePackets(&p2, 1);
281  return result;
282 }
283 
284 static int DetectEngineHttpServerBodyTest02(void)
285 {
286  TcpSession ssn;
287  Packet *p1 = NULL;
288  ThreadVars th_v;
289  DetectEngineCtx *de_ctx = NULL;
290  DetectEngineThreadCtx *det_ctx = NULL;
291  HtpState *http_state = NULL;
292  Flow f;
293  uint8_t http_buf1[] =
294  "GET /index.html HTTP/1.0\r\n"
295  "Host: www.openinfosecfoundation.org\r\n"
296  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
297  "\r\n";
298  uint32_t http_len1 = sizeof(http_buf1) - 1;
299  uint8_t http_buf2[] =
300  "HTTP/1.0 200 ok\r\n"
301  "Content-Type: text/html\r\n"
302  "Content-Length: 7\r\n"
303  "\r\n"
304  "xxxxABC";
305  uint32_t http_len2 = sizeof(http_buf2) - 1;
306  int result = 0;
308 
309  memset(&th_v, 0, sizeof(th_v));
310  memset(&f, 0, sizeof(f));
311  memset(&ssn, 0, sizeof(ssn));
312 
313  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
314 
315  FLOW_INITIALIZE(&f);
316  f.protoctx = (void *)&ssn;
317  f.proto = IPPROTO_TCP;
318  f.flags |= FLOW_IPV4;
319 
320  p1->flow = &f;
324  f.alproto = ALPROTO_HTTP;
325 
327 
328  de_ctx = DetectEngineCtxInit();
329  if (de_ctx == NULL)
330  goto end;
331 
332  de_ctx->flags |= DE_QUIET;
333 
334  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
335  "(msg:\"http server body test\"; "
336  "content:\"ABC\"; http_server_body; offset:4; "
337  "sid:1;)");
338  if (de_ctx->sig_list == NULL)
339  goto end;
340 
341  SigGroupBuild(de_ctx);
342  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
343 
344  FLOWLOCK_WRLOCK(&f);
345  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
346  STREAM_TOSERVER, http_buf1, http_len1);
347  if (r != 0) {
348  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
349  result = 0;
350  FLOWLOCK_UNLOCK(&f);
351  goto end;
352  }
353  FLOWLOCK_UNLOCK(&f);
354 
355  FLOWLOCK_WRLOCK(&f);
356  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
357  STREAM_TOCLIENT, http_buf2, http_len2);
358  if (r != 0) {
359  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
360  result = 0;
361  FLOWLOCK_UNLOCK(&f);
362  goto end;
363  }
364  FLOWLOCK_UNLOCK(&f);
365 
366  http_state = f.alstate;
367  if (http_state == NULL) {
368  printf("no http state: \n");
369  result = 0;
370  goto end;
371  }
372 
373  /* do detect */
374  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
375 
376  if (!(PacketAlertCheck(p1, 1))) {
377  printf("sid 1 didn't match but should have\n");
378  goto end;
379  }
380 
381  result = 1;
382 
383 end:
384  if (alp_tctx != NULL)
385  AppLayerParserThreadCtxFree(alp_tctx);
386  if (de_ctx != NULL)
387  DetectEngineCtxFree(de_ctx);
388 
390  FLOW_DESTROY(&f);
391  UTHFreePackets(&p1, 1);
392  return result;
393 }
394 
395 static int DetectEngineHttpServerBodyTest03(void)
396 {
397  TcpSession ssn;
398  Packet *p1 = NULL;
399  Packet *p2 = NULL;
400  ThreadVars th_v;
401  DetectEngineCtx *de_ctx = NULL;
402  DetectEngineThreadCtx *det_ctx = NULL;
403  HtpState *http_state = NULL;
404  Flow f;
405  int result = 0;
406  uint8_t http_buf1[] =
407  "GET /index.html HTTP/1.0\r\n"
408  "Host: www.openinfosecfoundation.org\r\n"
409  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
410  "\r\n";
411  uint32_t http_len1 = sizeof(http_buf1) - 1;
412  uint8_t http_buf2[] =
413  "HTTP/1.0 200 ok\r\n"
414  "Content-Type: text/html\r\n"
415  "Content-Length: 17\r\n"
416  "\r\n"
417  "1234567";
418  uint32_t http_len2 = sizeof(http_buf2) - 1;
419  uint8_t http_buf3[] =
420  "8901234ABC";
421  uint32_t http_len3 = sizeof(http_buf3) - 1;
423 
424  memset(&th_v, 0, sizeof(th_v));
425  memset(&f, 0, sizeof(f));
426  memset(&ssn, 0, sizeof(ssn));
427 
428  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
429  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
430 
431  FLOW_INITIALIZE(&f);
432  f.protoctx = (void *)&ssn;
433  f.proto = IPPROTO_TCP;
434  f.flags |= FLOW_IPV4;
435 
436  p1->flow = &f;
440  p2->flow = &f;
444  f.alproto = ALPROTO_HTTP;
445 
447 
448  de_ctx = DetectEngineCtxInit();
449  if (de_ctx == NULL)
450  goto end;
451 
452  de_ctx->flags |= DE_QUIET;
453 
454  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
455  "(msg:\"http server body test\"; "
456  "content:\"ABC\"; http_server_body; offset:14; "
457  "sid:1;)");
458  if (de_ctx->sig_list == NULL)
459  goto end;
460 
461  SigGroupBuild(de_ctx);
462  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
463 
464  FLOWLOCK_WRLOCK(&f);
465  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
466  STREAM_TOSERVER, http_buf1, http_len1);
467  if (r != 0) {
468  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
469  result = 0;
470  FLOWLOCK_UNLOCK(&f);
471  goto end;
472  }
473  FLOWLOCK_UNLOCK(&f);
474 
475  http_state = f.alstate;
476  if (http_state == NULL) {
477  printf("no http state: \n");
478  result = 0;
479  goto end;
480  }
481 
482  /* do detect */
483  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
484 
485  if (PacketAlertCheck(p1, 1)) {
486  printf("sid 1 matched but shouldn't have\n");
487  goto end;
488  }
489 
490  FLOWLOCK_WRLOCK(&f);
491  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
492  STREAM_TOCLIENT, http_buf2, http_len2);
493  if (r != 0) {
494  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
495  result = 0;
496  FLOWLOCK_UNLOCK(&f);
497  goto end;
498  }
499  FLOWLOCK_UNLOCK(&f);
500 
501  FLOWLOCK_WRLOCK(&f);
502  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
503  STREAM_TOCLIENT, http_buf3, http_len3);
504  if (r != 0) {
505  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
506  result = 0;
507  FLOWLOCK_UNLOCK(&f);
508  goto end;
509  }
510  FLOWLOCK_UNLOCK(&f);
511 
512  /* do detect */
513  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
514 
515  if (!(PacketAlertCheck(p2, 1))) {
516  printf("sid 1 didn't match but should have");
517  goto end;
518  }
519 
520  result = 1;
521 
522 end:
523  if (alp_tctx != NULL)
524  AppLayerParserThreadCtxFree(alp_tctx);
525  if (de_ctx != NULL)
526  DetectEngineCtxFree(de_ctx);
527 
529  FLOW_DESTROY(&f);
530  UTHFreePackets(&p1, 1);
531  UTHFreePackets(&p2, 1);
532  return result;
533 }
534 
535 static int DetectEngineHttpServerBodyTest04(void)
536 {
537  TcpSession ssn;
538  Packet *p1 = NULL;
539  Packet *p2 = NULL;
540  ThreadVars th_v;
541  DetectEngineCtx *de_ctx = NULL;
542  DetectEngineThreadCtx *det_ctx = NULL;
543  HtpState *http_state = NULL;
544  Flow f;
545  uint8_t http_buf1[] =
546  "GET /index.html HTTP/1.0\r\n"
547  "Host: www.openinfosecfoundation.org\r\n"
548  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
549  "\r\n";
550  uint32_t http_len1 = sizeof(http_buf1) - 1;
551  uint8_t http_buf2[] =
552  "HTTP/1.0 200 ok\r\n"
553  "Content-Type: text/html\r\n"
554  "Content-Length: 6\r\n"
555  "\r\n"
556  "abcdef";
557  uint32_t http_len2 = sizeof(http_buf2) - 1;
558  int result = 0;
560 
561  memset(&th_v, 0, sizeof(th_v));
562  memset(&f, 0, sizeof(f));
563  memset(&ssn, 0, sizeof(ssn));
564 
565  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
566  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
567 
568  FLOW_INITIALIZE(&f);
569  f.protoctx = (void *)&ssn;
570  f.proto = IPPROTO_TCP;
571  f.flags |= FLOW_IPV4;
572 
573  p1->flow = &f;
577  p2->flow = &f;
581  f.alproto = ALPROTO_HTTP;
582 
584 
585  de_ctx = DetectEngineCtxInit();
586  if (de_ctx == NULL)
587  goto end;
588 
589  de_ctx->flags |= DE_QUIET;
590 
591  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
592  "(msg:\"http server body test\"; "
593  "content:!\"abc\"; http_server_body; offset:3; "
594  "sid:1;)");
595  if (de_ctx->sig_list == NULL)
596  goto end;
597 
598  SigGroupBuild(de_ctx);
599  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
600 
601  FLOWLOCK_WRLOCK(&f);
602  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
603  STREAM_TOSERVER, http_buf1, http_len1);
604  if (r != 0) {
605  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
606  result = 0;
607  FLOWLOCK_UNLOCK(&f);
608  goto end;
609  }
610  FLOWLOCK_UNLOCK(&f);
611 
612  http_state = f.alstate;
613  if (http_state == NULL) {
614  printf("no http state: \n");
615  result = 0;
616  goto end;
617  }
618 
619  /* do detect */
620  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
621 
622  if (PacketAlertCheck(p1, 1)) {
623  printf("sid 1 matched but shouldn't have: ");
624  goto end;
625  }
626 
627  FLOWLOCK_WRLOCK(&f);
628  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
629  STREAM_TOCLIENT, http_buf2, http_len2);
630  if (r != 0) {
631  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
632  result = 0;
633  FLOWLOCK_UNLOCK(&f);
634  goto end;
635  }
636  FLOWLOCK_UNLOCK(&f);
637 
638  /* do detect */
639  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
640 
641  if (!PacketAlertCheck(p2, 1)) {
642  printf("sid 1 didn't match but should have: ");
643  goto end;
644  }
645 
646  result = 1;
647 
648 end:
649  if (alp_tctx != NULL)
650  AppLayerParserThreadCtxFree(alp_tctx);
651  if (de_ctx != NULL)
652  DetectEngineCtxFree(de_ctx);
653 
655  FLOW_DESTROY(&f);
656  UTHFreePackets(&p1, 1);
657  UTHFreePackets(&p2, 1);
658  return result;
659 }
660 
661 static int DetectEngineHttpServerBodyTest05(void)
662 {
663  TcpSession ssn;
664  Packet *p1 = NULL;
665  Packet *p2 = NULL;
666  ThreadVars th_v;
667  DetectEngineCtx *de_ctx = NULL;
668  DetectEngineThreadCtx *det_ctx = NULL;
669  HtpState *http_state = NULL;
670  Flow f;
671  uint8_t http_buf1[] =
672  "GET /index.html HTTP/1.0\r\n"
673  "Host: www.openinfosecfoundation.org\r\n"
674  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
675  "\r\n";
676  uint32_t http_len1 = sizeof(http_buf1) - 1;
677  uint8_t http_buf2[] =
678  "HTTP/1.0 200 ok\r\n"
679  "Content-Type: text/html\r\n"
680  "Content-Length: 6\r\n"
681  "\r\n"
682  "abcdef";
683  uint32_t http_len2 = sizeof(http_buf2) - 1;
684  int result = 0;
686 
687  memset(&th_v, 0, sizeof(th_v));
688  memset(&f, 0, sizeof(f));
689  memset(&ssn, 0, sizeof(ssn));
690 
691  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
692  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
693 
694  FLOW_INITIALIZE(&f);
695  f.protoctx = (void *)&ssn;
696  f.proto = IPPROTO_TCP;
697  f.flags |= FLOW_IPV4;
698 
699  p1->flow = &f;
703  p2->flow = &f;
707  f.alproto = ALPROTO_HTTP;
708 
710 
711  de_ctx = DetectEngineCtxInit();
712  if (de_ctx == NULL)
713  goto end;
714 
715  de_ctx->flags |= DE_QUIET;
716 
717  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
718  "(msg:\"http server body test\"; "
719  "content:\"abc\"; http_server_body; depth:3; "
720  "sid:1;)");
721  if (de_ctx->sig_list == NULL)
722  goto end;
723 
724  SigGroupBuild(de_ctx);
725  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
726 
727  FLOWLOCK_WRLOCK(&f);
728  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
729  STREAM_TOSERVER, http_buf1, http_len1);
730  if (r != 0) {
731  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
732  result = 0;
733  FLOWLOCK_UNLOCK(&f);
734  goto end;
735  }
736  FLOWLOCK_UNLOCK(&f);
737 
738  http_state = f.alstate;
739  if (http_state == NULL) {
740  printf("no http state: \n");
741  result = 0;
742  goto end;
743  }
744 
745  /* do detect */
746  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
747 
748  if (PacketAlertCheck(p1, 1)) {
749  printf("sid 1 matched but shouldn't have: ");
750  goto end;
751  }
752 
753  FLOWLOCK_WRLOCK(&f);
754  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
755  STREAM_TOCLIENT, http_buf2, http_len2);
756  if (r != 0) {
757  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
758  result = 0;
759  FLOWLOCK_UNLOCK(&f);
760  goto end;
761  }
762  FLOWLOCK_UNLOCK(&f);
763 
764  /* do detect */
765  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
766 
767  if (!PacketAlertCheck(p2, 1)) {
768  printf("sid 1 didn't match but should have: ");
769  goto end;
770  }
771 
772  result = 1;
773 
774 end:
775  if (alp_tctx != NULL)
776  AppLayerParserThreadCtxFree(alp_tctx);
777  if (de_ctx != NULL)
778  DetectEngineCtxFree(de_ctx);
779 
781  FLOW_DESTROY(&f);
782  UTHFreePackets(&p1, 1);
783  UTHFreePackets(&p2, 1);
784  return result;
785 }
786 
787 static int DetectEngineHttpServerBodyTest06(void)
788 {
789  TcpSession ssn;
790  Packet *p1 = NULL;
791  Packet *p2 = NULL;
792  ThreadVars th_v;
793  DetectEngineCtx *de_ctx = NULL;
794  DetectEngineThreadCtx *det_ctx = NULL;
795  HtpState *http_state = NULL;
796  Flow f;
797  uint8_t http_buf1[] =
798  "GET /index.html HTTP/1.0\r\n"
799  "Host: www.openinfosecfoundation.org\r\n"
800  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
801  "\r\n";
802  uint32_t http_len1 = sizeof(http_buf1) - 1;
803  uint8_t http_buf2[] =
804  "HTTP/1.0 200 ok\r\n"
805  "Content-Type: text/html\r\n"
806  "Content-Length: 6\r\n"
807  "\r\n"
808  "abcdef";
809  uint32_t http_len2 = sizeof(http_buf2) - 1;
810  int result = 0;
812 
813  memset(&th_v, 0, sizeof(th_v));
814  memset(&f, 0, sizeof(f));
815  memset(&ssn, 0, sizeof(ssn));
816 
817  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
818  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
819 
820  FLOW_INITIALIZE(&f);
821  f.protoctx = (void *)&ssn;
822  f.proto = IPPROTO_TCP;
823  f.flags |= FLOW_IPV4;
824 
825  p1->flow = &f;
829  p2->flow = &f;
833  f.alproto = ALPROTO_HTTP;
834 
836 
837  de_ctx = DetectEngineCtxInit();
838  if (de_ctx == NULL)
839  goto end;
840 
841  de_ctx->flags |= DE_QUIET;
842 
843  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
844  "(msg:\"http server body test\"; "
845  "content:!\"def\"; http_server_body; depth:3; "
846  "sid:1;)");
847  if (de_ctx->sig_list == NULL)
848  goto end;
849 
850  SigGroupBuild(de_ctx);
851  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
852 
853  FLOWLOCK_WRLOCK(&f);
854  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
855  STREAM_TOSERVER, http_buf1, http_len1);
856  if (r != 0) {
857  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
858  result = 0;
859  FLOWLOCK_UNLOCK(&f);
860  goto end;
861  }
862  FLOWLOCK_UNLOCK(&f);
863 
864  http_state = f.alstate;
865  if (http_state == NULL) {
866  printf("no http state: \n");
867  result = 0;
868  goto end;
869  }
870 
871  /* do detect */
872  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
873 
874  if (PacketAlertCheck(p1, 1)) {
875  printf("sid 1 matched but shouldn't have: ");
876  goto end;
877  }
878 
879  FLOWLOCK_WRLOCK(&f);
880  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
881  STREAM_TOCLIENT, http_buf2, http_len2);
882  if (r != 0) {
883  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
884  result = 0;
885  FLOWLOCK_UNLOCK(&f);
886  goto end;
887  }
888  FLOWLOCK_UNLOCK(&f);
889 
890  /* do detect */
891  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
892 
893  if (!PacketAlertCheck(p2, 1)) {
894  printf("sid 1 didn't match but should have: ");
895  goto end;
896  }
897 
898  result = 1;
899 
900 end:
901  if (alp_tctx != NULL)
902  AppLayerParserThreadCtxFree(alp_tctx);
903  if (de_ctx != NULL)
904  DetectEngineCtxFree(de_ctx);
905 
907  FLOW_DESTROY(&f);
908  UTHFreePackets(&p1, 1);
909  UTHFreePackets(&p2, 1);
910  return result;
911 }
912 
913 static int DetectEngineHttpServerBodyTest07(void)
914 {
915  TcpSession ssn;
916  Packet *p1 = NULL;
917  Packet *p2 = NULL;
918  ThreadVars th_v;
919  DetectEngineCtx *de_ctx = NULL;
920  DetectEngineThreadCtx *det_ctx = NULL;
921  HtpState *http_state = NULL;
922  Flow f;
923  uint8_t http_buf1[] =
924  "GET /index.html HTTP/1.0\r\n"
925  "Host: www.openinfosecfoundation.org\r\n"
926  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
927  "\r\n";
928  uint32_t http_len1 = sizeof(http_buf1) - 1;
929  uint8_t http_buf2[] =
930  "HTTP/1.0 200 ok\r\n"
931  "Content-Type: text/html\r\n"
932  "Content-Length: 6\r\n"
933  "\r\n"
934  "abcdef";
935  uint32_t http_len2 = sizeof(http_buf2) - 1;
936  int result = 0;
938 
939  memset(&th_v, 0, sizeof(th_v));
940  memset(&f, 0, sizeof(f));
941  memset(&ssn, 0, sizeof(ssn));
942 
943  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
944  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
945 
946  FLOW_INITIALIZE(&f);
947  f.protoctx = (void *)&ssn;
948  f.proto = IPPROTO_TCP;
949  f.flags |= FLOW_IPV4;
950 
951  p1->flow = &f;
955  p2->flow = &f;
959  f.alproto = ALPROTO_HTTP;
960 
962 
963  de_ctx = DetectEngineCtxInit();
964  if (de_ctx == NULL)
965  goto end;
966 
