suricata
detect-http-server-body.c
Go to the documentation of this file.
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <giuseppe@glongo.it>
22  *
23  * Tests for the hsbd with swf files
24  */
25 
26 #include "../suricata-common.h"
27 #include "../conf-yaml-loader.h"
28 #include "../decode.h"
29 #include "../flow.h"
30 #include "../detect.h"
31 #include "../detect-engine-build.h"
32 #include "../detect-engine-alert.h"
33 
34 /**
35  * \test Test parser accepting valid rules and rejecting invalid rules
36  */
37 static int DetectHttpServerBodyParserTest01(void)
38 {
39  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", true));
40  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)", true));
41  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)", true));
42  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)", true));
43  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)", true));
44 
45  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)", false));
46  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http_server_body; sid:1;)", false));
47  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", false));
48  PASS;
49 }
50 
51 /**
52  * \test Test parser accepting valid rules and rejecting invalid rules
53  */
54 static int DetectHttpServerBodyParserTest02(void)
55 {
56  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", true));
57  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)", true));
58  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)", true));
59  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)", true));
60  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
61  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; bsize:10; sid:1;)", true));
62 
63  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)", false));
64  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http.response_body; sid:1;)", false));
65  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", false));
66  PASS;
67 }
68 struct TestSteps {
69  const uint8_t *input;
70  size_t input_size; /**< if 0 strlen will be used */
71  int direction; /**< STREAM_TOSERVER, STREAM_TOCLIENT */
72  int expect;
73 };
74 
75 static int RunTest(struct TestSteps *steps, const char *sig, const char *yaml)
76 {
77  TcpSession ssn;
78  Flow f;
79  ThreadVars th_v;
80  DetectEngineThreadCtx *det_ctx = NULL;
81  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
82  FAIL_IF_NULL(alp_tctx);
83 
84  memset(&th_v, 0, sizeof(th_v));
85  memset(&f, 0, sizeof(f));
86  memset(&ssn, 0, sizeof(ssn));
87 
88  if (yaml) {
89  ConfCreateContextBackup();
90  ConfInit();
91  HtpConfigCreateBackup();
92 
93  ConfYamlLoadString(yaml, strlen(yaml));
94  HTPConfigure();
95  EngineModeSetIPS();
96  }
97 
98  StreamTcpInitConfig(true);
99 
100  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
101  FAIL_IF_NULL(de_ctx);
102  de_ctx->flags |= DE_QUIET;
103 
104  FLOW_INITIALIZE(&f);
105  f.protoctx = (void *)&ssn;
106  f.proto = IPPROTO_TCP;
107  f.flags |= FLOW_IPV4;
108  f.alproto = ALPROTO_HTTP1;
109 
110  SCLogDebug("sig %s", sig);
111  Signature *s = DetectEngineAppendSig(de_ctx, (char *)sig);
112  FAIL_IF_NULL(s);
113 
114  SigGroupBuild(de_ctx);
115  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
116  FAIL_IF_NULL(det_ctx);
117 
118  struct TestSteps *b = steps;
119  int i = 0;
120  while (b->input != NULL) {
121  SCLogDebug("chunk %p %d", b, i);
122  (void)i;
123  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
124  FAIL_IF_NULL(p);
125  p->flow = &f;
126  p->flowflags = (b->direction == STREAM_TOSERVER) ? FLOW_PKT_TOSERVER : FLOW_PKT_TOCLIENT;
127  p->flowflags |= FLOW_PKT_ESTABLISHED;
128  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
129 
130  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, b->direction,
131  (uint8_t *)b->input,
132  b->input_size ? b->input_size : strlen((const char *)b->input));
133  FAIL_IF_NOT(r == 0);
134 
135  /* do detect */
136  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
137 
138  int match = PacketAlertCheck(p, 1);
139  FAIL_IF_NOT(b->expect == match);
140 
141  UTHFreePackets(&p, 1);
142  b++;
143  i++;
144  }
145 
146  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
147  AppLayerParserThreadCtxFree(alp_tctx);
148  DetectEngineCtxFree(de_ctx);
149 
150  StreamTcpFreeConfig(true);
151  FLOW_DESTROY(&f);
152 
153  if (yaml) {
154  HtpConfigRestoreBackup();
155  ConfRestoreContextBackup();
156  EngineModeSetIDS();
157  }
158  PASS;
159 }
160 
161 static int DetectEngineHttpServerBodyTest01(void)
162 {
163  TcpSession ssn;
164  Packet *p1 = NULL;
165  Packet *p2 = NULL;
166  ThreadVars th_v;
167  DetectEngineCtx *de_ctx = NULL;
168  DetectEngineThreadCtx *det_ctx = NULL;
169  HtpState *http_state = NULL;
170  Flow f;
171  uint8_t http_buf1[] =
172  "GET /index.html HTTP/1.0\r\n"
173  "Host: www.openinfosecfoundation.org\r\n"
174  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
175  "\r\n";
176  uint32_t http_len1 = sizeof(http_buf1) - 1;
177  uint8_t http_buf2[] =
178  "HTTP/1.0 200 ok\r\n"
179  "Content-Type: text/html\r\n"
180  "Content-Length: 7\r\n"
181  "\r\n"
182  "message";
183  uint32_t http_len2 = sizeof(http_buf2) - 1;
184  int result = 0;
185  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
186 
187  memset(&th_v, 0, sizeof(th_v));
188  memset(&f, 0, sizeof(f));
189  memset(&ssn, 0, sizeof(ssn));
190 
191  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
192  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
193 
194  FLOW_INITIALIZE(&f);
195  f.protoctx = (void *)&ssn;
196  f.proto = IPPROTO_TCP;
197  f.flags |= FLOW_IPV4;
198 
199  p1->flow = &f;
200  p1->flowflags |= FLOW_PKT_TOSERVER;
201  p1->flowflags |= FLOW_PKT_ESTABLISHED;
202  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
203  p2->flow = &f;
204  p2->flowflags |= FLOW_PKT_TOCLIENT;
205  p2->flowflags |= FLOW_PKT_ESTABLISHED;
206  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
207  f.alproto = ALPROTO_HTTP1;
208 
209  StreamTcpInitConfig(true);
210 
211  de_ctx = DetectEngineCtxInit();
212  if (de_ctx == NULL)
213  goto end;
214 
215  de_ctx->flags |= DE_QUIET;
216 
217  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
218  "(msg:\"http server body test\"; "
219  "content:\"message\"; http_server_body; "
220  "sid:1;)");
221  if (de_ctx->sig_list == NULL)
222  goto end;
223 
224  SigGroupBuild(de_ctx);
225  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
226 
227  int r = AppLayerParserParse(
228  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
229  if (r != 0) {
230  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
231  result = 0;
232  goto end;
233  }
234 
235  http_state = f.alstate;
236  if (http_state == NULL) {
237  printf("no http state: \n");
238  result = 0;
239  goto end;
240  }
241 
242  /* do detect */
243  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
244 
245  if ((PacketAlertCheck(p1, 1))) {
246  printf("sid 1 matched but shouldn't have\n");
247  goto end;
248  }
249 
250  r = AppLayerParserParse(
251  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
252  if (r != 0) {
253  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
254  result = 0;
255  goto end;
256  }
257 
258  /* do detect */
259  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
260 
261  if (!(PacketAlertCheck(p2, 1))) {
262  printf("sid 1 didn't match but should have");
263  goto end;
264  }
265 
266  result = 1;
267 
268 end:
269  if (alp_tctx != NULL)
270  AppLayerParserThreadCtxFree(alp_tctx);
271  if (de_ctx != NULL)
272  DetectEngineCtxFree(de_ctx);
273 
274  StreamTcpFreeConfig(true);
275  FLOW_DESTROY(&f);
276  UTHFreePackets(&p1, 1);
277  UTHFreePackets(&p2, 1);
278  return result;
279 }
280 
281 static int DetectEngineHttpServerBodyTest02(void)
282 {
283  TcpSession ssn;
284  Packet *p1 = NULL;
285  ThreadVars th_v;
286  DetectEngineCtx *de_ctx = NULL;
287  DetectEngineThreadCtx *det_ctx = NULL;
288  HtpState *http_state = NULL;
289  Flow f;
290  uint8_t http_buf1[] =
291  "GET /index.html HTTP/1.0\r\n"
292  "Host: www.openinfosecfoundation.org\r\n"
293  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
294  "\r\n";
295  uint32_t http_len1 = sizeof(http_buf1) - 1;
296  uint8_t http_buf2[] =
297  "HTTP/1.0 200 ok\r\n"
298  "Content-Type: text/html\r\n"
299  "Content-Length: 7\r\n"
300  "\r\n"
301  "xxxxABC";
302  uint32_t http_len2 = sizeof(http_buf2) - 1;
303  int result = 0;
304  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
305 
306  memset(&th_v, 0, sizeof(th_v));
307  memset(&f, 0, sizeof(f));
308  memset(&ssn, 0, sizeof(ssn));
309 
310  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
311 
312  FLOW_INITIALIZE(&f);
313  f.protoctx = (void *)&ssn;
314  f.proto = IPPROTO_TCP;
315  f.flags |= FLOW_IPV4;
316 
317  p1->flow = &f;
318  p1->flowflags |= FLOW_PKT_TOCLIENT;
319  p1->flowflags |= FLOW_PKT_ESTABLISHED;
320  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
321  f.alproto = ALPROTO_HTTP1;
322 
323  StreamTcpInitConfig(true);
324 
325  de_ctx = DetectEngineCtxInit();
326  if (de_ctx == NULL)
327  goto end;
328 
329  de_ctx->flags |= DE_QUIET;
330 
331  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
332  "(msg:\"http server body test\"; "
333  "content:\"ABC\"; http_server_body; offset:4; "
334  "sid:1;)");
335  if (de_ctx->sig_list == NULL)
336  goto end;
337 
338  SigGroupBuild(de_ctx);
339  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
340 
341  int r = AppLayerParserParse(
342  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
343  if (r != 0) {
344  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
345  result = 0;
346  goto end;
347  }
348 
349  r = AppLayerParserParse(
350  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
351  if (r != 0) {
352  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
353  result = 0;
354  goto end;
355  }
356 
357  http_state = f.alstate;
358  if (http_state == NULL) {
359  printf("no http state: \n");
360  result = 0;
361  goto end;
362  }
363 
364  /* do detect */
365  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
366 
367  if (!(PacketAlertCheck(p1, 1))) {
368  printf("sid 1 didn't match but should have\n");
369  goto end;
370  }
371 
372  result = 1;
373 
374 end:
375  if (alp_tctx != NULL)
376  AppLayerParserThreadCtxFree(alp_tctx);
377  if (de_ctx != NULL)
378  DetectEngineCtxFree(de_ctx);
379 
380  StreamTcpFreeConfig(true);
381  FLOW_DESTROY(&f);
382  UTHFreePackets(&p1, 1);
383  return result;
384 }
385 
386 static int DetectEngineHttpServerBodyTest03(void)
387 {
388  TcpSession ssn;
389  Packet *p1 = NULL;
390  Packet *p2 = NULL;
391  ThreadVars th_v;
392  DetectEngineCtx *de_ctx = NULL;
393  DetectEngineThreadCtx *det_ctx = NULL;
394  HtpState *http_state = NULL;
395  Flow f;
396  int result = 0;
397  uint8_t http_buf1[] =
398  "GET /index.html HTTP/1.0\r\n"
399  "Host: www.openinfosecfoundation.org\r\n"
400  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
401  "\r\n";
402  uint32_t http_len1 = sizeof(http_buf1) - 1;
403  uint8_t http_buf2[] =
404  "HTTP/1.0 200 ok\r\n"
405  "Content-Type: text/html\r\n"
406  "Content-Length: 17\r\n"
407  "\r\n"
408  "1234567";
409  uint32_t http_len2 = sizeof(http_buf2) - 1;
410  uint8_t http_buf3[] =
411  "8901234ABC";
412  uint32_t http_len3 = sizeof(http_buf3) - 1;
413  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
414 
415  memset(&th_v, 0, sizeof(th_v));
416  memset(&f, 0, sizeof(f));
417  memset(&ssn, 0, sizeof(ssn));
418 
419  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
420  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
421 
422  FLOW_INITIALIZE(&f);
423  f.protoctx = (void *)&ssn;
424  f.proto = IPPROTO_TCP;
425  f.flags |= FLOW_IPV4;
426 
427  p1->flow = &f;
428  p1->flowflags |= FLOW_PKT_TOSERVER;
429  p1->flowflags |= FLOW_PKT_ESTABLISHED;
430  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
431  p2->flow = &f;
432  p2->flowflags |= FLOW_PKT_TOCLIENT;
433  p2->flowflags |= FLOW_PKT_ESTABLISHED;
434  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
435  f.alproto = ALPROTO_HTTP1;
436 
437  StreamTcpInitConfig(true);
438 
439  de_ctx = DetectEngineCtxInit();
440  if (de_ctx == NULL)
441  goto end;
442 
443  de_ctx->flags |= DE_QUIET;
444 
445  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
446  "(msg:\"http server body test\"; "
447  "content:\"ABC\"; http_server_body; offset:14; "
448  "sid:1;)");
449  if (de_ctx->sig_list == NULL)
450  goto end;
451 
452  SigGroupBuild(de_ctx);
453  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
454 
455  int r = AppLayerParserParse(
456  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
457  if (r != 0) {
458  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
459  result = 0;
460  goto end;
461  }
462 
463  http_state = f.alstate;
464  if (http_state == NULL) {
465  printf("no http state: \n");
466  result = 0;
467  goto end;
468  }
469 
470  /* do detect */
471  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
472 
473  if (PacketAlertCheck(p1, 1)) {
474  printf("sid 1 matched but shouldn't have\n");
475  goto end;
476  }
477 
478  r = AppLayerParserParse(
479  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
480  if (r != 0) {
481  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
482  result = 0;
483  goto end;
484  }
485 
486  r = AppLayerParserParse(
487  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
488  if (r != 0) {
489  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
490  result = 0;
491  goto end;
492  }
493 
494  /* do detect */
495  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
496 
497  if (!(PacketAlertCheck(p2, 1))) {
498  printf("sid 1 didn't match but should have");
499  goto end;
500  }
501 
502  result = 1;
503 
504 end:
505  if (alp_tctx != NULL)
506  AppLayerParserThreadCtxFree(alp_tctx);
507  if (de_ctx != NULL)
508  DetectEngineCtxFree(de_ctx);
509 
510  StreamTcpFreeConfig(true);
511  FLOW_DESTROY(&f);
512  UTHFreePackets(&p1, 1);
513  UTHFreePackets(&p2, 1);
514  return result;
515 }
516 
517 static int DetectEngineHttpServerBodyTest04(void)
518 {
519  TcpSession ssn;
520  Packet *p1 = NULL;
521  Packet *p2 = NULL;
522  ThreadVars th_v;
523  DetectEngineCtx *de_ctx = NULL;
524  DetectEngineThreadCtx *det_ctx = NULL;
525  HtpState *http_state = NULL;
526  Flow f;
527  uint8_t http_buf1[] =
528  "GET /index.html HTTP/1.0\r\n"
529  "Host: www.openinfosecfoundation.org\r\n"
530  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
531  "\r\n";
532  uint32_t http_len1 = sizeof(http_buf1) - 1;
533  uint8_t http_buf2[] =
534  "HTTP/1.0 200 ok\r\n"
535  "Content-Type: text/html\r\n"
536  "Content-Length: 6\r\n"
537  "\r\n"
538  "abcdef";
539  uint32_t http_len2 = sizeof(http_buf2) - 1;
540  int result = 0;
541  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
542 
543  memset(&th_v, 0, sizeof(th_v));
544  memset(&f, 0, sizeof(f));
545  memset(&ssn, 0, sizeof(ssn));
546 
547  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
548  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
549 
550  FLOW_INITIALIZE(&f);
551  f.protoctx = (void *)&ssn;
552  f.proto = IPPROTO_TCP;
553  f.flags |= FLOW_IPV4;
554 
555  p1->flow = &f;
556  p1->flowflags |= FLOW_PKT_TOSERVER;
557  p1->flowflags |= FLOW_PKT_ESTABLISHED;
558  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
559  p2->flow = &f;
560  p2->flowflags |= FLOW_PKT_TOCLIENT;
561  p2->flowflags |= FLOW_PKT_ESTABLISHED;
562  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
563  f.alproto = ALPROTO_HTTP1;
564 
565  StreamTcpInitConfig(true);
566 
567  de_ctx = DetectEngineCtxInit();
568  if (de_ctx == NULL)
569  goto end;
570 
571  de_ctx->flags |= DE_QUIET;
572 
573  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
574  "(msg:\"http server body test\"; "
575  "content:!\"abc\"; http_server_body; offset:3; "
576  "sid:1;)");
577  if (de_ctx->sig_list == NULL)
578  goto end;
579 
580  SigGroupBuild(de_ctx);
581  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
582 
583  int r = AppLayerParserParse(
584  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
585  if (r != 0) {
586  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
587  result = 0;
588  goto end;
589  }
590 
591  http_state = f.alstate;
592  if (http_state == NULL) {
593  printf("no http state: \n");
594  result = 0;
595  goto end;
596  }
597 
598  /* do detect */
599  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
600 
601  if (PacketAlertCheck(p1, 1)) {
602  printf("sid 1 matched but shouldn't have: ");
603  goto end;
604  }
605 
606  r = AppLayerParserParse(
607  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
608  if (r != 0) {
609  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
610  result = 0;
611  goto end;
612  }
613 
614  /* do detect */
615  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
616 
617  if (!PacketAlertCheck(p2, 1)) {
618  printf("sid 1 didn't match but should have: ");
619  goto end;
620  }
621 
622  result = 1;
623 
624 end:
625  if (alp_tctx != NULL)
626  AppLayerParserThreadCtxFree(alp_tctx);
627  if (de_ctx != NULL)
628  DetectEngineCtxFree(de_ctx);
629 
630  StreamTcpFreeConfig(true);
631  FLOW_DESTROY(&f);
632  UTHFreePackets(&p1, 1);
633  UTHFreePackets(&p2, 1);
634  return result;
635 }
636 
637 static int DetectEngineHttpServerBodyTest05(void)
638 {
639  TcpSession ssn;
640  Packet *p1 = NULL;
641  Packet *p2 = NULL;
642  ThreadVars th_v;
643  DetectEngineCtx *de_ctx = NULL;
644  DetectEngineThreadCtx *det_ctx = NULL;
645  HtpState *http_state = NULL;
646  Flow f;
647  uint8_t http_buf1[] =
648  "GET /index.html HTTP/1.0\r\n"
649  "Host: www.openinfosecfoundation.org\r\n"
650  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
651  "\r\n";
652  uint32_t http_len1 = sizeof(http_buf1) - 1;
653  uint8_t http_buf2[] =
654  "HTTP/1.0 200 ok\r\n"
655  "Content-Type: text/html\r\n"
656  "Content-Length: 6\r\n"
657  "\r\n"
658  "abcdef";
659  uint32_t http_len2 = sizeof(http_buf2) - 1;
660  int result = 0;
661  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
662 
663  memset(&th_v, 0, sizeof(th_v));
664  memset(&f, 0, sizeof(f));
665  memset(&ssn, 0, sizeof(ssn));
666 
667  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
668  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
669 
670  FLOW_INITIALIZE(&f);
671  f.protoctx = (void *)&ssn;
672  f.proto = IPPROTO_TCP;
673  f.flags |= FLOW_IPV4;
674 
675  p1->flow = &f;
676  p1->flowflags |= FLOW_PKT_TOSERVER;
677  p1->flowflags |= FLOW_PKT_ESTABLISHED;
678  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
679  p2->flow = &f;
680  p2->flowflags |= FLOW_PKT_TOCLIENT;
681  p2->flowflags |= FLOW_PKT_ESTABLISHED;
682  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
683  f.alproto = ALPROTO_HTTP1;
684 
685  StreamTcpInitConfig(true);
686 
687  de_ctx = DetectEngineCtxInit();
688  if (de_ctx == NULL)
689  goto end;
690 
691  de_ctx->flags |= DE_QUIET;
692 
693  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
694  "(msg:\"http server body test\"; "
695  "content:\"abc\"; http_server_body; depth:3; "
696  "sid:1;)");
697  if (de_ctx->sig_list == NULL)
698  goto end;
699 
700  SigGroupBuild(de_ctx);
701  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
702 
703  int r = AppLayerParserParse(
704  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
705  if (r != 0) {
706  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
707  result = 0;
708  goto end;
709  }
710 
711  http_state = f.alstate;
712  if (http_state == NULL) {
713  printf("no http state: \n");
714  result = 0;
715  goto end;
716  }
717 
718  /* do detect */
719  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
720 
721  if (PacketAlertCheck(p1, 1)) {
722  printf("sid 1 matched but shouldn't have: ");
723  goto end;
724  }
725 
726  r = AppLayerParserParse(
727  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
728  if (r != 0) {
729  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
730  result = 0;
731  goto end;
732  }
733 
734  /* do detect */
735  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
736 
737  if (!PacketAlertCheck(p2, 1)) {
738  printf("sid 1 didn't match but should have: ");
739  goto end;
740  }
741 
742  result = 1;
743 
744 end:
745  if (alp_tctx != NULL)
746  AppLayerParserThreadCtxFree(alp_tctx);
747  if (de_ctx != NULL)
748  DetectEngineCtxFree(de_ctx);
749 
750  StreamTcpFreeConfig(true);
751  FLOW_DESTROY(&f);
752  UTHFreePackets(&p1, 1);
753  UTHFreePackets(&p2, 1);
754  return result;
755 }
756 
757 static int DetectEngineHttpServerBodyTest06(void)
758 {
759  TcpSession ssn;
760  Packet *p1 = NULL;
761  Packet *p2 = NULL;
762  ThreadVars th_v;
763  DetectEngineCtx *de_ctx = NULL;
764  DetectEngineThreadCtx *det_ctx = NULL;
765  HtpState *http_state = NULL;
766  Flow f;
767  uint8_t http_buf1[] =
768  "GET /index.html HTTP/1.0\r\n"
769  "Host: www.openinfosecfoundation.org\r\n"
770  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
771  "\r\n";
772  uint32_t http_len1 = sizeof(http_buf1) - 1;
773  uint8_t http_buf2[] =
774  "HTTP/1.0 200 ok\r\n"
775  "Content-Type: text/html\r\n"
776  "Content-Length: 6\r\n"
777  "\r\n"
778  "abcdef";
779  uint32_t http_len2 = sizeof(http_buf2) - 1;
780  int result = 0;
781  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
782 
783  memset(&th_v, 0, sizeof(th_v));
784  memset(&f, 0, sizeof(f));
785  memset(&ssn, 0, sizeof(ssn));
786 
787  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
788  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
789 
790  FLOW_INITIALIZE(&f);
791  f.protoctx = (void *)&ssn;
792  f.proto = IPPROTO_TCP;
793  f.flags |= FLOW_IPV4;
794 
795  p1->flow = &f;
796  p1->flowflags |= FLOW_PKT_TOSERVER;
797  p1->flowflags |= FLOW_PKT_ESTABLISHED;
798  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
799  p2->flow = &f;
800  p2->flowflags |= FLOW_PKT_TOCLIENT;
801  p2->flowflags |= FLOW_PKT_ESTABLISHED;
802  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
803  f.alproto = ALPROTO_HTTP1;
804 
805  StreamTcpInitConfig(true);
806 
807  de_ctx = DetectEngineCtxInit();
808  if (de_ctx == NULL)
809  goto end;
810 
811  de_ctx->flags |= DE_QUIET;
812 
813  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
814  "(msg:\"http server body test\"; "
815  "content:!\"def\"; http_server_body; depth:3; "
816  "sid:1;)");
817  if (de_ctx->sig_list == NULL)
818  goto end;
819 
820  SigGroupBuild(de_ctx);
821  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
822 
823  int r = AppLayerParserParse(
824  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
825  if (r != 0) {
826  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
827  result = 0;
828  goto end;
829  }
830 
831  http_state = f.alstate;
832  if (http_state == NULL) {
833  printf("no http state: \n");
834  result = 0;
835  goto end;
836  }
837 
838  /* do detect */
839  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
840 
841  if (PacketAlertCheck(p1, 1)) {
842  printf("sid 1 matched but shouldn't have: ");
843  goto end;
844  }
845 
846  r = AppLayerParserParse(
847  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
848  if (r != 0) {
849  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
850  result = 0;
851  goto end;
852  }
853 
854  /* do detect */
855  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
856 
857  if (!PacketAlertCheck(p2, 1)) {
858  printf("sid 1 didn't match but should have: ");
859  goto end;
860  }
861 
862  result = 1;
863 
864 end:
865  if (alp_tctx != NULL)
866  AppLayerParserThreadCtxFree(alp_tctx);
867  if (de_ctx != NULL)
868  DetectEngineCtxFree(de_ctx);
869 
870  StreamTcpFreeConfig(true);
871  FLOW_DESTROY(&f);
872  UTHFreePackets(&p1, 1);
873  UTHFreePackets(&p2, 1);
874  return result;
875 }
876 
877 static int DetectEngineHttpServerBodyTest07(void)
878 {
879  TcpSession ssn;
880  Packet *p1 = NULL;
881  Packet *p2 = NULL;
882  ThreadVars th_v;
883  DetectEngineCtx *de_ctx = NULL;
884  DetectEngineThreadCtx *det_ctx = NULL;
885  HtpState *http_state = NULL;
886  Flow f;
887  uint8_t http_buf1[] =
888  "GET /index.html HTTP/1.0\r\n"
889  "Host: www.openinfosecfoundation.org\r\n"
890  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
891  "\r\n";
892  uint32_t http_len1 = sizeof(http_buf1) - 1;
893  uint8_t http_buf2[] =
894  "HTTP/1.0 200 ok\r\n"
895  "Content-Type: text/html\r\n"
896  "Content-Length: 6\r\n"
897  "\r\n"
898  "abcdef";
899  uint32_t http_len2 = sizeof(http_buf2) - 1;
900  int result = 0;
901  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
902 
903  memset(&th_v, 0, sizeof(th_v));
904  memset(&f, 0, sizeof(f));
905  memset(&ssn, 0, sizeof(ssn));
906 
907  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
908  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
909 
910  FLOW_INITIALIZE(&f);
911  f.protoctx = (void *)&ssn;
912  f.proto = IPPROTO_TCP;
913  f.flags |= FLOW_IPV4;
914 
915  p1->flow = &f;
916  p1->flowflags |= FLOW_PKT_TOSERVER;
917  p1->flowflags |= FLOW_PKT_ESTABLISHED;
918  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
919  p2->flow = &f;
920  p2->flowflags |= FLOW_PKT_TOCLIENT;
921  p2->flowflags |= FLOW_PKT_ESTABLISHED;
922  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
923  f.alproto = ALPROTO_HTTP1;
924 
925  StreamTcpInitConfig(true);
926 
927  de_ctx = DetectEngineCtxInit();
928  if (de_ctx == NULL)
929  goto end;
930 
931  de_ctx->flags |= DE_QUIET;
932 
933  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
934  "(msg:\"http server body test\"; "
935  "content:!\"def\"; http_server_body; offset:3; "
936  "sid:1;)");
937  if (de_ctx->sig_list == NULL)
938  goto end;
939 
940  SigGroupBuild(de_ctx);
941  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
942 
943  int r = AppLayerParserParse(
944  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
945  if (r != 0) {
946  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
947  result = 0;
948  goto end;
949  }
950 
951  http_state = f.alstate;
952  if (http_state == NULL) {
953  printf("no http state: \n");
954  result = 0;
955  goto end;
956  }
957 
958  /* do detect */
959  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
960 
961  if (PacketAlertCheck(p1, 1)) {
962  printf("sid 1 matched but shouldn't have: ");
963  goto end;
964  }
965 
966  r = AppLayerParserParse(
967  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
968  if (r != 0) {
969  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
970  result = 0;
971  goto end;
972  }
973 
974  /* do detect */
975  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
976 
977  if (PacketAlertCheck(p2, 1)) {
978  printf("sid 1 matched but shouldn't have: ");
979  goto end;
980  }
981 
982  result = 1;
983 
984 end:
985  if (alp_tctx != NULL)
986  AppLayerParserThreadCtxFree(alp_tctx);
987  if (de_ctx != NULL)
988  DetectEngineCtxFree(de_ctx);
989 
990  StreamTcpFreeConfig(true);
991  FLOW_DESTROY(&f);
992  UTHFreePackets(&p1, 1);
993  UTHFreePackets(&p2, 1);
994  return result;
995 }
996 
997 static int DetectEngineHttpServerBodyTest08(void)
998 {
999  TcpSession ssn;
1000  Packet *p1 = NULL;
1001  Packet *p2 = NULL;
1002  ThreadVars th_v;
1003  DetectEngineCtx *de_ctx = NULL;
1004  DetectEngineThreadCtx *det_ctx = NULL;
1005  HtpState *http_state = NULL;
1006  Flow f;
1007  uint8_t http_buf1[] =
1008  "GET /index.html HTTP/1.0\r\n"
1009  "Host: www.openinfosecfoundation.org\r\n"
1010  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1011  "\r\n";
1012  uint32_t http_len1 = sizeof(http_buf1) - 1;
1013  uint8_t http_buf2[] =
1014  "HTTP/1.0 200 ok\r\n"
1015  "Content-Type: text/html\r\n"
1016  "Content-Length: 6\r\n"
1017  "\r\n"
1018  "abcdef";
1019  uint32_t http_len2 = sizeof(http_buf2) - 1;
1020  int result = 0;
1021  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1022 
1023  memset(&th_v, 0, sizeof(th_v));
1024  memset(&f, 0, sizeof(f));
1025  memset(&ssn, 0, sizeof(ssn));
1026 
1027  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1028  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1029 
1030  FLOW_INITIALIZE(&f);
1031  f.protoctx = (void *)&ssn;
1032  f.proto = IPPROTO_TCP;
1033  f.flags |= FLOW_IPV4;
1034 
1035  p1->flow = &f;
1036  p1->flowflags |= FLOW_PKT_TOSERVER;
1037  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1038  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1039  p2->flow = &f;
1040  p2->flowflags |= FLOW_PKT_TOCLIENT;
1041  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1042  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1043  f.alproto = ALPROTO_HTTP1;
1044 
1045  StreamTcpInitConfig(true);
1046 
1047  de_ctx = DetectEngineCtxInit();
1048  if (de_ctx == NULL)
1049  goto end;
1050 
1051  de_ctx->flags |= DE_QUIET;
1052 
1053  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1054  "(msg:\"http server body test\"; "
1055  "content:!\"abc\"; http_server_body; depth:3; "
1056  "sid:1;)");
1057  if (de_ctx->sig_list == NULL)
1058  goto end;
1059 
1060  SigGroupBuild(de_ctx);
1061  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1062 
1063  int r = AppLayerParserParse(
1064  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1065  if (r != 0) {
1066  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1067  result = 0;
1068  goto end;
1069  }
1070 
1071  http_state = f.alstate;
1072  if (http_state == NULL) {
1073  printf("no http state: \n");
1074  result = 0;
1075  goto end;
1076  }
1077 
1078  /* do detect */
1079  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1080 
1081  if (PacketAlertCheck(p1, 1)) {
1082  printf("sid 1 matched but shouldn't have: ");
1083  goto end;
1084  }
1085 
1086  r = AppLayerParserParse(
1087  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1088  if (r != 0) {
1089  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1090  result = 0;
1091  goto end;
1092  }
1093 
1094  /* do detect */
1095  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1096 
1097  if (PacketAlertCheck(p2, 1)) {
1098  printf("sid 1 matched but shouldn't have: ");
1099  goto end;
1100  }
1101 
1102  result = 1;
1103 
1104 end:
1105  if (alp_tctx != NULL)
1106  AppLayerParserThreadCtxFree(alp_tctx);
1107  if (de_ctx != NULL)
1108  DetectEngineCtxFree(de_ctx);
1109 
1110  StreamTcpFreeConfig(true);
1111  FLOW_DESTROY(&f);
1112  UTHFreePackets(&p1, 1);
1113  UTHFreePackets(&p2, 1);
1114  return result;
1115 }
1116 
1117 static int DetectEngineHttpServerBodyTest09(void)
1118 {
1119  TcpSession ssn;
1120  Packet *p1 = NULL;
1121  Packet *p2 = NULL;
1122  ThreadVars th_v;
1123  DetectEngineCtx *de_ctx = NULL;
1124  DetectEngineThreadCtx *det_ctx = NULL;
1125  HtpState *http_state = NULL;
1126  Flow f;
1127  uint8_t http_buf1[] =
1128  "GET /index.html HTTP/1.0\r\n"
1129  "Host: www.openinfosecfoundation.org\r\n"
1130  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1131  "\r\n";
1132  uint32_t http_len1 = sizeof(http_buf1) - 1;
1133  uint8_t http_buf2[] =
1134  "HTTP/1.0 200 ok\r\n"
1135  "Content-Type: text/html\r\n"
1136  "Content-Length: 6\r\n"
1137  "\r\n"
1138  "abcdef";
1139  uint32_t http_len2 = sizeof(http_buf2) - 1;
1140  int result = 0;
1141  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1142 
1143  memset(&th_v, 0, sizeof(th_v));
1144  memset(&f, 0, sizeof(f));
1145  memset(&ssn, 0, sizeof(ssn));
1146 
1147  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1148  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1149 
1150  FLOW_INITIALIZE(&f);
1151  f.protoctx = (void *)&ssn;
1152  f.proto = IPPROTO_TCP;
1153  f.flags |= FLOW_IPV4;
1154 
1155  p1->flow = &f;
1156  p1->flowflags |= FLOW_PKT_TOSERVER;
1157  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1158  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1159  p2->flow = &f;
1160  p2->flowflags |= FLOW_PKT_TOCLIENT;
1161  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1162  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1163  f.alproto = ALPROTO_HTTP1;
1164 
1165  StreamTcpInitConfig(true);
1166 
1167  de_ctx = DetectEngineCtxInit();
1168  if (de_ctx == NULL)
1169  goto end;
1170 
1171  de_ctx->flags |= DE_QUIET;
1172 
1173  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1174  "(msg:\"http server body test\"; "
1175  "content:\"abc\"; http_server_body; depth:3; "
1176  "content:\"def\"; http_server_body; within:3; "
1177  "sid:1;)");
1178  if (de_ctx->sig_list == NULL)
1179  goto end;
1180 
1181  SigGroupBuild(de_ctx);
1182  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1183 
1184  int r = AppLayerParserParse(
1185  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1186  if (r != 0) {
1187  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1188  result = 0;
1189  goto end;
1190  }
1191 
1192  http_state = f.alstate;
1193  if (http_state == NULL) {
1194  printf("no http state: \n");
1195  result = 0;
1196  goto end;
1197  }
1198 
1199  /* do detect */
1200  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1201 
1202  if (PacketAlertCheck(p1, 1)) {
1203  printf("sid 1 matched but shouldn't have: ");
1204  goto end;
1205  }
1206 
1207  r = AppLayerParserParse(
1208  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1209  if (r != 0) {
1210  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1211  result = 0;
1212  goto end;
1213  }
1214 
1215  /* do detect */
1216  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1217 
1218  if (!PacketAlertCheck(p2, 1)) {
1219  printf("sid 1 didn't match but should have: ");
1220  goto end;
1221  }
1222 
1223  result = 1;
1224 
1225 end:
1226  if (alp_tctx != NULL)
1227  AppLayerParserThreadCtxFree(alp_tctx);
1228  if (de_ctx != NULL)
1229  DetectEngineCtxFree(de_ctx);
1230 
1231  StreamTcpFreeConfig(true);
1232  FLOW_DESTROY(&f);
1233  UTHFreePackets(&p1, 1);
1234  UTHFreePackets(&p2, 1);
1235  return result;
1236 }
1237 
1238 static int DetectEngineHttpServerBodyTest10(void)
1239 {
1240  TcpSession ssn;
1241  Packet *p1 = NULL;
1242  Packet *p2 = NULL;
1243  ThreadVars th_v;
1244  DetectEngineCtx *de_ctx = NULL;
1245  DetectEngineThreadCtx *det_ctx = NULL;
1246  HtpState *http_state = NULL;
1247  Flow f;
1248  uint8_t http_buf1[] =
1249  "GET /index.html HTTP/1.0\r\n"
1250  "Host: www.openinfosecfoundation.org\r\n"
1251  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1252  "\r\n";
1253  uint32_t http_len1 = sizeof(http_buf1) - 1;
1254  uint8_t http_buf2[] =
1255  "HTTP/1.0 200 ok\r\n"
1256  "Content-Type: text/html\r\n"
1257  "Content-Length: 6\r\n"
1258  "\r\n"
1259  "abcdef";
1260  uint32_t http_len2 = sizeof(http_buf2) - 1;
1261  int result = 0;
1262  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1263 
1264  memset(&th_v, 0, sizeof(th_v));
1265  memset(&f, 0, sizeof(f));
1266  memset(&ssn, 0, sizeof(ssn));
1267 
1268  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1269  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1270 
1271  FLOW_INITIALIZE(&f);
1272  f.protoctx = (void *)&ssn;
1273  f.proto = IPPROTO_TCP;
1274  f.flags |= FLOW_IPV4;
1275 
1276  p1->flow = &f;
1277  p1->flowflags |= FLOW_PKT_TOSERVER;
1278  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1279  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1280  p2->flow = &f;
1281  p2->flowflags |= FLOW_PKT_TOCLIENT;
1282  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1283  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1284  f.alproto = ALPROTO_HTTP1;
1285 
1286  StreamTcpInitConfig(true);
1287 
1288  de_ctx = DetectEngineCtxInit();
1289  if (de_ctx == NULL)
1290  goto end;
1291 
1292  de_ctx->flags |= DE_QUIET;
1293 
1294  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1295  "(msg:\"http server body test\"; "
1296  "content:\"abc\"; http_server_body; depth:3; "
1297  "content:!\"xyz\"; http_server_body; within:3; "
1298  "sid:1;)");
1299  if (de_ctx->sig_list == NULL)
1300  goto end;
1301 
1302  SigGroupBuild(de_ctx);
1303  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1304 
1305  int r = AppLayerParserParse(
1306  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1307  if (r != 0) {
1308  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1309  result = 0;
1310  goto end;
1311  }
1312 
1313  http_state = f.alstate;
1314  if (http_state == NULL) {
1315  printf("no http state: \n");
1316  result = 0;
1317  goto end;
1318  }
1319 
1320  /* do detect */
1321  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1322 
1323  if (PacketAlertCheck(p1, 1)) {
1324  printf("sid 1 matched but shouldn't have: ");
1325  goto end;
1326  }
1327 
1328  r = AppLayerParserParse(
1329  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1330  if (r != 0) {
1331  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1332  result = 0;
1333  goto end;
1334  }
1335 
1336  /* do detect */
1337  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1338 
1339  if (!PacketAlertCheck(p2, 1)) {
1340  printf("sid 1 didn't match but should have: ");
1341  goto end;
1342  }
1343 
1344  result = 1;
1345 
1346 end:
1347  if (alp_tctx != NULL)
1348  AppLayerParserThreadCtxFree(alp_tctx);
1349  if (de_ctx != NULL)
1350  DetectEngineCtxFree(de_ctx);
1351 
1352  StreamTcpFreeConfig(true);
1353  FLOW_DESTROY(&f);
1354  UTHFreePackets(&p1, 1);
1355  UTHFreePackets(&p2, 1);
1356  return result;
1357 }
1358 
1359 static int DetectEngineHttpServerBodyTest11(void)
1360 {
1361  TcpSession ssn;
1362  Packet *p1 = NULL;
1363  Packet *p2 = NULL;
1364  ThreadVars th_v;
1365  DetectEngineCtx *de_ctx = NULL;
1366  DetectEngineThreadCtx *det_ctx = NULL;
1367  HtpState *http_state = NULL;
1368  Flow f;
1369  uint8_t http_buf1[] =
1370  "GET /index.html HTTP/1.0\r\n"
1371  "Host: www.openinfosecfoundation.org\r\n"
1372  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1373  "\r\n";
1374  uint32_t http_len1 = sizeof(http_buf1) - 1;
1375  uint8_t http_buf2[] =
1376  "HTTP/1.0 200 ok\r\n"
1377  "Content-Type: text/html\r\n"
1378  "Content-Length: 6\r\n"
1379  "\r\n"
1380  "abcdef";
1381  uint32_t http_len2 = sizeof(http_buf2) - 1;
1382  int result = 0;
1383  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1384 
1385  memset(&th_v, 0, sizeof(th_v));
1386  memset(&f, 0, sizeof(f));
1387  memset(&ssn, 0, sizeof(ssn));
1388 
1389  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1390  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1391 
1392  FLOW_INITIALIZE(&f);
1393  f.protoctx = (void *)&ssn;
1394  f.proto = IPPROTO_TCP;
1395  f.flags |= FLOW_IPV4;
1396 
1397  p1->flow = &f;
1398  p1->flowflags |= FLOW_PKT_TOSERVER;
1399  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1400  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1401  p2->flow = &f;
1402  p2->flowflags |= FLOW_PKT_TOCLIENT;
1403  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1404  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1405  f.alproto = ALPROTO_HTTP1;
1406 
1407  StreamTcpInitConfig(true);
1408 
1409  de_ctx = DetectEngineCtxInit();
1410  if (de_ctx == NULL)
1411  goto end;
1412 
1413  de_ctx->flags |= DE_QUIET;
1414 
1415  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1416  "(msg:\"http server body test\"; "
1417  "content:\"abc\"; http_server_body; depth:3; "
1418  "content:\"xyz\"; http_server_body; within:3; "
1419  "sid:1;)");
1420  if (de_ctx->sig_list == NULL)
1421  goto end;
1422 
1423  SigGroupBuild(de_ctx);
1424  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1425 
1426  int r = AppLayerParserParse(
1427  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1428  if (r != 0) {
1429  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1430  result = 0;
1431  goto end;
1432  }
1433 
1434  http_state = f.alstate;
1435  if (http_state == NULL) {
1436  printf("no http state: \n");
1437  result = 0;
1438  goto end;
1439  }
1440 
1441  /* do detect */
1442  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1443 
1444  if (PacketAlertCheck(p1, 1)) {
1445  printf("sid 1 matched but shouldn't have: ");
1446  goto end;
1447  }
1448 
1449  r = AppLayerParserParse(
1450  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1451  if (r != 0) {
1452  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1453  result = 0;
1454  goto end;
1455  }
1456 
1457  /* do detect */
1458  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1459 
1460  if (PacketAlertCheck(p2, 1)) {
1461  printf("sid 1 did match but should not have: ");
1462  goto end;
1463  }
1464 
1465  result = 1;
1466 
1467 end:
1468  if (alp_tctx != NULL)
1469  AppLayerParserThreadCtxFree(alp_tctx);
1470  if (de_ctx != NULL)
1471  DetectEngineCtxFree(de_ctx);
1472 
1473  StreamTcpFreeConfig(true);
1474  FLOW_DESTROY(&f);
1475  UTHFreePackets(&p1, 1);
1476  UTHFreePackets(&p2, 1);
1477  return result;
1478 }
1479 
1480 static int DetectEngineHttpServerBodyTest12(void)
1481 {
1482  TcpSession ssn;
1483  Packet *p1 = NULL;
1484  Packet *p2 = NULL;
1485  ThreadVars th_v;
1486  DetectEngineCtx *de_ctx = NULL;
1487  DetectEngineThreadCtx *det_ctx = NULL;
1488  HtpState *http_state = NULL;
1489  Flow f;
1490  uint8_t http_buf1[] =
1491  "GET /index.html HTTP/1.0\r\n"
1492  "Host: www.openinfosecfoundation.org\r\n"
1493  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1494  "\r\n";
1495  uint32_t http_len1 = sizeof(http_buf1) - 1;
1496  uint8_t http_buf2[] =
1497  "HTTP/1.0 200 ok\r\n"
1498  "Content-Type: text/html\r\n"
1499  "Content-Length: 6\r\n"
1500  "\r\n"
1501  "abcdef";
1502  uint32_t http_len2 = sizeof(http_buf2) - 1;
1503  int result = 0;
1504  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1505 
1506  memset(&th_v, 0, sizeof(th_v));
1507  memset(&f, 0, sizeof(f));
1508  memset(&ssn, 0, sizeof(ssn));
1509 
1510  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1511  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1512 
1513  FLOW_INITIALIZE(&f);
1514  f.protoctx = (void *)&ssn;
1515  f.proto = IPPROTO_TCP;
1516  f.flags |= FLOW_IPV4;
1517 
1518  p1->flow = &f;
1519  p1->flowflags |= FLOW_PKT_TOSERVER;
1520  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1521  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1522  p2->flow = &f;
1523  p2->flowflags |= FLOW_PKT_TOCLIENT;
1524  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1525  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1526  f.alproto = ALPROTO_HTTP1;
1527 
1528  StreamTcpInitConfig(true);
1529 
1530  de_ctx = DetectEngineCtxInit();
1531  if (de_ctx == NULL)
1532  goto end;
1533 
1534  de_ctx->flags |= DE_QUIET;
1535 
1536  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1537  "(msg:\"http server body test\"; "
1538  "content:\"ab\"; http_server_body; depth:2; "
1539  "content:\"ef\"; http_server_body; distance:2; "
1540  "sid:1;)");
1541  if (de_ctx->sig_list == NULL)
1542  goto end;
1543 
1544  SigGroupBuild(de_ctx);
1545  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1546 
1547  int r = AppLayerParserParse(
1548  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1549  if (r != 0) {
1550  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1551  result = 0;
1552  goto end;
1553  }
1554 
1555  http_state = f.alstate;
1556  if (http_state == NULL) {
1557  printf("no http state: \n");
1558  result = 0;
1559  goto end;
1560  }
1561 
1562  /* do detect */
1563  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1564 
1565  if (PacketAlertCheck(p1, 1)) {
1566  printf("sid 1 matched but shouldn't have: ");
1567  goto end;
1568  }
1569 
1570  r = AppLayerParserParse(
1571  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1572  if (r != 0) {
1573  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1574  result = 0;
1575  goto end;
1576  }
1577 
1578  /* do detect */
1579  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1580 
1581  if (!PacketAlertCheck(p2, 1)) {
1582  printf("sid 1 did not match but should have: ");
1583  goto end;
1584  }
1585 
1586  result = 1;
1587 
1588 end:
1589  if (alp_tctx != NULL)
1590  AppLayerParserThreadCtxFree(alp_tctx);
1591  if (de_ctx != NULL)
1592  DetectEngineCtxFree(de_ctx);
1593 
1594  StreamTcpFreeConfig(true);
1595  FLOW_DESTROY(&f);
1596  UTHFreePackets(&p1, 1);
1597  UTHFreePackets(&p2, 1);
1598  return result;
1599 }
1600 
1601 static int DetectEngineHttpServerBodyTest13(void)
1602 {
1603  TcpSession ssn;
1604  Packet *p1 = NULL;
1605  Packet *p2 = NULL;
1606  ThreadVars th_v;
1607  DetectEngineCtx *de_ctx = NULL;
1608  DetectEngineThreadCtx *det_ctx = NULL;
1609  HtpState *http_state = NULL;
1610  Flow f;
1611  uint8_t http_buf1[] =
1612  "GET /index.html HTTP/1.0\r\n"
1613  "Host: www.openinfosecfoundation.org\r\n"
1614  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1615  "\r\n";
1616  uint32_t http_len1 = sizeof(http_buf1) - 1;
1617  uint8_t http_buf2[] =
1618  "HTTP/1.0 200 ok\r\n"
1619  "Content-Type: text/html\r\n"
1620  "Content-Length: 6\r\n"
1621  "\r\n"
1622  "abcdef";
1623  uint32_t http_len2 = sizeof(http_buf2) - 1;
1624  int result = 0;
1625  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1626 
1627  memset(&th_v, 0, sizeof(th_v));
1628  memset(&f, 0, sizeof(f));
1629  memset(&ssn, 0, sizeof(ssn));
1630 
1631  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1632  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1633 
1634  FLOW_INITIALIZE(&f);
1635  f.protoctx = (void *)&ssn;
1636  f.proto = IPPROTO_TCP;
1637  f.flags |= FLOW_IPV4;
1638 
1639  p1->flow = &f;
1640  p1->flowflags |= FLOW_PKT_TOSERVER;
1641  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1642  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1643  p2->flow = &f;
1644  p2->flowflags |= FLOW_PKT_TOCLIENT;
1645  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1646  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1647  f.alproto = ALPROTO_HTTP1;
1648 
1649  StreamTcpInitConfig(true);
1650 
1651  de_ctx = DetectEngineCtxInit();
1652  if (de_ctx == NULL)
1653  goto end;
1654 
1655  de_ctx->flags |= DE_QUIET;
1656 
1657  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1658  "(msg:\"http server body test\"; "
1659  "content:\"ab\"; http_server_body; depth:3; "
1660  "content:!\"yz\"; http_server_body; distance:2; "
1661  "sid:1;)");
1662  if (de_ctx->sig_list == NULL)
1663  goto end;
1664 
1665  SigGroupBuild(de_ctx);
1666  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1667 
1668  int r = AppLayerParserParse(
1669  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1670  if (r != 0) {
1671  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1672  result = 0;
1673  goto end;
1674  }
1675 
1676  http_state = f.alstate;
1677  if (http_state == NULL) {
1678  printf("no http state: \n");
1679  result = 0;
1680  goto end;
1681  }
1682 
1683  /* do detect */
1684  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1685 
1686  if (PacketAlertCheck(p1, 1)) {
1687  printf("sid 1 matched but shouldn't have: ");
1688  goto end;
1689  }
1690 
1691  r = AppLayerParserParse(
1692  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1693  if (r != 0) {
1694  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1695  result = 0;
1696  goto end;
1697  }
1698 
1699  /* do detect */
1700  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1701 
1702  if (!PacketAlertCheck(p2, 1)) {
1703  printf("sid 1 did not match but should have: ");
1704  goto end;
1705  }
1706 
1707  result = 1;
1708 
1709 end:
1710  if (alp_tctx != NULL)
1711  AppLayerParserThreadCtxFree(alp_tctx);
1712  if (de_ctx != NULL)
1713  DetectEngineCtxFree(de_ctx);
1714 
1715  StreamTcpFreeConfig(true);
1716  FLOW_DESTROY(&f);
1717  UTHFreePackets(&p1, 1);
1718  UTHFreePackets(&p2, 1);
1719  return result;
1720 }
1721 
1722 static int DetectEngineHttpServerBodyTest14(void)
1723 {
1724  TcpSession ssn;
1725  Packet *p1 = NULL;
1726  Packet *p2 = NULL;
1727  ThreadVars th_v;
1728  DetectEngineCtx *de_ctx = NULL;
1729  DetectEngineThreadCtx *det_ctx = NULL;
1730  HtpState *http_state = NULL;
1731  Flow f;
1732  uint8_t http_buf1[] =
1733  "GET /index.html HTTP/1.0\r\n"
1734  "Host: www.openinfosecfoundation.org\r\n"
1735  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1736  "\r\n";
1737  uint32_t http_len1 = sizeof(http_buf1) - 1;
1738  uint8_t http_buf2[] =
1739  "HTTP/1.0 200 ok\r\n"
1740  "Content-Type: text/html\r\n"
1741  "Content-Length: 6\r\n"
1742  "\r\n"
1743  "abcdef";
1744  uint32_t http_len2 = sizeof(http_buf2) - 1;
1745  int result = 0;
1746  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1747 
1748  memset(&th_v, 0, sizeof(th_v));
1749  memset(&f, 0, sizeof(f));
1750  memset(&ssn, 0, sizeof(ssn));
1751 
1752  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1753  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1754 
1755  FLOW_INITIALIZE(&f);
1756  f.protoctx = (void *)&ssn;
1757  f.proto = IPPROTO_TCP;
1758  f.flags |= FLOW_IPV4;
1759 
1760  p1->flow = &f;
1761  p1->flowflags |= FLOW_PKT_TOSERVER;
1762  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1763  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1764  p2->flow = &f;
1765  p2->flowflags |= FLOW_PKT_TOCLIENT;
1766  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1767  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1768  f.alproto = ALPROTO_HTTP1;
1769 
1770  StreamTcpInitConfig(true);
1771 
1772  de_ctx = DetectEngineCtxInit();
1773  if (de_ctx == NULL)
1774  goto end;
1775 
1776  de_ctx->flags |= DE_QUIET;
1777 
1778  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1779  "(msg:\"http server body test\"; "
1780  "pcre:/ab/Q; "
1781  "content:\"ef\"; http_server_body; distance:2; "
1782  "sid:1;)");
1783  if (de_ctx->sig_list == NULL)
1784  goto end;
1785 
1786  SigGroupBuild(de_ctx);
1787  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1788 
1789  int r = AppLayerParserParse(
1790  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1791  if (r != 0) {
1792  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1793  result = 0;
1794  goto end;
1795  }
1796 
1797  http_state = f.alstate;
1798  if (http_state == NULL) {
1799  printf("no http state: \n");
1800  result = 0;
1801  goto end;
1802  }
1803 
1804  /* do detect */
1805  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1806 
1807  if (PacketAlertCheck(p1, 1)) {
1808  printf("sid 1 matched but shouldn't have: ");
1809  goto end;
1810  }
1811 
1812  r = AppLayerParserParse(
1813  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1814  if (r != 0) {
1815  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1816  result = 0;
1817  goto end;
1818  }
1819 
1820  /* do detect */
1821  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1822 
1823  if (!PacketAlertCheck(p2, 1)) {
1824  printf("sid 1 did not match but should have: ");
1825  goto end;
1826  }
1827 
1828  result = 1;
1829 
1830 end:
1831  if (alp_tctx != NULL)
1832  AppLayerParserThreadCtxFree(alp_tctx);
1833  if (de_ctx != NULL)
1834  DetectEngineCtxFree(de_ctx);
1835 
1836  StreamTcpFreeConfig(true);
1837  FLOW_DESTROY(&f);
1838  UTHFreePackets(&p1, 1);
1839  UTHFreePackets(&p2, 1);
1840  return result;
1841 }
1842 
1843 static int DetectEngineHttpServerBodyTest15(void)
1844 {
1845  TcpSession ssn;
1846  Packet *p1 = NULL;
1847  Packet *p2 = NULL;
1848  ThreadVars th_v;
1849  DetectEngineCtx *de_ctx = NULL;
1850  DetectEngineThreadCtx *det_ctx = NULL;
1851  HtpState *http_state = NULL;
1852  Flow f;
1853  uint8_t http_buf1[] =
1854  "GET /index.html HTTP/1.0\r\n"
1855  "Host: www.openinfosecfoundation.org\r\n"
1856  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1857  "\r\n";
1858  uint32_t http_len1 = sizeof(http_buf1) - 1;