967  de_ctx->flags |= DE_QUIET;
968 
969  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
970  "(msg:\"http server body test\"; "
971  "content:!\"def\"; http_server_body; offset:3; "
972  "sid:1;)");
973  if (de_ctx->sig_list == NULL)
974  goto end;
975 
976  SigGroupBuild(de_ctx);
977  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
978 
979  FLOWLOCK_WRLOCK(&f);
980  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
981  STREAM_TOSERVER, http_buf1, http_len1);
982  if (r != 0) {
983  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
984  result = 0;
985  FLOWLOCK_UNLOCK(&f);
986  goto end;
987  }
988  FLOWLOCK_UNLOCK(&f);
989 
990  http_state = f.alstate;
991  if (http_state == NULL) {
992  printf("no http state: \n");
993  result = 0;
994  goto end;
995  }
996 
997  /* do detect */
998  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
999 
1000  if (PacketAlertCheck(p1, 1)) {
1001  printf("sid 1 matched but shouldn't have: ");
1002  goto end;
1003  }
1004 
1005  FLOWLOCK_WRLOCK(&f);
1006  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1007  STREAM_TOCLIENT, http_buf2, http_len2);
1008  if (r != 0) {
1009  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1010  result = 0;
1011  FLOWLOCK_UNLOCK(&f);
1012  goto end;
1013  }
1014  FLOWLOCK_UNLOCK(&f);
1015 
1016  /* do detect */
1017  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1018 
1019  if (PacketAlertCheck(p2, 1)) {
1020  printf("sid 1 matched but shouldn't have: ");
1021  goto end;
1022  }
1023 
1024  result = 1;
1025 
1026 end:
1027  if (alp_tctx != NULL)
1028  AppLayerParserThreadCtxFree(alp_tctx);
1029  if (de_ctx != NULL)
1030  DetectEngineCtxFree(de_ctx);
1031 
1033  FLOW_DESTROY(&f);
1034  UTHFreePackets(&p1, 1);
1035  UTHFreePackets(&p2, 1);
1036  return result;
1037 }
1038 
1039 static int DetectEngineHttpServerBodyTest08(void)
1040 {
1041  TcpSession ssn;
1042  Packet *p1 = NULL;
1043  Packet *p2 = NULL;
1044  ThreadVars th_v;
1045  DetectEngineCtx *de_ctx = NULL;
1046  DetectEngineThreadCtx *det_ctx = NULL;
1047  HtpState *http_state = NULL;
1048  Flow f;
1049  uint8_t http_buf1[] =
1050  "GET /index.html HTTP/1.0\r\n"
1051  "Host: www.openinfosecfoundation.org\r\n"
1052  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1053  "\r\n";
1054  uint32_t http_len1 = sizeof(http_buf1) - 1;
1055  uint8_t http_buf2[] =
1056  "HTTP/1.0 200 ok\r\n"
1057  "Content-Type: text/html\r\n"
1058  "Content-Length: 6\r\n"
1059  "\r\n"
1060  "abcdef";
1061  uint32_t http_len2 = sizeof(http_buf2) - 1;
1062  int result = 0;
1064 
1065  memset(&th_v, 0, sizeof(th_v));
1066  memset(&f, 0, sizeof(f));
1067  memset(&ssn, 0, sizeof(ssn));
1068 
1069  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1070  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1071 
1072  FLOW_INITIALIZE(&f);
1073  f.protoctx = (void *)&ssn;
1074  f.proto = IPPROTO_TCP;
1075  f.flags |= FLOW_IPV4;
1076 
1077  p1->flow = &f;
1081  p2->flow = &f;
1085  f.alproto = ALPROTO_HTTP;
1086 
1088 
1089  de_ctx = DetectEngineCtxInit();
1090  if (de_ctx == NULL)
1091  goto end;
1092 
1093  de_ctx->flags |= DE_QUIET;
1094 
1095  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1096  "(msg:\"http server body test\"; "
1097  "content:!\"abc\"; http_server_body; depth:3; "
1098  "sid:1;)");
1099  if (de_ctx->sig_list == NULL)
1100  goto end;
1101 
1102  SigGroupBuild(de_ctx);
1103  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1104 
1105  FLOWLOCK_WRLOCK(&f);
1106  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1107  STREAM_TOSERVER, http_buf1, http_len1);
1108  if (r != 0) {
1109  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1110  result = 0;
1111  FLOWLOCK_UNLOCK(&f);
1112  goto end;
1113  }
1114  FLOWLOCK_UNLOCK(&f);
1115 
1116  http_state = f.alstate;
1117  if (http_state == NULL) {
1118  printf("no http state: \n");
1119  result = 0;
1120  goto end;
1121  }
1122 
1123  /* do detect */
1124  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1125 
1126  if (PacketAlertCheck(p1, 1)) {
1127  printf("sid 1 matched but shouldn't have: ");
1128  goto end;
1129  }
1130 
1131  FLOWLOCK_WRLOCK(&f);
1132  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1133  STREAM_TOCLIENT, http_buf2, http_len2);
1134  if (r != 0) {
1135  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1136  result = 0;
1137  FLOWLOCK_UNLOCK(&f);
1138  goto end;
1139  }
1140  FLOWLOCK_UNLOCK(&f);
1141 
1142  /* do detect */
1143  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1144 
1145  if (PacketAlertCheck(p2, 1)) {
1146  printf("sid 1 matched but shouldn't have: ");
1147  goto end;
1148  }
1149 
1150  result = 1;
1151 
1152 end:
1153  if (alp_tctx != NULL)
1154  AppLayerParserThreadCtxFree(alp_tctx);
1155  if (de_ctx != NULL)
1156  DetectEngineCtxFree(de_ctx);
1157 
1159  FLOW_DESTROY(&f);
1160  UTHFreePackets(&p1, 1);
1161  UTHFreePackets(&p2, 1);
1162  return result;
1163 }
1164 
1165 static int DetectEngineHttpServerBodyTest09(void)
1166 {
1167  TcpSession ssn;
1168  Packet *p1 = NULL;
1169  Packet *p2 = NULL;
1170  ThreadVars th_v;
1171  DetectEngineCtx *de_ctx = NULL;
1172  DetectEngineThreadCtx *det_ctx = NULL;
1173  HtpState *http_state = NULL;
1174  Flow f;
1175  uint8_t http_buf1[] =
1176  "GET /index.html HTTP/1.0\r\n"
1177  "Host: www.openinfosecfoundation.org\r\n"
1178  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1179  "\r\n";
1180  uint32_t http_len1 = sizeof(http_buf1) - 1;
1181  uint8_t http_buf2[] =
1182  "HTTP/1.0 200 ok\r\n"
1183  "Content-Type: text/html\r\n"
1184  "Content-Length: 6\r\n"
1185  "\r\n"
1186  "abcdef";
1187  uint32_t http_len2 = sizeof(http_buf2) - 1;
1188  int result = 0;
1190 
1191  memset(&th_v, 0, sizeof(th_v));
1192  memset(&f, 0, sizeof(f));
1193  memset(&ssn, 0, sizeof(ssn));
1194 
1195  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1196  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1197 
1198  FLOW_INITIALIZE(&f);
1199  f.protoctx = (void *)&ssn;
1200  f.proto = IPPROTO_TCP;
1201  f.flags |= FLOW_IPV4;
1202 
1203  p1->flow = &f;
1207  p2->flow = &f;
1211  f.alproto = ALPROTO_HTTP;
1212 
1214 
1215  de_ctx = DetectEngineCtxInit();
1216  if (de_ctx == NULL)
1217  goto end;
1218 
1219  de_ctx->flags |= DE_QUIET;
1220 
1221  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1222  "(msg:\"http server body test\"; "
1223  "content:\"abc\"; http_server_body; depth:3; "
1224  "content:\"def\"; http_server_body; within:3; "
1225  "sid:1;)");
1226  if (de_ctx->sig_list == NULL)
1227  goto end;
1228 
1229  SigGroupBuild(de_ctx);
1230  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1231 
1232  FLOWLOCK_WRLOCK(&f);
1233  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1234  STREAM_TOSERVER, http_buf1, http_len1);
1235  if (r != 0) {
1236  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1237  result = 0;
1238  FLOWLOCK_UNLOCK(&f);
1239  goto end;
1240  }
1241  FLOWLOCK_UNLOCK(&f);
1242 
1243  http_state = f.alstate;
1244  if (http_state == NULL) {
1245  printf("no http state: \n");
1246  result = 0;
1247  goto end;
1248  }
1249 
1250  /* do detect */
1251  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1252 
1253  if (PacketAlertCheck(p1, 1)) {
1254  printf("sid 1 matched but shouldn't have: ");
1255  goto end;
1256  }
1257 
1258  FLOWLOCK_WRLOCK(&f);
1259  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1260  STREAM_TOCLIENT, http_buf2, http_len2);
1261  if (r != 0) {
1262  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1263  result = 0;
1264  FLOWLOCK_UNLOCK(&f);
1265  goto end;
1266  }
1267  FLOWLOCK_UNLOCK(&f);
1268 
1269  /* do detect */
1270  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1271 
1272  if (!PacketAlertCheck(p2, 1)) {
1273  printf("sid 1 didn't match but should have: ");
1274  goto end;
1275  }
1276 
1277  result = 1;
1278 
1279 end:
1280  if (alp_tctx != NULL)
1281  AppLayerParserThreadCtxFree(alp_tctx);
1282  if (de_ctx != NULL)
1283  DetectEngineCtxFree(de_ctx);
1284 
1286  FLOW_DESTROY(&f);
1287  UTHFreePackets(&p1, 1);
1288  UTHFreePackets(&p2, 1);
1289  return result;
1290 }
1291 
1292 static int DetectEngineHttpServerBodyTest10(void)
1293 {
1294  TcpSession ssn;
1295  Packet *p1 = NULL;
1296  Packet *p2 = NULL;
1297  ThreadVars th_v;
1298  DetectEngineCtx *de_ctx = NULL;
1299  DetectEngineThreadCtx *det_ctx = NULL;
1300  HtpState *http_state = NULL;
1301  Flow f;
1302  uint8_t http_buf1[] =
1303  "GET /index.html HTTP/1.0\r\n"
1304  "Host: www.openinfosecfoundation.org\r\n"
1305  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1306  "\r\n";
1307  uint32_t http_len1 = sizeof(http_buf1) - 1;
1308  uint8_t http_buf2[] =
1309  "HTTP/1.0 200 ok\r\n"
1310  "Content-Type: text/html\r\n"
1311  "Content-Length: 6\r\n"
1312  "\r\n"
1313  "abcdef";
1314  uint32_t http_len2 = sizeof(http_buf2) - 1;
1315  int result = 0;
1317 
1318  memset(&th_v, 0, sizeof(th_v));
1319  memset(&f, 0, sizeof(f));
1320  memset(&ssn, 0, sizeof(ssn));
1321 
1322  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1323  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1324 
1325  FLOW_INITIALIZE(&f);
1326  f.protoctx = (void *)&ssn;
1327  f.proto = IPPROTO_TCP;
1328  f.flags |= FLOW_IPV4;
1329 
1330  p1->flow = &f;
1334  p2->flow = &f;
1338  f.alproto = ALPROTO_HTTP;
1339 
1341 
1342  de_ctx = DetectEngineCtxInit();
1343  if (de_ctx == NULL)
1344  goto end;
1345 
1346  de_ctx->flags |= DE_QUIET;
1347 
1348  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1349  "(msg:\"http server body test\"; "
1350  "content:\"abc\"; http_server_body; depth:3; "
1351  "content:!\"xyz\"; http_server_body; within:3; "
1352  "sid:1;)");
1353  if (de_ctx->sig_list == NULL)
1354  goto end;
1355 
1356  SigGroupBuild(de_ctx);
1357  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1358 
1359  FLOWLOCK_WRLOCK(&f);
1360  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1361  STREAM_TOSERVER, http_buf1, http_len1);
1362  if (r != 0) {
1363  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1364  result = 0;
1365  FLOWLOCK_UNLOCK(&f);
1366  goto end;
1367  }
1368  FLOWLOCK_UNLOCK(&f);
1369 
1370  http_state = f.alstate;
1371  if (http_state == NULL) {
1372  printf("no http state: \n");
1373  result = 0;
1374  goto end;
1375  }
1376 
1377  /* do detect */
1378  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1379 
1380  if (PacketAlertCheck(p1, 1)) {
1381  printf("sid 1 matched but shouldn't have: ");
1382  goto end;
1383  }
1384 
1385  FLOWLOCK_WRLOCK(&f);
1386  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1387  STREAM_TOCLIENT, http_buf2, http_len2);
1388  if (r != 0) {
1389  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1390  result = 0;
1391  FLOWLOCK_UNLOCK(&f);
1392  goto end;
1393  }
1394  FLOWLOCK_UNLOCK(&f);
1395 
1396  /* do detect */
1397  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1398 
1399  if (!PacketAlertCheck(p2, 1)) {
1400  printf("sid 1 didn't match but should have: ");
1401  goto end;
1402  }
1403 
1404  result = 1;
1405 
1406 end:
1407  if (alp_tctx != NULL)
1408  AppLayerParserThreadCtxFree(alp_tctx);
1409  if (de_ctx != NULL)
1410  DetectEngineCtxFree(de_ctx);
1411 
1413  FLOW_DESTROY(&f);
1414  UTHFreePackets(&p1, 1);
1415  UTHFreePackets(&p2, 1);
1416  return result;
1417 }
1418 
1419 static int DetectEngineHttpServerBodyTest11(void)
1420 {
1421  TcpSession ssn;
1422  Packet *p1 = NULL;
1423  Packet *p2 = NULL;
1424  ThreadVars th_v;
1425  DetectEngineCtx *de_ctx = NULL;
1426  DetectEngineThreadCtx *det_ctx = NULL;
1427  HtpState *http_state = NULL;
1428  Flow f;
1429  uint8_t http_buf1[] =
1430  "GET /index.html HTTP/1.0\r\n"
1431  "Host: www.openinfosecfoundation.org\r\n"
1432  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1433  "\r\n";
1434  uint32_t http_len1 = sizeof(http_buf1) - 1;
1435  uint8_t http_buf2[] =
1436  "HTTP/1.0 200 ok\r\n"
1437  "Content-Type: text/html\r\n"
1438  "Content-Length: 6\r\n"
1439  "\r\n"
1440  "abcdef";
1441  uint32_t http_len2 = sizeof(http_buf2) - 1;
1442  int result = 0;
1444 
1445  memset(&th_v, 0, sizeof(th_v));
1446  memset(&f, 0, sizeof(f));
1447  memset(&ssn, 0, sizeof(ssn));
1448 
1449  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1450  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1451 
1452  FLOW_INITIALIZE(&f);
1453  f.protoctx = (void *)&ssn;
1454  f.proto = IPPROTO_TCP;
1455  f.flags |= FLOW_IPV4;
1456 
1457  p1->flow = &f;
1461  p2->flow = &f;
1465  f.alproto = ALPROTO_HTTP;
1466 
1468 
1469  de_ctx = DetectEngineCtxInit();
1470  if (de_ctx == NULL)
1471  goto end;
1472 
1473  de_ctx->flags |= DE_QUIET;
1474 
1475  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1476  "(msg:\"http server body test\"; "
1477  "content:\"abc\"; http_server_body; depth:3; "
1478  "content:\"xyz\"; http_server_body; within:3; "
1479  "sid:1;)");
1480  if (de_ctx->sig_list == NULL)
1481  goto end;
1482 
1483  SigGroupBuild(de_ctx);
1484  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1485 
1486  FLOWLOCK_WRLOCK(&f);
1487  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1488  STREAM_TOSERVER, http_buf1, http_len1);
1489  if (r != 0) {
1490  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1491  result = 0;
1492  FLOWLOCK_UNLOCK(&f);
1493  goto end;
1494  }
1495  FLOWLOCK_UNLOCK(&f);
1496 
1497  http_state = f.alstate;
1498  if (http_state == NULL) {
1499  printf("no http state: \n");
1500  result = 0;
1501  goto end;
1502  }
1503 
1504  /* do detect */
1505  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1506 
1507  if (PacketAlertCheck(p1, 1)) {
1508  printf("sid 1 matched but shouldn't have: ");
1509  goto end;
1510  }
1511 
1512  FLOWLOCK_WRLOCK(&f);
1513  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1514  STREAM_TOCLIENT, http_buf2, http_len2);
1515  if (r != 0) {
1516  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1517  result = 0;
1518  FLOWLOCK_UNLOCK(&f);
1519  goto end;
1520  }
1521  FLOWLOCK_UNLOCK(&f);
1522 
1523  /* do detect */
1524  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1525 
1526  if (PacketAlertCheck(p2, 1)) {
1527  printf("sid 1 did match but should not have: ");
1528  goto end;
1529  }
1530 
1531  result = 1;
1532 
1533 end:
1534  if (alp_tctx != NULL)
1535  AppLayerParserThreadCtxFree(alp_tctx);
1536  if (de_ctx != NULL)
1537  DetectEngineCtxFree(de_ctx);
1538 
1540  FLOW_DESTROY(&f);
1541  UTHFreePackets(&p1, 1);
1542  UTHFreePackets(&p2, 1);
1543  return result;
1544 }
1545 
1546 static int DetectEngineHttpServerBodyTest12(void)
1547 {
1548  TcpSession ssn;
1549  Packet *p1 = NULL;
1550  Packet *p2 = NULL;
1551  ThreadVars th_v;
1552  DetectEngineCtx *de_ctx = NULL;
1553  DetectEngineThreadCtx *det_ctx = NULL;
1554  HtpState *http_state = NULL;
1555  Flow f;
1556  uint8_t http_buf1[] =
1557  "GET /index.html HTTP/1.0\r\n"
1558  "Host: www.openinfosecfoundation.org\r\n"
1559  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1560  "\r\n";
1561  uint32_t http_len1 = sizeof(http_buf1) - 1;
1562  uint8_t http_buf2[] =
1563  "HTTP/1.0 200 ok\r\n"
1564  "Content-Type: text/html\r\n"
1565  "Content-Length: 6\r\n"
1566  "\r\n"
1567  "abcdef";
1568  uint32_t http_len2 = sizeof(http_buf2) - 1;
1569  int result = 0;
1571 
1572  memset(&th_v, 0, sizeof(th_v));
1573  memset(&f, 0, sizeof(f));
1574  memset(&ssn, 0, sizeof(ssn));
1575 
1576  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1577  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1578 
1579  FLOW_INITIALIZE(&f);
1580  f.protoctx = (void *)&ssn;
1581  f.proto = IPPROTO_TCP;
1582  f.flags |= FLOW_IPV4;
1583 
1584  p1->flow = &f;
1588  p2->flow = &f;
1592  f.alproto = ALPROTO_HTTP;
1593 
1595 
1596  de_ctx = DetectEngineCtxInit();
1597  if (de_ctx == NULL)
1598  goto end;
1599 
1600  de_ctx->flags |= DE_QUIET;
1601 
1602  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1603  "(msg:\"http server body test\"; "
1604  "content:\"ab\"; http_server_body; depth:2; "
1605  "content:\"ef\"; http_server_body; distance:2; "
1606  "sid:1;)");
1607  if (de_ctx->sig_list == NULL)
1608  goto end;
1609 
1610  SigGroupBuild(de_ctx);
1611  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1612 
1613  FLOWLOCK_WRLOCK(&f);
1614  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1615  STREAM_TOSERVER, http_buf1, http_len1);
1616  if (r != 0) {
1617  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1618  result = 0;
1619  FLOWLOCK_UNLOCK(&f);
1620  goto end;
1621  }
1622  FLOWLOCK_UNLOCK(&f);