1859  uint8_t http_buf2[] =
1860  "HTTP/1.0 200 ok\r\n"
1861  "Content-Type: text/html\r\n"
1862  "Content-Length: 6\r\n"
1863  "\r\n"
1864  "abcdef";
1865  uint32_t http_len2 = sizeof(http_buf2) - 1;
1866  int result = 0;
1867  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1868 
1869  memset(&th_v, 0, sizeof(th_v));
1870  memset(&f, 0, sizeof(f));
1871  memset(&ssn, 0, sizeof(ssn));
1872 
1873  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1874  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1875 
1876  FLOW_INITIALIZE(&f);
1877  f.protoctx = (void *)&ssn;
1878  f.proto = IPPROTO_TCP;
1879  f.flags |= FLOW_IPV4;
1880 
1881  p1->flow = &f;
1882  p1->flowflags |= FLOW_PKT_TOSERVER;
1883  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1884  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1885  p2->flow = &f;
1886  p2->flowflags |= FLOW_PKT_TOCLIENT;
1887  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1888  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1889  f.alproto = ALPROTO_HTTP1;
1890 
1891  StreamTcpInitConfig(true);
1892 
1893  de_ctx = DetectEngineCtxInit();
1894  if (de_ctx == NULL)
1895  goto end;
1896 
1897  de_ctx->flags |= DE_QUIET;
1898 
1899  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1900  "(msg:\"http server body test\"; "
1901  "pcre:/abc/Q; "
1902  "content:!\"xyz\"; http_server_body; distance:0; within:3; "
1903  "sid:1;)");
1904  if (de_ctx->sig_list == NULL)
1905  goto end;
1906 
1907  SigGroupBuild(de_ctx);
1908  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1909 
1910  int r = AppLayerParserParse(
1911  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1912  if (r != 0) {
1913  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1914  result = 0;
1915  goto end;
1916  }
1917 
1918  http_state = f.alstate;
1919  if (http_state == NULL) {
1920  printf("no http state: \n");
1921  result = 0;
1922  goto end;
1923  }
1924 
1925  /* do detect */
1926  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1927 
1928  if (PacketAlertCheck(p1, 1)) {
1929  printf("sid 1 matched but shouldn't have: ");
1930  goto end;
1931  }
1932 
1933  r = AppLayerParserParse(
1934  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1935  if (r != 0) {
1936  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1937  result = 0;
1938  goto end;
1939  }
1940 
1941  /* do detect */
1942  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1943 
1944  if (!PacketAlertCheck(p2, 1)) {
1945  printf("sid 1 did not match but should have: ");
1946  goto end;
1947  }
1948 
1949  result = 1;
1950 
1951 end:
1952  if (alp_tctx != NULL)
1953  AppLayerParserThreadCtxFree(alp_tctx);
1954  if (de_ctx != NULL)
1955  DetectEngineCtxFree(de_ctx);
1956 
1957  StreamTcpFreeConfig(true);
1958  FLOW_DESTROY(&f);
1959  UTHFreePackets(&p1, 1);
1960  UTHFreePackets(&p2, 1);
1961  return result;
1962 }
1963 
1964 static int DetectEngineHttpServerBodyTest16(void)
1965 {
1966  char input[] = "\
1967 %YAML 1.1\n\
1968 ---\n\
1969 libhtp:\n\
1970 \n\
1971  default-config:\n\
1972  personality: IDS\n\
1973  request-body-limit: 0\n\
1974  response-body-limit: 0\n\
1975 \n\
1976  request-body-inspect-window: 0\n\
1977  response-body-inspect-window: 0\n\
1978  request-body-minimal-inspect-size: 0\n\
1979  response-body-minimal-inspect-size: 0\n\
1980 ";
1981 
1982  ConfCreateContextBackup();
1983  ConfInit();
1984  HtpConfigCreateBackup();
1985 
1986  ConfYamlLoadString(input, strlen(input));
1987  HTPConfigure();
1988 
1989  TcpSession ssn;
1990  Packet *p1 = NULL;
1991  Packet *p2 = NULL;
1992  ThreadVars th_v;
1993  DetectEngineThreadCtx *det_ctx = NULL;
1994  HtpState *http_state = NULL;
1995  Flow f;
1996  uint8_t http_buf1[] =
1997  "GET /index.html HTTP/1.0\r\n"
1998  "Host: www.openinfosecfoundation.org\r\n"
1999  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2000  "\r\n";
2001  uint32_t http_len1 = sizeof(http_buf1) - 1;
2002  uint8_t http_buf2[] =
2003  "HTTP/1.0 200 ok\r\n"
2004  "Content-Type: text/html\r\n"
2005  "Content-Length: 17\r\n"
2006  "\r\n"
2007  "1234567";
2008  uint32_t http_len2 = sizeof(http_buf2) - 1;
2009  uint8_t http_buf3[] =
2010  "8901234ABC";
2011  uint32_t http_len3 = sizeof(http_buf3) - 1;
2012  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2013 
2014  memset(&th_v, 0, sizeof(th_v));
2015  memset(&f, 0, sizeof(f));
2016  memset(&ssn, 0, sizeof(ssn));
2017 
2018  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2019  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2020 
2021  FLOW_INITIALIZE(&f);
2022  f.protoctx = (void *)&ssn;
2023  f.proto = IPPROTO_TCP;
2024  f.flags |= FLOW_IPV4;
2025 
2026  p1->flow = &f;
2027  p1->flowflags |= FLOW_PKT_TOSERVER;
2028  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2029  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2030  p2->flow = &f;
2031  p2->flowflags |= FLOW_PKT_TOCLIENT;
2032  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2033  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2034  f.alproto = ALPROTO_HTTP1;
2035 
2036  StreamTcpInitConfig(true);
2037 
2038  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2039  FAIL_IF_NULL(de_ctx);
2040  de_ctx->flags |= DE_QUIET;
2041 
2042  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any ("
2043  "content:\"890\"; within:3; http_server_body; "
2044  "sid:1;)");
2045  FAIL_IF_NULL(s);
2046 
2047  SigGroupBuild(de_ctx);
2048  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2049 
2050  int r = AppLayerParserParse(
2051  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2052  FAIL_IF(r != 0);
2053 
2054  http_state = f.alstate;
2055  FAIL_IF_NULL(http_state);
2056 
2057  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2058  FAIL_IF(PacketAlertCheck(p1, 1));
2059 
2060  r = AppLayerParserParse(
2061  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2062  FAIL_IF(r != 0);
2063 
2064  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2065  FAIL_IF(PacketAlertCheck(p2, 1));
2066 
2067  r = AppLayerParserParse(
2068  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
2069  FAIL_IF(r != 0);
2070 
2071  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2072  FAIL_IF(PacketAlertCheck(p2, 1));
2073 
2074  AppLayerParserThreadCtxFree(alp_tctx);
2075  HTPFreeConfig();
2076  HtpConfigRestoreBackup();
2077  ConfRestoreContextBackup();
2078  DetectEngineCtxFree(de_ctx);
2079  StreamTcpFreeConfig(true);
2080  FLOW_DESTROY(&f);
2081  UTHFreePackets(&p1, 1);
2082  UTHFreePackets(&p2, 1);
2083  PASS;
2084 }
2085 
2086 static int DetectEngineHttpServerBodyTest17(void)
2087 {
2088  char input[] = "\
2089 %YAML 1.1\n\
2090 ---\n\
2091 libhtp:\n\
2092 \n\
2093  default-config:\n\
2094  personality: IDS\n\
2095  request-body-limit: 0\n\
2096  response-body-limit: 0\n\
2097 \n\
2098  request-body-inspect-window: 0\n\
2099  response-body-inspect-window: 0\n\
2100  request-body-minimal-inspect-size: 0\n\
2101  response-body-minimal-inspect-size: 0\n\
2102 ";
2103 
2104  ConfCreateContextBackup();
2105  ConfInit();
2106  HtpConfigCreateBackup();
2107 
2108  ConfYamlLoadString(input, strlen(input));
2109  HTPConfigure();
2110 
2111  TcpSession ssn;
2112  Packet *p1 = NULL;
2113  Packet *p2 = NULL;
2114  ThreadVars th_v;
2115  DetectEngineCtx *de_ctx = NULL;
2116  DetectEngineThreadCtx *det_ctx = NULL;
2117  HtpState *http_state = NULL;
2118  Flow f;
2119  uint8_t http_buf1[] =
2120  "GET /index.html HTTP/1.0\r\n"
2121  "Host: www.openinfosecfoundation.org\r\n"
2122  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2123  "\r\n";
2124  uint32_t http_len1 = sizeof(http_buf1) - 1;
2125  uint8_t http_buf2[] =
2126  "HTTP/1.0 200 ok\r\n"
2127  "Content-Type: text/html\r\n"
2128  "Content-Length: 17\r\n"
2129  "\r\n"
2130  "1234567";
2131  uint32_t http_len2 = sizeof(http_buf2) - 1;
2132  uint8_t http_buf3[] =
2133  "8901234ABC";
2134  uint32_t http_len3 = sizeof(http_buf3) - 1;
2135  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2136 
2137  memset(&th_v, 0, sizeof(th_v));
2138  memset(&f, 0, sizeof(f));
2139  memset(&ssn, 0, sizeof(ssn));
2140 
2141  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2142  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2143 
2144  FLOW_INITIALIZE(&f);
2145  f.protoctx = (void *)&ssn;
2146  f.proto = IPPROTO_TCP;
2147  f.flags |= FLOW_IPV4;
2148 
2149  p1->flow = &f;
2150  p1->flowflags |= FLOW_PKT_TOSERVER;
2151  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2152  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2153  p2->flow = &f;
2154  p2->flowflags |= FLOW_PKT_TOCLIENT;
2155  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2156  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2157  f.alproto = ALPROTO_HTTP1;
2158 
2159  StreamTcpInitConfig(true);
2160 
2161  de_ctx = DetectEngineCtxInit();
2162  FAIL_IF_NULL(de_ctx);
2163  de_ctx->flags |= DE_QUIET;
2164 
2165  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any ("
2166  "content:\"890\"; depth:3; http_server_body; "
2167  "sid:1;)");
2168  FAIL_IF_NULL(s);
2169 
2170  SigGroupBuild(de_ctx);
2171  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2172 
2173  int r = AppLayerParserParse(
2174  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2175  FAIL_IF_NOT(r == 0);
2176 
2177  http_state = f.alstate;
2178  FAIL_IF_NULL(http_state);
2179 
2180  /* do detect */
2181  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2182  FAIL_IF(PacketAlertCheck(p1, 1));
2183 
2184  SCLogDebug("chunk http_buf2");
2185  r = AppLayerParserParse(
2186  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2187  FAIL_IF_NOT(r == 0);
2188 
2189  /* do detect */
2190  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2191  FAIL_IF(PacketAlertCheck(p2, 1));
2192 
2193  SCLogDebug("chunk http_buf3");
2194  r = AppLayerParserParse(
2195  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
2196  FAIL_IF_NOT(r == 0);
2197 
2198  /* do detect */
2199  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2200  FAIL_IF(PacketAlertCheck(p2, 1));
2201 
2202  AppLayerParserThreadCtxFree(alp_tctx);
2203  HTPFreeConfig();
2204  HtpConfigRestoreBackup();
2205  ConfRestoreContextBackup();
2206 
2207  DetectEngineCtxFree(de_ctx);
2208 
2209  StreamTcpFreeConfig(true);
2210  FLOW_DESTROY(&f);
2211  UTHFreePackets(&p1, 1);
2212  UTHFreePackets(&p2, 1);
2213  PASS;
2214 }
2215 
2216 /*
2217  * gzip stream
2218  */
2219 static int DetectEngineHttpServerBodyTest18(void)
2220 {
2221  TcpSession ssn;
2222  Packet *p1 = NULL;
2223  Packet *p2 = NULL;
2224  ThreadVars th_v;
2225  DetectEngineCtx *de_ctx = NULL;
2226  DetectEngineThreadCtx *det_ctx = NULL;
2227  HtpState *http_state = NULL;
2228  Flow f;
2229  uint8_t http_buf1[] =
2230  "GET /index.html HTTP/1.0\r\n"
2231  "Host: www.openinfosecfoundation.org\r\n"
2232  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2233  "\r\n";
2234  uint32_t http_len1 = sizeof(http_buf1) - 1;
2235  uint8_t http_buf2[] = {
2236  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2237  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
2238  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
2239  0x0d, 0x0a,
2240  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2241  0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2242  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2243  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2244  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2245  0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2246  0x00, 0x00, 0x00,
2247  };
2248  uint32_t http_len2 = sizeof(http_buf2);
2249  int result = 0;
2250  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2251 
2252  memset(&th_v, 0, sizeof(th_v));
2253  memset(&f, 0, sizeof(f));
2254  memset(&ssn, 0, sizeof(ssn));
2255 
2256  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2257  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2258 
2259  FLOW_INITIALIZE(&f);
2260  f.protoctx = (void *)&ssn;
2261  f.proto = IPPROTO_TCP;
2262  f.flags |= FLOW_IPV4;
2263 
2264  p1->flow = &f;
2265  p1->flowflags |= FLOW_PKT_TOSERVER;
2266  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2267  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2268  p2->flow = &f;
2269  p2->flowflags |= FLOW_PKT_TOCLIENT;
2270  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2271  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2272  f.alproto = ALPROTO_HTTP1;
2273 
2274  StreamTcpInitConfig(true);
2275 
2276  de_ctx = DetectEngineCtxInit();
2277  if (de_ctx == NULL)
2278  goto end;
2279 
2280  de_ctx->flags |= DE_QUIET;
2281 
2282  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2283  "(msg:\"http server body test\"; "
2284  "content:\"file\"; http_server_body; "
2285  "sid:1;)");
2286  if (de_ctx->sig_list == NULL)
2287  goto end;
2288 
2289  SigGroupBuild(de_ctx);
2290  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2291 
2292  int r = AppLayerParserParse(
2293  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2294  if (r != 0) {
2295  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2296  result = 0;
2297  goto end;
2298  }
2299 
2300  http_state = f.alstate;
2301  if (http_state == NULL) {
2302  printf("no http state: \n");
2303  result = 0;
2304  goto end;
2305  }
2306 
2307  /* do detect */
2308  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2309 
2310  if ((PacketAlertCheck(p1, 1))) {
2311  printf("sid 1 matched but shouldn't have\n");
2312  goto end;
2313  }
2314 
2315  r = AppLayerParserParse(
2316  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2317  if (r != 0) {
2318  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2319  result = 0;
2320  goto end;
2321  }
2322 
2323  /* do detect */
2324  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2325 
2326  if (!(PacketAlertCheck(p2, 1))) {
2327  printf("sid 1 didn't match but should have");
2328  goto end;
2329  }
2330 
2331  result = 1;
2332 
2333 end:
2334  if (alp_tctx != NULL)
2335  AppLayerParserThreadCtxFree(alp_tctx);
2336  if (de_ctx != NULL)
2337  DetectEngineCtxFree(de_ctx);
2338 
2339  StreamTcpFreeConfig(true);
2340  FLOW_DESTROY(&f);
2341  UTHFreePackets(&p1, 1);
2342  UTHFreePackets(&p2, 1);
2343  return result;
2344 }
2345 
2346 /*
2347  * deflate stream
2348  */
2349 static int DetectEngineHttpServerBodyTest19(void)
2350 {
2351  TcpSession ssn;
2352  Packet *p1 = NULL;
2353  Packet *p2 = NULL;
2354  ThreadVars th_v;
2355  DetectEngineCtx *de_ctx = NULL;
2356  DetectEngineThreadCtx *det_ctx = NULL;
2357  HtpState *http_state = NULL;
2358  Flow f;
2359  uint8_t http_buf1[] =
2360  "GET /index.html HTTP/1.0\r\n"
2361  "Host: www.openinfosecfoundation.org\r\n"
2362  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2363  "\r\n";
2364  uint32_t http_len1 = sizeof(http_buf1) - 1;
2365  uint8_t http_buf2[] = {
2366  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2367  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
2368  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
2369  0x0d, 0x0a,
2370  0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2371  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2372  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2373  0x8f, 0x0b, 0x00,
2374  };
2375  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
2376  uint32_t http_len2 = sizeof(http_buf2);
2377  int result = 0;
2378  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2379 
2380  memset(&th_v, 0, sizeof(th_v));
2381  memset(&f, 0, sizeof(f));
2382  memset(&ssn, 0, sizeof(ssn));
2383 
2384  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2385  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2386 
2387  FLOW_INITIALIZE(&f);
2388  f.protoctx = (void *)&ssn;
2389  f.proto = IPPROTO_TCP;
2390  f.flags |= FLOW_IPV4;
2391 
2392  p1->flow = &f;
2393  p1->flowflags |= FLOW_PKT_TOSERVER;
2394  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2395  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2396  p2->flow = &f;
2397  p2->flowflags |= FLOW_PKT_TOCLIENT;
2398  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2399  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2400  f.alproto = ALPROTO_HTTP1;
2401 
2402  StreamTcpInitConfig(true);
2403 
2404  de_ctx = DetectEngineCtxInit();
2405  if (de_ctx == NULL)
2406  goto end;
2407 
2408  de_ctx->flags |= DE_QUIET;
2409 
2410  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2411  "(msg:\"http server body test\"; "
2412  "content:\"file\"; http_server_body; "
2413  "sid:1;)");
2414  if (de_ctx->sig_list == NULL)
2415  goto end;
2416 
2417  SigGroupBuild(de_ctx);
2418  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2419 
2420  int r = AppLayerParserParse(
2421  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2422  if (r != 0) {
2423  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2424  result = 0;
2425  goto end;
2426  }
2427 
2428  http_state = f.alstate;
2429  if (http_state == NULL) {
2430  printf("no http state: \n");
2431  result = 0;
2432  goto end;
2433  }
2434 
2435  /* do detect */
2436  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2437 
2438  if ((PacketAlertCheck(p1, 1))) {
2439  printf("sid 1 matched but shouldn't have\n");
2440  goto end;
2441  }
2442 
2443  r = AppLayerParserParse(
2444  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2445  if (r != 0) {
2446  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2447  result = 0;
2448  goto end;
2449  }
2450 
2451  /* do detect */
2452  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2453 
2454  if (!(PacketAlertCheck(p2, 1))) {
2455  printf("sid 1 didn't match but should have");
2456  goto end;
2457  }
2458 
2459  result = 1;
2460 
2461 end:
2462  if (alp_tctx != NULL)
2463  AppLayerParserThreadCtxFree(alp_tctx);
2464  if (de_ctx != NULL)
2465  DetectEngineCtxFree(de_ctx);
2466 
2467  StreamTcpFreeConfig(true);
2468  FLOW_DESTROY(&f);
2469  UTHFreePackets(&p1, 1);
2470  UTHFreePackets(&p2, 1);
2471  return result;
2472 }
2473 
2474 /*
2475  * deflate stream with gzip set as content-encoding
2476  */
2477 static int DetectEngineHttpServerBodyTest20(void)
2478 {
2479  TcpSession ssn;
2480  Packet *p1 = NULL;
2481  Packet *p2 = NULL;
2482  ThreadVars th_v;
2483  DetectEngineCtx *de_ctx = NULL;
2484  DetectEngineThreadCtx *det_ctx = NULL;
2485  HtpState *http_state = NULL;
2486  Flow f;
2487  uint8_t http_buf1[] =
2488  "GET /index.html HTTP/1.0\r\n"
2489  "Host: www.openinfosecfoundation.org\r\n"
2490  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2491  "\r\n";
2492  uint32_t http_len1 = sizeof(http_buf1) - 1;
2493  uint8_t http_buf2[] = {
2494  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2495  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
2496  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
2497  0x0d, 0x0a,
2498  0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2499  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2500  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2501  0x8f, 0x0b, 0x00,
2502  };
2503  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
2504  uint32_t http_len2 = sizeof(http_buf2);
2505  int result = 0;
2506  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2507 
2508  memset(&th_v, 0, sizeof(th_v));
2509  memset(&f, 0, sizeof(f));
2510  memset(&ssn, 0, sizeof(ssn));
2511 
2512  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2513  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2514 
2515  FLOW_INITIALIZE(&f);
2516  f.protoctx = (void *)&ssn;
2517  f.proto = IPPROTO_TCP;
2518  f.flags |= FLOW_IPV4;
2519 
2520  p1->flow = &f;
2521  p1->flowflags |= FLOW_PKT_TOSERVER;
2522  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2523  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2524  p2->flow = &f;
2525  p2->flowflags |= FLOW_PKT_TOCLIENT;
2526  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2527  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2528  f.alproto = ALPROTO_HTTP1;
2529 
2530  StreamTcpInitConfig(true);
2531 
2532  de_ctx = DetectEngineCtxInit();
2533  if (de_ctx == NULL)
2534  goto end;
2535 
2536  de_ctx->flags |= DE_QUIET;
2537 
2538  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2539  "(msg:\"http server body test\"; "
2540  "content:\"file\"; http_server_body; "
2541  "sid:1;)");
2542  if (de_ctx->sig_list == NULL)
2543  goto end;
2544 
2545  SigGroupBuild(de_ctx);
2546  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2547 
2548  int r = AppLayerParserParse(
2549  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2550  if (r != 0) {
2551  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2552  result = 0;
2553  goto end;
2554  }
2555 
2556  http_state = f.alstate;
2557  if (http_state == NULL) {
2558  printf("no http state: \n");
2559  result = 0;
2560  goto end;
2561  }
2562 
2563  /* do detect */
2564  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2565 
2566  if ((PacketAlertCheck(p1, 1))) {
2567  printf("sid 1 matched but shouldn't have\n");
2568  goto end;
2569  }
2570 
2571  r = AppLayerParserParse(
2572  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2573  if (r != 0) {
2574  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2575  result = 0;
2576  goto end;
2577  }
2578 
2579  /* do detect */
2580  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2581 
2582 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2583  FAIL_IF(!(PacketAlertCheck(p2, 1)));
2584 #endif
2585 
2586  result = 1;
2587 
2588 end:
2589  if (alp_tctx != NULL)
2590  AppLayerParserThreadCtxFree(alp_tctx);
2591  if (de_ctx != NULL)
2592  DetectEngineCtxFree(de_ctx);
2593 
2594  StreamTcpFreeConfig(true);
2595  FLOW_DESTROY(&f);
2596  UTHFreePackets(&p1, 1);
2597  UTHFreePackets(&p2, 1);
2598  return result;
2599 }
2600 
2601 /*
2602  * gzip stream with deflate set as content-encoding.
2603  */
2604 static int DetectEngineHttpServerBodyTest21(void)
2605 {
2606  TcpSession ssn;
2607  Packet *p1 = NULL;
2608  Packet *p2 = NULL;
2609  ThreadVars th_v;
2610  DetectEngineCtx *de_ctx = NULL;
2611  DetectEngineThreadCtx *det_ctx = NULL;
2612  HtpState *http_state = NULL;
2613  Flow f;
2614  uint8_t http_buf1[] =
2615  "GET /index.html HTTP/1.0\r\n"
2616  "Host: www.openinfosecfoundation.org\r\n"
2617  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2618  "\r\n";
2619  uint32_t http_len1 = sizeof(http_buf1) - 1;
2620  uint8_t http_buf2[] = {
2621  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2622  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
2623  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
2624  0x0d, 0x0a,
2625  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2626  0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2627  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2628  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2629  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2630  0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2631  0x00, 0x00, 0x00,
2632  };
2633  uint32_t http_len2 = sizeof(http_buf2);
2634  int result = 0;
2635  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2636 
2637  memset(&th_v, 0, sizeof(th_v));
2638  memset(&f, 0, sizeof(f));
2639  memset(&ssn, 0, sizeof(ssn));
2640 
2641  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2642  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2643 
2644  FLOW_INITIALIZE(&f);
2645  f.protoctx = (void *)&ssn;
2646  f.proto = IPPROTO_TCP;
2647  f.flags |= FLOW_IPV4;
2648 
2649  p1->flow = &f;
2650  p1->flowflags |= FLOW_PKT_TOSERVER;
2651  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2652  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2653  p2->flow = &f;
2654  p2->flowflags |= FLOW_PKT_TOCLIENT;
2655  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2656  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2657  f.alproto = ALPROTO_HTTP1;
2658 
2659  StreamTcpInitConfig(true);
2660 
2661  de_ctx = DetectEngineCtxInit();
2662  if (de_ctx == NULL)
2663  goto end;
2664 
2665  de_ctx->flags |= DE_QUIET;
2666 
2667  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2668  "(msg:\"http server body test\"; "
2669  "content:\"file\"; http_server_body; "
2670  "sid:1;)");
2671  if (de_ctx->sig_list == NULL)
2672  goto end;
2673 
2674  SigGroupBuild(de_ctx);
2675  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2676 
2677  int r = AppLayerParserParse(
2678  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2679  if (r != 0) {
2680  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2681  result = 0;
2682  goto end;
2683  }
2684 
2685  http_state = f.alstate;
2686  if (http_state == NULL) {
2687  printf("no http state: \n");
2688  result = 0;
2689  goto end;
2690  }
2691 
2692  /* do detect */
2693  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2694 
2695  if ((PacketAlertCheck(p1, 1))) {
2696  printf("sid 1 matched but shouldn't have\n");
2697  goto end;
2698  }
2699 
2700  r = AppLayerParserParse(
2701  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2702  if (r != 0) {
2703  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2704  result = 0;
2705  goto end;
2706  }
2707 
2708  /* do detect */
2709  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2710 
2711 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2712  FAIL_IF(!(PacketAlertCheck(p2, 1)));
2713 #endif
2714 
2715  result = 1;
2716 
2717 end:
2718  if (alp_tctx != NULL)
2719  AppLayerParserThreadCtxFree(alp_tctx);
2720  if (de_ctx != NULL)
2721  DetectEngineCtxFree(de_ctx);
2722 
2723  StreamTcpFreeConfig(true);
2724  FLOW_DESTROY(&f);
2725  UTHFreePackets(&p1, 1);
2726  UTHFreePackets(&p2, 1);
2727  return result;
2728 }
2729 
2730 /*
2731  * gzip stream.
2732  * We have 2 content-encoding headers. First gzip and second deflate.