1623 
1624  http_state = f.alstate;
1625  if (http_state == NULL) {
1626  printf("no http state: \n");
1627  result = 0;
1628  goto end;
1629  }
1630 
1631  /* do detect */
1632  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1633 
1634  if (PacketAlertCheck(p1, 1)) {
1635  printf("sid 1 matched but shouldn't have: ");
1636  goto end;
1637  }
1638 
1639  FLOWLOCK_WRLOCK(&f);
1640  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1641  STREAM_TOCLIENT, http_buf2, http_len2);
1642  if (r != 0) {
1643  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1644  result = 0;
1645  FLOWLOCK_UNLOCK(&f);
1646  goto end;
1647  }
1648  FLOWLOCK_UNLOCK(&f);
1649 
1650  /* do detect */
1651  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1652 
1653  if (!PacketAlertCheck(p2, 1)) {
1654  printf("sid 1 did not match but should have: ");
1655  goto end;
1656  }
1657 
1658  result = 1;
1659 
1660 end:
1661  if (alp_tctx != NULL)
1662  AppLayerParserThreadCtxFree(alp_tctx);
1663  if (de_ctx != NULL)
1664  DetectEngineCtxFree(de_ctx);
1665 
1667  FLOW_DESTROY(&f);
1668  UTHFreePackets(&p1, 1);
1669  UTHFreePackets(&p2, 1);
1670  return result;
1671 }
1672 
1673 static int DetectEngineHttpServerBodyTest13(void)
1674 {
1675  TcpSession ssn;
1676  Packet *p1 = NULL;
1677  Packet *p2 = NULL;
1678  ThreadVars th_v;
1679  DetectEngineCtx *de_ctx = NULL;
1680  DetectEngineThreadCtx *det_ctx = NULL;
1681  HtpState *http_state = NULL;
1682  Flow f;
1683  uint8_t http_buf1[] =
1684  "GET /index.html HTTP/1.0\r\n"
1685  "Host: www.openinfosecfoundation.org\r\n"
1686  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1687  "\r\n";
1688  uint32_t http_len1 = sizeof(http_buf1) - 1;
1689  uint8_t http_buf2[] =
1690  "HTTP/1.0 200 ok\r\n"
1691  "Content-Type: text/html\r\n"
1692  "Content-Length: 6\r\n"
1693  "\r\n"
1694  "abcdef";
1695  uint32_t http_len2 = sizeof(http_buf2) - 1;
1696  int result = 0;
1698 
1699  memset(&th_v, 0, sizeof(th_v));
1700  memset(&f, 0, sizeof(f));
1701  memset(&ssn, 0, sizeof(ssn));
1702 
1703  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1704  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1705 
1706  FLOW_INITIALIZE(&f);
1707  f.protoctx = (void *)&ssn;
1708  f.proto = IPPROTO_TCP;
1709  f.flags |= FLOW_IPV4;
1710 
1711  p1->flow = &f;
1715  p2->flow = &f;
1719  f.alproto = ALPROTO_HTTP;
1720 
1722 
1723  de_ctx = DetectEngineCtxInit();
1724  if (de_ctx == NULL)
1725  goto end;
1726 
1727  de_ctx->flags |= DE_QUIET;
1728 
1729  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1730  "(msg:\"http server body test\"; "
1731  "content:\"ab\"; http_server_body; depth:3; "
1732  "content:!\"yz\"; http_server_body; distance:2; "
1733  "sid:1;)");
1734  if (de_ctx->sig_list == NULL)
1735  goto end;
1736 
1737  SigGroupBuild(de_ctx);
1738  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1739 
1740  FLOWLOCK_WRLOCK(&f);
1741  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1742  STREAM_TOSERVER, http_buf1, http_len1);
1743  if (r != 0) {
1744  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1745  result = 0;
1746  FLOWLOCK_UNLOCK(&f);
1747  goto end;
1748  }
1749  FLOWLOCK_UNLOCK(&f);
1750 
1751  http_state = f.alstate;
1752  if (http_state == NULL) {
1753  printf("no http state: \n");
1754  result = 0;
1755  goto end;
1756  }
1757 
1758  /* do detect */
1759  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1760 
1761  if (PacketAlertCheck(p1, 1)) {
1762  printf("sid 1 matched but shouldn't have: ");
1763  goto end;
1764  }
1765 
1766  FLOWLOCK_WRLOCK(&f);
1767  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1768  STREAM_TOCLIENT, http_buf2, http_len2);
1769  if (r != 0) {
1770  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1771  result = 0;
1772  FLOWLOCK_UNLOCK(&f);
1773  goto end;
1774  }
1775  FLOWLOCK_UNLOCK(&f);
1776 
1777  /* do detect */
1778  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1779 
1780  if (!PacketAlertCheck(p2, 1)) {
1781  printf("sid 1 did not match but should have: ");
1782  goto end;
1783  }
1784 
1785  result = 1;
1786 
1787 end:
1788  if (alp_tctx != NULL)
1789  AppLayerParserThreadCtxFree(alp_tctx);
1790  if (de_ctx != NULL)
1791  DetectEngineCtxFree(de_ctx);
1792 
1794  FLOW_DESTROY(&f);
1795  UTHFreePackets(&p1, 1);
1796  UTHFreePackets(&p2, 1);
1797  return result;
1798 }
1799 
1800 static int DetectEngineHttpServerBodyTest14(void)
1801 {
1802  TcpSession ssn;
1803  Packet *p1 = NULL;
1804  Packet *p2 = NULL;
1805  ThreadVars th_v;
1806  DetectEngineCtx *de_ctx = NULL;
1807  DetectEngineThreadCtx *det_ctx = NULL;
1808  HtpState *http_state = NULL;
1809  Flow f;
1810  uint8_t http_buf1[] =
1811  "GET /index.html HTTP/1.0\r\n"
1812  "Host: www.openinfosecfoundation.org\r\n"
1813  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1814  "\r\n";
1815  uint32_t http_len1 = sizeof(http_buf1) - 1;
1816  uint8_t http_buf2[] =
1817  "HTTP/1.0 200 ok\r\n"
1818  "Content-Type: text/html\r\n"
1819  "Content-Length: 6\r\n"
1820  "\r\n"
1821  "abcdef";
1822  uint32_t http_len2 = sizeof(http_buf2) - 1;
1823  int result = 0;
1825 
1826  memset(&th_v, 0, sizeof(th_v));
1827  memset(&f, 0, sizeof(f));
1828  memset(&ssn, 0, sizeof(ssn));
1829 
1830  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1831  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1832 
1833  FLOW_INITIALIZE(&f);
1834  f.protoctx = (void *)&ssn;
1835  f.proto = IPPROTO_TCP;
1836  f.flags |= FLOW_IPV4;
1837 
1838  p1->flow = &f;
1842  p2->flow = &f;
1846  f.alproto = ALPROTO_HTTP;
1847 
1849 
1850  de_ctx = DetectEngineCtxInit();
1851  if (de_ctx == NULL)
1852  goto end;
1853 
1854  de_ctx->flags |= DE_QUIET;
1855 
1856  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1857  "(msg:\"http server body test\"; "
1858  "pcre:/ab/Q; "
1859  "content:\"ef\"; http_server_body; distance:2; "
1860  "sid:1;)");
1861  if (de_ctx->sig_list == NULL)
1862  goto end;
1863 
1864  SigGroupBuild(de_ctx);
1865  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1866 
1867  FLOWLOCK_WRLOCK(&f);
1868  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1869  STREAM_TOSERVER, http_buf1, http_len1);
1870  if (r != 0) {
1871  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1872  result = 0;
1873  FLOWLOCK_UNLOCK(&f);
1874  goto end;
1875  }
1876  FLOWLOCK_UNLOCK(&f);
1877 
1878  http_state = f.alstate;
1879  if (http_state == NULL) {
1880  printf("no http state: \n");
1881  result = 0;
1882  goto end;
1883  }
1884 
1885  /* do detect */
1886  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1887 
1888  if (PacketAlertCheck(p1, 1)) {
1889  printf("sid 1 matched but shouldn't have: ");
1890  goto end;
1891  }
1892 
1893  FLOWLOCK_WRLOCK(&f);
1894  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1895  STREAM_TOCLIENT, http_buf2, http_len2);
1896  if (r != 0) {
1897  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1898  result = 0;
1899  FLOWLOCK_UNLOCK(&f);
1900  goto end;
1901  }
1902  FLOWLOCK_UNLOCK(&f);
1903 
1904  /* do detect */
1905  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1906 
1907  if (!PacketAlertCheck(p2, 1)) {
1908  printf("sid 1 did not match but should have: ");
1909  goto end;
1910  }
1911 
1912  result = 1;
1913 
1914 end:
1915  if (alp_tctx != NULL)
1916  AppLayerParserThreadCtxFree(alp_tctx);
1917  if (de_ctx != NULL)
1918  DetectEngineCtxFree(de_ctx);
1919 
1921  FLOW_DESTROY(&f);
1922  UTHFreePackets(&p1, 1);
1923  UTHFreePackets(&p2, 1);
1924  return result;
1925 }
1926 
1927 static int DetectEngineHttpServerBodyTest15(void)
1928 {
1929  TcpSession ssn;
1930  Packet *p1 = NULL;
1931  Packet *p2 = NULL;
1932  ThreadVars th_v;
1933  DetectEngineCtx *de_ctx = NULL;
1934  DetectEngineThreadCtx *det_ctx = NULL;
1935  HtpState *http_state = NULL;
1936  Flow f;
1937  uint8_t http_buf1[] =
1938  "GET /index.html HTTP/1.0\r\n"
1939  "Host: www.openinfosecfoundation.org\r\n"
1940  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1941  "\r\n";
1942  uint32_t http_len1 = sizeof(http_buf1) - 1;
1943  uint8_t http_buf2[] =
1944  "HTTP/1.0 200 ok\r\n"
1945  "Content-Type: text/html\r\n"
1946  "Content-Length: 6\r\n"
1947  "\r\n"
1948  "abcdef";
1949  uint32_t http_len2 = sizeof(http_buf2) - 1;
1950  int result = 0;
1952 
1953  memset(&th_v, 0, sizeof(th_v));
1954  memset(&f, 0, sizeof(f));
1955  memset(&ssn, 0, sizeof(ssn));
1956 
1957  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1958  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1959 
1960  FLOW_INITIALIZE(&f);
1961  f.protoctx = (void *)&ssn;
1962  f.proto = IPPROTO_TCP;
1963  f.flags |= FLOW_IPV4;
1964 
1965  p1->flow = &f;
1969  p2->flow = &f;
1973  f.alproto = ALPROTO_HTTP;
1974 
1976 
1977  de_ctx = DetectEngineCtxInit();
1978  if (de_ctx == NULL)
1979  goto end;
1980 
1981  de_ctx->flags |= DE_QUIET;
1982 
1983  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1984  "(msg:\"http server body test\"; "
1985  "pcre:/abc/Q; "
1986  "content:!\"xyz\"; http_server_body; distance:0; within:3; "
1987  "sid:1;)");
1988  if (de_ctx->sig_list == NULL)
1989  goto end;
1990 
1991  SigGroupBuild(de_ctx);
1992  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1993 
1994  FLOWLOCK_WRLOCK(&f);
1995  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1996  STREAM_TOSERVER, http_buf1, http_len1);
1997  if (r != 0) {
1998  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1999  result = 0;
2000  FLOWLOCK_UNLOCK(&f);
2001  goto end;
2002  }
2003  FLOWLOCK_UNLOCK(&f);
2004 
2005  http_state = f.alstate;
2006  if (http_state == NULL) {
2007  printf("no http state: \n");
2008  result = 0;
2009  goto end;
2010  }
2011 
2012  /* do detect */
2013  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2014 
2015  if (PacketAlertCheck(p1, 1)) {
2016  printf("sid 1 matched but shouldn't have: ");
2017  goto end;
2018  }
2019 
2020  FLOWLOCK_WRLOCK(&f);
2021  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2022  STREAM_TOCLIENT, http_buf2, http_len2);
2023  if (r != 0) {
2024  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2025  result = 0;
2026  FLOWLOCK_UNLOCK(&f);
2027  goto end;
2028  }
2029  FLOWLOCK_UNLOCK(&f);
2030 
2031  /* do detect */
2032  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2033 
2034  if (!PacketAlertCheck(p2, 1)) {
2035  printf("sid 1 did not match but should have: ");
2036  goto end;
2037  }
2038 
2039  result = 1;
2040 
2041 end:
2042  if (alp_tctx != NULL)
2043  AppLayerParserThreadCtxFree(alp_tctx);
2044  if (de_ctx != NULL)
2045  DetectEngineCtxFree(de_ctx);
2046 
2048  FLOW_DESTROY(&f);
2049  UTHFreePackets(&p1, 1);
2050  UTHFreePackets(&p2, 1);
2051  return result;
2052 }
2053 
2054 static int DetectEngineHttpServerBodyTest16(void)
2055 {
2056  char input[] = "\
2057 %YAML 1.1\n\
2058 ---\n\
2059 libhtp:\n\
2060 \n\
2061  default-config:\n\
2062  personality: IDS\n\
2063  request-body-limit: 0\n\
2064  response-body-limit: 0\n\
2065 \n\
2066  request-body-inspect-window: 0\n\
2067  response-body-inspect-window: 0\n\
2068  request-body-minimal-inspect-size: 0\n\
2069  response-body-minimal-inspect-size: 0\n\
2070 ";
2071 
2073  ConfInit();
2075 
2076  ConfYamlLoadString(input, strlen(input));
2077  HTPConfigure();
2078 
2079  TcpSession ssn;
2080  Packet *p1 = NULL;
2081  Packet *p2 = NULL;
2082  ThreadVars th_v;
2083  DetectEngineCtx *de_ctx = NULL;
2084  DetectEngineThreadCtx *det_ctx = NULL;
2085  HtpState *http_state = NULL;
2086  Flow f;
2087  int result = 0;
2088  uint8_t http_buf1[] =
2089  "GET /index.html HTTP/1.0\r\n"
2090  "Host: www.openinfosecfoundation.org\r\n"
2091  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2092  "\r\n";
2093  uint32_t http_len1 = sizeof(http_buf1) - 1;
2094  uint8_t http_buf2[] =
2095  "HTTP/1.0 200 ok\r\n"
2096  "Content-Type: text/html\r\n"
2097  "Content-Length: 17\r\n"
2098  "\r\n"
2099  "1234567";
2100  uint32_t http_len2 = sizeof(http_buf2) - 1;
2101  uint8_t http_buf3[] =
2102  "8901234ABC";
2103  uint32_t http_len3 = sizeof(http_buf3) - 1;
2105 
2106  memset(&th_v, 0, sizeof(th_v));
2107  memset(&f, 0, sizeof(f));
2108  memset(&ssn, 0, sizeof(ssn));
2109 
2110  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2111  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2112 
2113  FLOW_INITIALIZE(&f);
2114  f.protoctx = (void *)&ssn;
2115  f.proto = IPPROTO_TCP;
2116  f.flags |= FLOW_IPV4;
2117 
2118  p1->flow = &f;
2122  p2->flow = &f;
2126  f.alproto = ALPROTO_HTTP;
2127 
2129 
2130  de_ctx = DetectEngineCtxInit();
2131  if (de_ctx == NULL)
2132  goto end;
2133 
2134  de_ctx->flags |= DE_QUIET;
2135 
2136  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2137  "(msg:\"http server body test\"; "
2138  "content:\"890\"; within:3; http_server_body; "
2139  "sid:1;)");
2140  if (de_ctx->sig_list == NULL)
2141  goto end;
2142 
2143  SigGroupBuild(de_ctx);
2144  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2145 
2146  FLOWLOCK_WRLOCK(&f);
2147  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2148  STREAM_TOSERVER, http_buf1, http_len1);
2149  if (r != 0) {
2150  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2151  result = 0;
2152  FLOWLOCK_UNLOCK(&f);
2153  goto end;
2154  }
2155  FLOWLOCK_UNLOCK(&f);
2156 
2157  http_state = f.alstate;
2158  if (http_state == NULL) {
2159  printf("no http state: \n");
2160  result = 0;
2161  goto end;
2162  }
2163 
2164  /* do detect */
2165  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2166 
2167  if (PacketAlertCheck(p1, 1)) {
2168  printf("sid 1 matched but shouldn't have\n");
2169  goto end;
2170  }
2171 
2172  FLOWLOCK_WRLOCK(&f);
2173  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2174  STREAM_TOCLIENT, http_buf2, http_len2);
2175  if (r != 0) {
2176  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2177  result = 0;
2178  FLOWLOCK_UNLOCK(&f);
2179  goto end;
2180  }
2181  FLOWLOCK_UNLOCK(&f);
2182 
2183  /* do detect */
2184  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2185 
2186  if (PacketAlertCheck(p2, 1)) {
2187  printf("sid 1 matched but shouldn't have\n");
2188  goto end;
2189  }
2190 
2191  FLOWLOCK_WRLOCK(&f);
2192  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2193  STREAM_TOCLIENT, http_buf3, http_len3);
2194  if (r != 0) {
2195  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2196  result = 0;
2197  FLOWLOCK_UNLOCK(&f);
2198  goto end;
2199  }
2200  FLOWLOCK_UNLOCK(&f);
2201 
2202  /* do detect */
2203  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2204 
2205  if (PacketAlertCheck(p2, 1)) {
2206  printf("sid 1 matched but shouldn't have\n");
2207  goto end;
2208  }
2209 
2210  result = 1;
2211 
2212 end:
2213  if (alp_tctx != NULL)
2214  AppLayerParserThreadCtxFree(alp_tctx);
2215  HTPFreeConfig();
2218 
2219  if (de_ctx != NULL)
2220  DetectEngineCtxFree(de_ctx);
2221 
2223  FLOW_DESTROY(&f);
2224  UTHFreePackets(&p1, 1);
2225  UTHFreePackets(&p2, 1);
2226  return result;
2227 }
2228 
2229 static int DetectEngineHttpServerBodyTest17(void)
2230 {
2231  char input[] = "\
2232 %YAML 1.1\n\
2233 ---\n\
2234 libhtp:\n\
2235 \n\
2236  default-config:\n\
2237  personality: IDS\n\
2238  request-body-limit: 0\n\
2239  response-body-limit: 0\n\
2240 \n\
2241  request-body-inspect-window: 0\n\
2242  response-body-inspect-window: 0\n\
2243  request-body-minimal-inspect-size: 0\n\
2244  response-body-minimal-inspect-size: 0\n\
2245 ";
2246 
2248  ConfInit();
2250 
2251  ConfYamlLoadString(input, strlen(input));
2252  HTPConfigure();
2253 
2254  TcpSession ssn;
2255  Packet *p1 = NULL;
2256  Packet *p2 = NULL;
2257  ThreadVars th_v;
2258  DetectEngineCtx *de_ctx = NULL;
2259  DetectEngineThreadCtx *det_ctx = NULL;
2260  HtpState *http_state = NULL;
2261  Flow f;
2262  int result = 0;
2263  uint8_t http_buf1[] =
2264  "GET /index.html HTTP/1.0\r\n"
2265  "Host: www.openinfosecfoundation.org\r\n"
2266  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2267  "\r\n";
2268  uint32_t http_len1 = sizeof(http_buf1) - 1;
2269  uint8_t http_buf2[] =
2270  "HTTP/1.0 200 ok\r\n"
2271  "Content-Type: text/html\r\n"
2272  "Content-Length: 17\r\n"
2273  "\r\n"
2274  "1234567";
2275  uint32_t http_len2 = sizeof(http_buf2) - 1;
2276  uint8_t http_buf3[] =
2277  "8901234ABC";
2278  uint32_t http_len3 = sizeof(http_buf3) - 1;
2280 
2281  memset(&th_v, 0, sizeof(th_v));
2282  memset(&f, 0, sizeof(f));
2283  memset(&ssn, 0, sizeof(ssn));
2284 
2285  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2286  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2287 
2288  FLOW_INITIALIZE(&f);
2289  f.protoctx = (void *)&ssn;
2290  f.proto = IPPROTO_TCP;
2291  f.flags |= FLOW_IPV4;
2292 
2293  p1->flow = &f;
2297  p2->flow = &f;
2301  f.alproto = ALPROTO_HTTP;
2302 
2304 
2305  de_ctx = DetectEngineCtxInit();
2306  if (de_ctx == NULL)
2307  goto end;
2308 
2309  de_ctx->flags |= DE_QUIET;
2310 
2311  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2312  "(msg:\"http server body test\"; "
2313  "content:\"890\"; depth:3; http_server_body; "
2314  "sid:1;)");
2315  if (de_ctx->sig_list == NULL)
2316  goto end;
2317 
2318  SigGroupBuild(de_ctx);
2319  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2320 
2321  FLOWLOCK_WRLOCK(&f);
2322  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2323  STREAM_TOSERVER, http_buf1, http_len1);
2324  if (r != 0) {
2325  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2326  result = 0;
2327  FLOWLOCK_UNLOCK(&f);
2328  goto end;
2329  }
2330  FLOWLOCK_UNLOCK(&f);
2331 
2332  http_state = f.alstate;
2333  if (http_state == NULL) {
2334  printf("no http state: \n");
2335  result = 0;
2336  goto end;
2337  }
2338 
2339  /* do detect */
2340  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2341 
2342  if (PacketAlertCheck(p1, 1)) {
2343  printf("sid 1 matched but shouldn't have\n");
2344  goto end;
2345  }
2346 
2347  FLOWLOCK_WRLOCK(&f);
2348  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2349  STREAM_TOCLIENT, http_buf2, http_len2);
2350  if (r != 0) {
2351  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2352  result = 0;
2353  FLOWLOCK_UNLOCK(&f);
2354  goto end;
2355  }
2356  FLOWLOCK_UNLOCK(&f);
2357 
2358  /* do detect */
2359  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2360 
2361  if (PacketAlertCheck(p2, 1)) {
2362  printf("sid 1 matched but shouldn't have\n");
2363  goto end;
2364  }
2365 
2366  FLOWLOCK_WRLOCK(&f);
2367  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2368  STREAM_TOCLIENT, http_buf3, http_len3);
2369  if (r != 0) {
2370  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2371  result = 0;
2372  FLOWLOCK_UNLOCK(&f);
2373  goto end;
2374  }
2375  FLOWLOCK_UNLOCK(&f);
2376 
2377  /* do detect */
2378  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2379 
2380  if (PacketAlertCheck(p2, 1)) {
2381  printf("sid 1 matched but shouldn't have\n");
2382  goto end;
2383  }
2384 
2385  result = 1;
2386 
2387 end:
2388  if (alp_tctx != NULL)
2389  AppLayerParserThreadCtxFree(alp_tctx);
2390  HTPFreeConfig();
2393 
2394  if (de_ctx != NULL)
2395  DetectEngineCtxFree(de_ctx);
2396 
2398  FLOW_DESTROY(&f);
2399  UTHFreePackets(&p1, 1);
2400  UTHFreePackets(&p2, 1);
2401  return result;
2402 }
2403 
2404 /*
2405  * gzip stream
2406  */
2407 static int DetectEngineHttpServerBodyTest18(void)
2408 {
2409  TcpSession ssn;
2410  Packet *p1 = NULL;
2411  Packet *p2 = NULL;
2412  ThreadVars th_v;
2413  DetectEngineCtx *de_ctx = NULL;
2414  DetectEngineThreadCtx *det_ctx = NULL;
2415  HtpState *http_state = NULL;
2416  Flow f;
2417  uint8_t http_buf1[] =
2418  "GET /index.html HTTP/1.0\r\n"
2419  "Host: www.openinfosecfoundation.org\r\n"
2420  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2421  "\r\n";
2422  uint32_t http_len1 = sizeof(http_buf1) - 1;
2423  uint8_t http_buf2[] = {
2424  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2425  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
2426  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
2427  0x0d, 0x0a,
2428  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2429  0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2430  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2431  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2432  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2433  0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2434  0x00, 0x00, 0x00,
2435  };
2436  uint32_t http_len2 = sizeof(http_buf2);
2437  int result = 0;
2439 
2440  memset(&th_v, 0, sizeof(th_v));
2441  memset(&f, 0, sizeof(f));
2442  memset(&ssn, 0, sizeof(ssn));
2443 
2444  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2445  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2446 
2447  FLOW_INITIALIZE(&f);
2448  f.protoctx = (void *)&ssn;
2449  f.proto = IPPROTO_TCP;
2450  f.flags |= FLOW_IPV4;
2451 
2452  p1->flow = &f;
2456  p2->flow = &f;
2460  f.alproto = ALPROTO_HTTP;
2461 
2463 
2464  de_ctx = DetectEngineCtxInit();
2465  if (de_ctx == NULL)
2466  goto end;
2467 
2468  de_ctx->flags |= DE_QUIET;
2469 
2470  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2471  "(msg:\"http server body test\"; "
2472  "content:\"file\"; http_server_body; "
2473  "sid:1;)");
2474  if (de_ctx->sig_list == NULL)
2475  goto end;
2476 
2477  SigGroupBuild(de_ctx);
2478  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2479 
2480  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2481  STREAM_TOSERVER, http_buf1, http_len1);
2482  if (r != 0) {
2483  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2484  result = 0;
2485  goto end;
2486  }
2487 
2488  http_state = f.alstate;
2489  if (http_state == NULL) {
2490  printf("no http state: \n");
2491  result = 0;
2492  goto end;
2493  }
2494 
2495  /* do detect */
2496  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2497 
2498  if ((PacketAlertCheck(p1, 1))) {
2499  printf("sid 1 matched but shouldn't have\n");
2500  goto end;
2501  }
2502 
2503  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2504  STREAM_TOCLIENT, http_buf2, http_len2);
2505  if (r != 0) {
2506  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2507  result = 0;
2508  goto end;
2509  }
2510 
2511  /* do detect */
2512  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2513 
2514  if (!(PacketAlertCheck(p2, 1))) {
2515  printf("sid 1 didn't match but should have");
2516  goto end;
2517  }
2518 
2519  result = 1;
2520 
2521 end:
2522  if (alp_tctx != NULL)
2523  AppLayerParserThreadCtxFree(alp_tctx);
2524  if (de_ctx != NULL)
2525  DetectEngineCtxFree(de_ctx);
2526 
2528  FLOW_DESTROY(&f);
2529  UTHFreePackets(&p1, 1);
2530  UTHFreePackets(&p2, 1);
2531  return result;
2532 }
2533 
2534 /*
2535  * deflate stream
2536  */
2537 static int DetectEngineHttpServerBodyTest19(void)
2538 {
2539  TcpSession ssn;
2540  Packet *p1 = NULL;
2541  Packet *p2 = NULL;
2542  ThreadVars th_v;
2543  DetectEngineCtx *de_ctx = NULL;
2544  DetectEngineThreadCtx *det_ctx = NULL;
2545  HtpState *http_state = NULL;
2546  Flow f;
2547  uint8_t http_buf1[] =
2548  "GET /index.html HTTP/1.0\r\n"
2549  "Host: www.openinfosecfoundation.org\r\n"
2550  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2551  "\r\n";
2552  uint32_t http_len1 = sizeof(http_buf1) - 1;
2553  uint8_t http_buf2[] = {
2554  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2555  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
2556  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
2557  0x0d, 0x0a,
2558  0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2559  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2560  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2561  0x8f, 0x0b, 0x00,
2562  };
2563  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
2564  uint32_t http_len2 = sizeof(http_buf2);
2565  int result = 0;
2567 
2568  memset(&th_v, 0, sizeof(th_v));
2569  memset(&f, 0, sizeof(f));
2570  memset(&ssn, 0, sizeof(ssn));
2571 
2572  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2573  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2574 
2575  FLOW_INITIALIZE(&f);
2576  f.protoctx = (void *)&ssn;
2577  f.proto = IPPROTO_TCP;
2578  f.flags |= FLOW_IPV4;
2579 
2580  p1->flow = &f;
2584  p2->flow = &f;
2588  f.alproto = ALPROTO_HTTP;
2589 
2591 
2592  de_ctx = DetectEngineCtxInit();
2593  if (de_ctx == NULL)
2594  goto end;
2595 
2596  de_ctx->flags |= DE_QUIET;
2597 
2598  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2599  "(msg:\"http server body test\"; "
2600  "content:\"file\"; http_server_body; "
2601  "sid:1;)");
2602  if (de_ctx->sig_list == NULL)
2603  goto end;
2604 
2605  SigGroupBuild(de_ctx);
2606  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2607 
2608  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2609  STREAM_TOSERVER, http_buf1, http_len1);
2610  if (r != 0) {
2611  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2612  result = 0;
2613  goto end;
2614  }
2615 
2616  http_state = f.alstate;
2617  if (http_state == NULL) {
2618  printf("no http state: \n");
2619  result = 0;
2620  goto end;
2621  }
2622 
2623  /* do detect */
2624  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2625 
2626  if ((PacketAlertCheck(p1, 1))) {
2627  printf("sid 1 matched but shouldn't have\n");
2628  goto end;
2629  }
2630 
2631  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2632  STREAM_TOCLIENT, http_buf2, http_len2);
2633  if (r != 0) {
2634  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2635  result = 0;
2636  goto end;
2637  }
2638 
2639  /* do detect */
2640  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2641 
2642  if (!(PacketAlertCheck(p2, 1))) {
2643  printf("sid 1 didn't match but should have");
2644  goto end;
2645  }
2646 
2647  result = 1;
2648 
2649 end:
2650  if (alp_tctx != NULL)
2651  AppLayerParserThreadCtxFree(alp_tctx);
2652  if (de_ctx != NULL)
2653  DetectEngineCtxFree(de_ctx);
2654 
2656  FLOW_DESTROY(&f);
2657  UTHFreePackets(&p1, 1);
2658  UTHFreePackets(&p2, 1);
2659  return result;
2660 }
2661 
2662 /*
2663  * deflate stream with gzip set as content-encoding
2664  */
2665 static int DetectEngineHttpServerBodyTest20(void)
2666 {
2667  TcpSession ssn;
2668  Packet *p1 = NULL;
2669  Packet *p2 = NULL;
2670  ThreadVars th_v;
2671  DetectEngineCtx *de_ctx = NULL;
2672  DetectEngineThreadCtx *det_ctx = NULL;
2673  HtpState *http_state = NULL;
2674  Flow f;
2675  uint8_t http_buf1[] =
2676  "GET /index.html HTTP/1.0\r\n"
2677  "Host: www.openinfosecfoundation.org\r\n"
2678  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2679  "\r\n";
2680  uint32_t http_len1 = sizeof(http_buf1) - 1;
2681  uint8_t http_buf2[] = {
2682  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2683  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
2684  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
2685  0x0d, 0x0a,
2686  0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2687  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2688  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2689  0x8f, 0x0b, 0x00,
2690  };
2691  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
2692  uint32_t http_len2 = sizeof(http_buf2);
2693  int result = 0;
2695 
2696  memset(&th_v, 0, sizeof(th_v));
2697  memset(&f, 0, sizeof(f));
2698  memset(&ssn, 0, sizeof(ssn));
2699 
2700  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2701  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2702 
2703  FLOW_INITIALIZE(&f);
2704  f.protoctx = (void *)&ssn;
2705  f.proto = IPPROTO_TCP;
2706  f.flags |= FLOW_IPV4;
2707 
2708  p1->flow = &f;
2712  p2->flow = &f;
2716  f.alproto = ALPROTO_HTTP;
2717 
2719 
2720  de_ctx = DetectEngineCtxInit();
2721  if (de_ctx == NULL)
2722  goto end;
2723 
2724  de_ctx->flags |= DE_QUIET;
2725 
2726  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2727  "(msg:\"http server body test\"; "
2728  "content:\"file\"; http_server_body; "
2729  "sid:1;)");
2730  if (de_ctx->sig_list == NULL)
2731  goto end;
2732 
2733  SigGroupBuild(de_ctx);
2734  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2735 
2736  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2737  STREAM_TOSERVER, http_buf1, http_len1);
2738  if (r != 0) {
2739  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2740  result = 0;
2741  goto end;
2742  }
2743 
2744  http_state = f.alstate;
2745  if (http_state == NULL) {
2746  printf("no http state: \n");
2747  result = 0;
2748  goto end;
2749  }
2750 
2751  /* do detect */
2752  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2753 
2754  if ((PacketAlertCheck(p1, 1))) {
2755  printf("sid 1 matched but shouldn't have\n");
2756  goto end;
2757  }
2758 
2759  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2760  STREAM_TOCLIENT, http_buf2, http_len2);
2761  if (r != 0) {
2762  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2763  result = 0;
2764  goto end;
2765  }
2766 
2767  /* do detect */
2768  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2769 
2770 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2771  FAIL_IF(!(PacketAlertCheck(p2, 1)));
2772 #endif
2773 
2774  result = 1;
2775 
2776 end:
2777  if (alp_tctx != NULL)
2778  AppLayerParserThreadCtxFree(alp_tctx);
2779  if (de_ctx != NULL)
2780  DetectEngineCtxFree(de_ctx);
2781 
2783  FLOW_DESTROY(&f);
2784  UTHFreePackets(&p1, 1);
2785  UTHFreePackets(&p2, 1);
2786  return result;
2787 }
2788 
2789 /*
2790  * gzip stream with deflate set as content-encoding.
2791  */
2792 static int DetectEngineHttpServerBodyTest21(void)
2793 {
2794  TcpSession ssn;
2795  Packet *p1 = NULL;
2796  Packet *p2 = NULL;
2797  ThreadVars th_v;
2798  DetectEngineCtx *de_ctx = NULL;
2799  DetectEngineThreadCtx *det_ctx = NULL;
2800  HtpState *http_state = NULL;
2801  Flow f;
2802  uint8_t http_buf1[] =
2803  "GET /index.html HTTP/1.0\r\n"
2804  "Host: www.openinfosecfoundation.org\r\n"
2805  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2806  "\r\n";
2807  uint32_t http_len1 = sizeof(http_buf1) - 1;
2808  uint8_t http_buf2[] = {
2809  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2810  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
2811  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
2812  0x0d, 0x0a,
2813  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2814  0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2815  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2816  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2817  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2818  0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2819  0x00, 0x00, 0x00,
2820  };
2821  uint32_t http_len2 = sizeof(http_buf2);
2822  int result = 0;
2824 
2825  memset(&th_v, 0, sizeof(th_v));
2826  memset(&f, 0, sizeof(f));
2827  memset(&ssn, 0, sizeof(ssn));
2828 
2829  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2830  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2831 
2832  FLOW_INITIALIZE(&f);
2833  f.protoctx = (void *)&ssn;
2834  f.proto = IPPROTO_TCP;
2835  f.flags |= FLOW_IPV4;
2836 
2837  p1->flow = &f;
2841  p2->flow = &f;
2845  f.alproto = ALPROTO_HTTP;
2846 
2848 
2849  de_ctx = DetectEngineCtxInit();
2850  if (de_ctx == NULL)
2851  goto end;
2852 
2853  de_ctx->flags |= DE_QUIET;
2854 
2855  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2856  "(msg:\"http server body test\"; "
2857  "content:\"file\"; http_server_body; "
2858  "sid:1;)");
2859  if (de_ctx->sig_list == NULL)
2860  goto end;
2861 
2862  SigGroupBuild(de_ctx);
2863  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2864 
2865  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2866  STREAM_TOSERVER, http_buf1, http_len1);
2867  if (r != 0) {
2868  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2869  result = 0;
2870  goto end;
2871  }
2872 
2873  http_state = f.alstate;
2874  if (http_state == NULL) {
2875  printf("no http state: \n");
2876  result = 0;
2877  goto end;
2878  }
2879 
2880  /* do detect */
2881  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2882 
2883  if ((PacketAlertCheck(p1, 1))) {
2884  printf("sid 1 matched but shouldn't have\n");
2885  goto end;
2886  }
2887 
2888  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2889  STREAM_TOCLIENT, http_buf2, http_len2);
2890  if (r != 0) {
2891  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2892  result = 0;
2893  goto end;
2894  }
2895 
2896  /* do detect */
2897  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2898 
2899 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2900  FAIL_IF(!(PacketAlertCheck(p2, 1)));
2901 #endif
2902 
2903  result = 1;
2904 
2905 end:
2906  if (alp_tctx != NULL)
2907  AppLayerParserThreadCtxFree(alp_tctx);
2908  if (de_ctx != NULL)
2909  DetectEngineCtxFree(de_ctx);
2910 
2912  FLOW_DESTROY(&f);
2913  UTHFreePackets(&p1, 1);
2914  UTHFreePackets(&p2, 1);
2915  return result;
2916 }
2917 
2918 /*
2919  * gzip stream.
2920  * We have 2 content-encoding headers. First gzip and second deflate.