2733  */
2734 static int DetectEngineHttpServerBodyTest22(void)
2735 {
2736  TcpSession ssn;
2737  Packet *p1 = NULL;
2738  Packet *p2 = NULL;
2739  ThreadVars th_v;
2740  DetectEngineCtx *de_ctx = NULL;
2741  DetectEngineThreadCtx *det_ctx = NULL;
2742  HtpState *http_state = NULL;
2743  Flow f;
2744  uint8_t http_buf1[] =
2745  "GET /index.html HTTP/1.0\r\n"
2746  "Host: www.openinfosecfoundation.org\r\n"
2747  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2748  "\r\n";
2749  uint32_t http_len1 = sizeof(http_buf1) - 1;
2750  uint8_t http_buf2[] = {
2751  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
2752  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
2753  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'g', 'z', 'i', 'p', 0x0d, 0x0a,
2754  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ', 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
2755  0x0d, 0x0a,
2756  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51,
2757  0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
2758  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56,
2759  0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
2760  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42,
2761  0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
2762  0x00, 0x00, 0x00,
2763  };
2764  uint32_t http_len2 = sizeof(http_buf2);
2765  int result = 0;
2766  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2767 
2768  memset(&th_v, 0, sizeof(th_v));
2769  memset(&f, 0, sizeof(f));
2770  memset(&ssn, 0, sizeof(ssn));
2771 
2772  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2773  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2774 
2775  FLOW_INITIALIZE(&f);
2776  f.protoctx = (void *)&ssn;
2777  f.proto = IPPROTO_TCP;
2778  f.flags |= FLOW_IPV4;
2779 
2780  p1->flow = &f;
2781  p1->flowflags |= FLOW_PKT_TOSERVER;
2782  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2783  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2784  p2->flow = &f;
2785  p2->flowflags |= FLOW_PKT_TOCLIENT;
2786  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2787  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2788  f.alproto = ALPROTO_HTTP1;
2789 
2790  StreamTcpInitConfig(true);
2791 
2792  de_ctx = DetectEngineCtxInit();
2793  if (de_ctx == NULL)
2794  goto end;
2795 
2796  de_ctx->flags |= DE_QUIET;
2797 
2798  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2799  "(msg:\"http server body test\"; "
2800  "content:\"file\"; http_server_body; "
2801  "sid:1;)");
2802  if (de_ctx->sig_list == NULL)
2803  goto end;
2804 
2805  SigGroupBuild(de_ctx);
2806  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2807 
2808  int r = AppLayerParserParse(
2809  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2810  if (r != 0) {
2811  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2812  result = 0;
2813  goto end;
2814  }
2815 
2816  http_state = f.alstate;
2817  if (http_state == NULL) {
2818  printf("no http state: \n");
2819  result = 0;
2820  goto end;
2821  }
2822 
2823  /* do detect */
2824  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2825 
2826  if ((PacketAlertCheck(p1, 1))) {
2827  printf("sid 1 matched but shouldn't have: ");
2828  goto end;
2829  }
2830 
2831  r = AppLayerParserParse(
2832  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2833  if (r != 0) {
2834  printf("toserver chunk 2 returned %" PRId32 ", expected 0: \n", r);
2835  result = 0;
2836  goto end;
2837  }
2838 
2839  /* do detect */
2840  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2841 
2842 #ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
2843  FAIL_IF(!(PacketAlertCheck(p2, 1)));
2844 #endif
2845 
2846  result = 1;
2847 
2848 end:
2849  if (alp_tctx != NULL)
2850  AppLayerParserThreadCtxFree(alp_tctx);
2851  if (de_ctx != NULL)
2852  DetectEngineCtxFree(de_ctx);
2853 
2854  StreamTcpFreeConfig(true);
2855  FLOW_DESTROY(&f);
2856  UTHFreePackets(&p1, 1);
2857  UTHFreePackets(&p2, 1);
2858  return result;
2859 }
2860 
2861 static int DetectEngineHttpServerBodyFileDataTest01(void)
2862 {
2863  TcpSession ssn;
2864  Packet *p1 = NULL;
2865  Packet *p2 = NULL;
2866  ThreadVars th_v;
2867  DetectEngineCtx *de_ctx = NULL;
2868  DetectEngineThreadCtx *det_ctx = NULL;
2869  HtpState *http_state = NULL;
2870  Flow f;
2871  uint8_t http_buf1[] =
2872  "GET /index.html HTTP/1.0\r\n"
2873  "Host: www.openinfosecfoundation.org\r\n"
2874  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2875  "\r\n";
2876  uint32_t http_len1 = sizeof(http_buf1) - 1;
2877  uint8_t http_buf2[] =
2878  "HTTP/1.0 200 ok\r\n"
2879  "Content-Type: text/html\r\n"
2880  "Content-Length: 6\r\n"
2881  "\r\n"
2882  "abcdef";
2883  uint32_t http_len2 = sizeof(http_buf2) - 1;
2884  int result = 0;
2885  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2886 
2887  memset(&th_v, 0, sizeof(th_v));
2888  memset(&f, 0, sizeof(f));
2889  memset(&ssn, 0, sizeof(ssn));
2890 
2891  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2892  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2893 
2894  FLOW_INITIALIZE(&f);
2895  f.protoctx = (void *)&ssn;
2896  f.proto = IPPROTO_TCP;
2897  f.flags |= FLOW_IPV4;
2898 
2899  p1->flow = &f;
2900  p1->flowflags |= FLOW_PKT_TOSERVER;
2901  p1->flowflags |= FLOW_PKT_ESTABLISHED;
2902  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2903  p2->flow = &f;
2904  p2->flowflags |= FLOW_PKT_TOCLIENT;
2905  p2->flowflags |= FLOW_PKT_ESTABLISHED;
2906  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2907  f.alproto = ALPROTO_HTTP1;
2908 
2909  StreamTcpInitConfig(true);
2910 
2911  de_ctx = DetectEngineCtxInit();
2912  if (de_ctx == NULL)
2913  goto end;
2914 
2915  de_ctx->flags |= DE_QUIET;
2916 
2917  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2918  "(msg:\"http server body test\"; "
2919  "file_data; pcre:/ab/; "
2920  "content:\"ef\"; distance:2; "
2921  "sid:1;)");
2922  if (de_ctx->sig_list == NULL)
2923  goto end;
2924 
2925  SigGroupBuild(de_ctx);
2926  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2927 
2928  int r = AppLayerParserParse(
2929  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
2930  if (r != 0) {
2931  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2932  result = 0;
2933  goto end;
2934  }
2935 
2936  http_state = f.alstate;
2937  if (http_state == NULL) {
2938  printf("no http state: \n");
2939  result = 0;
2940  goto end;
2941  }
2942 
2943  /* do detect */
2944  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2945 
2946  if (PacketAlertCheck(p1, 1)) {
2947  printf("sid 1 matched but shouldn't have: ");
2948  goto end;
2949  }
2950 
2951  r = AppLayerParserParse(
2952  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
2953  if (r != 0) {
2954  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2955  result = 0;
2956  goto end;
2957  }
2958 
2959  /* do detect */
2960  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2961 
2962  if (!PacketAlertCheck(p2, 1)) {
2963  printf("sid 1 did not match but should have: ");
2964  goto end;
2965  }
2966 
2967  result = 1;
2968 
2969 end:
2970  if (alp_tctx != NULL)
2971  AppLayerParserThreadCtxFree(alp_tctx);
2972  if (de_ctx != NULL)
2973  DetectEngineCtxFree(de_ctx);
2974 
2975  StreamTcpFreeConfig(true);
2976  FLOW_DESTROY(&f);
2977  UTHFreePackets(&p1, 1);
2978  UTHFreePackets(&p2, 1);
2979  return result;
2980 }
2981 
2982 static int DetectEngineHttpServerBodyFileDataTest02(void)
2983 {
2984  TcpSession ssn;
2985  Packet *p1 = NULL;
2986  Packet *p2 = NULL;
2987  ThreadVars th_v;
2988  DetectEngineCtx *de_ctx = NULL;
2989  DetectEngineThreadCtx *det_ctx = NULL;
2990  HtpState *http_state = NULL;
2991  Flow f;
2992  uint8_t http_buf1[] =
2993  "GET /index.html HTTP/1.0\r\n"
2994  "Host: www.openinfosecfoundation.org\r\n"
2995  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2996  "\r\n";
2997  uint32_t http_len1 = sizeof(http_buf1) - 1;
2998  uint8_t http_buf2[] =
2999  "HTTP/1.0 200 ok\r\n"
3000  "Content-Type: text/html\r\n"
3001  "Content-Length: 6\r\n"
3002  "\r\n"
3003  "abcdef";
3004  uint32_t http_len2 = sizeof(http_buf2) - 1;
3005  int result = 0;
3006  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3007 
3008  memset(&th_v, 0, sizeof(th_v));
3009  memset(&f, 0, sizeof(f));
3010  memset(&ssn, 0, sizeof(ssn));
3011 
3012  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3013  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3014 
3015  FLOW_INITIALIZE(&f);
3016  f.protoctx = (void *)&ssn;
3017  f.proto = IPPROTO_TCP;
3018  f.flags |= FLOW_IPV4;
3019 
3020  p1->flow = &f;
3021  p1->flowflags |= FLOW_PKT_TOSERVER;
3022  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3023  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3024  p2->flow = &f;
3025  p2->flowflags |= FLOW_PKT_TOCLIENT;
3026  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3027  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3028  f.alproto = ALPROTO_HTTP1;
3029 
3030  StreamTcpInitConfig(true);
3031 
3032  de_ctx = DetectEngineCtxInit();
3033  if (de_ctx == NULL)
3034  goto end;
3035 
3036  de_ctx->flags |= DE_QUIET;
3037 
3038  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3039  "(msg:\"http server body test\"; "
3040  "file_data; pcre:/abc/; "
3041  "content:!\"xyz\"; distance:0; within:3; "
3042  "sid:1;)");
3043  if (de_ctx->sig_list == NULL)
3044  goto end;
3045 
3046  SigGroupBuild(de_ctx);
3047  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3048 
3049  int r = AppLayerParserParse(
3050  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
3051  if (r != 0) {
3052  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3053  result = 0;
3054  goto end;
3055  }
3056 
3057  http_state = f.alstate;
3058  if (http_state == NULL) {
3059  printf("no http state: \n");
3060  result = 0;
3061  goto end;
3062  }
3063 
3064  /* do detect */
3065  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3066 
3067  if (PacketAlertCheck(p1, 1)) {
3068  printf("sid 1 matched but shouldn't have: ");
3069  goto end;
3070  }
3071 
3072  r = AppLayerParserParse(
3073  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
3074  if (r != 0) {
3075  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3076  result = 0;
3077  goto end;
3078  }
3079 
3080  /* do detect */
3081  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3082 
3083  if (!PacketAlertCheck(p2, 1)) {
3084  printf("sid 1 did not match but should have: ");
3085  goto end;
3086  }
3087 
3088  result = 1;
3089 
3090 end:
3091  if (alp_tctx != NULL)
3092  AppLayerParserThreadCtxFree(alp_tctx);
3093  if (de_ctx != NULL)
3094  DetectEngineCtxFree(de_ctx);
3095 
3096  StreamTcpFreeConfig(true);
3097  FLOW_DESTROY(&f);
3098  UTHFreePackets(&p1, 1);
3099  UTHFreePackets(&p2, 1);
3100  return result;
3101 }
3102 
3103 /* \test recursive relative byte test */
3104 static int DetectEngineHttpServerBodyFileDataTest03(void)
3105 {
3106  TcpSession ssn;
3107  Packet *p1 = NULL;
3108  Packet *p2 = NULL;
3109  ThreadVars th_v;
3110  DetectEngineThreadCtx *det_ctx = NULL;
3111  HtpState *http_state = NULL;
3112  Flow f;
3113  uint8_t http_buf1[] =
3114  "GET /index.html HTTP/1.0\r\n"
3115  "Host: www.openinfosecfoundation.org\r\n"
3116  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3117  "\r\n";
3118  uint32_t http_len1 = sizeof(http_buf1) - 1;
3119  uint8_t http_buf2[] =
3120  "HTTP/1.0 200 ok\r\n"
3121  "Content-Type: text/html\r\n"
3122  "Content-Length: 33\r\n"
3123  "\r\n"
3124  "XYZ_klm_1234abcd_XYZ_klm_5678abcd";
3125  uint32_t http_len2 = sizeof(http_buf2) - 1;
3126  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3127 
3128  memset(&th_v, 0, sizeof(th_v));
3129  memset(&f, 0, sizeof(f));
3130  memset(&ssn, 0, sizeof(ssn));
3131 
3132  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3133  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3134 
3135  FLOW_INITIALIZE(&f);
3136  f.protoctx = (void *)&ssn;
3137  f.proto = IPPROTO_TCP;
3138  f.flags |= FLOW_IPV4;
3139 
3140  p1->flow = &f;
3141  p1->flowflags |= FLOW_PKT_TOSERVER;
3142  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3143  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3144  p2->flow = &f;
3145  p2->flowflags |= FLOW_PKT_TOCLIENT;
3146  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3147  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3148  f.alproto = ALPROTO_HTTP1;
3149 
3150  StreamTcpInitConfig(true);
3151 
3152  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3153  FAIL_IF_NULL(de_ctx);
3154  de_ctx->flags |= DE_QUIET;
3155 
3156  Signature *s = DetectEngineAppendSig(de_ctx,
3157  "alert http any any -> any any "
3158  "(msg:\"match on 1st\"; "
3159  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
3160  "distance:4; byte_test:4,=,1234,-8,relative,string;"
3161  "sid:1;)");
3162  FAIL_IF_NULL(s);
3163  s = DetectEngineAppendSig(de_ctx,
3164  "alert http any any -> any any "
3165  "(msg:\"match on 2nd\"; "
3166  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
3167  "distance:4; byte_test:4,=,5678,-8,relative,string;"
3168  "sid:2;)");
3169  FAIL_IF_NULL(s);
3170 
3171  SigGroupBuild(de_ctx);
3172  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3173 
3174  int r = AppLayerParserParse(
3175  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
3176  FAIL_IF(r != 0);
3177  http_state = f.alstate;
3178  FAIL_IF_NULL(http_state);
3179 
3180  /* do detect */
3181  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3182  FAIL_IF(PacketAlertCheck(p1, 1));
3183 
3184  r = AppLayerParserParse(
3185  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
3186  FAIL_IF(r != 0);
3187 
3188  /* do detect */
3189  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3190 
3191  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
3192  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
3193 
3194  AppLayerParserThreadCtxFree(alp_tctx);
3195  DetectEngineCtxFree(de_ctx);
3196  StreamTcpFreeConfig(true);
3197  FLOW_DESTROY(&f);
3198  UTHFreePackets(&p1, 1);
3199  UTHFreePackets(&p2, 1);
3200  PASS;
3201 }
3202 
3203 static int DetectEngineHttpServerBodyFileDataTest04(void)
3204 {
3205 
3206  const char yaml[] = "\
3207 %YAML 1.1\n\
3208 ---\n\
3209 libhtp:\n\
3210 \n\
3211  default-config:\n\
3212 \n\
3213  http-body-inline: yes\n\
3214  response-body-minimal-inspect-size: 6\n\
3215  response-body-inspect-window: 3\n\
3216 ";
3217 
3218  struct TestSteps steps[] = {
3219  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3220  "Host: www.openinfosecfoundation.org\r\n"
3221  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3222  "\r\n",
3223  0, STREAM_TOSERVER, 0 },
3224  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3225  "Content-Type: text/html\r\n"
3226  "Content-Length: 6\r\n"
3227  "\r\n"
3228  "ab",
3229  0, STREAM_TOCLIENT, 0 },
3230  { (const uint8_t *)"cd",
3231  0, STREAM_TOCLIENT, 1 },
3232  { (const uint8_t *)"ef",
3233  0, STREAM_TOCLIENT, 0 },
3234  { NULL, 0, 0, 0 },
3235  };
3236 
3237  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
3238  return RunTest(steps, sig, yaml);
3239 }
3240 
3241 static int DetectEngineHttpServerBodyFileDataTest05(void)
3242 {
3243 
3244  const char yaml[] = "\
3245 %YAML 1.1\n\
3246 ---\n\
3247 libhtp:\n\
3248 \n\
3249  default-config:\n\
3250 \n\
3251  http-body-inline: yes\n\
3252  response-body-minimal-inspect-size: 6\n\
3253  response-body-inspect-window: 3\n\
3254 ";
3255 
3256  struct TestSteps steps[] = {
3257  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3258  "Host: www.openinfosecfoundation.org\r\n"
3259  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3260  "\r\n",
3261  0, STREAM_TOSERVER, 0 },
3262  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3263  "Content-Type: text/html\r\n"
3264  "Content-Length: 6\r\n"
3265  "\r\n"
3266  "ab",
3267  0, STREAM_TOCLIENT, 0 },
3268  { (const uint8_t *)"cd",
3269  0, STREAM_TOCLIENT, 0 },
3270  { (const uint8_t *)"ef",
3271  0, STREAM_TOCLIENT, 1 },
3272  { NULL, 0, 0, 0 },
3273  };
3274 
3275  const char *sig = "alert http any any -> any any (file_data; content:\"abcdef\"; sid:1;)";
3276  return RunTest(steps, sig, yaml);
3277 }
3278 
3279 static int DetectEngineHttpServerBodyFileDataTest06(void)
3280 {
3281 
3282  const char yaml[] = "\
3283 %YAML 1.1\n\
3284 ---\n\
3285 libhtp:\n\
3286 \n\
3287  default-config:\n\
3288 \n\
3289  http-body-inline: yes\n\
3290  response-body-minimal-inspect-size: 6\n\
3291  response-body-inspect-window: 3\n\
3292 ";
3293 
3294  struct TestSteps steps[] = {
3295  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3296  "Host: www.openinfosecfoundation.org\r\n"
3297  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3298  "\r\n",
3299  0, STREAM_TOSERVER, 0 },
3300  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3301  "Content-Type: text/html\r\n"
3302  "Content-Length: 6\r\n"
3303  "\r\n"
3304  "ab",
3305  0, STREAM_TOCLIENT, 0 },
3306  { (const uint8_t *)"cd",
3307  0, STREAM_TOCLIENT, 0 },
3308  { (const uint8_t *)"ef",
3309  0, STREAM_TOCLIENT, 1 },
3310  { NULL, 0, 0, 0 },
3311  };
3312 
3313  const char *sig = "alert http any any -> any any (file_data; content:\"bcdef\"; offset:1; sid:1;)";
3314  return RunTest(steps, sig, yaml);
3315 }
3316 
3317 static int DetectEngineHttpServerBodyFileDataTest07(void)
3318 {
3319 
3320  const char yaml[] = "\
3321 %YAML 1.1\n\
3322 ---\n\
3323 libhtp:\n\
3324 \n\
3325  default-config:\n\
3326 \n\
3327  http-body-inline: yes\n\
3328  response-body-minimal-inspect-size: 6\n\
3329  response-body-inspect-window: 3\n\
3330 ";
3331 
3332  struct TestSteps steps[] = {
3333  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3334  "Host: www.openinfosecfoundation.org\r\n"
3335  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3336  "\r\n",
3337  0, STREAM_TOSERVER, 0 },
3338  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3339  "Content-Type: text/html\r\n"
3340  "Content-Length: 13\r\n"
3341  "\r\n"
3342  "ab",
3343  0, STREAM_TOCLIENT, 0 },
3344  { (const uint8_t *)"cd",
3345  0, STREAM_TOCLIENT, 1 },
3346  { (const uint8_t *)"123456789",
3347  0, STREAM_TOCLIENT, 0 },
3348  { NULL, 0, 0, 0 },
3349  };
3350 
3351  const char *sig = "alert http any any -> any any (file_data; content:\"bc\"; offset:1; depth:2; sid:1;)";
3352  return RunTest(steps, sig, yaml);
3353 }
3354 
3355 static int DetectEngineHttpServerBodyFileDataTest08(void)
3356 {
3357 
3358  const char yaml[] = "\
3359 %YAML 1.1\n\
3360 ---\n\
3361 libhtp:\n\
3362 \n\
3363  default-config:\n\
3364 \n\
3365  http-body-inline: yes\n\
3366  response-body-minimal-inspect-size: 6\n\
3367  response-body-inspect-window: 3\n\
3368 ";
3369 
3370  struct TestSteps steps[] = {
3371  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3372  "Host: www.openinfosecfoundation.org\r\n"
3373  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3374  "\r\n",
3375  0, STREAM_TOSERVER, 0 },
3376  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3377  "Content-Type: text/html\r\n"
3378  "Content-Length: 14\r\n"
3379  "\r\n"
3380  "ab",
3381  0, STREAM_TOCLIENT, 0 },
3382  { (const uint8_t *)"cd",
3383  0, STREAM_TOCLIENT, 0 },
3384  { (const uint8_t *)"1234567890",
3385  0, STREAM_TOCLIENT, 1 },
3386  { NULL, 0, 0, 0 },
3387  };
3388 
3389  const char *sig = "alert http any any -> any any (file_data; content:\"d123456789\"; offset:3; sid:1;)";
3390  return RunTest(steps, sig, yaml);
3391 }
3392 
3393 static int DetectEngineHttpServerBodyFileDataTest09(void)
3394 {
3395 
3396  const char yaml[] = "\
3397 %YAML 1.1\n\
3398 ---\n\
3399 libhtp:\n\
3400 \n\
3401  default-config:\n\
3402 \n\
3403  http-body-inline: yes\n\
3404  response-body-minimal-inspect-size: 6\n\
3405  response-body-inspect-window: 3\n\
3406 ";
3407 
3408  struct TestSteps steps[] = {
3409  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3410  "Host: www.openinfosecfoundation.org\r\n"
3411  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3412  "\r\n",
3413  0, STREAM_TOSERVER, 0 },
3414  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3415  "Content-Type: text/html\r\n"
3416  "Content-Length: 13\r\n"
3417  "\r\n"
3418  "ab",
3419  0, STREAM_TOCLIENT, 0 },
3420  { (const uint8_t *)"cd",
3421  0, STREAM_TOCLIENT, 0 },
3422  { (const uint8_t *)"123456789",
3423  0, STREAM_TOCLIENT, 1 },
3424  { NULL, 0, 0, 0 },
3425  };
3426 
3427  const char *sig = "alert http any any -> any any (file_data; content:\"abcd12\"; depth:6; sid:1;)";
3428  return RunTest(steps, sig, yaml);
3429 }
3430 
3431 static int DetectEngineHttpServerBodyFileDataTest10(void)
3432 {
3433 
3434  const char yaml[] = "\
3435 %YAML 1.1\n\
3436 ---\n\
3437 libhtp:\n\
3438 \n\
3439  default-config:\n\
3440 \n\
3441  http-body-inline: yes\n\
3442  response-body-minimal-inspect-size: 6\n\
3443  response-body-inspect-window: 3\n\
3444 ";
3445 
3446  struct TestSteps steps[] = {
3447  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3448  "Host: www.openinfosecfoundation.org\r\n"
3449  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3450  "\r\n",
3451  0, STREAM_TOSERVER, 0 },
3452  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3453  "Content-Type: text/html\r\n"
3454  "Content-Length: 5\r\n"
3455  "\r\n"
3456  "ab",
3457  0, STREAM_TOCLIENT, 0 },
3458  { (const uint8_t *)"c",
3459  0, STREAM_TOCLIENT, 1 },
3460  { (const uint8_t *)"de",
3461  0, STREAM_TOCLIENT, 0 },
3462  { NULL, 0, 0, 0 },
3463  };
3464 
3465  const char *sig = "alert http any any -> any any (file_data; content:\"abc\"; depth:3; sid:1;)";
3466  return RunTest(steps, sig, yaml);
3467 }
3468 
3469 static int DetectEngineHttpServerBodyFileDataTest11(void)
3470 {
3471 
3472  const char yaml[] = "\
3473 %YAML 1.1\n\
3474 ---\n\
3475 libhtp:\n\
3476 \n\
3477  default-config:\n\
3478 \n\
3479  http-body-inline: yes\n\
3480  response-body-minimal-inspect-size: 6\n\
3481  response-body-inspect-window: 3\n\
3482 ";
3483 
3484  struct TestSteps steps[] = {
3485  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3486  "Host: www.openinfosecfoundation.org\r\n"
3487  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3488  "\r\n",
3489  0, STREAM_TOSERVER, 0 },
3490  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3491  "Content-Type: text/html\r\n"
3492  "Content-Length: 5\r\n"
3493  "\r\n"
3494  "ab",
3495  0, STREAM_TOCLIENT, 0 },
3496  { (const uint8_t *)"c",
3497  0, STREAM_TOCLIENT, 0 },
3498  { (const uint8_t *)"de",
3499  0, STREAM_TOCLIENT, 1 },
3500  { NULL, 0, 0, 0 },
3501  };
3502 
3503  const char *sig = "alert http any any -> any any (file_data; content:\"bcde\"; offset:1; depth:4; sid:1;)";
3504  return RunTest(steps, sig, yaml);
3505 }
3506 
3507 static int DetectEngineHttpServerBodyFileDataTest12(void)
3508 {
3509 
3510  const char yaml[] = "\
3511 %YAML 1.1\n\
3512 ---\n\
3513 libhtp:\n\
3514 \n\
3515  default-config:\n\
3516 \n\
3517  http-body-inline: yes\n\
3518  response-body-minimal-inspect-size: 6\n\
3519  response-body-inspect-window: 3\n\
3520 ";
3521 
3522  struct TestSteps steps[] = {
3523  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3524  "Host: www.openinfosecfoundation.org\r\n"
3525  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3526  "\r\n",
3527  0, STREAM_TOSERVER, 0 },
3528  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3529  "Content-Type: text/html\r\n"
3530  "Content-Length: 13\r\n"
3531  "\r\n"
3532  "a",
3533  0, STREAM_TOCLIENT, 0 },
3534  { (const uint8_t *)"b",
3535  0, STREAM_TOCLIENT, 0 },
3536  { (const uint8_t *)"c",
3537  0, STREAM_TOCLIENT, 0 },
3538  { (const uint8_t *)"d",
3539  0, STREAM_TOCLIENT, 1 },
3540  { (const uint8_t *)"efghijklm",
3541  0, STREAM_TOCLIENT, 0 },
3542  { NULL, 0, 0, 0 },
3543  };
3544 
3545  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
3546  return RunTest(steps, sig, yaml);
3547 }
3548 
3549 static int DetectEngineHttpServerBodyFileDataTest13(void)
3550 {
3551 
3552  const char yaml[] = "\
3553 %YAML 1.1\n\
3554 ---\n\
3555 libhtp:\n\
3556 \n\
3557  default-config:\n\
3558 \n\
3559  http-body-inline: yes\n\
3560  response-body-minimal-inspect-size: 9\n\
3561  response-body-inspect-window: 12\n\
3562 ";
3563 
3564  struct TestSteps steps[] = {
3565  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3566  "Host: www.openinfosecfoundation.org\r\n"
3567  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3568  "\r\n",
3569  0, STREAM_TOSERVER, 0 },
3570  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3571  "Content-Type: text/html\r\n"
3572  "Content-Length: 13\r\n"
3573  "\r\n"
3574  "a",
3575  0, STREAM_TOCLIENT, 0 },
3576  { (const uint8_t *)"b",
3577  0, STREAM_TOCLIENT, 0 },
3578  { (const uint8_t *)"c",
3579  0, STREAM_TOCLIENT, 0 },
3580  { (const uint8_t *)"d",
3581  0, STREAM_TOCLIENT, 0 },
3582  { (const uint8_t *)"efghijklm",
3583  0, STREAM_TOCLIENT, 1 },
3584  { NULL, 0, 0, 0 },
3585  };
3586 
3587  const char *sig = "alert http any any -> any any (file_data; content:\"abcdefghijklm\"; sid:1;)";
3588  return RunTest(steps, sig, yaml);
3589 }
3590 
3591 static int DetectEngineHttpServerBodyFileDataTest14(void)
3592 {
3593 
3594  const char yaml[] = "\
3595 %YAML 1.1\n\
3596 ---\n\
3597 libhtp:\n\
3598 \n\
3599  default-config:\n\
3600 \n\
3601  http-body-inline: yes\n\
3602  response-body-minimal-inspect-size: 9\n\
3603  response-body-inspect-window: 12\n\
3604 ";
3605 
3606  struct TestSteps steps[] = {
3607  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3608  "Host: www.openinfosecfoundation.org\r\n"
3609  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3610  "\r\n",
3611  0, STREAM_TOSERVER, 0 },
3612  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3613  "Content-Type: text/html\r\n"
3614  "Content-Length: 20\r\n"
3615  "\r\n"
3616  "1234567890",
3617  0, STREAM_TOCLIENT, 0 },
3618  { (const uint8_t *)"abcdefghi",
3619  0, STREAM_TOCLIENT, 1 },
3620  { NULL, 0, 0, 0 },
3621  };
3622 
3623  const char *sig = "alert http any any -> any any (file_data; content:\"890abcdefghi\"; sid:1;)";
3624  return RunTest(steps, sig, yaml);
3625 }
3626 
3627 static int DetectEngineHttpServerBodyFileDataTest15(void)
3628 {
3629 
3630  const char yaml[] = "\
3631 %YAML 1.1\n\
3632 ---\n\
3633 libhtp:\n\
3634 \n\
3635  default-config:\n\
3636 \n\
3637  http-body-inline: yes\n\
3638  response-body-minimal-inspect-size: 9\n\
3639  response-body-inspect-window: 12\n\
3640 ";
3641 
3642  struct TestSteps steps[] = {
3643  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3644  "Host: www.openinfosecfoundation.org\r\n"
3645  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3646  "\r\n",
3647  0, STREAM_TOSERVER, 0 },
3648  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3649  "Content-Type: text/html\r\n"
3650  "Content-Length: 20\r\n"
3651  "\r\n"
3652  "1234567890",
3653  0, STREAM_TOCLIENT, 0 },
3654  { (const uint8_t *)"abcdefghi",
3655  0, STREAM_TOCLIENT, 0 },
3656  { NULL, 0, 0, 0 },
3657  };
3658 
3659  const char *sig = "alert http any any -> any any (file_data; content:\"7890ab\"; depth:6; sid:1;)";
3660  return RunTest(steps, sig, yaml);
3661 }
3662 
3663 static int DetectEngineHttpServerBodyFileDataTest16(void)
3664 {
3665 
3666  const char yaml[] = "\
3667 %YAML 1.1\n\
3668 ---\n\
3669 libhtp:\n\
3670 \n\
3671  default-config:\n\
3672 \n\
3673  http-body-inline: yes\n\
3674  response-body-minimal-inspect-size: 9\n\
3675  response-body-inspect-window: 12\n\
3676 ";
3677 
3678  struct TestSteps steps[] = {
3679  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3680  "Host: www.openinfosecfoundation.org\r\n"
3681  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3682  "\r\n",
3683  0, STREAM_TOSERVER, 0 },
3684  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3685  "Content-Type: text/html\r\n"
3686  "Content-Length: 20\r\n"
3687  "\r\n"
3688  "aaaab",
3689  0, STREAM_TOCLIENT, 0 },
3690  { (const uint8_t *)"bbbbc",
3691  0, STREAM_TOCLIENT, 0 },
3692  { (const uint8_t *)"ccccd",
3693  0, STREAM_TOCLIENT, 0 },