2921  */
2922 static int DetectEngineHttpServerBodyTest22(void)
2923 {
2924  TcpSession ssn;
2925  Packet *p1 = NULL;
2926  Packet *p2 = NULL;
2927  ThreadVars th_v;
2928  DetectEngineCtx *de_ctx = NULL;
2929  DetectEngineThreadCtx *det_ctx = NULL;
2930  HtpState *http_state = NULL;
2931  Flow f;
2932  uint8_t http_buf1[] =
2933  "GET /index.html HTTP/1.0\r\n"
2934  "Host: www.openinfosecfoundation.org\r\n"
2935  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2936  "\r\n";
2937  uint32_t http_len1 = sizeof(http_buf1) - 1;
2938  uint8_t http_buf2[] = {
2939  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2940  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
2941  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
2942  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
2943  0x0d, 0x0a,
2944  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2945  0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2946  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2947  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2948  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2949  0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2950  0x00, 0x00, 0x00,
2951  };
2952  uint32_t http_len2 = sizeof(http_buf2);
2953  int result = 0;
2955 
2956  memset(&th_v, 0, sizeof(th_v));
2957  memset(&f, 0, sizeof(f));
2958  memset(&ssn, 0, sizeof(ssn));
2959 
2960  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2961  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2962 
2963  FLOW_INITIALIZE(&f);
2964  f.protoctx = (void *)&ssn;
2965  f.proto = IPPROTO_TCP;
2966  f.flags |= FLOW_IPV4;
2967 
2968  p1->flow = &f;
2972  p2->flow = &f;
2976  f.alproto = ALPROTO_HTTP;
2977 
2979 
2980  de_ctx = DetectEngineCtxInit();
2981  if (de_ctx == NULL)
2982  goto end;
2983 
2984  de_ctx->flags |= DE_QUIET;
2985 
2986  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2987  "(msg:\"http server body test\"; "
2988  "content:\"file\"; http_server_body; "
2989  "sid:1;)");
2990  if (de_ctx->sig_list == NULL)
2991  goto end;
2992 
2993  SigGroupBuild(de_ctx);
2994  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2995 
2996  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2997  STREAM_TOSERVER, http_buf1, http_len1);
2998  if (r != 0) {
2999  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3000  result = 0;
3001  goto end;
3002  }
3003 
3004  http_state = f.alstate;
3005  if (http_state == NULL) {
3006  printf("no http state: \n");
3007  result = 0;
3008  goto end;
3009  }
3010 
3011  /* do detect */
3012  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3013 
3014  if ((PacketAlertCheck(p1, 1))) {
3015  printf("sid 1 matched but shouldn't have: ");
3016  goto end;
3017  }
3018 
3019  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3020  STREAM_TOCLIENT, http_buf2, http_len2);
3021  if (r != 0) {
3022  printf("toserver chunk 2 returned %" PRId32 ", expected 0: \n", r);
3023  result = 0;
3024  goto end;
3025  }
3026 
3027  /* do detect */
3028  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3029 
3030 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
3031  FAIL_IF(!(PacketAlertCheck(p2, 1)));
3032 #endif
3033 
3034  result = 1;
3035 
3036 end:
3037  if (alp_tctx != NULL)
3038  AppLayerParserThreadCtxFree(alp_tctx);
3039  if (de_ctx != NULL)
3040  DetectEngineCtxFree(de_ctx);
3041 
3043  FLOW_DESTROY(&f);
3044  UTHFreePackets(&p1, 1);
3045  UTHFreePackets(&p2, 1);
3046  return result;
3047 }
3048 
3049 static int DetectEngineHttpServerBodyFileDataTest01(void)
3050 {
3051  TcpSession ssn;
3052  Packet *p1 = NULL;
3053  Packet *p2 = NULL;
3054  ThreadVars th_v;
3055  DetectEngineCtx *de_ctx = NULL;
3056  DetectEngineThreadCtx *det_ctx = NULL;
3057  HtpState *http_state = NULL;
3058  Flow f;
3059  uint8_t http_buf1[] =
3060  "GET /index.html HTTP/1.0\r\n"
3061  "Host: www.openinfosecfoundation.org\r\n"
3062  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3063  "\r\n";
3064  uint32_t http_len1 = sizeof(http_buf1) - 1;
3065  uint8_t http_buf2[] =
3066  "HTTP/1.0 200 ok\r\n"
3067  "Content-Type: text/html\r\n"
3068  "Content-Length: 6\r\n"
3069  "\r\n"
3070  "abcdef";
3071  uint32_t http_len2 = sizeof(http_buf2) - 1;
3072  int result = 0;
3074 
3075  memset(&th_v, 0, sizeof(th_v));
3076  memset(&f, 0, sizeof(f));
3077  memset(&ssn, 0, sizeof(ssn));
3078 
3079  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3080  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3081 
3082  FLOW_INITIALIZE(&f);
3083  f.protoctx = (void *)&ssn;
3084  f.proto = IPPROTO_TCP;
3085  f.flags |= FLOW_IPV4;
3086 
3087  p1->flow = &f;
3091  p2->flow = &f;
3095  f.alproto = ALPROTO_HTTP;
3096 
3098 
3099  de_ctx = DetectEngineCtxInit();
3100  if (de_ctx == NULL)
3101  goto end;
3102 
3103  de_ctx->flags |= DE_QUIET;
3104 
3105  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3106  "(msg:\"http server body test\"; "
3107  "file_data; pcre:/ab/; "
3108  "content:\"ef\"; distance:2; "
3109  "sid:1;)");
3110  if (de_ctx->sig_list == NULL)
3111  goto end;
3112 
3113  SigGroupBuild(de_ctx);
3114  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3115 
3116  FLOWLOCK_WRLOCK(&f);
3117  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3118  STREAM_TOSERVER, http_buf1, http_len1);
3119  if (r != 0) {
3120  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3121  result = 0;
3122  FLOWLOCK_UNLOCK(&f);
3123  goto end;
3124  }
3125  FLOWLOCK_UNLOCK(&f);
3126 
3127  http_state = f.alstate;
3128  if (http_state == NULL) {
3129  printf("no http state: \n");
3130  result = 0;
3131  goto end;
3132  }
3133 
3134  /* do detect */
3135  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3136 
3137  if (PacketAlertCheck(p1, 1)) {
3138  printf("sid 1 matched but shouldn't have: ");
3139  goto end;
3140  }
3141 
3142  FLOWLOCK_WRLOCK(&f);
3143  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3144  STREAM_TOCLIENT, http_buf2, http_len2);
3145  if (r != 0) {
3146  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3147  result = 0;
3148  FLOWLOCK_UNLOCK(&f);
3149  goto end;
3150  }
3151  FLOWLOCK_UNLOCK(&f);
3152 
3153  /* do detect */
3154  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3155 
3156  if (!PacketAlertCheck(p2, 1)) {
3157  printf("sid 1 did not match but should have: ");
3158  goto end;
3159  }
3160 
3161  result = 1;
3162 
3163 end:
3164  if (alp_tctx != NULL)
3165  AppLayerParserThreadCtxFree(alp_tctx);
3166  if (de_ctx != NULL)
3167  DetectEngineCtxFree(de_ctx);
3168 
3170  FLOW_DESTROY(&f);
3171  UTHFreePackets(&p1, 1);
3172  UTHFreePackets(&p2, 1);
3173  return result;
3174 }
3175 
3176 static int DetectEngineHttpServerBodyFileDataTest02(void)
3177 {
3178  TcpSession ssn;
3179  Packet *p1 = NULL;
3180  Packet *p2 = NULL;
3181  ThreadVars th_v;
3182  DetectEngineCtx *de_ctx = NULL;
3183  DetectEngineThreadCtx *det_ctx = NULL;
3184  HtpState *http_state = NULL;
3185  Flow f;
3186  uint8_t http_buf1[] =
3187  "GET /index.html HTTP/1.0\r\n"
3188  "Host: www.openinfosecfoundation.org\r\n"
3189  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3190  "\r\n";
3191  uint32_t http_len1 = sizeof(http_buf1) - 1;
3192  uint8_t http_buf2[] =
3193  "HTTP/1.0 200 ok\r\n"
3194  "Content-Type: text/html\r\n"
3195  "Content-Length: 6\r\n"
3196  "\r\n"
3197  "abcdef";
3198  uint32_t http_len2 = sizeof(http_buf2) - 1;
3199  int result = 0;
3201 
3202  memset(&th_v, 0, sizeof(th_v));
3203  memset(&f, 0, sizeof(f));
3204  memset(&ssn, 0, sizeof(ssn));
3205 
3206  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3207  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3208 
3209  FLOW_INITIALIZE(&f);
3210  f.protoctx = (void *)&ssn;
3211  f.proto = IPPROTO_TCP;
3212  f.flags |= FLOW_IPV4;
3213 
3214  p1->flow = &f;
3218  p2->flow = &f;
3222  f.alproto = ALPROTO_HTTP;
3223 
3225 
3226  de_ctx = DetectEngineCtxInit();
3227  if (de_ctx == NULL)
3228  goto end;
3229 
3230  de_ctx->flags |= DE_QUIET;
3231 
3232  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3233  "(msg:\"http server body test\"; "
3234  "file_data; pcre:/abc/; "
3235  "content:!\"xyz\"; distance:0; within:3; "
3236  "sid:1;)");
3237  if (de_ctx->sig_list == NULL)
3238  goto end;
3239 
3240  SigGroupBuild(de_ctx);
3241  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3242 
3243  FLOWLOCK_WRLOCK(&f);
3244  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3245  STREAM_TOSERVER, http_buf1, http_len1);
3246  if (r != 0) {
3247  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3248  result = 0;
3249  FLOWLOCK_UNLOCK(&f);
3250  goto end;
3251  }
3252  FLOWLOCK_UNLOCK(&f);
3253 
3254  http_state = f.alstate;
3255  if (http_state == NULL) {
3256  printf("no http state: \n");
3257  result = 0;
3258  goto end;
3259  }
3260 
3261  /* do detect */
3262  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3263 
3264  if (PacketAlertCheck(p1, 1)) {
3265  printf("sid 1 matched but shouldn't have: ");
3266  goto end;
3267  }
3268 
3269  FLOWLOCK_WRLOCK(&f);
3270  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3271  STREAM_TOCLIENT, http_buf2, http_len2);
3272  if (r != 0) {
3273  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3274  result = 0;
3275  FLOWLOCK_UNLOCK(&f);
3276  goto end;
3277  }
3278  FLOWLOCK_UNLOCK(&f);
3279 
3280  /* do detect */
3281  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3282 
3283  if (!PacketAlertCheck(p2, 1)) {
3284  printf("sid 1 did not match but should have: ");
3285  goto end;
3286  }
3287 
3288  result = 1;
3289 
3290 end:
3291  if (alp_tctx != NULL)
3292  AppLayerParserThreadCtxFree(alp_tctx);
3293  if (de_ctx != NULL)
3294  DetectEngineCtxFree(de_ctx);
3295 
3297  FLOW_DESTROY(&f);
3298  UTHFreePackets(&p1, 1);
3299  UTHFreePackets(&p2, 1);
3300  return result;
3301 }
3302 
3303 /* \test recursive relative byte test */
3304 static int DetectEngineHttpServerBodyFileDataTest03(void)
3305 {
3306  TcpSession ssn;
3307  Packet *p1 = NULL;
3308  Packet *p2 = NULL;
3309  ThreadVars th_v;
3310  DetectEngineCtx *de_ctx = NULL;
3311  DetectEngineThreadCtx *det_ctx = NULL;
3312  HtpState *http_state = NULL;
3313  Flow f;
3314  uint8_t http_buf1[] =
3315  "GET /index.html HTTP/1.0\r\n"
3316  "Host: www.openinfosecfoundation.org\r\n"
3317  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3318  "\r\n";
3319  uint32_t http_len1 = sizeof(http_buf1) - 1;
3320  uint8_t http_buf2[] =
3321  "HTTP/1.0 200 ok\r\n"
3322  "Content-Type: text/html\r\n"
3323  "Content-Length: 33\r\n"
3324  "\r\n"
3325  "XYZ_klm_1234abcd_XYZ_klm_5678abcd";
3326  uint32_t http_len2 = sizeof(http_buf2) - 1;
3327  int result = 0;
3329 
3330  memset(&th_v, 0, sizeof(th_v));
3331  memset(&f, 0, sizeof(f));
3332  memset(&ssn, 0, sizeof(ssn));
3333 
3334  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3335  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3336 
3337  FLOW_INITIALIZE(&f);
3338  f.protoctx = (void *)&ssn;
3339  f.proto = IPPROTO_TCP;
3340  f.flags |= FLOW_IPV4;
3341 
3342  p1->flow = &f;
3346  p2->flow = &f;
3350  f.alproto = ALPROTO_HTTP;
3351 
3353 
3354  de_ctx = DetectEngineCtxInit();
3355  if (de_ctx == NULL)
3356  goto end;
3357 
3358  de_ctx->flags |= DE_QUIET;
3359 
3360  if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
3361  "(msg:\"match on 1st\"; "
3362  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; distance:4; byte_test:4,=,1234,-8,relative,string;"
3363  "sid:1;)")))
3364  goto end;
3365  if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
3366  "(msg:\"match on 2nd\"; "
3367  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; distance:4; byte_test:4,=,5678,-8,relative,string;"
3368  "sid:2;)")))
3369  goto end;
3370 
3371  SigGroupBuild(de_ctx);
3372  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3373 
3374  FLOWLOCK_WRLOCK(&f);
3375  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3376  STREAM_TOSERVER, http_buf1, http_len1);
3377  if (r != 0) {
3378  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3379  result = 0;
3380  FLOWLOCK_UNLOCK(&f);
3381  goto end;
3382  }
3383  FLOWLOCK_UNLOCK(&f);
3384 
3385  http_state = f.alstate;
3386  if (http_state == NULL) {
3387  printf("no http state: \n");
3388  result = 0;
3389  goto end;
3390  }
3391 
3392  /* do detect */
3393  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3394 
3395  if (PacketAlertCheck(p1, 1)) {
3396  printf("sid 1 matched but shouldn't have: ");
3397  goto end;
3398  }
3399 
3400  FLOWLOCK_WRLOCK(&f);
3401  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3402  STREAM_TOCLIENT, http_buf2, http_len2);
3403  if (r != 0) {
3404  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3405  result = 0;
3406  FLOWLOCK_UNLOCK(&f);
3407  goto end;
3408  }
3409  FLOWLOCK_UNLOCK(&f);
3410 
3411  /* do detect */
3412  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3413 
3414  if (!PacketAlertCheck(p2, 1)) {
3415  printf("sid 1 did not match but should have: ");
3416  goto end;
3417  }
3418  if (!PacketAlertCheck(p2, 2)) {
3419  printf("sid 2 did not match but should have: ");
3420  goto end;
3421  }
3422 
3423  result = 1;
3424 
3425 end:
3426  if (alp_tctx != NULL)
3427  AppLayerParserThreadCtxFree(alp_tctx);
3428  if (de_ctx != NULL)
3429  DetectEngineCtxFree(de_ctx);
3430 
3432  FLOW_DESTROY(&f);
3433  UTHFreePackets(&p1, 1);
3434  UTHFreePackets(&p2, 1);
3435  return result;
3436 }
3437 
3438 static int DetectEngineHttpServerBodyFileDataTest04(void)
3439 {
3440 
3441  const char yaml[] = "\
3442 %YAML 1.1\n\
3443 ---\n\
3444 libhtp:\n\
3445 \n\
3446  default-config:\n\
3447 \n\
3448  http-body-inline: yes\n\
3449  response-body-minimal-inspect-size: 6\n\
3450  response-body-inspect-window: 3\n\
3451 ";
3452 
3453  struct TestSteps steps[] = {
3454  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3455  "Host: www.openinfosecfoundation.org\r\n"
3456  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3457  "\r\n",
3458  0, STREAM_TOSERVER, 0 },
3459  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3460  "Content-Type: text/html\r\n"
3461  "Content-Length: 6\r\n"
3462  "\r\n"
3463  "ab",
3464  0, STREAM_TOCLIENT, 0 },
3465  { (const uint8_t *)"cd",
3466  0, STREAM_TOCLIENT, 1 },
3467  { (const uint8_t *)"ef",
3468  0, STREAM_TOCLIENT, 0 },
3469  { NULL, 0, 0, 0 },
3470  };
3471 
3472  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
3473  return RunTest(steps, sig, yaml);
3474 }
3475 
3476 static int DetectEngineHttpServerBodyFileDataTest05(void)
3477 {
3478 
3479  const char yaml[] = "\
3480 %YAML 1.1\n\
3481 ---\n\
3482 libhtp:\n\
3483 \n\
3484  default-config:\n\
3485 \n\
3486  http-body-inline: yes\n\
3487  response-body-minimal-inspect-size: 6\n\
3488  response-body-inspect-window: 3\n\
3489 ";
3490 
3491  struct TestSteps steps[] = {
3492  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3493  "Host: www.openinfosecfoundation.org\r\n"
3494  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3495  "\r\n",
3496  0, STREAM_TOSERVER, 0 },
3497  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3498  "Content-Type: text/html\r\n"
3499  "Content-Length: 6\r\n"
3500  "\r\n"
3501  "ab",
3502  0, STREAM_TOCLIENT, 0 },
3503  { (const uint8_t *)"cd",
3504  0, STREAM_TOCLIENT, 0 },
3505  { (const uint8_t *)"ef",
3506  0, STREAM_TOCLIENT, 1 },
3507  { NULL, 0, 0, 0 },
3508  };
3509 
3510  const char *sig = "alert http any any -> any any (file_data; content:\"abcdef\"; sid:1;)";
3511  return RunTest(steps, sig, yaml);
3512 }
3513 
3514 static int DetectEngineHttpServerBodyFileDataTest06(void)
3515 {
3516 
3517  const char yaml[] = "\
3518 %YAML 1.1\n\
3519 ---\n\
3520 libhtp:\n\
3521 \n\
3522  default-config:\n\
3523 \n\
3524  http-body-inline: yes\n\
3525  response-body-minimal-inspect-size: 6\n\
3526  response-body-inspect-window: 3\n\
3527 ";
3528 
3529  struct TestSteps steps[] = {
3530  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3531  "Host: www.openinfosecfoundation.org\r\n"
3532  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3533  "\r\n",
3534  0, STREAM_TOSERVER, 0 },
3535  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3536  "Content-Type: text/html\r\n"
3537  "Content-Length: 6\r\n"
3538  "\r\n"
3539  "ab",
3540  0, STREAM_TOCLIENT, 0 },
3541  { (const uint8_t *)"cd",
3542  0, STREAM_TOCLIENT, 0 },
3543  { (const uint8_t *)"ef",
3544  0, STREAM_TOCLIENT, 1 },
3545  { NULL, 0, 0, 0 },
3546  };
3547 
3548  const char *sig = "alert http any any -> any any (file_data; content:\"bcdef\"; offset:1; sid:1;)";
3549  return RunTest(steps, sig, yaml);
3550 }
3551 
3552 static int DetectEngineHttpServerBodyFileDataTest07(void)
3553 {
3554 
3555  const char yaml[] = "\
3556 %YAML 1.1\n\
3557 ---\n\
3558 libhtp:\n\
3559 \n\
3560  default-config:\n\
3561 \n\
3562  http-body-inline: yes\n\
3563  response-body-minimal-inspect-size: 6\n\
3564  response-body-inspect-window: 3\n\
3565 ";
3566 
3567  struct TestSteps steps[] = {
3568  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3569  "Host: www.openinfosecfoundation.org\r\n"
3570  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3571  "\r\n",
3572  0, STREAM_TOSERVER, 0 },
3573  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3574  "Content-Type: text/html\r\n"
3575  "Content-Length: 13\r\n"
3576  "\r\n"
3577  "ab",
3578  0, STREAM_TOCLIENT, 0 },
3579  { (const uint8_t *)"cd",
3580  0, STREAM_TOCLIENT, 1 },
3581  { (const uint8_t *)"123456789",
3582  0, STREAM_TOCLIENT, 0 },
3583  { NULL, 0, 0, 0 },
3584  };
3585 
3586  const char *sig = "alert http any any -> any any (file_data; content:\"bc\"; offset:1; depth:2; sid:1;)";
3587  return RunTest(steps, sig, yaml);
3588 }
3589 
3590 static int DetectEngineHttpServerBodyFileDataTest08(void)
3591 {
3592 
3593  const char yaml[] = "\
3594 %YAML 1.1\n\
3595 ---\n\
3596 libhtp:\n\
3597 \n\
3598  default-config:\n\
3599 \n\
3600  http-body-inline: yes\n\
3601  response-body-minimal-inspect-size: 6\n\
3602  response-body-inspect-window: 3\n\
3603 ";
3604 
3605  struct TestSteps steps[] = {
3606  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3607  "Host: www.openinfosecfoundation.org\r\n"
3608  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3609  "\r\n",
3610  0, STREAM_TOSERVER, 0 },
3611  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3612  "Content-Type: text/html\r\n"
3613  "Content-Length: 14\r\n"
3614  "\r\n"
3615  "ab",
3616  0, STREAM_TOCLIENT, 0 },
3617  { (const uint8_t *)"cd",
3618  0, STREAM_TOCLIENT, 0 },
3619  { (const uint8_t *)"1234567890",
3620  0, STREAM_TOCLIENT, 1 },
3621  { NULL, 0, 0, 0 },
3622  };
3623 
3624  const char *sig = "alert http any any -> any any (file_data; content:\"d123456789\"; offset:3; sid:1;)";
3625  return RunTest(steps, sig, yaml);
3626 }
3627 
3628 static int DetectEngineHttpServerBodyFileDataTest09(void)
3629 {
3630 
3631  const char yaml[] = "\
3632 %YAML 1.1\n\
3633 ---\n\
3634 libhtp:\n\
3635 \n\
3636  default-config:\n\
3637 \n\
3638  http-body-inline: yes\n\
3639  response-body-minimal-inspect-size: 6\n\
3640  response-body-inspect-window: 3\n\
3641 ";
3642 
3643  struct TestSteps steps[] = {
3644  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3645  "Host: www.openinfosecfoundation.org\r\n"
3646  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3647  "\r\n",
3648  0, STREAM_TOSERVER, 0 },
3649  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3650  "Content-Type: text/html\r\n"
3651  "Content-Length: 13\r\n"
3652  "\r\n"
3653  "ab",
3654  0, STREAM_TOCLIENT, 0 },
3655  { (const uint8_t *)"cd",
3656  0, STREAM_TOCLIENT, 0 },
3657  { (const uint8_t *)"123456789",
3658  0, STREAM_TOCLIENT, 1 },
3659  { NULL, 0, 0, 0 },
3660  };
3661 
3662  const char *sig = "alert http any any -> any any (file_data; content:\"abcd12\"; depth:6; sid:1;)";
3663  return RunTest(steps, sig, yaml);
3664 }
3665 
3666 static int DetectEngineHttpServerBodyFileDataTest10(void)
3667 {
3668 
3669  const char yaml[] = "\
3670 %YAML 1.1\n\
3671 ---\n\
3672 libhtp:\n\
3673 \n\
3674  default-config:\n\
3675 \n\
3676  http-body-inline: yes\n\
3677  response-body-minimal-inspect-size: 6\n\
3678  response-body-inspect-window: 3\n\
3679 ";
3680 
3681  struct TestSteps steps[] = {
3682  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3683  "Host: www.openinfosecfoundation.org\r\n"
3684  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3685  "\r\n",
3686  0, STREAM_TOSERVER, 0 },
3687  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3688  "Content-Type: text/html\r\n"
3689  "Content-Length: 5\r\n"
3690  "\r\n"
3691  "ab",
3692  0, STREAM_TOCLIENT, 0 },
3693  { (const uint8_t *)"c",
3694  0, STREAM_TOCLIENT, 1 },
3695  { (const uint8_t *)"de",
3696  0, STREAM_TOCLIENT, 0 },
3697  { NULL, 0, 0, 0 },
3698  };
3699 
3700  const char *sig = "alert http any any -> any any (file_data; content:\"abc\"; depth:3; sid:1;)";
3701  return RunTest(steps, sig, yaml);
3702 }
3703 
3704 static int DetectEngineHttpServerBodyFileDataTest11(void)
3705 {
3706 
3707  const char yaml[] = "\
3708 %YAML 1.1\n\
3709 ---\n\
3710 libhtp:\n\
3711 \n\
3712  default-config:\n\
3713 \n\
3714  http-body-inline: yes\n\
3715  response-body-minimal-inspect-size: 6\n\
3716  response-body-inspect-window: 3\n\
3717 ";
3718 
3719  struct TestSteps steps[] = {
3720  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3721  "Host: www.openinfosecfoundation.org\r\n"
3722  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3723  "\r\n",
3724  0, STREAM_TOSERVER, 0 },
3725  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3726  "Content-Type: text/html\r\n"
3727  "Content-Length: 5\r\n"
3728  "\r\n"
3729  "ab",
3730  0, STREAM_TOCLIENT, 0 },
3731  { (const uint8_t *)"c",
3732  0, STREAM_TOCLIENT, 0 },
3733  { (const uint8_t *)"de",
3734  0, STREAM_TOCLIENT, 1 },
3735  { NULL, 0, 0, 0 },
3736  };
3737 
3738  const char *sig = "alert http any any -> any any (file_data; content:\"bcde\"; offset:1; depth:4; sid:1;)";
3739  return RunTest(steps, sig, yaml);
3740 }
3741 
3742 static int DetectEngineHttpServerBodyFileDataTest12(void)
3743 {
3744 
3745  const char yaml[] = "\
3746 %YAML 1.1\n\
3747 ---\n\
3748 libhtp:\n\
3749 \n\
3750  default-config:\n\
3751 \n\
3752  http-body-inline: yes\n\
3753  response-body-minimal-inspect-size: 6\n\
3754  response-body-inspect-window: 3\n\
3755 ";
3756 
3757  struct TestSteps steps[] = {
3758  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3759  "Host: www.openinfosecfoundation.org\r\n"
3760  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3761  "\r\n",
3762  0, STREAM_TOSERVER, 0 },
3763  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3764  "Content-Type: text/html\r\n"
3765  "Content-Length: 13\r\n"
3766  "\r\n"
3767  "a",
3768  0, STREAM_TOCLIENT, 0 },
3769  { (const uint8_t *)"b",
3770  0, STREAM_TOCLIENT, 0 },
3771  { (const uint8_t *)"c",
3772  0, STREAM_TOCLIENT, 0 },
3773  { (const uint8_t *)"d",
3774  0, STREAM_TOCLIENT, 1 },
3775  { (const uint8_t *)"efghijklm",
3776  0, STREAM_TOCLIENT, 0 },
3777  { NULL, 0, 0, 0 },
3778  };
3779 
3780  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
3781  return RunTest(steps, sig, yaml);
3782 }
3783 
3784 static int DetectEngineHttpServerBodyFileDataTest13(void)
3785 {
3786 
3787  const char yaml[] = "\
3788 %YAML 1.1\n\
3789 ---\n\
3790 libhtp:\n\
3791 \n\
3792  default-config:\n\
3793 \n\
3794  http-body-inline: yes\n\
3795  response-body-minimal-inspect-size: 9\n\
3796  response-body-inspect-window: 12\n\
3797 ";
3798 
3799  struct TestSteps steps[] = {
3800  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3801  "Host: www.openinfosecfoundation.org\r\n"
3802  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3803  "\r\n",
3804  0, STREAM_TOSERVER, 0 },
3805  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3806  "Content-Type: text/html\r\n"
3807  "Content-Length: 13\r\n"
3808  "\r\n"
3809  "a",
3810  0, STREAM_TOCLIENT, 0 },
3811  { (const uint8_t *)"b",
3812  0, STREAM_TOCLIENT, 0 },
3813  { (const uint8_t *)"c",
3814  0, STREAM_TOCLIENT, 0 },
3815  { (const uint8_t *)"d",
3816  0, STREAM_TOCLIENT, 0 },
3817  { (const uint8_t *)"efghijklm",
3818  0, STREAM_TOCLIENT, 1 },
3819  { NULL, 0, 0, 0 },
3820  };
3821 
3822  const char *sig = "alert http any any -> any any (file_data; content:\"abcdefghijklm\"; sid:1;)";
3823  return RunTest(steps, sig, yaml);
3824 }
3825 
3826 static int DetectEngineHttpServerBodyFileDataTest14(void)
3827 {
3828 
3829  const char yaml[] = "\
3830 %YAML 1.1\n\
3831 ---\n\
3832 libhtp:\n\
3833 \n\
3834  default-config:\n\
3835 \n\
3836  http-body-inline: yes\n\
3837  response-body-minimal-inspect-size: 9\n\
3838  response-body-inspect-window: 12\n\
3839 ";
3840 
3841  struct TestSteps steps[] = {
3842  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3843  "Host: www.openinfosecfoundation.org\r\n"
3844  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3845  "\r\n",
3846  0, STREAM_TOSERVER, 0 },
3847  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3848  "Content-Type: text/html\r\n"
3849  "Content-Length: 20\r\n"
3850  "\r\n"
3851  "1234567890",
3852  0, STREAM_TOCLIENT, 0 },
3853  { (const uint8_t *)"abcdefghi",
3854  0, STREAM_TOCLIENT, 1 },
3855  { NULL, 0, 0, 0 },
3856  };
3857 
3858  const char *sig = "alert http any any -> any any (file_data; content:\"890abcdefghi\"; sid:1;)";
3859  return RunTest(steps, sig, yaml);
3860 }
3861 
3862 static int DetectEngineHttpServerBodyFileDataTest15(void)
3863 {
3864 
3865  const char yaml[] = "\
3866 %YAML 1.1\n\
3867 ---\n\
3868 libhtp:\n\
3869 \n\
3870  default-config:\n\
3871 \n\
3872  http-body-inline: yes\n\
3873  response-body-minimal-inspect-size: 9\n\
3874  response-body-inspect-window: 12\n\
3875 ";
3876 
3877  struct TestSteps steps[] = {
3878  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3879  "Host: www.openinfosecfoundation.org\r\n"
3880  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3881  "\r\n",
3882  0, STREAM_TOSERVER, 0 },
3883  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3884  "Content-Type: text/html\r\n"
3885  "Content-Length: 20\r\n"
3886  "\r\n"
3887  "1234567890",
3888  0, STREAM_TOCLIENT, 0 },
3889  { (const uint8_t *)"abcdefghi",
3890  0, STREAM_TOCLIENT, 0 },
3891  { NULL, 0, 0, 0 },
3892  };
3893 
3894  const char *sig = "alert http any any -> any any (file_data; content:\"7890ab\"; depth:6; sid:1;)";
3895  return RunTest(steps, sig, yaml);
3896 }
3897 
3898 static int DetectEngineHttpServerBodyFileDataTest16(void)
3899 {
3900 
3901  const char yaml[] = "\
3902 %YAML 1.1\n\
3903 ---\n\
3904 libhtp:\n\
3905 \n\
3906  default-config:\n\
3907 \n\
3908  http-body-inline: yes\n\
3909  response-body-minimal-inspect-size: 9\n\
3910  response-body-inspect-window: 12\n\
3911 ";
3912 
3913  struct TestSteps steps[] = {
3914  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3915  "Host: www.openinfosecfoundation.org\r\n"
3916  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3917  "\r\n",
3918  0, STREAM_TOSERVER, 0 },
3919  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3920  "Content-Type: text/html\r\n"
3921  "Content-Length: 20\r\n"
3922  "\r\n"
3923  "aaaab",
3924  0, STREAM_TOCLIENT, 0 },
3925  { (const uint8_t *)"bbbbc",
3926  0, STREAM_TOCLIENT, 0 },
3927  { (const uint8_t *)"ccccd",
3928  0, STREAM_TOCLIENT, 0 },
3929  { (const uint8_t *)"dddde",
3930  0, STREAM_TOCLIENT, 0 },
3931  { NULL, 0, 0, 0 },
3932  };
3933 
3934  const char *sig = "alert http any any -> any any (file_data; content:\"aabb\"; depth:4; sid:1;)";
3935  return RunTest(steps, sig, yaml);
3936 }
3937 
3938 static int DetectEngineHttpServerBodyFileDataTest17(void)
3939 {
3940 
3941  const char yaml[] = "\
3942 %YAML 1.1\n\
3943 ---\n\
3944 libhtp:\n\
3945 \n\
3946  default-config:\n\
3947 \n\
3948  http-body-inline: yes\n\
3949  response-body-minimal-inspect-size: 8\n\
3950  response-body-inspect-window: 4\n\
3951 ";
3952 
3953  struct TestSteps steps[] = {
3954  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3955  "Host: www.openinfosecfoundation.org\r\n"
3956  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3957  "\r\n",
3958  0, STREAM_TOSERVER, 0 },
3959  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3960  "Content-Type: text/html\r\n"
3961  "Content-Length: 20\r\n"
3962  "\r\n"
3963  "aaaab",
3964  0, STREAM_TOCLIENT, 0 },
3965  { (const uint8_t *)"bbbbc",
3966  0, STREAM_TOCLIENT, 0 },
3967  { (const uint8_t *)"ccccd",
3968  0, STREAM_TOCLIENT, 0 },
3969  { (const uint8_t *)"dddde",
3970  0, STREAM_TOCLIENT, 0 },
3971  { NULL, 0, 0, 0 },
3972  };
3973 
3974  const char *sig = "alert http any any -> any any (file_data; content:\"bbbc\"; depth:4; sid:1;)";
3975  return RunTest(steps, sig, yaml);
3976 }
3977 
3978 static int DetectEngineHttpServerBodyFileDataTest18(void)
3979 {
3980 
3981  const char yaml[] = "\
3982 %YAML 1.1\n\
3983 ---\n\
3984 libhtp:\n\
3985 \n\
3986  default-config:\n\
3987 \n\
3988  http-body-inline: yes\n\
3989  response-body-minimal-inspect-size: 8\n\
3990  response-body-inspect-window: 4\n\
3991 ";
3992 
3993  struct TestSteps steps[] = {
3994  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3995  "Host: www.openinfosecfoundation.org\r\n"
3996  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3997  "\r\n",
3998  0, STREAM_TOSERVER, 0 },
3999  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
4000  "Content-Type: text/html\r\n"
4001  "Content-Length: 20\r\n"
4002  "\r\n"
4003  "aaaab",
4004  0, STREAM_TOCLIENT, 0 },
4005  { (const uint8_t *)"bbbbc",
4006  0, STREAM_TOCLIENT, 0 },
4007  { (const uint8_t *)"ccccd",
4008  0, STREAM_TOCLIENT, 0 },
4009  { (const uint8_t *)"dddde",
4010  0, STREAM_TOCLIENT, 0 },
4011  { NULL, 0, 0, 0 },
4012  };
4013 
4014  const char *sig = "alert http any any -> any any (file_data; content:\"bccd\"; depth:4; sid:1;)";
4015  return RunTest(steps, sig, yaml);
4016 }
4017 static int DetectEngineHttpServerBodyFileDataTest19(void)
4018 {
4019  char input[] = "\
4020 %YAML 1.1\n\
4021 ---\n\
4022 libhtp:\n\
4023 \n\
4024  default-config:\n\
4025 \n\
4026  swf-decompression:\n\
4027  enabled: yes\n\
4028  type: both\n\
4029  compress-depth: 0\n\
4030  decompress-depth: 0\n\
4031 ";
4033  ConfInit();
4035  ConfYamlLoadString(input, strlen(input));
4036  HTPConfigure();
4037  TcpSession ssn;
4038  Packet *p1 = NULL;
4039  Packet *p2 = NULL;
4040  ThreadVars th_v;
4041  DetectEngineCtx *de_ctx = NULL;
4042  DetectEngineThreadCtx *det_ctx = NULL;
4043  HtpState *http_state = NULL;
4044  Flow f;
4045  uint8_t http_buf1[] =
4046  "GET /file.swf HTTP/1.0\r\n"
4047  "Host: www.openinfosecfoundation.org\r\n"
4048  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4049  "\r\n";
4050  uint32_t http_len1 = sizeof(http_buf1) - 1;
4051  uint8_t http_buf2[] = {
4052  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4053  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4054  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4055  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
4056  0x0d, 0x0a,
4057  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4058  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4059  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4060  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4061  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4062  };
4063  uint32_t http_len2 = sizeof(http_buf2);
4065  FAIL_IF_NULL(alp_tctx);
4066 
4067  memset(&th_v, 0, sizeof(th_v));
4068  memset(&f, 0, sizeof(f));
4069  memset(&ssn, 0, sizeof(ssn));
4070 
4071  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4072  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4073 
4074  FLOW_INITIALIZE(&f);
4075  f.protoctx = (void *)&ssn;
4076  f.proto = IPPROTO_TCP;
4077  f.flags |= FLOW_IPV4;
4078 
4079  p1->flow = &f;
4083  p2->flow = &f;
4087  f.alproto = ALPROTO_HTTP;
4088 
4090 
4091  de_ctx = DetectEngineCtxInit();
4092  FAIL_IF_NULL(de_ctx);
4093 
4094  de_ctx->flags |= DE_QUIET;
4095 
4096  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4097  "(flow:established,from_server; "
4098  "file_data; content:\"FWS\"; "
4099  "sid:1;)");
4100  FAIL_IF_NULL(de_ctx->sig_list);
4101 
4102  SigGroupBuild(de_ctx);
4103  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4104 
4105  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1);
4106  FAIL_IF(r != 0);
4107 
4108  http_state = f.alstate;
4109  FAIL_IF_NULL(http_state);
4110 
4111  /* do detect */
4112  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4113 
4114  FAIL_IF((PacketAlertCheck(p1, 1)));
4115 
4116  r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
4117  FAIL_IF(r != 0);
4118 
4119  /* do detect */
4120  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4121 
4122  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4123 
4124  AppLayerParserThreadCtxFree(alp_tctx);
4125  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4126  DetectEngineCtxFree(de_ctx);
4127 
4128  HTPFreeConfig();
4131 
4133  FLOW_DESTROY(&f);
4134  UTHFreePackets(&p1, 1);
4135  UTHFreePackets(&p2, 1);
4136  PASS;
4137 }
4138 
4139 static int DetectEngineHttpServerBodyFileDataTest20(void)
4140 {
4141  char input[] = "\
4142 %YAML 1.1\n\
4143 ---\n\
4144 libhtp:\n\
4145 \n\
4146  default-config:\n\
4147 \n\
4148  swf-decompression:\n\
4149  enabled: no\n\
4150  type: both\n\
4151  compress-depth: 0\n\
4152  decompress-depth: 0\n\
4153 ";
4154 
4156  ConfInit();
4158 
4159  ConfYamlLoadString(input, strlen(input));
4160  HTPConfigure();
4161 
4162  TcpSession ssn;
4163  Packet *p1 = NULL;
4164  Packet *p2 = NULL;
4165  ThreadVars th_v;
4166  DetectEngineCtx *de_ctx = NULL;
4167  DetectEngineThreadCtx *det_ctx = NULL;
4168  HtpState *http_state = NULL;
4169  Flow f;
4170  uint8_t http_buf1[] =
4171  "GET /file.swf HTTP/1.0\r\n"
4172  "Host: www.openinfosecfoundation.org\r\n"
4173  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4174  "\r\n";
4175  uint32_t http_len1 = sizeof(http_buf1) - 1;
4176  uint8_t http_buf2[] = {
4177  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4178  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4179  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4180  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
4181  0x0d, 0x0a,
4182  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4183  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4184  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4185  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4186  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4187  };
4188  uint32_t http_len2 = sizeof(http_buf2);
4190  FAIL_IF_NULL(alp_tctx);
4191 
4192  memset(&th_v, 0, sizeof(th_v));
4193  memset(&f, 0, sizeof(f));
4194  memset(&ssn, 0, sizeof(ssn));
4195 
4196  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4197  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4198 
4199  FLOW_INITIALIZE(&f);
4200  f.protoctx = (void *)&ssn;
4201  f.proto = IPPROTO_TCP;
4202  f.flags |= FLOW_IPV4;
4203 
4204  p1->flow = &f;
4208  p2->flow = &f;
4212  f.alproto = ALPROTO_HTTP;
4213 
4215 
4216  de_ctx = DetectEngineCtxInit();
4217  FAIL_IF_NULL(de_ctx);
4218 
4219  de_ctx->flags |= DE_QUIET;
4220 
4221  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4222  "(flow:established,from_server; "
4223  "file_data; content:\"CWS\"; "
4224  "sid:1;)");
4225  FAIL_IF_NULL(de_ctx->sig_list);
4226 
4227  SigGroupBuild(de_ctx);
4228  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4229 
4230  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1);
4231  FAIL_IF(r != 0);
4232 
4233  http_state = f.alstate;
4234  FAIL_IF_NULL(http_state);
4235 
4236  /* do detect */
4237  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4238 
4239  FAIL_IF((PacketAlertCheck(p1, 1)));
4240 
4241  r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
4242  FAIL_IF(r != 0);
4243 
4244  /* do detect */
4245  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4246 
4247  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4248 
4249  AppLayerParserThreadCtxFree(alp_tctx);
4250  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4251  DetectEngineCtxFree(de_ctx);
4252 
4253  HTPFreeConfig();
4256 
4258  FLOW_DESTROY(&f);
4259  UTHFreePackets(&p1, 1);
4260  UTHFreePackets(&p2, 1);
4261  PASS;
4262 }
4263 
4264 static int DetectEngineHttpServerBodyFileDataTest21(void)
4265 {
4266  char input[] = "\
4267 %YAML 1.1\n\
4268 ---\n\
4269 libhtp:\n\
4270 \n\
4271  default-config:\n\
4272 \n\
4273  swf-decompression:\n\
4274  enabled: yes\n\
4275  type: deflate\n\
4276  compress-depth: 0\n\
4277  decompress-depth: 0\n\
4278 ";
4279 
4281  ConfInit();
4283 
4284  ConfYamlLoadString(input, strlen(input));
4285  HTPConfigure();
4286 
4287  TcpSession ssn;
4288  Packet *p1 = NULL;
4289  Packet *p2 = NULL;
4290  ThreadVars th_v;
4291  DetectEngineCtx *de_ctx = NULL;
4292  DetectEngineThreadCtx *det_ctx = NULL;
4293  HtpState *http_state = NULL;
4294  Flow f;
4295  uint8_t http_buf1[] =
4296  "GET /file.swf HTTP/1.0\r\n"
4297  "Host: www.openinfosecfoundation.org\r\n"
4298  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4299  "\r\n";
4300  uint32_t http_len1 = sizeof(http_buf1) - 1;
4301  uint8_t http_buf2[] = {
4302  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4303  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4304  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4305  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
4306  0x0d, 0x0a,
4307  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4308  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4309  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4310  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4311  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4312  };
4313  uint32_t http_len2 = sizeof(http_buf2);
4315  FAIL_IF_NULL(alp_tctx);
4316 
4317  memset(&th_v, 0, sizeof(th_v));
4318  memset(&f, 0, sizeof(f));
4319  memset(&ssn, 0, sizeof(ssn));
4320 
4321  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4322  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4323 
4324  FLOW_INITIALIZE(&f);
4325  f.protoctx = (void *)&ssn;
4326  f.proto = IPPROTO_TCP;
4327  f.flags |= FLOW_IPV4;
4328 
4329  p1->flow = &f;
4333  p2->flow = &f;