3694  { (const uint8_t *)"dddde",
3695  0, STREAM_TOCLIENT, 0 },
3696  { NULL, 0, 0, 0 },
3697  };
3698 
3699  const char *sig = "alert http any any -> any any (file_data; content:\"aabb\"; depth:4; sid:1;)";
3700  return RunTest(steps, sig, yaml);
3701 }
3702 
3703 static int DetectEngineHttpServerBodyFileDataTest17(void)
3704 {
3705 
3706  const char yaml[] = "\
3707 %YAML 1.1\n\
3708 ---\n\
3709 libhtp:\n\
3710 \n\
3711  default-config:\n\
3712 \n\
3713  http-body-inline: yes\n\
3714  response-body-minimal-inspect-size: 8\n\
3715  response-body-inspect-window: 4\n\
3716 ";
3717 
3718  struct TestSteps steps[] = {
3719  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3720  "Host: www.openinfosecfoundation.org\r\n"
3721  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3722  "\r\n",
3723  0, STREAM_TOSERVER, 0 },
3724  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3725  "Content-Type: text/html\r\n"
3726  "Content-Length: 20\r\n"
3727  "\r\n"
3728  "aaaab",
3729  0, STREAM_TOCLIENT, 0 },
3730  { (const uint8_t *)"bbbbc",
3731  0, STREAM_TOCLIENT, 0 },
3732  { (const uint8_t *)"ccccd",
3733  0, STREAM_TOCLIENT, 0 },
3734  { (const uint8_t *)"dddde",
3735  0, STREAM_TOCLIENT, 0 },
3736  { NULL, 0, 0, 0 },
3737  };
3738 
3739  const char *sig = "alert http any any -> any any (file_data; content:\"bbbc\"; depth:4; sid:1;)";
3740  return RunTest(steps, sig, yaml);
3741 }
3742 
3743 static int DetectEngineHttpServerBodyFileDataTest18(void)
3744 {
3745 
3746  const char yaml[] = "\
3747 %YAML 1.1\n\
3748 ---\n\
3749 libhtp:\n\
3750 \n\
3751  default-config:\n\
3752 \n\
3753  http-body-inline: yes\n\
3754  response-body-minimal-inspect-size: 8\n\
3755  response-body-inspect-window: 4\n\
3756 ";
3757 
3758  struct TestSteps steps[] = {
3759  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
3760  "Host: www.openinfosecfoundation.org\r\n"
3761  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3762  "\r\n",
3763  0, STREAM_TOSERVER, 0 },
3764  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
3765  "Content-Type: text/html\r\n"
3766  "Content-Length: 20\r\n"
3767  "\r\n"
3768  "aaaab",
3769  0, STREAM_TOCLIENT, 0 },
3770  { (const uint8_t *)"bbbbc",
3771  0, STREAM_TOCLIENT, 0 },
3772  { (const uint8_t *)"ccccd",
3773  0, STREAM_TOCLIENT, 0 },
3774  { (const uint8_t *)"dddde",
3775  0, STREAM_TOCLIENT, 0 },
3776  { NULL, 0, 0, 0 },
3777  };
3778 
3779  const char *sig = "alert http any any -> any any (file_data; content:\"bccd\"; depth:4; sid:1;)";
3780  return RunTest(steps, sig, yaml);
3781 }
3782 static int DetectEngineHttpServerBodyFileDataTest19(void)
3783 {
3784  char input[] = "\
3785 %YAML 1.1\n\
3786 ---\n\
3787 libhtp:\n\
3788 \n\
3789  default-config:\n\
3790 \n\
3791  swf-decompression:\n\
3792  enabled: yes\n\
3793  type: both\n\
3794  compress-depth: 0\n\
3795  decompress-depth: 0\n\
3796 ";
3797  ConfCreateContextBackup();
3798  ConfInit();
3799  HtpConfigCreateBackup();
3800  ConfYamlLoadString(input, strlen(input));
3801  HTPConfigure();
3802  TcpSession ssn;
3803  Packet *p1 = NULL;
3804  Packet *p2 = NULL;
3805  ThreadVars th_v;
3806  DetectEngineCtx *de_ctx = NULL;
3807  DetectEngineThreadCtx *det_ctx = NULL;
3808  HtpState *http_state = NULL;
3809  Flow f;
3810  uint8_t http_buf1[] =
3811  "GET /file.swf HTTP/1.0\r\n"
3812  "Host: www.openinfosecfoundation.org\r\n"
3813  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3814  "\r\n";
3815  uint32_t http_len1 = sizeof(http_buf1) - 1;
3816  uint8_t http_buf2[] = {
3817  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
3818  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
3819  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
3820  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
3821  0x0d, 0x0a,
3822  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
3823  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
3824  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
3825  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
3826  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
3827  };
3828  uint32_t http_len2 = sizeof(http_buf2);
3829  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3830  FAIL_IF_NULL(alp_tctx);
3831 
3832  memset(&th_v, 0, sizeof(th_v));
3833  memset(&f, 0, sizeof(f));
3834  memset(&ssn, 0, sizeof(ssn));
3835 
3836  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3837  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3838 
3839  FLOW_INITIALIZE(&f);
3840  f.protoctx = (void *)&ssn;
3841  f.proto = IPPROTO_TCP;
3842  f.flags |= FLOW_IPV4;
3843 
3844  p1->flow = &f;
3845  p1->flowflags |= FLOW_PKT_TOSERVER;
3846  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3847  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3848  p2->flow = &f;
3849  p2->flowflags |= FLOW_PKT_TOCLIENT;
3850  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3851  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3852  f.alproto = ALPROTO_HTTP1;
3853 
3854  StreamTcpInitConfig(true);
3855 
3856  de_ctx = DetectEngineCtxInit();
3857  FAIL_IF_NULL(de_ctx);
3858 
3859  de_ctx->flags |= DE_QUIET;
3860 
3861  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
3862  "(flow:established,from_server; "
3863  "file_data; content:\"FWS\"; "
3864  "sid:1;)");
3865  FAIL_IF_NULL(de_ctx->sig_list);
3866 
3867  SigGroupBuild(de_ctx);
3868  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3869 
3870  int r = AppLayerParserParse(
3871  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
3872  FAIL_IF(r != 0);
3873 
3874  http_state = f.alstate;
3875  FAIL_IF_NULL(http_state);
3876 
3877  /* do detect */
3878  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3879 
3880  FAIL_IF((PacketAlertCheck(p1, 1)));
3881 
3882  r = AppLayerParserParse(
3883  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
3884  FAIL_IF(r != 0);
3885 
3886  /* do detect */
3887  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3888 
3889  FAIL_IF(!(PacketAlertCheck(p2, 1)));
3890 
3891  AppLayerParserThreadCtxFree(alp_tctx);
3892  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3893  DetectEngineCtxFree(de_ctx);
3894 
3895  HTPFreeConfig();
3896  HtpConfigRestoreBackup();
3897  ConfRestoreContextBackup();
3898 
3899  StreamTcpFreeConfig(true);
3900  FLOW_DESTROY(&f);
3901  UTHFreePackets(&p1, 1);
3902  UTHFreePackets(&p2, 1);
3903  PASS;
3904 }
3905 
3906 static int DetectEngineHttpServerBodyFileDataTest20(void)
3907 {
3908  char input[] = "\
3909 %YAML 1.1\n\
3910 ---\n\
3911 libhtp:\n\
3912 \n\
3913  default-config:\n\
3914 \n\
3915  swf-decompression:\n\
3916  enabled: no\n\
3917  type: both\n\
3918  compress-depth: 0\n\
3919  decompress-depth: 0\n\
3920 ";
3921 
3922  ConfCreateContextBackup();
3923  ConfInit();
3924  HtpConfigCreateBackup();
3925 
3926  ConfYamlLoadString(input, strlen(input));
3927  HTPConfigure();
3928 
3929  TcpSession ssn;
3930  Packet *p1 = NULL;
3931  Packet *p2 = NULL;
3932  ThreadVars th_v;
3933  DetectEngineCtx *de_ctx = NULL;
3934  DetectEngineThreadCtx *det_ctx = NULL;
3935  HtpState *http_state = NULL;
3936  Flow f;
3937  uint8_t http_buf1[] =
3938  "GET /file.swf HTTP/1.0\r\n"
3939  "Host: www.openinfosecfoundation.org\r\n"
3940  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3941  "\r\n";
3942  uint32_t http_len1 = sizeof(http_buf1) - 1;
3943  uint8_t http_buf2[] = {
3944  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
3945  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
3946  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
3947  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
3948  0x0d, 0x0a,
3949  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
3950  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
3951  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
3952  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
3953  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
3954  };
3955  uint32_t http_len2 = sizeof(http_buf2);
3956  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3957  FAIL_IF_NULL(alp_tctx);
3958 
3959  memset(&th_v, 0, sizeof(th_v));
3960  memset(&f, 0, sizeof(f));
3961  memset(&ssn, 0, sizeof(ssn));
3962 
3963  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3964  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3965 
3966  FLOW_INITIALIZE(&f);
3967  f.protoctx = (void *)&ssn;
3968  f.proto = IPPROTO_TCP;
3969  f.flags |= FLOW_IPV4;
3970 
3971  p1->flow = &f;
3972  p1->flowflags |= FLOW_PKT_TOSERVER;
3973  p1->flowflags |= FLOW_PKT_ESTABLISHED;
3974  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3975  p2->flow = &f;
3976  p2->flowflags |= FLOW_PKT_TOCLIENT;
3977  p2->flowflags |= FLOW_PKT_ESTABLISHED;
3978  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3979  f.alproto = ALPROTO_HTTP1;
3980 
3981  StreamTcpInitConfig(true);
3982 
3983  de_ctx = DetectEngineCtxInit();
3984  FAIL_IF_NULL(de_ctx);
3985 
3986  de_ctx->flags |= DE_QUIET;
3987 
3988  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
3989  "(flow:established,from_server; "
3990  "file_data; content:\"CWS\"; "
3991  "sid:1;)");
3992  FAIL_IF_NULL(de_ctx->sig_list);
3993 
3994  SigGroupBuild(de_ctx);
3995  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3996 
3997  int r = AppLayerParserParse(
3998  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
3999  FAIL_IF(r != 0);
4000 
4001  http_state = f.alstate;
4002  FAIL_IF_NULL(http_state);
4003 
4004  /* do detect */
4005  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4006 
4007  FAIL_IF((PacketAlertCheck(p1, 1)));
4008 
4009  r = AppLayerParserParse(
4010  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4011  FAIL_IF(r != 0);
4012 
4013  /* do detect */
4014  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4015 
4016  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4017 
4018  AppLayerParserThreadCtxFree(alp_tctx);
4019  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4020  DetectEngineCtxFree(de_ctx);
4021 
4022  HTPFreeConfig();
4023  HtpConfigRestoreBackup();
4024  ConfRestoreContextBackup();
4025 
4026  StreamTcpFreeConfig(true);
4027  FLOW_DESTROY(&f);
4028  UTHFreePackets(&p1, 1);
4029  UTHFreePackets(&p2, 1);
4030  PASS;
4031 }
4032 
4033 static int DetectEngineHttpServerBodyFileDataTest21(void)
4034 {
4035  char input[] = "\
4036 %YAML 1.1\n\
4037 ---\n\
4038 libhtp:\n\
4039 \n\
4040  default-config:\n\
4041 \n\
4042  swf-decompression:\n\
4043  enabled: yes\n\
4044  type: deflate\n\
4045  compress-depth: 0\n\
4046  decompress-depth: 0\n\
4047 ";
4048 
4049  ConfCreateContextBackup();
4050  ConfInit();
4051  HtpConfigCreateBackup();
4052 
4053  ConfYamlLoadString(input, strlen(input));
4054  HTPConfigure();
4055 
4056  TcpSession ssn;
4057  Packet *p1 = NULL;
4058  Packet *p2 = NULL;
4059  ThreadVars th_v;
4060  DetectEngineCtx *de_ctx = NULL;
4061  DetectEngineThreadCtx *det_ctx = NULL;
4062  HtpState *http_state = NULL;
4063  Flow f;
4064  uint8_t http_buf1[] =
4065  "GET /file.swf HTTP/1.0\r\n"
4066  "Host: www.openinfosecfoundation.org\r\n"
4067  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4068  "\r\n";
4069  uint32_t http_len1 = sizeof(http_buf1) - 1;
4070  uint8_t http_buf2[] = {
4071  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4072  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4073  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4074  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
4075  0x0d, 0x0a,
4076  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4077  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4078  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4079  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4080  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4081  };
4082  uint32_t http_len2 = sizeof(http_buf2);
4083  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4084  FAIL_IF_NULL(alp_tctx);
4085 
4086  memset(&th_v, 0, sizeof(th_v));
4087  memset(&f, 0, sizeof(f));
4088  memset(&ssn, 0, sizeof(ssn));
4089 
4090  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4091  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4092 
4093  FLOW_INITIALIZE(&f);
4094  f.protoctx = (void *)&ssn;
4095  f.proto = IPPROTO_TCP;
4096  f.flags |= FLOW_IPV4;
4097 
4098  p1->flow = &f;
4099  p1->flowflags |= FLOW_PKT_TOSERVER;
4100  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4101  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4102  p2->flow = &f;
4103  p2->flowflags |= FLOW_PKT_TOCLIENT;
4104  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4105  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4106  f.alproto = ALPROTO_HTTP1;
4107 
4108  StreamTcpInitConfig(true);
4109 
4110  de_ctx = DetectEngineCtxInit();
4111  FAIL_IF_NULL(de_ctx);
4112 
4113  de_ctx->flags |= DE_QUIET;
4114 
4115  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4116  "(flow:established,from_server; "
4117  "file_data; content:\"FWS\"; "
4118  "sid:1;)");
4119  FAIL_IF_NULL(de_ctx->sig_list);
4120 
4121  SigGroupBuild(de_ctx);
4122  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4123 
4124  int r = AppLayerParserParse(
4125  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4126  FAIL_IF(r != 0);
4127 
4128  http_state = f.alstate;
4129  FAIL_IF_NULL(http_state);
4130 
4131  /* do detect */
4132  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4133 
4134  FAIL_IF((PacketAlertCheck(p1, 1)));
4135 
4136  r = AppLayerParserParse(
4137  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4138  FAIL_IF(r != 0);
4139 
4140  /* do detect */
4141  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4142 
4143  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4144 
4145  AppLayerParserThreadCtxFree(alp_tctx);
4146  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4147  DetectEngineCtxFree(de_ctx);
4148 
4149  HTPFreeConfig();
4150  HtpConfigRestoreBackup();
4151  ConfRestoreContextBackup();
4152 
4153  StreamTcpFreeConfig(true);
4154  FLOW_DESTROY(&f);
4155  UTHFreePackets(&p1, 1);
4156  UTHFreePackets(&p2, 1);
4157  PASS;
4158 }
4159 
4160 static int DetectEngineHttpServerBodyFileDataTest22(void)
4161 {
4162  char input[] = "\
4163 %YAML 1.1\n\
4164 ---\n\
4165 libhtp:\n\
4166 \n\
4167  default-config:\n\
4168 \n\
4169  swf-decompression:\n\
4170  enabled: yes\n\
4171  type: lzma\n\
4172  compress-depth: 0\n\
4173  decompress-depth: 0\n\
4174 ";
4175 
4176  ConfCreateContextBackup();
4177  ConfInit();
4178  HtpConfigCreateBackup();
4179 
4180  ConfYamlLoadString(input, strlen(input));
4181  HTPConfigure();
4182 
4183  TcpSession ssn;
4184  Packet *p1 = NULL;
4185  Packet *p2 = NULL;
4186  ThreadVars th_v;
4187  DetectEngineCtx *de_ctx = NULL;
4188  DetectEngineThreadCtx *det_ctx = NULL;
4189  HtpState *http_state = NULL;
4190  Flow f;
4191  uint8_t http_buf1[] =
4192  "GET /file.swf HTTP/1.0\r\n"
4193  "Host: www.openinfosecfoundation.org\r\n"
4194  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4195  "\r\n";
4196  uint32_t http_len1 = sizeof(http_buf1) - 1;
4197  uint8_t http_buf2[] = {
4198  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4199  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4200  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4201  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
4202  0x0d, 0x0a,
4203  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4204  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4205  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4206  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4207  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4208  };
4209  uint32_t http_len2 = sizeof(http_buf2);
4210  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4211  FAIL_IF_NULL(alp_tctx);
4212 
4213  memset(&th_v, 0, sizeof(th_v));
4214  memset(&f, 0, sizeof(f));
4215  memset(&ssn, 0, sizeof(ssn));
4216 
4217  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4218  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4219 
4220  FLOW_INITIALIZE(&f);
4221  f.protoctx = (void *)&ssn;
4222  f.proto = IPPROTO_TCP;
4223  f.flags |= FLOW_IPV4;
4224 
4225  p1->flow = &f;
4226  p1->flowflags |= FLOW_PKT_TOSERVER;
4227  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4228  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4229  p2->flow = &f;
4230  p2->flowflags |= FLOW_PKT_TOCLIENT;
4231  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4232  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4233  f.alproto = ALPROTO_HTTP1;
4234 
4235  StreamTcpInitConfig(true);
4236 
4237  de_ctx = DetectEngineCtxInit();
4238  FAIL_IF_NULL(de_ctx);
4239 
4240  de_ctx->flags |= DE_QUIET;
4241 
4242  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4243  "(flow:established,from_server; "
4244  "file_data; content:\"CWS\"; "
4245  "sid:1;)");
4246  FAIL_IF_NULL(de_ctx->sig_list);
4247 
4248  SigGroupBuild(de_ctx);
4249  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4250 
4251  int r = AppLayerParserParse(
4252  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4253  FAIL_IF(r != 0);
4254 
4255  http_state = f.alstate;
4256  FAIL_IF_NULL(http_state);
4257 
4258  /* do detect */
4259  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4260 
4261  FAIL_IF((PacketAlertCheck(p1, 1)));
4262 
4263  r = AppLayerParserParse(
4264  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4265  FAIL_IF(r != 0);
4266 
4267  /* do detect */
4268  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4269 
4270  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4271 
4272  AppLayerParserThreadCtxFree(alp_tctx);
4273  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4274  DetectEngineCtxFree(de_ctx);
4275 
4276  HTPFreeConfig();
4277  HtpConfigRestoreBackup();
4278  ConfRestoreContextBackup();
4279 
4280  StreamTcpFreeConfig(true);
4281  FLOW_DESTROY(&f);
4282  UTHFreePackets(&p1, 1);
4283  UTHFreePackets(&p2, 1);
4284  PASS;
4285 }
4286 
4287 static int DetectEngineHttpServerBodyFileDataTest23(void)
4288 {
4289  char input[] = "\
4290 %YAML 1.1\n\
4291 ---\n\
4292 libhtp:\n\
4293 \n\
4294  default-config:\n\
4295 \n\
4296  swf-decompression:\n\
4297  enabled: yes\n\
4298  type: both\n\
4299  compress-depth: 0\n\
4300  decompress-depth: 0\n\
4301 ";
4302 
4303  ConfCreateContextBackup();
4304  ConfInit();
4305  HtpConfigCreateBackup();
4306 
4307  ConfYamlLoadString(input, strlen(input));
4308  HTPConfigure();
4309 
4310  TcpSession ssn;
4311  Packet *p1 = NULL;
4312  Packet *p2 = NULL;
4313  ThreadVars th_v;
4314  DetectEngineCtx *de_ctx = NULL;
4315  DetectEngineThreadCtx *det_ctx = NULL;
4316  HtpState *http_state = NULL;
4317  Flow f;
4318  uint8_t http_buf1[] =
4319  "GET /file.swf HTTP/1.0\r\n"
4320  "Host: www.openinfosecfoundation.org\r\n"
4321  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4322  "\r\n";
4323  uint32_t http_len1 = sizeof(http_buf1) - 1;
4324  uint8_t http_buf2[] = {
4325  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4326  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4327  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4328  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
4329  0x0d, 0x0a,
4330  0x43, 0x57, 0x53, 0x01, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
4331  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
4332  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
4333  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
4334  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
4335  };
4336  uint32_t http_len2 = sizeof(http_buf2);
4337  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4338  FAIL_IF_NULL(alp_tctx);
4339 
4340  memset(&th_v, 0, sizeof(th_v));
4341  memset(&f, 0, sizeof(f));
4342  memset(&ssn, 0, sizeof(ssn));
4343 
4344  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4345  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4346 
4347  FLOW_INITIALIZE(&f);
4348  f.protoctx = (void *)&ssn;
4349  f.proto = IPPROTO_TCP;
4350  f.flags |= FLOW_IPV4;
4351 
4352  p1->flow = &f;
4353  p1->flowflags |= FLOW_PKT_TOSERVER;
4354  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4355  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4356  p2->flow = &f;
4357  p2->flowflags |= FLOW_PKT_TOCLIENT;
4358  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4359  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4360  f.alproto = ALPROTO_HTTP1;
4361 
4362  StreamTcpInitConfig(true);
4363 
4364  de_ctx = DetectEngineCtxInit();
4365  FAIL_IF_NULL(de_ctx);
4366 
4367  de_ctx->flags |= DE_QUIET;
4368 
4369  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4370  "(flow:established,from_server; "
4371  "file_data; content:\"CWS\"; "
4372  "sid:1;)");
4373  FAIL_IF_NULL(de_ctx->sig_list);
4374 
4375  SigGroupBuild(de_ctx);
4376  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4377 
4378  int r = AppLayerParserParse(
4379  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4380  FAIL_IF(r != 0);
4381 
4382  http_state = f.alstate;
4383  FAIL_IF_NULL(http_state);
4384 
4385  /* do detect */
4386  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4387 
4388  FAIL_IF((PacketAlertCheck(p1, 1)));
4389 
4390  r = AppLayerParserParse(
4391  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4392  FAIL_IF(r != 0);
4393 
4394  /* do detect */
4395  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4396 
4397  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4398 
4399  AppLayerParserThreadCtxFree(alp_tctx);
4400  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4401  DetectEngineCtxFree(de_ctx);
4402 
4403  HTPFreeConfig();
4404  HtpConfigRestoreBackup();
4405  ConfRestoreContextBackup();
4406 
4407  StreamTcpFreeConfig(true);
4408  FLOW_DESTROY(&f);
4409  UTHFreePackets(&p1, 1);
4410  UTHFreePackets(&p2, 1);
4411  PASS;
4412 }
4413 
4414 static int DetectEngineHttpServerBodyFileDataTest24(void)
4415 {
4416  char input[] = "\
4417 %YAML 1.1\n\
4418 ---\n\
4419 libhtp:\n\
4420 \n\
4421  default-config:\n\
4422 \n\
4423  swf-decompression:\n\
4424  enabled: yes\n\
4425  type: both\n\
4426  compress-depth: 0\n\
4427  decompress-depth: 0\n\
4428 ";
4429 
4430  ConfCreateContextBackup();
4431  ConfInit();
4432  HtpConfigCreateBackup();
4433 
4434  ConfYamlLoadString(input, strlen(input));
4435  HTPConfigure();
4436 
4437  TcpSession ssn;
4438  Packet *p1 = NULL;
4439  Packet *p2 = NULL;
4440  ThreadVars th_v;
4441  DetectEngineCtx *de_ctx = NULL;
4442  DetectEngineThreadCtx *det_ctx = NULL;
4443  HtpState *http_state = NULL;
4444  Flow f;
4445  uint8_t http_buf1[] =
4446  "GET /file.swf HTTP/1.0\r\n"
4447  "Host: www.openinfosecfoundation.org\r\n"
4448  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4449  "\r\n";
4450  uint32_t http_len1 = sizeof(http_buf1) - 1;
4451  uint8_t http_buf2[] = {
4452  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4453  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
4454  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4455  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4456  0x0d, 0x0a,
4457  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4458  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4459  0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
4460  0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
4461  0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
4462  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
4463  0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4464  };
4465  uint32_t http_len2 = sizeof(http_buf2);
4466  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4467  FAIL_IF_NULL(alp_tctx);
4468 
4469  memset(&th_v, 0, sizeof(th_v));
4470  memset(&f, 0, sizeof(f));
4471  memset(&ssn, 0, sizeof(ssn));
4472 
4473  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4474  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4475 
4476  FLOW_INITIALIZE(&f);
4477  f.protoctx = (void *)&ssn;
4478  f.proto = IPPROTO_TCP;
4479  f.flags |= FLOW_IPV4;
4480 
4481  p1->flow = &f;
4482  p1->flowflags |= FLOW_PKT_TOSERVER;
4483  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4484  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4485  p2->flow = &f;
4486  p2->flowflags |= FLOW_PKT_TOCLIENT;
4487  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4488  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4489  f.alproto = ALPROTO_HTTP1;
4490 
4491  StreamTcpInitConfig(true);
4492 
4493  de_ctx = DetectEngineCtxInit();
4494  FAIL_IF_NULL(de_ctx);
4495 
4496 
4497  de_ctx->flags |= DE_QUIET;
4498 
4499  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4500  "(flow:established,from_server; "
4501  "file_data; content:\"FWS\"; "
4502  "sid:1;)");
4503  FAIL_IF_NULL(de_ctx->sig_list);
4504 
4505  SigGroupBuild(de_ctx);
4506  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4507 
4508  int r = AppLayerParserParse(
4509  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4510  FAIL_IF(r != 0);
4511 
4512  http_state = f.alstate;
4513  FAIL_IF_NULL(http_state);
4514 
4515  /* do detect */
4516  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4517 
4518  FAIL_IF((PacketAlertCheck(p1, 1)));
4519 
4520  r = AppLayerParserParse(
4521  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4522  FAIL_IF(r != 0);
4523 
4524  /* do detect */
4525  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4526 
4527  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4528 
4529  AppLayerParserThreadCtxFree(alp_tctx);
4530  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4531  DetectEngineCtxFree(de_ctx);
4532 
4533  HTPFreeConfig();
4534  HtpConfigRestoreBackup();
4535  ConfRestoreContextBackup();
4536 
4537  StreamTcpFreeConfig(true);
4538  FLOW_DESTROY(&f);
4539  UTHFreePackets(&p1, 1);
4540  UTHFreePackets(&p2, 1);
4541  PASS;
4542 }
4543 
4544 static int DetectEngineHttpServerBodyFileDataTest25(void)
4545 {
4546  char input[] = "\
4547 %YAML 1.1\n\
4548 ---\n\
4549 libhtp:\n\
4550 \n\
4551  default-config:\n\
4552 \n\
4553  swf-decompression:\n\
4554  enabled: no\n\
4555  type: both\n\
4556  compress-depth: 0\n\
4557  decompress-depth: 0\n\
4558 ";
4559 
4560  ConfCreateContextBackup();
4561  ConfInit();
4562  HtpConfigCreateBackup();
4563 
4564  ConfYamlLoadString(input, strlen(input));
4565  HTPConfigure();
4566 
4567  TcpSession ssn;
4568  Packet *p1 = NULL;
4569  Packet *p2 = NULL;
4570  ThreadVars th_v;
4571  DetectEngineCtx *de_ctx = NULL;
4572  DetectEngineThreadCtx *det_ctx = NULL;
4573  HtpState *http_state = NULL;
4574  Flow f;
4575  uint8_t http_buf1[] =
4576  "GET /file.swf HTTP/1.0\r\n"
4577  "Host: www.openinfosecfoundation.org\r\n"
4578  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4579  "\r\n";
4580  uint32_t http_len1 = sizeof(http_buf1) - 1;
4581  uint8_t http_buf2[] = {
4582  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4583  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
4584  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4585  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4586  0x0d, 0x0a,
4587  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19,
4588  0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05,
4589  0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2,
4590  0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0, 0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59,
4591  0x56, 0x06, 0x08, 0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4592  };
4593  uint32_t http_len2 = sizeof(http_buf2);
4594  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4595  FAIL_IF_NULL(alp_tctx);
4596 
4597  memset(&th_v, 0, sizeof(th_v));
4598  memset(&f, 0, sizeof(f));
4599  memset(&ssn, 0, sizeof(ssn));
4600 
4601  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4602  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4603 
4604  FLOW_INITIALIZE(&f);
4605  f.protoctx = (void *)&ssn;
4606  f.proto = IPPROTO_TCP;
4607  f.flags |= FLOW_IPV4;
4608 
4609  p1->flow = &f;
4610  p1->flowflags |= FLOW_PKT_TOSERVER;
4611  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4612  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4613  p2->flow = &f;
4614  p2->flowflags |= FLOW_PKT_TOCLIENT;
4615  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4616  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4617  f.alproto = ALPROTO_HTTP1;
4618 
4619  StreamTcpInitConfig(true);
4620 
4621  de_ctx = DetectEngineCtxInit();
4622  FAIL_IF_NULL(de_ctx);
4623 
4624  de_ctx->flags |= DE_QUIET;
4625 
4626  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4627  "(flow:established,from_server; "
4628  "file_data; content:\"ZWS\"; "
4629  "sid:1;)");
4630  FAIL_IF_NULL(de_ctx->sig_list);
4631 
4632  SigGroupBuild(de_ctx);
4633  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4634 
4635  int r = AppLayerParserParse(
4636  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4637  FAIL_IF(r != 0);
4638 
4639  http_state = f.alstate;
4640  FAIL_IF_NULL(http_state);
4641 
4642  /* do detect */
4643  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4644 
4645  FAIL_IF((PacketAlertCheck(p1, 1)));
4646 
4647  r = AppLayerParserParse(
4648  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4649  FAIL_IF(r != 0);
4650 
4651  /* do detect */
4652  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4653 
4654  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4655 
4656  AppLayerParserThreadCtxFree(alp_tctx);
4657  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4658  DetectEngineCtxFree(de_ctx);
4659 
4660  HTPFreeConfig();
4661  HtpConfigRestoreBackup();
4662  ConfRestoreContextBackup();
4663 
4664  StreamTcpFreeConfig(true);
4665  FLOW_DESTROY(&f);
4666  UTHFreePackets(&p1, 1);
4667  UTHFreePackets(&p2, 1);
4668  PASS;
4669 }
4670 
4671 static int DetectEngineHttpServerBodyFileDataTest26(void)
4672 {
4673  char input[] = "\
4674 %YAML 1.1\n\
4675 ---\n\
4676 libhtp:\n\
4677 \n\
4678  default-config:\n\
4679 \n\
4680  swf-decompression:\n\
4681  enabled: yes\n\
4682  type: lzma\n\
4683  compress-depth: 0\n\
4684  decompress-depth: 0\n\
4685 ";
4686 
4687  ConfCreateContextBackup();
4688  ConfInit();
4689  HtpConfigCreateBackup();
4690 
4691  ConfYamlLoadString(input, strlen(input));
4692  HTPConfigure();
4693 
4694  TcpSession ssn;
4695  Packet *p1 = NULL;
4696  Packet *p2 = NULL;
4697  ThreadVars th_v;
4698  DetectEngineCtx *de_ctx = NULL;
4699  DetectEngineThreadCtx *det_ctx = NULL;
4700  HtpState *http_state = NULL;
4701  Flow f;
4702  uint8_t http_buf1[] =
4703  "GET /file.swf HTTP/1.0\r\n"
4704  "Host: www.openinfosecfoundation.org\r\n"
4705  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4706  "\r\n";
4707  uint32_t http_len1 = sizeof(http_buf1) - 1;
4708  uint8_t http_buf2[] = {
4709  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4710  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
4711  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4712  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4713  0x0d, 0x0a,
4714  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4715  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4716  0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
4717  0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
4718  0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
4719  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
4720  0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
4721  };
4722  uint32_t http_len2 = sizeof(http_buf2);
4723  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4724  FAIL_IF_NULL(alp_tctx);
4725 
4726  memset(&th_v, 0, sizeof(th_v));
4727  memset(&f, 0, sizeof(f));
4728  memset(&ssn, 0, sizeof(ssn));
4729 
4730  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4731  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4732 
4733  FLOW_INITIALIZE(&f);
4734  f.protoctx = (void *)&ssn;
4735  f.proto = IPPROTO_TCP;
4736  f.flags |= FLOW_IPV4;
4737 
4738  p1->flow = &f;
4739  p1->flowflags |= FLOW_PKT_TOSERVER;
4740  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4741  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4742  p2->flow = &f;
4743  p2->flowflags |= FLOW_PKT_TOCLIENT;
4744  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4745  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4746  f.alproto = ALPROTO_HTTP1;
4747 
4748  StreamTcpInitConfig(true);
4749 
4750  de_ctx = DetectEngineCtxInit();
4751  FAIL_IF_NULL(de_ctx);
4752 
4753  de_ctx->flags |= DE_QUIET;
4754 
4755  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4756  "(flow:established,from_server; "
4757  "file_data; content:\"FWS\"; "
4758  "sid:1;)");
4759  FAIL_IF_NULL(de_ctx->sig_list);
4760 
4761  SigGroupBuild(de_ctx);
4762  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4763 
4764  int r = AppLayerParserParse(
4765  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4766  FAIL_IF(r != 0);
4767 
4768  http_state = f.alstate;
4769  FAIL_IF_NULL(http_state);
4770 
4771  /* do detect */
4772  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4773 
4774  FAIL_IF((PacketAlertCheck(p1, 1)));
4775 
4776  r = AppLayerParserParse(
4777  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4778  FAIL_IF(r != 0);
4779 
4780  /* do detect */
4781  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4782 
4783  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4784 
4785  AppLayerParserThreadCtxFree(alp_tctx);
4786  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4787  DetectEngineCtxFree(de_ctx);
4788 
4789  HTPFreeConfig();
4790  HtpConfigRestoreBackup();
4791  ConfRestoreContextBackup();
4792 
4793  StreamTcpFreeConfig(true);
4794  FLOW_DESTROY(&f);
4795  UTHFreePackets(&p1, 1);
4796  UTHFreePackets(&p2, 1);
4797  PASS;
4798 }
4799 
4800 static int DetectEngineHttpServerBodyFileDataTest27(void)
4801 {
4802  char input[] = "\
4803 %YAML 1.1\n\
4804 ---\n\
4805 libhtp:\n\
4806 \n\
4807  default-config:\n\
4808 \n\
4809  swf-decompression:\n\
4810  enabled: yes\n\
4811  type: deflate\n\
4812  compress-depth: 0\n\
4813  decompress-depth: 0\n\
4814 ";
4815 
4816  ConfCreateContextBackup();
4817  ConfInit();
4818  HtpConfigCreateBackup();
4819 
4820  ConfYamlLoadString(input, strlen(input));
4821  HTPConfigure();
4822 
4823  TcpSession ssn;
4824  Packet *p1 = NULL;
4825  Packet *p2 = NULL;
4826  ThreadVars th_v;
4827  DetectEngineCtx *de_ctx = NULL;
4828  DetectEngineThreadCtx *det_ctx = NULL;
4829  HtpState *http_state = NULL;
4830  Flow f;
4831  uint8_t http_buf1[] =
4832  "GET /file.swf HTTP/1.0\r\n"
4833  "Host: www.openinfosecfoundation.org\r\n"
4834  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4835  "\r\n";
4836  uint32_t http_len1 = sizeof(http_buf1) - 1;
4837  uint8_t http_buf2[] = {
4838  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4839  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4840  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4841  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4842  0x0d, 0x0a,
4843  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4844  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4845  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
4846  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
4847  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
4848  };
4849  uint32_t http_len2 = sizeof(http_buf2);
4850  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4851  FAIL_IF_NULL(alp_tctx);
4852 
4853  memset(&th_v, 0, sizeof(th_v));
4854  memset(&f, 0, sizeof(f));
4855  memset(&ssn, 0, sizeof(ssn));
4856 
4857  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4858  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4859 
4860  FLOW_INITIALIZE(&f);
4861  f.protoctx = (void *)&ssn;
4862  f.proto = IPPROTO_TCP;
4863  f.flags |= FLOW_IPV4;
4864 
4865  p1->flow = &f;
4866  p1->flowflags |= FLOW_PKT_TOSERVER;
4867  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4868  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4869  p2->flow = &f;
4870  p2->flowflags |= FLOW_PKT_TOCLIENT;
4871  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4872  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4873  f.alproto = ALPROTO_HTTP1;
4874 
4875  StreamTcpInitConfig(true);
4876 
4877  de_ctx = DetectEngineCtxInit();
4878  FAIL_IF_NULL(de_ctx);
4879 
4880  de_ctx->flags |= DE_QUIET;
4881 
4882  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
4883  "(flow:established,from_server; "
4884  "file_data; content:\"ZWS\"; "
4885  "sid:1;)");
4886  FAIL_IF_NULL(de_ctx->sig_list);
4887 
4888  SigGroupBuild(de_ctx);
4889  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4890 
4891  int r = AppLayerParserParse(
4892  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
4893  FAIL_IF(r != 0);
4894 
4895  http_state = f.alstate;
4896  FAIL_IF_NULL(http_state);
4897 
4898  /* do detect */
4899  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4900 
4901  FAIL_IF((PacketAlertCheck(p1, 1)));
4902 
4903  r = AppLayerParserParse(
4904  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
4905  FAIL_IF(r != 0);
4906 
4907  /* do detect */
4908  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4909 
4910  FAIL_IF(!(PacketAlertCheck(p2, 1)));
4911 
4912  AppLayerParserThreadCtxFree(alp_tctx);
4913  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4914  DetectEngineCtxFree(de_ctx);
4915 
4916  HTPFreeConfig();
4917  HtpConfigRestoreBackup();
4918  ConfRestoreContextBackup();
4919 
4920  StreamTcpFreeConfig(true);
4921  FLOW_DESTROY(&f);
4922  UTHFreePackets(&p1, 1);
4923  UTHFreePackets(&p2, 1);
4924  PASS;
4925 }
4926 
4927 static int DetectEngineHttpServerBodyFileDataTest28(void)
4928 {
4929  char input[] = "\
4930 %YAML 1.1\n\
4931 ---\n\
4932 libhtp:\n\
4933 \n\
4934  default-config:\n\
4935 \n\
4936  swf-decompression:\n\
4937  enabled: yes\n\
4938  type: both\n\
4939  compress-depth: 0\n\
4940  decompress-depth: 0\n\
4941 ";
4942 
4943  ConfCreateContextBackup();
4944  ConfInit();
4945  HtpConfigCreateBackup();
4946 
4947  ConfYamlLoadString(input, strlen(input));
4948  HTPConfigure();
4949 
4950  TcpSession ssn;
4951  Packet *p1 = NULL;
4952  Packet *p2 = NULL;
4953  ThreadVars th_v;
4954  DetectEngineCtx *de_ctx = NULL;
4955  DetectEngineThreadCtx *det_ctx = NULL;
4956  HtpState *http_state = NULL;
4957  Flow f;
4958  uint8_t http_buf1[] =
4959  "GET /file.swf HTTP/1.0\r\n"
4960  "Host: www.openinfosecfoundation.org\r\n"
4961  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4962  "\r\n";
4963  uint32_t http_len1 = sizeof(http_buf1) - 1;
4964  uint8_t http_buf2[] = {
4965  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
4966  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
4967  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
4968  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
4969  0x0d, 0x0a,
4970  0x5a, 0x57, 0x53, 0x01, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
4971  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
4972  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
4973  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
4974  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
4975  };
4976  uint32_t http_len2 = sizeof(http_buf2);
4977  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4978  FAIL_IF_NULL(alp_tctx);
4979 
4980  memset(&th_v, 0, sizeof(th_v));
4981  memset(&f, 0, sizeof(f));
4982  memset(&ssn, 0, sizeof(ssn));
4983 
4984  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4985  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4986 
4987  FLOW_INITIALIZE(&f);
4988  f.protoctx = (void *)&ssn;
4989  f.proto = IPPROTO_TCP;
4990  f.flags |= FLOW_IPV4;
4991 
4992  p1->flow = &f;
4993  p1->flowflags |= FLOW_PKT_TOSERVER;
4994  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4995  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4996  p2->flow = &f;
4997  p2->flowflags |= FLOW_PKT_TOCLIENT;
4998  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4999  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5000  f.alproto = ALPROTO_HTTP1;
5001 
5002  StreamTcpInitConfig(true);
5003 
5004  de_ctx = DetectEngineCtxInit();
5005  FAIL_IF_NULL(de_ctx);
5006 
5007  de_ctx->flags |= DE_QUIET;
5008 
5009  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
5010  "(flow:established,from_server; "
5011  "file_data; content:\"ZWS\"; "
5012  "sid:1;)");
5013  FAIL_IF_NULL(de_ctx->sig_list);
5014 
5015  SigGroupBuild(de_ctx);
5016  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5017 
5018  int r = AppLayerParserParse(
5019  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
5020  FAIL_IF(r != 0);
5021 
5022  http_state = f.alstate;
5023  FAIL_IF_NULL(http_state);
5024 
5025  /* do detect */
5026  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5027 
5028  FAIL_IF((PacketAlertCheck(p1, 1)));
5029 
5030  r = AppLayerParserParse(
5031  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
5032  FAIL_IF(r != 0);
5033 
5034  /* do detect */
5035  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5036 
5037  FAIL_IF(!(PacketAlertCheck(p2, 1)));
5038 
5039  AppLayerParserThreadCtxFree(alp_tctx);
5040  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5041  DetectEngineCtxFree(de_ctx);
5042 
5043  HTPFreeConfig();
5044  HtpConfigRestoreBackup();
5045  ConfRestoreContextBackup();
5046 
5047  StreamTcpFreeConfig(true);
5048  FLOW_DESTROY(&f);
5049  UTHFreePackets(&p1, 1);
5050  UTHFreePackets(&p2, 1);
5051  PASS;
5052 }
5053 
5054 static int DetectEngineHttpServerBodyFileDataTest29(void)
5055 {
5056  char input[] = "\
5057 %YAML 1.1\n\
5058 ---\n\
5059 libhtp:\n\
5060 \n\
5061  default-config:\n\
5062 \n\
5063  swf-decompression:\n\
5064  enabled: yes\n\
5065  type: both\n\
5066  compress-depth: 1000\n\
5067  decompress-depth: 0\n\
5068 ";
5069 
5070  ConfCreateContextBackup();
5071  ConfInit();
5072  HtpConfigCreateBackup();
5073  ConfYamlLoadString(input, strlen(input));
5074  HTPConfigure();
5075 
5076  TcpSession ssn;
5077  Packet *p1 = NULL;
5078  Packet *p2 = NULL;
5079  ThreadVars th_v;
5080  DetectEngineCtx *de_ctx = NULL;
5081  DetectEngineThreadCtx *det_ctx = NULL;
5082  HtpState *http_state = NULL;
5083  Flow f;
5084  uint8_t http_buf1[] =
5085  "GET /file.swf HTTP/1.0\r\n"
5086  "Host: www.openinfosecfoundation.org\r\n"
5087  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5088  "\r\n";
5089  uint32_t http_len1 = sizeof(http_buf1) - 1;
5090  uint8_t http_buf2[] = {
5091  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
5092  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
5093  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
5094  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
5095  0x0d, 0x0a,
5096  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
5097  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
5098  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
5099  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
5100  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
5101  };
5102  uint32_t http_len2 = sizeof(http_buf2);
5103  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5104  FAIL_IF_NULL(alp_tctx);
5105 
5106  memset(&th_v, 0, sizeof(th_v));
5107  memset(&f, 0, sizeof(f));
5108  memset(&ssn, 0, sizeof(ssn));
5109 
5110  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5111  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5112 
5113  FLOW_INITIALIZE(&f);
5114  f.protoctx = (void *)&ssn;
5115  f.proto = IPPROTO_TCP;
5116  f.flags |= FLOW_IPV4;
5117 
5118  p1->flow = &f;
5119  p1->flowflags |= FLOW_PKT_TOSERVER;
5120  p1->flowflags |= FLOW_PKT_ESTABLISHED;
5121  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5122  p2->flow = &f;
5123  p2->flowflags |= FLOW_PKT_TOCLIENT;
5124  p2->flowflags |= FLOW_PKT_ESTABLISHED;
5125  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5126  f.alproto = ALPROTO_HTTP1;
5127 
5128  StreamTcpInitConfig(true);
5129 
5130  de_ctx = DetectEngineCtxInit();
5131  FAIL_IF_NULL(de_ctx);
5132 
5133  de_ctx->flags |= DE_QUIET;
5134 
5135  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
5136  "(flow:established,from_server; "
5137  "file_data; content:\"FWS\"; "
5138  "sid:1;)");
5139  FAIL_IF_NULL(de_ctx->sig_list);
5140 
5141  SigGroupBuild(de_ctx);
5142  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5143 
5144  int r = AppLayerParserParse(
5145  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
5146  FAIL_IF(r != 0);
5147 
5148  http_state = f.alstate;
5149  FAIL_IF_NULL(http_state);
5150 
5151  /* do detect */
5152  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5153 
5154  FAIL_IF((PacketAlertCheck(p1, 1)));
5155 
5156  r = AppLayerParserParse(
5157  &th_v, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
5158  FAIL_IF(r != 0);
5159 
5160  /* do detect */
5161  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5162 
5163  FAIL_IF(!(PacketAlertCheck(p2, 1)));
5164 
5165  AppLayerParserThreadCtxFree(alp_tctx);
5166  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5167  DetectEngineCtxFree(de_ctx);
5168 
5169  HTPFreeConfig();
5170  HtpConfigRestoreBackup();
5171  ConfRestoreContextBackup();
5172 
5173  StreamTcpFreeConfig(true);
5174  FLOW_DESTROY(&f);
5175  UTHFreePackets(&p1, 1);
5176  UTHFreePackets(&p2, 1);
5177  PASS;
5178 }
5179 
5180 /**
5181  *\test Test that the http_server_body content matches against a http request
5182  * which holds the content.
5183  */
5184 static int DetectHttpServerBodyTest06(void)
5185 {
5186  TcpSession ssn;
5187  Packet *p = NULL;
5188  ThreadVars th_v;
5189  DetectEngineCtx *de_ctx = NULL;
5190  DetectEngineThreadCtx *det_ctx = NULL;
5191  HtpState *http_state = NULL;
5192  Flow f;
5193  uint8_t http_buf[] =
5194  "GET /index.html HTTP/1.0\r\n"
5195  "Host: www.openinfosecfoundation.org\r\n"
5196  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5197  "\r\n";
5198  uint32_t http_len = sizeof(http_buf) - 1;
5199  uint8_t http_buf2[] =
5200  "HTTP/1.0 200 ok\r\n"
5201  "Content-Type: text/html\r\n"
5202  "Content-Length: 7\r\n"
5203  "\r\n"
5204  "message";
5205  uint32_t http_len2 = sizeof(http_buf2) - 1;
5206  int result = 0;
5207  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5208 
5209  memset(&th_v, 0, sizeof(th_v));
5210  memset(&f, 0, sizeof(f));
5211  memset(&ssn, 0, sizeof(ssn));
5212 
5213  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5214 
5215  FLOW_INITIALIZE(&f);
5216  f.protoctx = (void *)&ssn;
5217  f.proto = IPPROTO_TCP;
5218  f.flags |= FLOW_IPV4;
5219 
5220  p->flow = &f;
5221  p->flowflags |= FLOW_PKT_TOCLIENT;
5222  p->flowflags |= FLOW_PKT_ESTABLISHED;
5223  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5224  f.alproto = ALPROTO_HTTP1;
5225 
5226  StreamTcpInitConfig(true);
5227 
5228  de_ctx = DetectEngineCtxInit();
5229  if (de_ctx == NULL)
5230  goto end;
5231 
5232  de_ctx->flags |= DE_QUIET;
5233 
5234  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5235  "(msg:\"http server body test\"; "
5236  "content:\"message\"; http_server_body; "
5237  "sid:1;)");
5238  if (de_ctx->sig_list == NULL)
5239  goto end;
5240 
5241  SigGroupBuild(de_ctx);
5242  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5243 
5244  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1,
5245  STREAM_TOSERVER | STREAM_START | STREAM_EOF, http_buf, http_len);
5246  if (r != 0) {
5247  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5248  result = 0;
5249  goto end;
5250  }
5251  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1,
5252  STREAM_TOCLIENT | STREAM_START | STREAM_EOF, http_buf2, http_len2);
5253  if (r != 0) {
5254  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5255  result = 0;
5256  goto end;
5257  }
5258 
5259  http_state = f.alstate;
5260  if (http_state == NULL) {
5261  printf("no http state: \n");
5262  result = 0;
5263  goto end;
5264  }
5265 
5266  /* do detect */
5267  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5268 
5269  if (!(PacketAlertCheck(p, 1))) {
5270  printf("sid 1 didn't match but should have: ");
5271  goto end;
5272  }
5273 
5274  result = 1;
5275 end:
5276  if (alp_tctx != NULL)
5277  AppLayerParserThreadCtxFree(alp_tctx);
5278  if (de_ctx != NULL)
5279  DetectEngineCtxFree(de_ctx);
5280 
5281  StreamTcpFreeConfig(true);
5282  FLOW_DESTROY(&f);
5283  UTHFreePackets(&p, 1);
5284  return result;
5285 }
5286 
5287 /**
5288  *\test Test that the http_server_body content matches against a http request
5289  * which holds the content.
5290  */
5291 static int DetectHttpServerBodyTest07(void)
5292 {
5293  TcpSession ssn;
5294  Packet *p1 = NULL;
5295  Packet *p2 = NULL;
5296  ThreadVars th_v;
5297  DetectEngineCtx *de_ctx = NULL;
5298  DetectEngineThreadCtx *det_ctx = NULL;
5299  HtpState *http_state = NULL;
5300  Flow f;
5301  uint8_t http_buf1[] =
5302  "GET /index.html HTTP/1.0\r\n"
5303  "Host: www.openinfosecfoundation.org\r\n"
5304  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5305  "\r\n";
5306  uint32_t http_len1 = sizeof(http_buf1) - 1;
5307  uint8_t http_buf2[] =
5308  "HTTP/1.0 200 ok\r\n"
5309  "Content-Type: text/html\r\n"
5310  "Content-Length: 14\r\n"
5311  "\r\n";
5312  uint32_t http_len2 = sizeof(http_buf2) - 1;
5313  uint8_t http_buf3[] =
5314  "message";
5315  uint32_t http_len3 = sizeof(http_buf3) - 1;
5316  int result = 0;
5317  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5318 
5319  memset(&th_v, 0, sizeof(th_v));
5320  memset(&f, 0, sizeof(f));
5321  memset(&ssn, 0, sizeof(ssn));
5322 
5323  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5324  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5325 
5326  FLOW_INITIALIZE(&f);
5327  f.protoctx = (void *)&ssn;
5328  f.proto = IPPROTO_TCP;
5329  f.flags |= FLOW_IPV4;
5330 
5331  p1->flow = &f;
5332  p1->flowflags |= FLOW_PKT_TOCLIENT;
5333  p1->flowflags |= FLOW_PKT_ESTABLISHED;
5334  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5335 
5336  p2->flow = &f;
5337  p2->flowflags |= FLOW_PKT_TOCLIENT;
5338  p2->flowflags |= FLOW_PKT_ESTABLISHED;
5339  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5340  f.alproto = ALPROTO_HTTP1;
5341 
5342  StreamTcpInitConfig(true);
5343 
5344  de_ctx = DetectEngineCtxInit();
5345  if (de_ctx == NULL)
5346  goto end;
5347 
5348  de_ctx->flags |= DE_QUIET;
5349 
5350  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5351  "(msg:\"http server body test\"; "
5352  "content:\"message\"; http_server_body; "
5353  "sid:1;)");
5354  if (de_ctx->sig_list == NULL)
5355  goto end;
5356 
5357  SigGroupBuild(de_ctx);
5358  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5359 
5360  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
5361  http_buf1, http_len1);
5362  if (r != 0) {
5363  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5364  goto end;
5365  }
5366 
5367  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
5368  http_buf2, http_len2);
5369  if (r != 0) {
5370  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
5371  goto end;
5372  }
5373 
5374  http_state = f.alstate;
5375  if (http_state == NULL) {
5376  printf("no http state: ");
5377  goto end;
5378  }
5379 
5380  /* do detect */
5381  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5382 
5383  if ((PacketAlertCheck(p1, 1))) {
5384  printf("sid 1 matched on chunk2 but shouldn't have: ");
5385  goto end;
5386  }
5387 
5388  r = AppLayerParserParse(
5389  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf3, http_len3);
5390  if (r != 0) {
5391  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
5392  goto end;
5393  }
5394 
5395  /* do detect */
5396  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5397  if (!(PacketAlertCheck(p2, 1))) {
5398  printf("sid 1 didn't match on p2 (chunk3) but should have: ");
5399  goto end;
5400  }
5401 
5402  result = 1;
5403 end:
5404  if (alp_tctx != NULL)
5405  AppLayerParserThreadCtxFree(alp_tctx);
5406  if (de_ctx != NULL)
5407  DetectEngineCtxFree(de_ctx);
5408 
5409  StreamTcpFreeConfig(true);
5410  FLOW_DESTROY(&f);
5411  UTHFreePackets(&p1, 1);
5412  UTHFreePackets(&p2, 1);
5413  return result;
5414 }
5415 
5416 /**
5417  *\test Test that the http_server_body content matches against a http request
5418  * which holds the content.
5419  */
5420 static int DetectHttpServerBodyTest08(void)
5421 {
5422  TcpSession ssn;
5423  Packet *p1 = NULL;
5424  Packet *p2 = NULL;
5425  ThreadVars th_v;
5426  DetectEngineCtx *de_ctx = NULL;
5427  DetectEngineThreadCtx *det_ctx = NULL;
5428  HtpState *http_state = NULL;
5429  Flow f;
5430  uint8_t http_buf1[] =
5431  "GET /index.html HTTP/1.0\r\n"
5432  "Host: www.openinfosecfoundation.org\r\n"
5433  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5434  "\r\n";
5435  uint32_t http_len1 = sizeof(http_buf1) - 1;
5436  uint8_t http_buf2[] =
5437  "HTTP/1.0 200 ok\r\n"
5438  "Content-Type: text/html\r\n"
5439  "Content-Length: 14\r\n"
5440  "\r\n"
5441  "bigmes";
5442  uint32_t http_len2 = sizeof(http_buf2) - 1;
5443  uint8_t http_buf3[] =
5444  "sage4u!!";
5445  uint32_t http_len3 = sizeof(http_buf3) - 1;
5446  int result = 0;
5447  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5448 
5449  memset(&th_v, 0, sizeof(th_v));
5450  memset(&f, 0, sizeof(f));
5451  memset(&ssn, 0, sizeof(ssn));
5452 
5453  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5454  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5455 
5456  FLOW_INITIALIZE(&f);
5457  f.protoctx = (void *)&ssn;
5458  f.proto = IPPROTO_TCP;
5459  f.flags |= FLOW_IPV4;
5460 
5461  p1->flow = &f;
5462  p1->flowflags |= FLOW_PKT_TOCLIENT;
5463  p1->flowflags |= FLOW_PKT_ESTABLISHED;
5464  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5465  p2->flow = &f;
5466  p2->flowflags |= FLOW_PKT_TOCLIENT;
5467  p2->flowflags |= FLOW_PKT_ESTABLISHED;
5468  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5469  f.alproto = ALPROTO_HTTP1;
5470 
5471  StreamTcpInitConfig(true);
5472 
5473  de_ctx = DetectEngineCtxInit();
5474  if (de_ctx == NULL)
5475  goto end;
5476 
5477  de_ctx->flags |= DE_QUIET;
5478 
5479  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5480  "(msg:\"http client body test\"; "
5481  "content:\"message\"; http_server_body; "
5482  "sid:1;)");
5483  if (de_ctx->sig_list == NULL)
5484  goto end;
5485 
5486  SigGroupBuild(de_ctx);
5487  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5488 
5489  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
5490  http_buf1, http_len1);
5491  if (r != 0) {
5492  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5493  result = 0;
5494  goto end;
5495  }
5496 
5497  http_state = f.alstate;
5498  if (http_state == NULL) {
5499  printf("no http state: ");
5500  result = 0;
5501  goto end;
5502  }
5503 
5504  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
5505  http_buf2, http_len2);
5506  if (r != 0) {
5507  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5508  result = 0;
5509  goto end;
5510  }
5511 
5512  /* do detect */
5513  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5514 
5515  if ((PacketAlertCheck(p1, 1))) {
5516  printf("sid 1 matched but shouldn't have: ");
5517  goto end;
5518  }
5519 
5520  r = AppLayerParserParse(
5521  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf3, http_len3);
5522  if (r != 0) {
5523  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5524  result = 0;
5525  goto end;
5526  }
5527 
5528  /* do detect */
5529  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5530 
5531  if (!(PacketAlertCheck(p2, 1))) {
5532  printf("sid 1 didn't match but should have: ");
5533  goto end;
5534  }
5535 
5536  result = 1;
5537 end:
5538  if (alp_tctx != NULL)
5539  AppLayerParserThreadCtxFree(alp_tctx);
5540  if (de_ctx != NULL)
5541  DetectEngineCtxFree(de_ctx);
5542 
5543  StreamTcpFreeConfig(true);
5544  FLOW_DESTROY(&f);
5545  UTHFreePackets(&p1, 1);
5546  UTHFreePackets(&p2, 1);
5547  return result;
5548 }
5549 
5550 /**
5551  *\test Test that the http_server_body content matches against a http request
5552  * which holds the content.