4337  f.alproto = ALPROTO_HTTP;
4338 
4340 
4341  de_ctx = DetectEngineCtxInit();
4342  FAIL_IF_NULL(de_ctx);
4343 
4344  de_ctx->flags |= DE_QUIET;
4345 
4346  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4347  "(flow:established,from_server; "
4348  "file_data; content:\"FWS\"; "
4349  "sid:1;)");
4350  FAIL_IF_NULL(de_ctx->sig_list);
4351 
4352  SigGroupBuild(de_ctx);
4353  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4354 
4355  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1);
4356  FAIL_IF(r != 0);
4357 
4358  http_state = f.alstate;
4359  FAIL_IF_NULL(http_state);
4360 
4361  /* do detect */
4362  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4363 
4364  FAIL_IF((PacketAlertCheck(p1, 1)));
4365 
4366  r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
4367  FAIL_IF(r != 0);
4368 
4369  /* do detect */
4370  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4371 
4372  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4373 
4374  AppLayerParserThreadCtxFree(alp_tctx);
4375  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4376  DetectEngineCtxFree(de_ctx);
4377 
4378  HTPFreeConfig();
4381 
4383  FLOW_DESTROY(&f);
4384  UTHFreePackets(&p1, 1);
4385  UTHFreePackets(&p2, 1);
4386  PASS;
4387 }
4388 
4389 static int DetectEngineHttpServerBodyFileDataTest22(void)
4390 {
4391  char input[] = "\
4392 %YAML 1.1\n\
4393 ---\n\
4394 libhtp:\n\
4395 \n\
4396  default-config:\n\
4397 \n\
4398  swf-decompression:\n\
4399  enabled: yes\n\
4400  type: lzma\n\
4401  compress-depth: 0\n\
4402  decompress-depth: 0\n\
4403 ";
4404 
4406  ConfInit();
4408 
4409  ConfYamlLoadString(input, strlen(input));
4410  HTPConfigure();
4411 
4412  TcpSession ssn;
4413  Packet *p1 = NULL;
4414  Packet *p2 = NULL;
4415  ThreadVars th_v;
4416  DetectEngineCtx *de_ctx = NULL;
4417  DetectEngineThreadCtx *det_ctx = NULL;
4418  HtpState *http_state = NULL;
4419  Flow f;
4420  uint8_t http_buf1[] =
4421  "GET /file.swf HTTP/1.0\r\n"
4422  "Host: www.openinfosecfoundation.org\r\n"
4423  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4424  "\r\n";
4425  uint32_t http_len1 = sizeof(http_buf1) - 1;
4426  uint8_t http_buf2[] = {
4427  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4428  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4429  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4430  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
4431  0x0d, 0x0a,
4432  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4433  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4434  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4435  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4436  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4437  };
4438  uint32_t http_len2 = sizeof(http_buf2);
4440  FAIL_IF_NULL(alp_tctx);
4441 
4442  memset(&th_v, 0, sizeof(th_v));
4443  memset(&f, 0, sizeof(f));
4444  memset(&ssn, 0, sizeof(ssn));
4445 
4446  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4447  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4448 
4449  FLOW_INITIALIZE(&f);
4450  f.protoctx = (void *)&ssn;
4451  f.proto = IPPROTO_TCP;
4452  f.flags |= FLOW_IPV4;
4453 
4454  p1->flow = &f;
4458  p2->flow = &f;
4462  f.alproto = ALPROTO_HTTP;
4463 
4465 
4466  de_ctx = DetectEngineCtxInit();
4467  FAIL_IF_NULL(de_ctx);
4468 
4469  de_ctx->flags |= DE_QUIET;
4470 
4471  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4472  "(flow:established,from_server; "
4473  "file_data; content:\"CWS\"; "
4474  "sid:1;)");
4475  FAIL_IF_NULL(de_ctx->sig_list);
4476 
4477  SigGroupBuild(de_ctx);
4478  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4479 
4480  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1);
4481  FAIL_IF(r != 0);
4482 
4483  http_state = f.alstate;
4484  FAIL_IF_NULL(http_state);
4485 
4486  /* do detect */
4487  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4488 
4489  FAIL_IF((PacketAlertCheck(p1, 1)));
4490 
4491  r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
4492  FAIL_IF(r != 0);
4493 
4494  /* do detect */
4495  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4496 
4497  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4498 
4499  AppLayerParserThreadCtxFree(alp_tctx);
4500  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4501  DetectEngineCtxFree(de_ctx);
4502 
4503  HTPFreeConfig();
4506 
4508  FLOW_DESTROY(&f);
4509  UTHFreePackets(&p1, 1);
4510  UTHFreePackets(&p2, 1);
4511  PASS;
4512 }
4513 
4514 static int DetectEngineHttpServerBodyFileDataTest23(void)
4515 {
4516  char input[] = "\
4517 %YAML 1.1\n\
4518 ---\n\
4519 libhtp:\n\
4520 \n\
4521  default-config:\n\
4522 \n\
4523  swf-decompression:\n\
4524  enabled: yes\n\
4525  type: both\n\
4526  compress-depth: 0\n\
4527  decompress-depth: 0\n\
4528 ";
4529 
4531  ConfInit();
4533 
4534  ConfYamlLoadString(input, strlen(input));
4535  HTPConfigure();
4536 
4537  TcpSession ssn;
4538  Packet *p1 = NULL;
4539  Packet *p2 = NULL;
4540  ThreadVars th_v;
4541  DetectEngineCtx *de_ctx = NULL;
4542  DetectEngineThreadCtx *det_ctx = NULL;
4543  HtpState *http_state = NULL;
4544  Flow f;
4545  uint8_t http_buf1[] =
4546  "GET /file.swf HTTP/1.0\r\n"
4547  "Host: www.openinfosecfoundation.org\r\n"
4548  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4549  "\r\n";
4550  uint32_t http_len1 = sizeof(http_buf1) - 1;
4551  uint8_t http_buf2[] = {
4552  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4553  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4554  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4555  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
4556  0x0d, 0x0a,
4557  0x43, 0x57, 0x53, 0x01, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4558  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4559  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4560  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4561  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4562  };
4563  uint32_t http_len2 = sizeof(http_buf2);
4565  FAIL_IF_NULL(alp_tctx);
4566 
4567  memset(&th_v, 0, sizeof(th_v));
4568  memset(&f, 0, sizeof(f));
4569  memset(&ssn, 0, sizeof(ssn));
4570 
4571  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4572  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4573 
4574  FLOW_INITIALIZE(&f);
4575  f.protoctx = (void *)&ssn;
4576  f.proto = IPPROTO_TCP;
4577  f.flags |= FLOW_IPV4;
4578 
4579  p1->flow = &f;
4583  p2->flow = &f;
4587  f.alproto = ALPROTO_HTTP;
4588 
4590 
4591  de_ctx = DetectEngineCtxInit();
4592  FAIL_IF_NULL(de_ctx);
4593 
4594  de_ctx->flags |= DE_QUIET;
4595 
4596  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4597  "(flow:established,from_server; "
4598  "file_data; content:\"CWS\"; "
4599  "sid:1;)");
4600  FAIL_IF_NULL(de_ctx->sig_list);
4601 
4602  SigGroupBuild(de_ctx);
4603  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4604 
4605  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1);
4606  FAIL_IF(r != 0);
4607 
4608  http_state = f.alstate;
4609  FAIL_IF_NULL(http_state);
4610 
4611  /* do detect */
4612  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4613 
4614  FAIL_IF((PacketAlertCheck(p1, 1)));
4615 
4616  r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
4617  FAIL_IF(r != 0);
4618 
4619  /* do detect */
4620  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4621 
4622  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4623 
4624  AppLayerParserThreadCtxFree(alp_tctx);
4625  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4626  DetectEngineCtxFree(de_ctx);
4627 
4628  HTPFreeConfig();
4631 
4633  FLOW_DESTROY(&f);
4634  UTHFreePackets(&p1, 1);
4635  UTHFreePackets(&p2, 1);
4636  PASS;
4637 }
4638 
4639 static int DetectEngineHttpServerBodyFileDataTest24(void)
4640 {
4641 #ifdef HAVE_LIBLZMA
4642  char input[] = "\
4643 %YAML 1.1\n\
4644 ---\n\
4645 libhtp:\n\
4646 \n\
4647  default-config:\n\
4648 \n\
4649  swf-decompression:\n\
4650  enabled: yes\n\
4651  type: both\n\
4652  compress-depth: 0\n\
4653  decompress-depth: 0\n\
4654 ";
4655 
4657  ConfInit();
4659 
4660  ConfYamlLoadString(input, strlen(input));
4661  HTPConfigure();
4662 
4663  TcpSession ssn;
4664  Packet *p1 = NULL;
4665  Packet *p2 = NULL;
4666  ThreadVars th_v;
4667  DetectEngineCtx *de_ctx = NULL;
4668  DetectEngineThreadCtx *det_ctx = NULL;
4669  HtpState *http_state = NULL;
4670  Flow f;
4671  uint8_t http_buf1[] =
4672  "GET /file.swf HTTP/1.0\r\n"
4673  "Host: www.openinfosecfoundation.org\r\n"
4674  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4675  "\r\n";
4676  uint32_t http_len1 = sizeof(http_buf1) - 1;
4677  uint8_t http_buf2[] = {
4678  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4679  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
4680  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4681  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4682  0x0d, 0x0a,
4683  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4684  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4685  0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
4686  0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
4687  0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
4688  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
4689  0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4690  };
4691  uint32_t http_len2 = sizeof(http_buf2);
4693  FAIL_IF_NULL(alp_tctx);
4694 
4695  memset(&th_v, 0, sizeof(th_v));
4696  memset(&f, 0, sizeof(f));
4697  memset(&ssn, 0, sizeof(ssn));
4698 
4699  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4700  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4701 
4702  FLOW_INITIALIZE(&f);
4703  f.protoctx = (void *)&ssn;
4704  f.proto = IPPROTO_TCP;
4705  f.flags |= FLOW_IPV4;
4706 
4707  p1->flow = &f;
4711  p2->flow = &f;
4715  f.alproto = ALPROTO_HTTP;
4716 
4718 
4719  de_ctx = DetectEngineCtxInit();
4720  FAIL_IF_NULL(de_ctx);
4721 
4722 
4723  de_ctx->flags |= DE_QUIET;
4724 
4725  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4726  "(flow:established,from_server; "
4727  "file_data; content:\"FWS\"; "
4728  "sid:1;)");
4729  FAIL_IF_NULL(de_ctx->sig_list);
4730 
4731  SigGroupBuild(de_ctx);
4732  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4733 
4734  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1);
4735  FAIL_IF(r != 0);
4736 
4737  http_state = f.alstate;
4738  FAIL_IF_NULL(http_state);
4739 
4740  /* do detect */
4741  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4742 
4743  FAIL_IF((PacketAlertCheck(p1, 1)));
4744 
4745  r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
4746  FAIL_IF(r != 0);
4747 
4748  /* do detect */
4749  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4750 
4751  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4752 
4753  AppLayerParserThreadCtxFree(alp_tctx);
4754  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4755  DetectEngineCtxFree(de_ctx);
4756 
4757  HTPFreeConfig();
4760 
4762  FLOW_DESTROY(&f);
4763  UTHFreePackets(&p1, 1);
4764  UTHFreePackets(&p2, 1);
4765  PASS;
4766 #else
4767  PASS;
4768 #endif /* HAVE_LIBLZMA */
4769 }
4770 
4771 static int DetectEngineHttpServerBodyFileDataTest25(void)
4772 {
4773  char input[] = "\
4774 %YAML 1.1\n\
4775 ---\n\
4776 libhtp:\n\
4777 \n\
4778  default-config:\n\
4779 \n\
4780  swf-decompression:\n\
4781  enabled: no\n\
4782  type: both\n\
4783  compress-depth: 0\n\
4784  decompress-depth: 0\n\
4785 ";
4786 
4788  ConfInit();
4790 
4791  ConfYamlLoadString(input, strlen(input));
4792  HTPConfigure();
4793 
4794  TcpSession ssn;
4795  Packet *p1 = NULL;
4796  Packet *p2 = NULL;
4797  ThreadVars th_v;
4798  DetectEngineCtx *de_ctx = NULL;
4799  DetectEngineThreadCtx *det_ctx = NULL;
4800  HtpState *http_state = NULL;
4801  Flow f;
4802  uint8_t http_buf1[] =
4803  "GET /file.swf HTTP/1.0\r\n"
4804  "Host: www.openinfosecfoundation.org\r\n"
4805  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4806  "\r\n";
4807  uint32_t http_len1 = sizeof(http_buf1) - 1;
4808  uint8_t http_buf2[] = {
4809  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4810  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
4811  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4812  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4813  0x0d, 0x0a,
4814  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19,
4815  0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05,
4816  0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2,
4817  0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0, 0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59,
4818  0x56, 0x06, 0x08, 0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4819  };
4820  uint32_t http_len2 = sizeof(http_buf2);
4822  FAIL_IF_NULL(alp_tctx);
4823 
4824  memset(&th_v, 0, sizeof(th_v));
4825  memset(&f, 0, sizeof(f));
4826  memset(&ssn, 0, sizeof(ssn));
4827 
4828  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4829  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4830 
4831  FLOW_INITIALIZE(&f);
4832  f.protoctx = (void *)&ssn;
4833  f.proto = IPPROTO_TCP;
4834  f.flags |= FLOW_IPV4;
4835 
4836  p1->flow = &f;
4840  p2->flow = &f;
4844  f.alproto = ALPROTO_HTTP;
4845 
4847 
4848  de_ctx = DetectEngineCtxInit();
4849  FAIL_IF_NULL(de_ctx);
4850 
4851  de_ctx->flags |= DE_QUIET;
4852 
4853  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4854  "(flow:established,from_server; "
4855  "file_data; content:\"ZWS\"; "
4856  "sid:1;)");
4857  FAIL_IF_NULL(de_ctx->sig_list);
4858 
4859  SigGroupBuild(de_ctx);
4860  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4861 
4862  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1);
4863  FAIL_IF(r != 0);
4864 
4865  http_state = f.alstate;
4866  FAIL_IF_NULL(http_state);
4867 
4868  /* do detect */
4869  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4870 
4871  FAIL_IF((PacketAlertCheck(p1, 1)));
4872 
4873  r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
4874  FAIL_IF(r != 0);
4875 
4876  /* do detect */
4877  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4878 
4879  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4880 
4881  AppLayerParserThreadCtxFree(alp_tctx);
4882  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4883  DetectEngineCtxFree(de_ctx);
4884 
4885  HTPFreeConfig();
4888 
4890  FLOW_DESTROY(&f);
4891  UTHFreePackets(&p1, 1);
4892  UTHFreePackets(&p2, 1);
4893  PASS;
4894 }
4895 
4896 static int DetectEngineHttpServerBodyFileDataTest26(void)
4897 {
4898 #ifdef HAVE_LIBLZMA
4899  char input[] = "\
4900 %YAML 1.1\n\
4901 ---\n\
4902 libhtp:\n\
4903 \n\
4904  default-config:\n\
4905 \n\
4906  swf-decompression:\n\
4907  enabled: yes\n\
4908  type: lzma\n\
4909  compress-depth: 0\n\
4910  decompress-depth: 0\n\
4911 ";
4912 
4914  ConfInit();
4916 
4917  ConfYamlLoadString(input, strlen(input));
4918  HTPConfigure();
4919 
4920  TcpSession ssn;
4921  Packet *p1 = NULL;
4922  Packet *p2 = NULL;
4923  ThreadVars th_v;
4924  DetectEngineCtx *de_ctx = NULL;
4925  DetectEngineThreadCtx *det_ctx = NULL;
4926  HtpState *http_state = NULL;
4927  Flow f;
4928  uint8_t http_buf1[] =
4929  "GET /file.swf HTTP/1.0\r\n"
4930  "Host: www.openinfosecfoundation.org\r\n"
4931  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4932  "\r\n";
4933  uint32_t http_len1 = sizeof(http_buf1) - 1;
4934  uint8_t http_buf2[] = {
4935  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4936  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
4937  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4938  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4939  0x0d, 0x0a,
4940  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4941  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4942  0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
4943  0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
4944  0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
4945  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
4946  0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4947  };
4948  uint32_t http_len2 = sizeof(http_buf2);
4950  FAIL_IF_NULL(alp_tctx);
4951 
4952  memset(&th_v, 0, sizeof(th_v));
4953  memset(&f, 0, sizeof(f));
4954  memset(&ssn, 0, sizeof(ssn));
4955 
4956  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4957  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4958 
4959  FLOW_INITIALIZE(&f);
4960  f.protoctx = (void *)&ssn;
4961  f.proto = IPPROTO_TCP;
4962  f.flags |= FLOW_IPV4;
4963 
4964  p1->flow = &f;
4968  p2->flow = &f;
4972  f.alproto = ALPROTO_HTTP;
4973 
4975 
4976  de_ctx = DetectEngineCtxInit();
4977  FAIL_IF_NULL(de_ctx);
4978 
4979  de_ctx->flags |= DE_QUIET;
4980 
4981  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4982  "(flow:established,from_server; "
4983  "file_data; content:\"FWS\"; "
4984  "sid:1;)");
4985  FAIL_IF_NULL(de_ctx->sig_list);
4986 
4987  SigGroupBuild(de_ctx);
4988  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4989 
4990  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1);
4991  FAIL_IF(r != 0);
4992 
4993  http_state = f.alstate;
4994  FAIL_IF_NULL(http_state);
4995 
4996  /* do detect */
4997  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4998 
4999  FAIL_IF((PacketAlertCheck(p1, 1)));
5000 
5001  r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
5002  FAIL_IF(r != 0);
5003 
5004  /* do detect */
5005  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5006 
5007  FAIL_IF(!(PacketAlertCheck(p2, 1)));
5008 
5009  AppLayerParserThreadCtxFree(alp_tctx);
5010  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5011  DetectEngineCtxFree(de_ctx);
5012 
5013  HTPFreeConfig();
5016 
5018  FLOW_DESTROY(&f);
5019  UTHFreePackets(&p1, 1);
5020  UTHFreePackets(&p2, 1);
5021  PASS;
5022 #else
5023  PASS;
5024 #endif /* HAVE_LIBLZMA */
5025 }
5026 
5027 static int DetectEngineHttpServerBodyFileDataTest27(void)
5028 {
5029  char input[] = "\
5030 %YAML 1.1\n\
5031 ---\n\
5032 libhtp:\n\
5033 \n\
5034  default-config:\n\
5035 \n\
5036  swf-decompression:\n\
5037  enabled: yes\n\
5038  type: deflate\n\
5039  compress-depth: 0\n\
5040  decompress-depth: 0\n\
5041 ";
5042 
5044  ConfInit();
5046 
5047  ConfYamlLoadString(input, strlen(input));
5048  HTPConfigure();
5049 
5050  TcpSession ssn;
5051  Packet *p1 = NULL;
5052  Packet *p2 = NULL;
5053  ThreadVars th_v;
5054  DetectEngineCtx *de_ctx = NULL;
5055  DetectEngineThreadCtx *det_ctx = NULL;
5056  HtpState *http_state = NULL;
5057  Flow f;
5058  uint8_t http_buf1[] =
5059  "GET /file.swf HTTP/1.0\r\n"
5060  "Host: www.openinfosecfoundation.org\r\n"
5061  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5062  "\r\n";
5063  uint32_t http_len1 = sizeof(http_buf1) - 1;
5064  uint8_t http_buf2[] = {
5065  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
5066  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
5067  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
5068  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
5069  0x0d, 0x0a,
5070  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