5553  */
5554 static int DetectHttpServerBodyTest09(void)
5555 {
5556  TcpSession ssn;
5557  Packet *p1 = NULL;
5558  Packet *p2 = NULL;
5559  ThreadVars th_v;
5560  DetectEngineCtx *de_ctx = NULL;
5561  DetectEngineThreadCtx *det_ctx = NULL;
5562  HtpState *http_state = NULL;
5563  Flow f;
5564  uint8_t http_buf1[] =
5565  "GET /index.html HTTP/1.0\r\n"
5566  "Host: www.openinfosecfoundation.org\r\n"
5567  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5568  "\r\n";
5569  uint32_t http_len1 = sizeof(http_buf1) - 1;
5570  uint8_t http_buf2[] =
5571  "HTTP/1.0 200 ok\r\n"
5572  "Content-Type: text/html\r\n"
5573  "Content-Length: 14\r\n"
5574  "\r\n"
5575  "bigmes";
5576  uint32_t http_len2 = sizeof(http_buf2) - 1;
5577  uint8_t http_buf3[] =
5578  "sag";
5579  uint32_t http_len3 = sizeof(http_buf3) - 1;
5580  uint8_t http_buf4[] =
5581  "e4u!!";
5582  uint32_t http_len4 = sizeof(http_buf4) - 1;
5583  int result = 0;
5584  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5585 
5586  memset(&th_v, 0, sizeof(th_v));
5587  memset(&f, 0, sizeof(f));
5588  memset(&ssn, 0, sizeof(ssn));
5589 
5590  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5591  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5592 
5593  FLOW_INITIALIZE(&f);
5594  f.protoctx = (void *)&ssn;
5595  f.proto = IPPROTO_TCP;
5596  f.flags |= FLOW_IPV4;
5597 
5598  p1->flow = &f;
5599  p1->flowflags |= FLOW_PKT_TOCLIENT;
5600  p1->flowflags |= FLOW_PKT_ESTABLISHED;
5601  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5602  p2->flow = &f;
5603  p2->flowflags |= FLOW_PKT_TOCLIENT;
5604  p2->flowflags |= FLOW_PKT_ESTABLISHED;
5605  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5606  f.alproto = ALPROTO_HTTP1;
5607 
5608  StreamTcpInitConfig(true);
5609 
5610  de_ctx = DetectEngineCtxInit();
5611  if (de_ctx == NULL)
5612  goto end;
5613 
5614  de_ctx->flags |= DE_QUIET;
5615 
5616  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5617  "(msg:\"http client body test\"; "
5618  "content:\"message\"; http_server_body; "
5619  "sid:1;)");
5620  if (de_ctx->sig_list == NULL)
5621  goto end;
5622 
5623  SigGroupBuild(de_ctx);
5624  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5625 
5626  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
5627  http_buf1, http_len1);
5628  if (r != 0) {
5629  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5630  result = 0;
5631  goto end;
5632  }
5633 
5634  http_state = f.alstate;
5635  if (http_state == NULL) {
5636  printf("no http state: ");
5637  result = 0;
5638  goto end;
5639  }
5640 
5641  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
5642  http_buf2, http_len2);
5643  if (r != 0) {
5644  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5645  result = 0;
5646  goto end;
5647  }
5648 
5649  /* do detect */
5650  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5651 
5652  if ((PacketAlertCheck(p1, 1))) {
5653  printf("sid 1 matched but shouldn't have: ");
5654  goto end;
5655  }
5656 
5657  r = AppLayerParserParse(
5658  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
5659  if (r != 0) {
5660  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5661  result = 0;
5662  goto end;
5663  }
5664 
5665  r = AppLayerParserParse(
5666  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf4, http_len4);
5667  if (r != 0) {
5668  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5669  result = 0;
5670  goto end;
5671  }
5672 
5673  /* do detect */
5674  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5675 
5676  if (!(PacketAlertCheck(p2, 1))) {
5677  printf("sid 1 didn't match but should have: ");
5678  goto end;
5679  }
5680 
5681  result = 1;
5682 end:
5683  if (alp_tctx != NULL)
5684  AppLayerParserThreadCtxFree(alp_tctx);
5685  if (de_ctx != NULL)
5686  DetectEngineCtxFree(de_ctx);
5687 
5688  StreamTcpFreeConfig(true);
5689  FLOW_DESTROY(&f);
5690  UTHFreePackets(&p1, 1);
5691  UTHFreePackets(&p2, 1);
5692  return result;
5693 }
5694 
5695 /**
5696  *\test Test that the http_server_body content matches against a http request
5697  * which holds the content. Case insensitive.
5698  */
5699 static int DetectHttpServerBodyTest10(void)
5700 {
5701  TcpSession ssn;
5702  Packet *p1 = NULL;
5703  Packet *p2 = NULL;
5704  ThreadVars th_v;
5705  DetectEngineCtx *de_ctx = NULL;
5706  DetectEngineThreadCtx *det_ctx = NULL;
5707  HtpState *http_state = NULL;
5708  Flow f;
5709  uint8_t http_buf1[] =
5710  "GET /index.html HTTP/1.0\r\n"
5711  "Host: www.openinfosecfoundation.org\r\n"
5712  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5713  "\r\n";
5714  uint32_t http_len1 = sizeof(http_buf1) - 1;
5715  uint8_t http_buf2[] =
5716  "HTTP/1.0 200 ok\r\n"
5717  "Content-Type: text/html\r\n"
5718  "Content-Length: 14\r\n"
5719  "\r\n"
5720  "bigmes";
5721  uint32_t http_len2 = sizeof(http_buf2) - 1;
5722  uint8_t http_buf3[] =
5723  "sag";
5724  uint32_t http_len3 = sizeof(http_buf3) - 1;
5725  uint8_t http_buf4[] =
5726  "e4u!!";
5727  uint32_t http_len4 = sizeof(http_buf4) - 1;
5728  int result = 0;
5729  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5730 
5731  memset(&th_v, 0, sizeof(th_v));
5732  memset(&f, 0, sizeof(f));
5733  memset(&ssn, 0, sizeof(ssn));
5734 
5735  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5736  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5737 
5738  FLOW_INITIALIZE(&f);
5739  f.protoctx = (void *)&ssn;
5740  f.proto = IPPROTO_TCP;
5741  f.flags |= FLOW_IPV4;
5742 
5743  p1->flow = &f;
5744  p1->flowflags |= FLOW_PKT_TOCLIENT;
5745  p1->flowflags |= FLOW_PKT_ESTABLISHED;
5746  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5747  p2->flow = &f;
5748  p2->flowflags |= FLOW_PKT_TOCLIENT;
5749  p2->flowflags |= FLOW_PKT_ESTABLISHED;
5750  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5751  f.alproto = ALPROTO_HTTP1;
5752 
5753  StreamTcpInitConfig(true);
5754 
5755  de_ctx = DetectEngineCtxInit();
5756  if (de_ctx == NULL)
5757  goto end;
5758 
5759  de_ctx->flags |= DE_QUIET;
5760 
5761  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5762  "(msg:\"http client body test\"; "
5763  "content:\"MeSSaGE\"; http_server_body; nocase; "
5764  "sid:1;)");
5765  if (de_ctx->sig_list == NULL)
5766  goto end;
5767 
5768  SigGroupBuild(de_ctx);
5769  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5770 
5771  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
5772  http_buf1, http_len1);
5773  if (r != 0) {
5774  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5775  result = 0;
5776  goto end;
5777  }
5778 
5779  http_state = f.alstate;
5780  if (http_state == NULL) {
5781  printf("no http state: ");
5782  result = 0;
5783  goto end;
5784  }
5785 
5786  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
5787  http_buf2, http_len2);
5788  if (r != 0) {
5789  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5790  result = 0;
5791  goto end;
5792  }
5793 
5794  /* do detect */
5795  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5796 
5797  if ((PacketAlertCheck(p1, 1))) {
5798  printf("sid 1 matched but shouldn't have: ");
5799  goto end;
5800  }
5801 
5802  r = AppLayerParserParse(
5803  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
5804  if (r != 0) {
5805  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5806  result = 0;
5807  goto end;
5808  }
5809 
5810  r = AppLayerParserParse(
5811  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf4, http_len4);
5812  if (r != 0) {
5813  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5814  result = 0;
5815  goto end;
5816  }
5817 
5818  /* do detect */
5819  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5820 
5821  if (!(PacketAlertCheck(p2, 1))) {
5822  printf("sid 1 didn't match but should have: ");
5823  goto end;
5824  }
5825 
5826  result = 1;
5827 end:
5828  if (alp_tctx != NULL)
5829  AppLayerParserThreadCtxFree(alp_tctx);
5830  if (de_ctx != NULL)
5831  DetectEngineCtxFree(de_ctx);
5832 
5833  StreamTcpFreeConfig(true);
5834  FLOW_DESTROY(&f);
5835  UTHFreePackets(&p1, 1);
5836  UTHFreePackets(&p2, 1);
5837  return result;
5838 }
5839 
5840 /**
5841  *\test Test that the http_server_body content matches against a http request
5842  * which holds the content. Negated match.
5843  */
5844 static int DetectHttpServerBodyTest11(void)
5845 {
5846  TcpSession ssn;
5847  Packet *p1 = NULL;
5848  Packet *p2 = NULL;
5849  ThreadVars th_v;
5850  DetectEngineCtx *de_ctx = NULL;
5851  DetectEngineThreadCtx *det_ctx = NULL;
5852  HtpState *http_state = NULL;
5853  Flow f;
5854  uint8_t http_buf1[] =
5855  "GET /index.html HTTP/1.0\r\n"
5856  "Host: www.openinfosecfoundation.org\r\n"
5857  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5858  "\r\n";
5859  uint32_t http_len1 = sizeof(http_buf1) - 1;
5860  uint8_t http_buf2[] =
5861  "HTTP/1.0 200 ok\r\n"
5862  "Content-Type: text/html\r\n"
5863  "Content-Length: 14\r\n"
5864  "\r\n";
5865  uint32_t http_len2 = sizeof(http_buf2) - 1;
5866  uint8_t http_buf3[] =
5867  "bigmessage4u!!";
5868  uint32_t http_len3 = sizeof(http_buf3) - 1;
5869  int result = 0;
5870  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
5871 
5872  memset(&th_v, 0, sizeof(th_v));
5873  memset(&f, 0, sizeof(f));
5874  memset(&ssn, 0, sizeof(ssn));
5875 
5876  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5877  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5878 
5879  FLOW_INITIALIZE(&f);
5880  f.protoctx = (void *)&ssn;
5881  f.proto = IPPROTO_TCP;
5882  f.flags |= FLOW_IPV4;
5883 
5884  p1->flow = &f;
5885  p1->flowflags |= FLOW_PKT_TOCLIENT;
5886  p1->flowflags |= FLOW_PKT_ESTABLISHED;
5887  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5888  p2->flow = &f;
5889  p2->flowflags |= FLOW_PKT_TOCLIENT;
5890  p2->flowflags |= FLOW_PKT_ESTABLISHED;
5891  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5892  f.alproto = ALPROTO_HTTP1;
5893 
5894  StreamTcpInitConfig(true);
5895 
5896  de_ctx = DetectEngineCtxInit();
5897  if (de_ctx == NULL)
5898  goto end;
5899 
5900  de_ctx->flags |= DE_QUIET;
5901 
5902  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5903  "(msg:\"http client body test\"; "
5904  "content:!\"MaSSaGE\"; http_server_body; nocase; "
5905  "sid:1;)");
5906  if (de_ctx->sig_list == NULL)
5907  goto end;
5908 
5909  SigGroupBuild(de_ctx);
5910  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5911 
5912  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
5913  http_buf1, http_len1);
5914  if (r != 0) {
5915  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5916  result = 0;
5917  goto end;
5918  }
5919 
5920  http_state = f.alstate;
5921  if (http_state == NULL) {
5922  printf("no http state: ");
5923  result = 0;
5924  goto end;
5925  }
5926 
5927  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
5928  http_buf2, http_len2);
5929  if (r != 0) {
5930  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5931  result = 0;
5932  goto end;
5933  }
5934 
5935  /* do detect */
5936  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5937 
5938  if (PacketAlertCheck(p1, 1)) {
5939  printf("sid 1 matched but shouldn't have (p1): ");
5940  goto end;
5941  }
5942 
5943  r = AppLayerParserParse(
5944  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf3, http_len3);
5945  if (r != 0) {
5946  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5947  result = 0;
5948  goto end;
5949  }
5950 
5951  /* do detect */
5952  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5953 
5954  if (!(PacketAlertCheck(p2, 1))) {
5955  printf("sid 1 didn't match but should have (p2): ");
5956  goto end;
5957  }
5958 
5959  result = 1;
5960 end:
5961  if (alp_tctx != NULL)
5962  AppLayerParserThreadCtxFree(alp_tctx);
5963  if (de_ctx != NULL)
5964  DetectEngineCtxFree(de_ctx);
5965 
5966  StreamTcpFreeConfig(true);
5967  FLOW_DESTROY(&f);
5968  UTHFreePackets(&p1, 1);
5969  UTHFreePackets(&p2, 1);
5970  return result;
5971 }
5972 
5973 /**
5974  *\test Test that the http_server_body content matches against a http request
5975  * which holds the content. Negated match.
5976  */
5977 static int DetectHttpServerBodyTest12(void)
5978 {
5979  TcpSession ssn;
5980  Packet *p1 = NULL;
5981  Packet *p2 = NULL;
5982  ThreadVars th_v;
5983  DetectEngineCtx *de_ctx = NULL;
5984  DetectEngineThreadCtx *det_ctx = NULL;
5985  HtpState *http_state = NULL;
5986  Flow f;
5987  uint8_t http_buf1[] =
5988  "GET /index.html HTTP/1.0\r\n"
5989  "Host: www.openinfosecfoundation.org\r\n"
5990  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5991  "\r\n";
5992  uint32_t http_len1 = sizeof(http_buf1) - 1;
5993  uint8_t http_buf2[] =
5994  "HTTP/1.0 200 ok\r\n"
5995  "Content-Type: text/html\r\n"
5996  "Content-Length: 14\r\n"
5997  "\r\n";
5998  uint32_t http_len2 = sizeof(http_buf2) - 1;
5999  uint8_t http_buf3[] =
6000  "bigmessage4u!!";
6001  uint32_t http_len3 = sizeof(http_buf3) - 1;
6002  int result = 0;
6003  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6004 
6005  memset(&th_v, 0, sizeof(th_v));
6006  memset(&f, 0, sizeof(f));
6007  memset(&ssn, 0, sizeof(ssn));
6008 
6009  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6010  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6011 
6012  FLOW_INITIALIZE(&f);
6013  f.protoctx = (void *)&ssn;
6014  f.proto = IPPROTO_TCP;
6015  f.flags |= FLOW_IPV4;
6016 
6017  p1->flow = &f;
6018  p1->flowflags |= FLOW_PKT_TOCLIENT;
6019  p1->flowflags |= FLOW_PKT_ESTABLISHED;
6020  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6021  p2->flow = &f;
6022  p2->flowflags |= FLOW_PKT_TOCLIENT;
6023  p2->flowflags |= FLOW_PKT_ESTABLISHED;
6024  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6025  f.alproto = ALPROTO_HTTP1;
6026 
6027  StreamTcpInitConfig(true);
6028 
6029  de_ctx = DetectEngineCtxInit();
6030  if (de_ctx == NULL)
6031  goto end;
6032 
6033  de_ctx->flags |= DE_QUIET;
6034 
6035  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6036  "(msg:\"http client body test\"; "
6037  "content:!\"MeSSaGE\"; http_server_body; nocase; "
6038  "sid:1;)");
6039  if (de_ctx->sig_list == NULL)
6040  goto end;
6041 
6042  SigGroupBuild(de_ctx);
6043  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6044 
6045  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
6046  http_buf1, http_len1);
6047  if (r != 0) {
6048  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6049  result = 0;
6050  goto end;
6051  }
6052 
6053  http_state = f.alstate;
6054  if (http_state == NULL) {
6055  printf("no http state: ");
6056  result = 0;
6057  goto end;
6058  }
6059 
6060  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
6061  http_buf2, http_len2);
6062  if (r != 0) {
6063  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6064  result = 0;
6065  goto end;
6066  }
6067 
6068  /* do detect */
6069  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6070 
6071  if (PacketAlertCheck(p1, 1)) {
6072  printf("sid 1 matched but shouldn't have (p1): ");
6073  goto end;
6074  }
6075 
6076  r = AppLayerParserParse(
6077  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf3, http_len3);
6078  if (r != 0) {
6079  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6080  result = 0;
6081  goto end;
6082  }
6083 
6084  /* do detect */
6085  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6086 
6087  if (PacketAlertCheck(p2, 1)) {
6088  printf("sid 1 matched but shouldn't have (p2): ");
6089  goto end;
6090  }
6091 
6092  result = 1;
6093 end:
6094  if (alp_tctx != NULL)
6095  AppLayerParserThreadCtxFree(alp_tctx);
6096  if (de_ctx != NULL)
6097  DetectEngineCtxFree(de_ctx);
6098 
6099  StreamTcpFreeConfig(true);
6100  FLOW_DESTROY(&f);
6101  UTHFreePackets(&p1, 1);
6102  UTHFreePackets(&p2, 1);
6103  return result;
6104 }
6105 
6106 static int DetectHttpServerBodyTest13(void)
6107 {
6108  TcpSession ssn;
6109  Packet *p = NULL;
6110  ThreadVars th_v;
6111  DetectEngineCtx *de_ctx = NULL;
6112  DetectEngineThreadCtx *det_ctx = NULL;
6113  HtpState *http_state = NULL;
6114  Flow f;
6115  uint8_t http_buf[] =
6116  "GET /index.html HTTP/1.0\r\n"
6117  "Host: www.openinfosecfoundation.org\r\n"
6118  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
6119  "\r\n";
6120  uint32_t http_len = sizeof(http_buf) - 1;
6121  uint8_t http_buf2[] =
6122  "HTTP/1.0 200 ok\r\n"
6123  "Content-Type: text/html\r\n"
6124  "Content-Length: 55\r\n"
6125  "\r\n"
6126  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
6127  uint32_t http_len2 = sizeof(http_buf2) - 1;
6128  int result = 0;
6129  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6130 
6131  memset(&th_v, 0, sizeof(th_v));
6132  memset(&f, 0, sizeof(f));
6133  memset(&ssn, 0, sizeof(ssn));
6134 
6135  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6136 
6137  FLOW_INITIALIZE(&f);
6138  f.protoctx = (void *)&ssn;
6139  f.proto = IPPROTO_TCP;
6140  f.flags |= FLOW_IPV4;
6141 
6142  p->flow = &f;
6143  p->flowflags |= FLOW_PKT_TOCLIENT;
6144  p->flowflags |= FLOW_PKT_ESTABLISHED;
6145  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6146  f.alproto = ALPROTO_HTTP1;
6147 
6148  StreamTcpInitConfig(true);
6149 
6150  de_ctx = DetectEngineCtxInit();
6151  if (de_ctx == NULL)
6152  goto end;
6153 
6154  de_ctx->flags |= DE_QUIET;
6155 
6156  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6157  "(msg:\"http server body test\"; "
6158  "content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; http_server_body; "
6159  "sid:1;)");
6160  if (de_ctx->sig_list == NULL)
6161  goto end;
6162 
6163  SigGroupBuild(de_ctx);
6164  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6165 
6166  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1,
6167  STREAM_TOSERVER | STREAM_START | STREAM_EOF, http_buf, http_len);
6168  if (r != 0) {
6169  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6170  result = 0;
6171  goto end;
6172  }
6173  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1,
6174  STREAM_TOCLIENT | STREAM_START | STREAM_EOF, http_buf2, http_len2);
6175  if (r != 0) {
6176  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6177  result = 0;
6178  goto end;
6179  }
6180 
6181  http_state = f.alstate;
6182  if (http_state == NULL) {
6183  printf("no http state: \n");
6184  result = 0;
6185  goto end;
6186  }
6187 
6188  /* do detect */
6189  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6190 
6191  if (!(PacketAlertCheck(p, 1))) {
6192  printf("sid 1 didn't match but should have: ");
6193  goto end;
6194  }
6195 
6196  result = 1;
6197 end:
6198  if (alp_tctx != NULL)
6199  AppLayerParserThreadCtxFree(alp_tctx);
6200  if (de_ctx != NULL)
6201  DetectEngineCtxFree(de_ctx);
6202 
6203  StreamTcpFreeConfig(true);
6204  FLOW_DESTROY(&f);
6205  UTHFreePackets(&p, 1);
6206  return result;
6207 }
6208 
6209 /** \test multiple http transactions and body chunks of request handling */
6210 static int DetectHttpServerBodyTest14(void)
6211 {
6212  int result = 0;
6213  Signature *s = NULL;
6214  DetectEngineThreadCtx *det_ctx = NULL;
6215  ThreadVars th_v;
6216  Flow f;
6217  TcpSession ssn;
6218  Packet *p = NULL;
6219  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
6220  "User-Agent: Mozilla/1.0\r\n"
6221  "Host: www.openinfosecfoundation.org\r\n"
6222  "Connection: keep-alive\r\n"
6223  "Cookie: dummy1\r\n\r\n";
6224  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
6225  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
6226  "Content-Type: text/html\r\n"
6227  "Content-Length: 3\r\n"
6228  "\r\n"
6229  "one";
6230  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
6231  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
6232  "User-Agent: Firefox/1.0\r\n"
6233  "Host: www.openinfosecfoundation.org\r\n"
6234  "Connection: keep-alive\r\n"
6235  "Cookie: dummy2\r\n\r\n";
6236  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
6237  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
6238  "Content-Type: text/html\r\n"
6239  "Content-Length: 3\r\n"
6240  "\r\n"
6241  "two";
6242  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
6243  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6244 
6245  memset(&th_v, 0, sizeof(th_v));
6246  memset(&f, 0, sizeof(f));
6247  memset(&ssn, 0, sizeof(ssn));
6248 
6249  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6250 
6251  FLOW_INITIALIZE(&f);
6252  f.protoctx = (void *)&ssn;
6253  f.proto = IPPROTO_TCP;
6254  f.flags |= FLOW_IPV4;
6255 
6256  p->flow = &f;
6257  p->flowflags |= FLOW_PKT_TOCLIENT;
6258  p->flowflags |= FLOW_PKT_ESTABLISHED;
6259  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6260  f.alproto = ALPROTO_HTTP1;
6261 
6262  StreamTcpInitConfig(true);
6263 
6264  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6265  if (de_ctx == NULL) {
6266  goto end;
6267  }
6268 
6269  de_ctx->flags |= DE_QUIET;
6270 
6271  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; content:\"one\"; http_server_body; sid:1; rev:1;)");
6272  if (s == NULL) {
6273  printf("sig parse failed: ");
6274  goto end;
6275  }
6276  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; content:\"two\"; http_server_body; sid:2; rev:1;)");
6277  if (s == NULL) {
6278  printf("sig2 parse failed: ");
6279  goto end;
6280  }
6281 
6282  SigGroupBuild(de_ctx);
6283  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6284 
6285  SCLogDebug("add chunk 1");
6286 
6287  int r = AppLayerParserParse(
6288  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
6289  if (r != 0) {
6290  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6291  goto end;
6292  }
6293 
6294  SCLogDebug("add chunk 2");
6295 
6296  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
6297  if (r != 0) {
6298  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
6299  goto end;
6300  }
6301 
6302  SCLogDebug("inspect chunk 1");
6303 
6304  /* do detect */
6305  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6306  if (!(PacketAlertCheck(p, 1))) {
6307  printf("sig 1 didn't alert (tx 1): ");
6308  goto end;
6309  }
6310  p->alerts.cnt = 0;
6311 
6312  SCLogDebug("add chunk 3");
6313 
6314  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
6315  if (r != 0) {
6316  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
6317  goto end;
6318  }
6319 
6320  SCLogDebug("add chunk 4");
6321 
6322  r = AppLayerParserParse(
6323  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
6324  if (r != 0) {
6325  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
6326  goto end;
6327  }
6328 
6329  SCLogDebug("inspect chunk 4");
6330 
6331  /* do detect */
6332  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6333  if ((PacketAlertCheck(p, 1))) {
6334  printf("sig 1 alerted (tx 2): ");
6335  goto end;
6336  }
6337  if (!(PacketAlertCheck(p, 2))) {
6338  printf("sig 2 didn't alert (tx 2): ");
6339  goto end;
6340  }
6341  p->alerts.cnt = 0;
6342 
6343  HtpState *htp_state = f.alstate;
6344  if (htp_state == NULL) {
6345  printf("no http state: ");
6346  goto end;
6347  }
6348 
6349  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
6350  printf("The http app layer doesn't have 2 transactions, but it should: ");
6351  goto end;
6352  }
6353 
6354  result = 1;
6355 end:
6356  if (alp_tctx != NULL)
6357  AppLayerParserThreadCtxFree(alp_tctx);
6358  if (det_ctx != NULL) {
6359  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
6360  }
6361  if (de_ctx != NULL) {
6362  DetectEngineCtxFree(de_ctx);
6363  }
6364 
6365  StreamTcpFreeConfig(true);
6366  FLOW_DESTROY(&f);
6367  UTHFreePacket(p);
6368  return result;
6369 }
6370 
6371 static int DetectHttpServerBodyTest15(void)
6372 {
6373  int result = 0;
6374  Signature *s = NULL;
6375  DetectEngineThreadCtx *det_ctx = NULL;
6376  ThreadVars th_v;
6377  Flow f;
6378  TcpSession ssn;
6379  Packet *p = NULL;
6380  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
6381  "User-Agent: Mozilla/1.0\r\n"
6382  "Host: www.openinfosecfoundation.org\r\n"
6383  "Connection: keep-alive\r\n"
6384  "Cookie: dummy1\r\n\r\n";
6385  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
6386  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
6387  "Content-Type: text/html\r\n"
6388  "Content-Length: 3\r\n"
6389  "\r\n"
6390  "one";
6391  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
6392  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
6393  "User-Agent: Firefox/1.0\r\n"
6394  "Host: www.openinfosecfoundation.org\r\n"
6395  "Connection: keep-alive\r\n"
6396  "Cookie: dummy2\r\n\r\n";
6397  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
6398  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
6399  "Content-Type: text/html\r\n"
6400  "Content-Length: 3\r\n"
6401  "\r\n"
6402  "two";
6403  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
6404  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6405 
6406  memset(&th_v, 0, sizeof(th_v));
6407  memset(&f, 0, sizeof(f));
6408  memset(&ssn, 0, sizeof(ssn));
6409 
6410  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6411 
6412  FLOW_INITIALIZE(&f);
6413  f.protoctx = (void *)&ssn;
6414  f.proto = IPPROTO_TCP;
6415  f.flags |= FLOW_IPV4;
6416 
6417  p->flow = &f;
6418  p->flowflags |= FLOW_PKT_TOCLIENT;
6419  p->flowflags |= FLOW_PKT_ESTABLISHED;
6420  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6421  f.alproto = ALPROTO_HTTP1;
6422 
6423  StreamTcpInitConfig(true);
6424 
6425  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6426  if (de_ctx == NULL) {
6427  goto end;
6428  }
6429 
6430  de_ctx->flags |= DE_QUIET;
6431 
6432  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; content:\"one\"; http_server_body; sid:1; rev:1;)");
6433  if (s == NULL) {
6434  printf("sig parse failed: ");
6435  goto end;
6436  }
6437  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; content:\"two\"; http_server_body; sid:2; rev:1;)");
6438  if (s == NULL) {
6439  printf("sig2 parse failed: ");
6440  goto end;
6441  }
6442 
6443  SigGroupBuild(de_ctx);
6444  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6445 
6446  int r = AppLayerParserParse(
6447  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
6448  if (r != 0) {
6449  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6450  goto end;
6451  }
6452 
6453  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
6454  if (r != 0) {
6455  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
6456  goto end;
6457  }
6458 
6459  /* do detect */
6460  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6461  if (!(PacketAlertCheck(p, 1))) {
6462  printf("sig 1 didn't alert (tx 1): ");
6463  goto end;
6464  }
6465  if (PacketAlertCheck(p, 2)) {
6466  printf("sig 2 alerted (tx 1): ");
6467  goto end;
6468  }
6469  p->alerts.cnt = 0;
6470 
6471  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
6472  if (r != 0) {
6473  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
6474  goto end;
6475  }
6476 
6477  r = AppLayerParserParse(
6478  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
6479  if (r != 0) {
6480  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
6481  goto end;
6482  }
6483 
6484  /* do detect */
6485  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6486  if ((PacketAlertCheck(p, 1))) {
6487  printf("sig 1 alerted (tx 2): ");
6488  goto end;
6489  }
6490  if (!(PacketAlertCheck(p, 2))) {
6491  printf("sig 2 didn't alert (tx 2): ");
6492  goto end;
6493  }
6494  p->alerts.cnt = 0;
6495 
6496  HtpState *htp_state = f.alstate;
6497  if (htp_state == NULL) {
6498  printf("no http state: ");
6499  goto end;
6500  }
6501 
6502  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
6503  printf("The http app layer doesn't have 2 transactions, but it should: ");
6504  goto end;
6505  }
6506 
6507  result = 1;
6508 end:
6509  if (alp_tctx != NULL)
6510  AppLayerParserThreadCtxFree(alp_tctx);
6511  if (det_ctx != NULL) {
6512  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
6513  }
6514  if (de_ctx != NULL) {
6515  DetectEngineCtxFree(de_ctx);
6516  }
6517 
6518  StreamTcpFreeConfig(true);
6519  FLOW_DESTROY(&f);
6520  UTHFreePacket(p);
6521  return result;
6522 }
6523 
6524 /**
6525  *\test Test that the http_server_body content matches against a http request
6526  * which holds the content.