5071  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
5072  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
5073  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
5074  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
5075  };
5076  uint32_t http_len2 = sizeof(http_buf2);
5078  FAIL_IF_NULL(alp_tctx);
5079 
5080  memset(&th_v, 0, sizeof(th_v));
5081  memset(&f, 0, sizeof(f));
5082  memset(&ssn, 0, sizeof(ssn));
5083 
5084  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5085  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5086 
5087  FLOW_INITIALIZE(&f);
5088  f.protoctx = (void *)&ssn;
5089  f.proto = IPPROTO_TCP;
5090  f.flags |= FLOW_IPV4;
5091 
5092  p1->flow = &f;
5096  p2->flow = &f;
5100  f.alproto = ALPROTO_HTTP;
5101 
5103 
5104  de_ctx = DetectEngineCtxInit();
5105  FAIL_IF_NULL(de_ctx);
5106 
5107  de_ctx->flags |= DE_QUIET;
5108 
5109  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
5110  "(flow:established,from_server; "
5111  "file_data; content:\"ZWS\"; "
5112  "sid:1;)");
5113  FAIL_IF_NULL(de_ctx->sig_list);
5114 
5115  SigGroupBuild(de_ctx);
5116  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5117 
5118  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1);
5119  FAIL_IF(r != 0);
5120 
5121  http_state = f.alstate;
5122  FAIL_IF_NULL(http_state);
5123 
5124  /* do detect */
5125  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5126 
5127  FAIL_IF((PacketAlertCheck(p1, 1)));
5128 
5129  r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
5130  FAIL_IF(r != 0);
5131 
5132  /* do detect */
5133  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5134 
5135  FAIL_IF(!(PacketAlertCheck(p2, 1)));
5136 
5137  AppLayerParserThreadCtxFree(alp_tctx);
5138  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5139  DetectEngineCtxFree(de_ctx);
5140 
5141  HTPFreeConfig();
5144 
5146  FLOW_DESTROY(&f);
5147  UTHFreePackets(&p1, 1);
5148  UTHFreePackets(&p2, 1);
5149  PASS;
5150 }
5151 
5152 static int DetectEngineHttpServerBodyFileDataTest28(void)
5153 {
5154  char input[] = "\
5155 %YAML 1.1\n\
5156 ---\n\
5157 libhtp:\n\
5158 \n\
5159  default-config:\n\
5160 \n\
5161  swf-decompression:\n\
5162  enabled: yes\n\
5163  type: both\n\
5164  compress-depth: 0\n\
5165  decompress-depth: 0\n\
5166 ";
5167 
5169  ConfInit();
5171 
5172  ConfYamlLoadString(input, strlen(input));
5173  HTPConfigure();
5174 
5175  TcpSession ssn;
5176  Packet *p1 = NULL;
5177  Packet *p2 = NULL;
5178  ThreadVars th_v;
5179  DetectEngineCtx *de_ctx = NULL;
5180  DetectEngineThreadCtx *det_ctx = NULL;
5181  HtpState *http_state = NULL;
5182  Flow f;
5183  uint8_t http_buf1[] =
5184  "GET /file.swf HTTP/1.0\r\n"
5185  "Host: www.openinfosecfoundation.org\r\n"
5186  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5187  "\r\n";
5188  uint32_t http_len1 = sizeof(http_buf1) - 1;
5189  uint8_t http_buf2[] = {
5190  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
5191  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
5192  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
5193  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
5194  0x0d, 0x0a,
5195  0x5a, 0x57, 0x53, 0x01, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
5196  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
5197  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
5198  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
5199  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
5200  };
5201  uint32_t http_len2 = sizeof(http_buf2);
5203  FAIL_IF_NULL(alp_tctx);
5204 
5205  memset(&th_v, 0, sizeof(th_v));
5206  memset(&f, 0, sizeof(f));
5207  memset(&ssn, 0, sizeof(ssn));
5208 
5209  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5210  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5211 
5212  FLOW_INITIALIZE(&f);
5213  f.protoctx = (void *)&ssn;
5214  f.proto = IPPROTO_TCP;
5215  f.flags |= FLOW_IPV4;
5216 
5217  p1->flow = &f;
5221  p2->flow = &f;
5225  f.alproto = ALPROTO_HTTP;
5226 
5228 
5229  de_ctx = DetectEngineCtxInit();
5230  FAIL_IF_NULL(de_ctx);
5231 
5232  de_ctx->flags |= DE_QUIET;
5233 
5234  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
5235  "(flow:established,from_server; "
5236  "file_data; content:\"ZWS\"; "
5237  "sid:1;)");
5238  FAIL_IF_NULL(de_ctx->sig_list);
5239 
5240  SigGroupBuild(de_ctx);
5241  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5242 
5243  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1);
5244  FAIL_IF(r != 0);
5245 
5246  http_state = f.alstate;
5247  FAIL_IF_NULL(http_state);
5248 
5249  /* do detect */
5250  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5251 
5252  FAIL_IF((PacketAlertCheck(p1, 1)));
5253 
5254  r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
5255  FAIL_IF(r != 0);
5256 
5257  /* do detect */
5258  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5259 
5260  FAIL_IF(!(PacketAlertCheck(p2, 1)));
5261 
5262  AppLayerParserThreadCtxFree(alp_tctx);
5263  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5264  DetectEngineCtxFree(de_ctx);
5265 
5266  HTPFreeConfig();
5269 
5271  FLOW_DESTROY(&f);
5272  UTHFreePackets(&p1, 1);
5273  UTHFreePackets(&p2, 1);
5274  PASS;
5275 }
5276 
5277 static int DetectEngineHttpServerBodyFileDataTest29(void)
5278 {
5279  char input[] = "\
5280 %YAML 1.1\n\
5281 ---\n\
5282 libhtp:\n\
5283 \n\
5284  default-config:\n\
5285 \n\
5286  swf-decompression:\n\
5287  enabled: yes\n\
5288  type: both\n\
5289  compress-depth: 1000\n\
5290  decompress-depth: 0\n\
5291 ";
5292 
5294  ConfInit();
5296  ConfYamlLoadString(input, strlen(input));
5297  HTPConfigure();
5298 
5299  TcpSession ssn;
5300  Packet *p1 = NULL;
5301  Packet *p2 = NULL;
5302  ThreadVars th_v;
5303  DetectEngineCtx *de_ctx = NULL;
5304  DetectEngineThreadCtx *det_ctx = NULL;
5305  HtpState *http_state = NULL;
5306  Flow f;
5307  uint8_t http_buf1[] =
5308  "GET /file.swf HTTP/1.0\r\n"
5309  "Host: www.openinfosecfoundation.org\r\n"
5310  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5311  "\r\n";
5312  uint32_t http_len1 = sizeof(http_buf1) - 1;
5313  uint8_t http_buf2[] = {
5314  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
5315  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
5316  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
5317  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
5318  0x0d, 0x0a,
5319  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
5320  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
5321  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
5322  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
5323  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
5324  };
5325  uint32_t http_len2 = sizeof(http_buf2);
5327  FAIL_IF_NULL(alp_tctx);
5328 
5329  memset(&th_v, 0, sizeof(th_v));
5330  memset(&f, 0, sizeof(f));
5331  memset(&ssn, 0, sizeof(ssn));
5332 
5333  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5334  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5335 
5336  FLOW_INITIALIZE(&f);
5337  f.protoctx = (void *)&ssn;
5338  f.proto = IPPROTO_TCP;
5339  f.flags |= FLOW_IPV4;
5340 
5341  p1->flow = &f;
5345  p2->flow = &f;
5349  f.alproto = ALPROTO_HTTP;
5350 
5352 
5353  de_ctx = DetectEngineCtxInit();
5354  FAIL_IF_NULL(de_ctx);
5355 
5356  de_ctx->flags |= DE_QUIET;
5357 
5358  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
5359  "(flow:established,from_server; "
5360  "file_data; content:\"FWS\"; "
5361  "sid:1;)");
5362  FAIL_IF_NULL(de_ctx->sig_list);
5363 
5364  SigGroupBuild(de_ctx);
5365  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5366 
5367  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1);
5368  FAIL_IF(r != 0);
5369 
5370  http_state = f.alstate;
5371  FAIL_IF_NULL(http_state);
5372 
5373  /* do detect */
5374  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5375 
5376  FAIL_IF((PacketAlertCheck(p1, 1)));
5377 
5378  r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
5379  FAIL_IF(r != 0);
5380 
5381  /* do detect */
5382  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5383 
5384  FAIL_IF(!(PacketAlertCheck(p2, 1)));
5385 
5386  AppLayerParserThreadCtxFree(alp_tctx);
5387  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5388  DetectEngineCtxFree(de_ctx);
5389 
5390  HTPFreeConfig();
5393 
5395  FLOW_DESTROY(&f);
5396  UTHFreePackets(&p1, 1);
5397  UTHFreePackets(&p2, 1);
5398  PASS;
5399 }
5400 
5401 /**
5402  * \test Test that a signature containting a http_server_body is correctly parsed
5403  * and the keyword is registered.
5404  */
5405 static int DetectHttpServerBodyTest01(void)
5406 {
5407  DetectEngineCtx *de_ctx = NULL;
5408  int result = 0;
5409  SigMatch *sm = NULL;
5410 
5411  de_ctx = DetectEngineCtxInit();
5412  if (de_ctx == NULL)
5413  goto end;
5414 
5415  de_ctx->flags |= DE_QUIET;
5416  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5417  "(msg:\"Testing http_server_body\"; "
5418  "content:\"one\"; http_server_body; sid:1;)");
5419  if (de_ctx->sig_list == NULL) {
5420  goto end;
5421  }
5422 
5423  /* sm should not be in the MATCH list */
5424  sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
5425  if (sm != NULL) {
5426  goto end;
5427  }
5428 
5429  sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
5430  if (sm == NULL) {
5431  goto end;
5432  }
5433 
5434  if (sm->type != DETECT_CONTENT) {
5435  printf("sm type not DETECT_AL_HTTP_SERVER_BODY: ");
5436  goto end;
5437  }
5438 
5439  if (sm->next != NULL) {
5440  goto end;
5441  }
5442 
5443  result = 1;
5444 end:
5445  DetectEngineCtxFree(de_ctx);
5446 
5447  return result;
5448 }
5449 
5450 /**
5451  * \test Test that a signature containing an valid http_server_body entry is
5452  * parsed.
5453  */
5454 static int DetectHttpServerBodyTest02(void)
5455 {
5456  DetectEngineCtx *de_ctx = NULL;
5457  int result = 0;
5458 
5459  de_ctx = DetectEngineCtxInit();
5460  if (de_ctx == NULL)
5461  goto end;
5462 
5463  de_ctx->flags |= DE_QUIET;
5464  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5465  "(msg:\"Testing http_server_body\"; "
5466  "content:\"one\"; http_server_body:; sid:1;)");
5467  if (de_ctx->sig_list != NULL)
5468  result = 1;
5469 
5470  end:
5471  DetectEngineCtxFree(de_ctx);
5472 
5473  return result;
5474 }
5475 
5476 /**
5477  * \test Test that an invalid signature containing no content but a http_server_body
5478  * is invalidated.
5479  */
5480 static int DetectHttpServerBodyTest03(void)
5481 {
5482  DetectEngineCtx *de_ctx = NULL;
5483  int result = 0;
5484 
5485  de_ctx = DetectEngineCtxInit();
5486  if (de_ctx == NULL)
5487  goto end;
5488 
5489  de_ctx->flags |= DE_QUIET;
5490  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5491  "(msg:\"Testing http_server_body\"; "
5492  "http_server_body; sid:1;)");
5493  if (de_ctx->sig_list == NULL)
5494  result = 1;
5495 
5496  end:
5497  DetectEngineCtxFree(de_ctx);
5498 
5499  return result;
5500 }
5501 
5502 /**
5503  * \test Test that an invalid signature containing a rawbytes along with a
5504  * http_server_body is invalidated.
5505  */
5506 static int DetectHttpServerBodyTest04(void)
5507 {
5508  DetectEngineCtx *de_ctx = NULL;
5509  int result = 0;
5510 
5511  de_ctx = DetectEngineCtxInit();
5512  if (de_ctx == NULL)
5513  goto end;
5514 
5515  de_ctx->flags |= DE_QUIET;
5516  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5517  "(msg:\"Testing http_server_body\"; "
5518  "content:\"one\"; rawbytes; http_server_body; sid:1;)");
5519  if (de_ctx->sig_list == NULL)
5520  result = 1;
5521 
5522  end:
5523  DetectEngineCtxFree(de_ctx);
5524 
5525  return result;
5526 }
5527 
5528 /**
5529  * \test Test that an invalid signature containing a rawbytes along with a
5530  * http_server_body is invalidated.
5531  */
5532 static int DetectHttpServerBodyTest05(void)
5533 {
5534  DetectEngineCtx *de_ctx = NULL;
5535  int result = 0;
5536 
5537  de_ctx = DetectEngineCtxInit();
5538  if (de_ctx == NULL)
5539  goto end;
5540 
5541  de_ctx->flags |= DE_QUIET;
5542  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
5543  "(msg:\"Testing http_server_body\"; "
5544  "content:\"one\"; http_server_body; nocase; sid:1;)");
5545  if (de_ctx->sig_list != NULL)
5546  result = 1;
5547 
5548  end:
5549  DetectEngineCtxFree(de_ctx);
5550 
5551  return result;
5552 }
5553 
5554 /**
5555  *\test Test that the http_server_body content matches against a http request
5556  * which holds the content.
5557  */
5558 static int DetectHttpServerBodyTest06(void)
5559 {
5560  TcpSession ssn;
5561  Packet *p = NULL;
5562  ThreadVars th_v;
5563  DetectEngineCtx *de_ctx = NULL;
5564  DetectEngineThreadCtx *det_ctx = NULL;
5565  HtpState *http_state = NULL;
5566  Flow f;
5567  uint8_t http_buf[] =
5568  "GET /index.html HTTP/1.0\r\n"
5569  "Host: www.openinfosecfoundation.org\r\n"
5570  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5571  "\r\n";
5572  uint32_t http_len = sizeof(http_buf) - 1;
5573  uint8_t http_buf2[] =
5574  "HTTP/1.0 200 ok\r\n"
5575  "Content-Type: text/html\r\n"
5576  "Content-Length: 7\r\n"
5577  "\r\n"
5578  "message";
5579  uint32_t http_len2 = sizeof(http_buf2) - 1;
5580  int result = 0;
5582 
5583  memset(&th_v, 0, sizeof(th_v));
5584  memset(&f, 0, sizeof(f));
5585  memset(&ssn, 0, sizeof(ssn));
5586 
5587  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5588 
5589  FLOW_INITIALIZE(&f);
5590  f.protoctx = (void *)&ssn;
5591  f.proto = IPPROTO_TCP;
5592  f.flags |= FLOW_IPV4;
5593 
5594  p->flow = &f;
5598  f.alproto = ALPROTO_HTTP;
5599 
5601 
5602  de_ctx = DetectEngineCtxInit();
5603  if (de_ctx == NULL)
5604  goto end;
5605 
5606  de_ctx->flags |= DE_QUIET;
5607 
5608  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5609  "(msg:\"http server body test\"; "
5610  "content:\"message\"; http_server_body; "
5611  "sid:1;)");
5612  if (de_ctx->sig_list == NULL)
5613  goto end;
5614 
5615  SigGroupBuild(de_ctx);
5616  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5617 
5618  FLOWLOCK_WRLOCK(&f);
5619  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5621  http_buf,
5622  http_len);
5623  if (r != 0) {
5624  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5625  result = 0;
5626  FLOWLOCK_UNLOCK(&f);
5627  goto end;
5628  }
5629  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5631  http_buf2,
5632  http_len2);
5633  if (r != 0) {
5634  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5635  result = 0;
5636  FLOWLOCK_UNLOCK(&f);
5637  goto end;
5638  }
5639  FLOWLOCK_UNLOCK(&f);
5640 
5641  http_state = f.alstate;
5642  if (http_state == NULL) {
5643  printf("no http state: \n");
5644  result = 0;
5645  goto end;
5646  }
5647 
5648  /* do detect */
5649  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5650 
5651  if (!(PacketAlertCheck(p, 1))) {
5652  printf("sid 1 didn't match but should have: ");
5653  goto end;
5654  }
5655 
5656  result = 1;
5657 end:
5658  if (alp_tctx != NULL)
5659  AppLayerParserThreadCtxFree(alp_tctx);
5660  if (de_ctx != NULL)
5661  DetectEngineCtxFree(de_ctx);
5662 
5664  FLOW_DESTROY(&f);
5665  UTHFreePackets(&p, 1);
5666  return result;
5667 }
5668 
5669 /**
5670  *\test Test that the http_server_body content matches against a http request
5671  * which holds the content.
5672  */
5673 static int DetectHttpServerBodyTest07(void)
5674 {
5675  TcpSession ssn;
5676  Packet *p1 = NULL;
5677  Packet *p2 = NULL;
5678  ThreadVars th_v;
5679  DetectEngineCtx *de_ctx = NULL;
5680  DetectEngineThreadCtx *det_ctx = NULL;
5681  HtpState *http_state = NULL;
5682  Flow f;
5683  uint8_t http_buf1[] =
5684  "GET /index.html HTTP/1.0\r\n"
5685  "Host: www.openinfosecfoundation.org\r\n"
5686  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5687  "\r\n";
5688  uint32_t http_len1 = sizeof(http_buf1) - 1;
5689  uint8_t http_buf2[] =
5690  "HTTP/1.0 200 ok\r\n"
5691  "Content-Type: text/html\r\n"
5692  "Content-Length: 14\r\n"
5693  "\r\n"
5694  "message";
5695  uint32_t http_len2 = sizeof(http_buf2) - 1;
5696  uint8_t http_buf3[] =
5697  "message";
5698  uint32_t http_len3 = sizeof(http_buf3) - 1;
5699  int result = 0;
5701 
5702  memset(&th_v, 0, sizeof(th_v));
5703  memset(&f, 0, sizeof(f));
5704  memset(&ssn, 0, sizeof(ssn));
5705 
5706  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5707  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5708 
5709  FLOW_INITIALIZE(&f);
5710  f.protoctx = (void *)&ssn;
5711  f.proto = IPPROTO_TCP;
5712  f.flags |= FLOW_IPV4;
5713 
5714  p1->flow = &f;
5718 
5719  p2->flow = &f;
5723  f.alproto = ALPROTO_HTTP;
5724 
5726 
5727  de_ctx = DetectEngineCtxInit();
5728  if (de_ctx == NULL)
5729  goto end;
5730 
5731  de_ctx->flags |= DE_QUIET;
5732 
5733  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5734  "(msg:\"http server body test\"; "
5735  "content:\"message\"; http_server_body; "
5736  "sid:1;)");
5737  if (de_ctx->sig_list == NULL)
5738  goto end;
5739 
5740  SigGroupBuild(de_ctx);
5741  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5742 
5743  FLOWLOCK_WRLOCK(&f);
5744  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5746  http_buf1,
5747  http_len1);
5748  if (r != 0) {
5749  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5750  FLOWLOCK_UNLOCK(&f);
5751  goto end;
5752  }
5753 
5754  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5755  STREAM_TOCLIENT | STREAM_START, http_buf2,
5756  http_len2);
5757  if (r != 0) {
5758  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
5759  FLOWLOCK_UNLOCK(&f);
5760  goto end;
5761  }
5762  FLOWLOCK_UNLOCK(&f);
5763 
5764  http_state = f.alstate;
5765  if (http_state == NULL) {
5766  printf("no http state: ");
5767  goto end;
5768  }
5769 
5770  /* do detect */
5771  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5772 
5773  if ((PacketAlertCheck(p1, 1))) {
5774  printf("sid 1 matched on chunk2 but shouldn't have: ");
5775  goto end;
5776  }
5777 
5778  FLOWLOCK_WRLOCK(&f);
5779  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5780  STREAM_TOCLIENT | STREAM_EOF, http_buf3,
5781  http_len3);
5782  if (r != 0) {
5783  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
5784  FLOWLOCK_UNLOCK(&f);
5785  goto end;
5786  }
5787  FLOWLOCK_UNLOCK(&f);
5788 
5789  /* do detect */
5790  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5791  if (!(PacketAlertCheck(p2, 1))) {
5792  printf("sid 1 didn't match on p2 (chunk3) but should have: ");
5793  goto end;
5794  }
5795 
5796  result = 1;
5797 end:
5798  if (alp_tctx != NULL)
5799  AppLayerParserThreadCtxFree(alp_tctx);
5800  if (de_ctx != NULL)
5801  DetectEngineCtxFree(de_ctx);
5802 
5804  FLOW_DESTROY(&f);
5805  UTHFreePackets(&p1, 1);
5806  UTHFreePackets(&p2, 1);
5807  return result;
5808 }
5809 
5810 /**
5811  *\test Test that the http_server_body content matches against a http request
5812  * which holds the content.
5813  */
5814 static int DetectHttpServerBodyTest08(void)
5815 {
5816  TcpSession ssn;
5817  Packet *p1 = NULL;
5818  Packet *p2 = NULL;
5819  ThreadVars th_v;
5820  DetectEngineCtx *de_ctx = NULL;
5821  DetectEngineThreadCtx *det_ctx = NULL;
5822  HtpState *http_state = NULL;
58