6527  */
6528 static int DetectHttpServerBodyFileDataTest01(void)
6529 {
6530  TcpSession ssn;
6531  Packet *p = NULL;
6532  ThreadVars th_v;
6533  DetectEngineCtx *de_ctx = NULL;
6534  DetectEngineThreadCtx *det_ctx = NULL;
6535  HtpState *http_state = NULL;
6536  Flow f;
6537  uint8_t http_buf[] =
6538  "GET /index.html HTTP/1.0\r\n"
6539  "Host: www.openinfosecfoundation.org\r\n"
6540  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
6541  "\r\n";
6542  uint32_t http_len = sizeof(http_buf) - 1;
6543  uint8_t http_buf2[] =
6544  "HTTP/1.0 200 ok\r\n"
6545  "Content-Type: text/html\r\n"
6546  "Content-Length: 7\r\n"
6547  "\r\n"
6548  "message";
6549  uint32_t http_len2 = sizeof(http_buf2) - 1;
6550  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6551 
6552  memset(&th_v, 0, sizeof(th_v));
6553  memset(&f, 0, sizeof(f));
6554  memset(&ssn, 0, sizeof(ssn));
6555 
6556  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6557 
6558  FLOW_INITIALIZE(&f);
6559  f.protoctx = (void *)&ssn;
6560  f.proto = IPPROTO_TCP;
6561  f.flags |= FLOW_IPV4;
6562 
6563  p->flow = &f;
6564  p->flowflags |= FLOW_PKT_TOCLIENT;
6565  p->flowflags |= FLOW_PKT_ESTABLISHED;
6566  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6567  f.alproto = ALPROTO_HTTP1;
6568 
6569  StreamTcpInitConfig(true);
6570 
6571  de_ctx = DetectEngineCtxInit();
6572  FAIL_IF_NULL(de_ctx);
6573  de_ctx->flags |= DE_QUIET;
6574 
6575  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6576  "(msg:\"http server body test\"; "
6577  "file_data; content:\"message\"; "
6578  "sid:1;)");
6579  FAIL_IF_NULL(de_ctx->sig_list);
6580 
6581  SigGroupBuild(de_ctx);
6582  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6583 
6584  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1,
6585  STREAM_TOSERVER | STREAM_START | STREAM_EOF, http_buf, http_len);
6586  FAIL_IF(r != 0);
6587  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1,
6588  STREAM_TOCLIENT | STREAM_START | STREAM_EOF, http_buf2, http_len2);
6589  FAIL_IF(r != 0);
6590  http_state = f.alstate;
6591  FAIL_IF_NULL(http_state);
6592 
6593  /* do detect */
6594  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
6595 
6596  FAIL_IF(!(PacketAlertCheck(p, 1)));
6597 
6598  AppLayerParserThreadCtxFree(alp_tctx);
6599  DetectEngineCtxFree(de_ctx);
6600 
6601  StreamTcpFreeConfig(true);
6602  FLOW_DESTROY(&f);
6603  UTHFreePackets(&p, 1);
6604  PASS;
6605 }
6606 
6607 /**
6608  *\test Test that the http_server_body content matches against a http request
6609  * which holds the content.
6610  */
6611 static int DetectHttpServerBodyFileDataTest02(void)
6612 {
6613  TcpSession ssn;
6614  Packet *p1 = NULL;
6615  Packet *p2 = NULL;
6616  ThreadVars th_v;
6617  DetectEngineCtx *de_ctx = NULL;
6618  DetectEngineThreadCtx *det_ctx = NULL;
6619  HtpState *http_state = NULL;
6620  Flow f;
6621  uint8_t http_buf1[] =
6622  "GET /index.html HTTP/1.0\r\n"
6623  "Host: www.openinfosecfoundation.org\r\n"
6624  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
6625  "\r\n";
6626  uint32_t http_len1 = sizeof(http_buf1) - 1;
6627  uint8_t http_buf2[] =
6628  "HTTP/1.0 200 ok\r\n"
6629  "Content-Type: text/html\r\n"
6630  "Content-Length: 14\r\n"
6631  "\r\n";
6632  uint32_t http_len2 = sizeof(http_buf2) - 1;
6633  uint8_t http_buf3[] =
6634  "message";
6635  uint32_t http_len3 = sizeof(http_buf3) - 1;
6636  int result = 0;
6637  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6638 
6639  memset(&th_v, 0, sizeof(th_v));
6640  memset(&f, 0, sizeof(f));
6641  memset(&ssn, 0, sizeof(ssn));
6642 
6643  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6644  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6645 
6646  FLOW_INITIALIZE(&f);
6647  f.protoctx = (void *)&ssn;
6648  f.proto = IPPROTO_TCP;
6649  f.flags |= FLOW_IPV4;
6650 
6651  p1->flow = &f;
6652  p1->flowflags |= FLOW_PKT_TOCLIENT;
6653  p1->flowflags |= FLOW_PKT_ESTABLISHED;
6654  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6655 
6656  p2->flow = &f;
6657  p2->flowflags |= FLOW_PKT_TOCLIENT;
6658  p2->flowflags |= FLOW_PKT_ESTABLISHED;
6659  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6660  f.alproto = ALPROTO_HTTP1;
6661 
6662  StreamTcpInitConfig(true);
6663 
6664  de_ctx = DetectEngineCtxInit();
6665  if (de_ctx == NULL)
6666  goto end;
6667 
6668  de_ctx->flags |= DE_QUIET;
6669 
6670  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6671  "(msg:\"http server body test\"; "
6672  "file_data; content:\"message\"; "
6673  "sid:1;)");
6674  if (de_ctx->sig_list == NULL)
6675  goto end;
6676 
6677  SigGroupBuild(de_ctx);
6678  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6679 
6680  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
6681  http_buf1, http_len1);
6682  if (r != 0) {
6683  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6684  result = 0;
6685  goto end;
6686  }
6687 
6688  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
6689  http_buf2, http_len2);
6690  if (r != 0) {
6691  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
6692  result = 0;
6693  goto end;
6694  }
6695 
6696  http_state = f.alstate;
6697  if (http_state == NULL) {
6698  printf("no http state: ");
6699  goto end;
6700  }
6701 
6702  /* do detect */
6703  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6704 
6705  if (PacketAlertCheck(p1, 1)) {
6706  printf("sid 1 matched on p1 but should have: ");
6707  goto end;
6708  }
6709 
6710  r = AppLayerParserParse(
6711  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf3, http_len3);
6712  if (r != 0) {
6713  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
6714  goto end;
6715  }
6716 
6717  /* do detect */
6718  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6719  if (!(PacketAlertCheck(p2, 1))) {
6720  printf("sid 1 didn't match on p2 but should have: ");
6721  goto end;
6722  }
6723 
6724  result = 1;
6725 end:
6726  if (alp_tctx != NULL)
6727  AppLayerParserThreadCtxFree(alp_tctx);
6728  if (de_ctx != NULL)
6729  DetectEngineCtxFree(de_ctx);
6730 
6731  StreamTcpFreeConfig(true);
6732  FLOW_DESTROY(&f);
6733  UTHFreePackets(&p1, 1);
6734  UTHFreePackets(&p2, 1);
6735  return result;
6736 }
6737 
6738 /**
6739  *\test Test that the http_server_body content matches against a http request
6740  * which holds the content.
6741  */
6742 static int DetectHttpServerBodyFileDataTest03(void)
6743 {
6744  TcpSession ssn;
6745  Packet *p1 = NULL;
6746  Packet *p2 = NULL;
6747  ThreadVars th_v;
6748  DetectEngineCtx *de_ctx = NULL;
6749  DetectEngineThreadCtx *det_ctx = NULL;
6750  HtpState *http_state = NULL;
6751  Flow f;
6752  uint8_t http_buf1[] =
6753  "GET /index.html HTTP/1.0\r\n"
6754  "Host: www.openinfosecfoundation.org\r\n"
6755  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
6756  "\r\n";
6757  uint32_t http_len1 = sizeof(http_buf1) - 1;
6758  uint8_t http_buf2[] =
6759  "HTTP/1.0 200 ok\r\n"
6760  "Content-Type: text/html\r\n"
6761  "Content-Length: 14\r\n"
6762  "\r\n"
6763  "bigmes";
6764  uint32_t http_len2 = sizeof(http_buf2) - 1;
6765  uint8_t http_buf3[] =
6766  "sage4u!!";
6767  uint32_t http_len3 = sizeof(http_buf3) - 1;
6768  int result = 0;
6769  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6770 
6771  memset(&th_v, 0, sizeof(th_v));
6772  memset(&f, 0, sizeof(f));
6773  memset(&ssn, 0, sizeof(ssn));
6774 
6775  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6776  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6777 
6778  FLOW_INITIALIZE(&f);
6779  f.protoctx = (void *)&ssn;
6780  f.proto = IPPROTO_TCP;
6781  f.flags |= FLOW_IPV4;
6782 
6783  p1->flow = &f;
6784  p1->flowflags |= FLOW_PKT_TOCLIENT;
6785  p1->flowflags |= FLOW_PKT_ESTABLISHED;
6786  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6787  p2->flow = &f;
6788  p2->flowflags |= FLOW_PKT_TOCLIENT;
6789  p2->flowflags |= FLOW_PKT_ESTABLISHED;
6790  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6791  f.alproto = ALPROTO_HTTP1;
6792 
6793  StreamTcpInitConfig(true);
6794 
6795  de_ctx = DetectEngineCtxInit();
6796  if (de_ctx == NULL)
6797  goto end;
6798 
6799  de_ctx->flags |= DE_QUIET;
6800 
6801  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6802  "(msg:\"http client body test\"; "
6803  "file_data; content:\"message\"; "
6804  "sid:1;)");
6805  if (de_ctx->sig_list == NULL)
6806  goto end;
6807 
6808  SigGroupBuild(de_ctx);
6809  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6810 
6811  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
6812  http_buf1, http_len1);
6813  if (r != 0) {
6814  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6815  result = 0;
6816  goto end;
6817  }
6818 
6819  http_state = f.alstate;
6820  if (http_state == NULL) {
6821  printf("no http state: ");
6822  result = 0;
6823  goto end;
6824  }
6825 
6826  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
6827  http_buf2, http_len2);
6828  if (r != 0) {
6829  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6830  result = 0;
6831  goto end;
6832  }
6833 
6834  /* do detect */
6835  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6836 
6837  if ((PacketAlertCheck(p1, 1))) {
6838  printf("sid 1 matched but shouldn't have: ");
6839  goto end;
6840  }
6841 
6842  r = AppLayerParserParse(
6843  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf3, http_len3);
6844  if (r != 0) {
6845  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6846  result = 0;
6847  goto end;
6848  }
6849 
6850 
6851  /* do detect */
6852  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6853 
6854  if (!(PacketAlertCheck(p2, 1))) {
6855  printf("sid 1 didn't match but should have: ");
6856  goto end;
6857  }
6858 
6859  result = 1;
6860 end:
6861  if (alp_tctx != NULL)
6862  AppLayerParserThreadCtxFree(alp_tctx);
6863  if (de_ctx != NULL)
6864  DetectEngineCtxFree(de_ctx);
6865 
6866  StreamTcpFreeConfig(true);
6867  FLOW_DESTROY(&f);
6868  UTHFreePackets(&p1, 1);
6869  UTHFreePackets(&p2, 1);
6870  return result;
6871 }
6872 
6873 /**
6874  *\test Test that the http_server_body content matches against a http request
6875  * which holds the content.
6876  */
6877 static int DetectHttpServerBodyFileDataTest04(void)
6878 {
6879  TcpSession ssn;
6880  Packet *p1 = NULL;
6881  Packet *p2 = NULL;
6882  ThreadVars th_v;
6883  DetectEngineCtx *de_ctx = NULL;
6884  DetectEngineThreadCtx *det_ctx = NULL;
6885  HtpState *http_state = NULL;
6886  Flow f;
6887  uint8_t http_buf1[] =
6888  "GET /index.html HTTP/1.0\r\n"
6889  "Host: www.openinfosecfoundation.org\r\n"
6890  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
6891  "\r\n";
6892  uint32_t http_len1 = sizeof(http_buf1) - 1;
6893  uint8_t http_buf2[] =
6894  "HTTP/1.0 200 ok\r\n"
6895  "Content-Type: text/html\r\n"
6896  "Content-Length: 14\r\n"
6897  "\r\n"
6898  "bigmes";
6899  uint32_t http_len2 = sizeof(http_buf2) - 1;
6900  uint8_t http_buf3[] =
6901  "sag";
6902  uint32_t http_len3 = sizeof(http_buf3) - 1;
6903  uint8_t http_buf4[] =
6904  "e4u!!";
6905  uint32_t http_len4 = sizeof(http_buf4) - 1;
6906  int result = 0;
6907  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
6908 
6909  memset(&th_v, 0, sizeof(th_v));
6910  memset(&f, 0, sizeof(f));
6911  memset(&ssn, 0, sizeof(ssn));
6912 
6913  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6914  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6915 
6916  FLOW_INITIALIZE(&f);
6917  f.protoctx = (void *)&ssn;
6918  f.proto = IPPROTO_TCP;
6919  f.flags |= FLOW_IPV4;
6920 
6921  p1->flow = &f;
6922  p1->flowflags |= FLOW_PKT_TOCLIENT;
6923  p1->flowflags |= FLOW_PKT_ESTABLISHED;
6924  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6925  p2->flow = &f;
6926  p2->flowflags |= FLOW_PKT_TOCLIENT;
6927  p2->flowflags |= FLOW_PKT_ESTABLISHED;
6928  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
6929  f.alproto = ALPROTO_HTTP1;
6930 
6931  StreamTcpInitConfig(true);
6932 
6933  de_ctx = DetectEngineCtxInit();
6934  if (de_ctx == NULL)
6935  goto end;
6936 
6937  de_ctx->flags |= DE_QUIET;
6938 
6939  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6940  "(msg:\"http client body test\"; "
6941  "file_data; content:\"message\"; "
6942  "sid:1;)");
6943  if (de_ctx->sig_list == NULL)
6944  goto end;
6945 
6946  SigGroupBuild(de_ctx);
6947  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6948 
6949  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
6950  http_buf1, http_len1);
6951  if (r != 0) {
6952  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6953  result = 0;
6954  goto end;
6955  }
6956 
6957  http_state = f.alstate;
6958  if (http_state == NULL) {
6959  printf("no http state: ");
6960  result = 0;
6961  goto end;
6962  }
6963 
6964  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
6965  http_buf2, http_len2);
6966  if (r != 0) {
6967  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6968  result = 0;
6969  goto end;
6970  }
6971 
6972  /* do detect */
6973  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6974 
6975  if ((PacketAlertCheck(p1, 1))) {
6976  printf("sid 1 matched but shouldn't have: ");
6977  goto end;
6978  }
6979 
6980  r = AppLayerParserParse(
6981  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
6982  if (r != 0) {
6983  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6984  result = 0;
6985  goto end;
6986  }
6987 
6988  r = AppLayerParserParse(
6989  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf4, http_len4);
6990  if (r != 0) {
6991  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6992  result = 0;
6993  goto end;
6994  }
6995 
6996  /* do detect */
6997  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6998 
6999  if (!(PacketAlertCheck(p2, 1))) {
7000  printf("sid 1 didn't match but should have: ");
7001  goto end;
7002  }
7003 
7004  result = 1;
7005 end:
7006  if (alp_tctx != NULL)
7007  AppLayerParserThreadCtxFree(alp_tctx);
7008  if (de_ctx != NULL)
7009  DetectEngineCtxFree(de_ctx);
7010 
7011  StreamTcpFreeConfig(true);
7012  FLOW_DESTROY(&f);
7013  UTHFreePackets(&p1, 1);
7014  UTHFreePackets(&p2, 1);
7015  return result;
7016 }
7017 
7018 /**
7019  *\test Test that the http_server_body content matches against a http request
7020  * which holds the content. Case insensitive.
7021  */
7022 static int DetectHttpServerBodyFileDataTest05(void)
7023 {
7024  TcpSession ssn;
7025  Packet *p1 = NULL;
7026  Packet *p2 = NULL;
7027  ThreadVars th_v;
7028  DetectEngineCtx *de_ctx = NULL;
7029  DetectEngineThreadCtx *det_ctx = NULL;
7030  HtpState *http_state = NULL;
7031  Flow f;
7032  uint8_t http_buf1[] =
7033  "GET /index.html HTTP/1.0\r\n"
7034  "Host: www.openinfosecfoundation.org\r\n"
7035  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
7036  "\r\n";
7037  uint32_t http_len1 = sizeof(http_buf1) - 1;
7038  uint8_t http_buf2[] =
7039  "HTTP/1.0 200 ok\r\n"
7040  "Content-Type: text/html\r\n"
7041  "Content-Length: 14\r\n"
7042  "\r\n"
7043  "bigmes";
7044  uint32_t http_len2 = sizeof(http_buf2) - 1;
7045  uint8_t http_buf3[] =
7046  "sag";
7047  uint32_t http_len3 = sizeof(http_buf3) - 1;
7048  uint8_t http_buf4[] =
7049  "e4u!!";
7050  uint32_t http_len4 = sizeof(http_buf4) - 1;
7051  int result = 0;
7052  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
7053 
7054  memset(&th_v, 0, sizeof(th_v));
7055  memset(&f, 0, sizeof(f));
7056  memset(&ssn, 0, sizeof(ssn));
7057 
7058  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
7059  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
7060 
7061  FLOW_INITIALIZE(&f);
7062  f.protoctx = (void *)&ssn;
7063  f.proto = IPPROTO_TCP;
7064  f.flags |= FLOW_IPV4;
7065 
7066  p1->flow = &f;
7067  p1->flowflags |= FLOW_PKT_TOCLIENT;
7068  p1->flowflags |= FLOW_PKT_ESTABLISHED;
7069  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
7070  p2->flow = &f;
7071  p2->flowflags |= FLOW_PKT_TOCLIENT;
7072  p2->flowflags |= FLOW_PKT_ESTABLISHED;
7073  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
7074  f.alproto = ALPROTO_HTTP1;
7075 
7076  StreamTcpInitConfig(true);
7077 
7078  de_ctx = DetectEngineCtxInit();
7079  if (de_ctx == NULL)
7080  goto end;
7081 
7082  de_ctx->flags |= DE_QUIET;
7083 
7084  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
7085  "(msg:\"http client body test\"; "
7086  "file_data; content:\"MeSSaGE\"; nocase; "
7087  "sid:1;)");
7088  if (de_ctx->sig_list == NULL)
7089  goto end;
7090 
7091  SigGroupBuild(de_ctx);
7092  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
7093 
7094  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
7095  http_buf1, http_len1);
7096  if (r != 0) {
7097  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7098  result = 0;
7099  goto end;
7100  }
7101 
7102  http_state = f.alstate;
7103  if (http_state == NULL) {
7104  printf("no http state: ");
7105  result = 0;
7106  goto end;
7107  }
7108 
7109  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
7110  http_buf2, http_len2);
7111  if (r != 0) {
7112  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7113  result = 0;
7114  goto end;
7115  }
7116 
7117  /* do detect */
7118  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
7119 
7120  if ((PacketAlertCheck(p1, 1))) {
7121  printf("sid 1 matched but shouldn't have: ");
7122  goto end;
7123  }
7124 
7125  r = AppLayerParserParse(
7126  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
7127  if (r != 0) {
7128  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7129  result = 0;
7130  goto end;
7131  }
7132 
7133  r = AppLayerParserParse(
7134  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf4, http_len4);
7135  if (r != 0) {
7136  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7137  result = 0;
7138  goto end;
7139  }
7140 
7141  /* do detect */
7142  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
7143 
7144  if (!(PacketAlertCheck(p2, 1))) {
7145  printf("sid 1 didn't match but should have: ");
7146  goto end;
7147  }
7148 
7149  result = 1;
7150 end:
7151  if (alp_tctx != NULL)
7152  AppLayerParserThreadCtxFree(alp_tctx);
7153  if (de_ctx != NULL)
7154  DetectEngineCtxFree(de_ctx);
7155 
7156  StreamTcpFreeConfig(true);
7157  FLOW_DESTROY(&f);
7158  UTHFreePackets(&p1, 1);
7159  UTHFreePackets(&p2, 1);
7160  return result;
7161 }
7162 
7163 /**
7164  *\test Test that the http_server_body content matches against a http request
7165  * which holds the content. Negated match.
7166  */
7167 static int DetectHttpServerBodyFileDataTest06(void)
7168 {
7169  TcpSession ssn;
7170  Packet *p1 = NULL;
7171  Packet *p2 = NULL;
7172  ThreadVars th_v;
7173  DetectEngineCtx *de_ctx = NULL;
7174  DetectEngineThreadCtx *det_ctx = NULL;
7175  HtpState *http_state = NULL;
7176  Flow f;
7177  uint8_t http_buf1[] =
7178  "GET /index.html HTTP/1.0\r\n"
7179  "Host: www.openinfosecfoundation.org\r\n"
7180  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
7181  "\r\n";
7182  uint32_t http_len1 = sizeof(http_buf1) - 1;
7183  uint8_t http_buf2[] =
7184  "HTTP/1.0 200 ok\r\n"
7185  "Content-Type: text/html\r\n"
7186  "Content-Length: 14\r\n"
7187  "\r\n";
7188  uint32_t http_len2 = sizeof(http_buf2) - 1;
7189  uint8_t http_buf3[] =
7190  "bigmessage4u!!";
7191  uint32_t http_len3 = sizeof(http_buf3) - 1;
7192  int result = 0;
7193  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
7194 
7195  memset(&th_v, 0, sizeof(th_v));
7196  memset(&f, 0, sizeof(f));
7197  memset(&ssn, 0, sizeof(ssn));
7198 
7199  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
7200  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
7201 
7202  FLOW_INITIALIZE(&f);
7203  f.protoctx = (void *)&ssn;
7204  f.proto = IPPROTO_TCP;
7205  f.flags |= FLOW_IPV4;
7206 
7207  p1->flow = &f;
7208  p1->flowflags |= FLOW_PKT_TOCLIENT;
7209  p1->flowflags |= FLOW_PKT_ESTABLISHED;
7210  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
7211  p2->flow = &f;
7212  p2->flowflags |= FLOW_PKT_TOCLIENT;
7213  p2->flowflags |= FLOW_PKT_ESTABLISHED;
7214  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
7215  f.alproto = ALPROTO_HTTP1;
7216 
7217  StreamTcpInitConfig(true);
7218 
7219  de_ctx = DetectEngineCtxInit();
7220  if (de_ctx == NULL)
7221  goto end;
7222 
7223  de_ctx->flags |= DE_QUIET;
7224 
7225  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
7226  "(msg:\"http file_data test\"; "
7227  "file_data; content:!\"MaSSaGE\"; nocase; "
7228  "sid:1;)");
7229  if (de_ctx->sig_list == NULL)
7230  goto end;
7231 
7232  SigGroupBuild(de_ctx);
7233  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
7234 
7235  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
7236  http_buf1, http_len1);
7237  if (r != 0) {
7238  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7239  result = 0;
7240  goto end;
7241  }
7242 
7243  http_state = f.alstate;
7244  if (http_state == NULL) {
7245  printf("no http state: ");
7246  result = 0;
7247  goto end;
7248  }
7249 
7250  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
7251  http_buf2, http_len2);
7252  if (r != 0) {
7253  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7254  result = 0;
7255  goto end;
7256  }
7257 
7258  /* do detect */
7259  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
7260 
7261  if (PacketAlertCheck(p1, 1)) {
7262  printf("sid 1 matched but shouldn't have (p1): ");
7263  goto end;
7264  }
7265 
7266  r = AppLayerParserParse(
7267  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf3, http_len3);
7268  if (r != 0) {
7269  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7270  result = 0;
7271  goto end;
7272  }
7273 
7274  /* do detect */
7275  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
7276 
7277  if (!(PacketAlertCheck(p2, 1))) {
7278  printf("sid 1 didn't match but should have (p2): ");
7279  goto end;
7280  }
7281 
7282  result = 1;
7283 end:
7284  if (alp_tctx != NULL)
7285  AppLayerParserThreadCtxFree(alp_tctx);
7286  if (de_ctx != NULL)
7287  DetectEngineCtxFree(de_ctx);
7288 
7289  StreamTcpFreeConfig(true);
7290  FLOW_DESTROY(&f);
7291  UTHFreePackets(&p1, 1);
7292  UTHFreePackets(&p2, 1);
7293  return result;
7294 }
7295 
7296 /**
7297  *\test Test that the http_server_body content matches against a http request
7298  * which holds the content. Negated match.
7299  */
7300 static int DetectHttpServerBodyFileDataTest07(void)
7301 {
7302  TcpSession ssn;
7303  Packet *p1 = NULL;
7304  Packet *p2 = NULL;
7305  ThreadVars th_v;
7306  DetectEngineCtx *de_ctx = NULL;
7307  DetectEngineThreadCtx *det_ctx = NULL;
7308  HtpState *http_state = NULL;
7309  Flow f;
7310  uint8_t http_buf1[] =
7311  "GET /index.html HTTP/1.0\r\n"
7312  "Host: www.openinfosecfoundation.org\r\n"
7313  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
7314  "\r\n";
7315  uint32_t http_len1 = sizeof(http_buf1) - 1;
7316  uint8_t http_buf2[] =
7317  "HTTP/1.0 200 ok\r\n"
7318  "Content-Type: text/html\r\n"
7319  "Content-Length: 14\r\n"
7320  "\r\n";
7321  uint32_t http_len2 = sizeof(http_buf2) - 1;
7322  uint8_t http_buf3[] =
7323  "bigmessage4u!!";
7324  uint32_t http_len3 = sizeof(http_buf3) - 1;
7325  int result = 0;
7326  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
7327 
7328  memset(&th_v, 0, sizeof(th_v));
7329  memset(&f, 0, sizeof(f));
7330  memset(&ssn, 0, sizeof(ssn));
7331 
7332  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
7333  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
7334 
7335  FLOW_INITIALIZE(&f);
7336  f.protoctx = (void *)&ssn;
7337  f.proto = IPPROTO_TCP;
7338  f.flags |= FLOW_IPV4;
7339 
7340  p1->flow = &f;
7341  p1->flowflags |= FLOW_PKT_TOCLIENT;
7342  p1->flowflags |= FLOW_PKT_ESTABLISHED;
7343  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
7344  p2->flow = &f;
7345  p2->flowflags |= FLOW_PKT_TOCLIENT;
7346  p2->flowflags |= FLOW_PKT_ESTABLISHED;
7347  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
7348  f.alproto = ALPROTO_HTTP1;
7349 
7350  StreamTcpInitConfig(true);
7351 
7352  de_ctx = DetectEngineCtxInit();
7353  if (de_ctx == NULL)
7354  goto end;
7355 
7356  de_ctx->flags |= DE_QUIET;
7357 
7358  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
7359  "(msg:\"http file_data test\"; "
7360  "file_data; content:!\"MeSSaGE\"; nocase; "
7361  "sid:1;)");
7362  if (de_ctx->sig_list == NULL)
7363  goto end;
7364 
7365  SigGroupBuild(de_ctx);
7366  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
7367 
7368  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START,
7369  http_buf1, http_len1);
7370  if (r != 0) {
7371  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7372  result = 0;
7373  goto end;
7374  }
7375 
7376  http_state = f.alstate;
7377  if (http_state == NULL) {
7378  printf("no http state: ");
7379  result = 0;
7380  goto end;
7381  }
7382 
7383  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_START,
7384  http_buf2, http_len2);
7385  if (r != 0) {
7386  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7387  result = 0;
7388  goto end;
7389  }
7390 
7391  /* do detect */
7392  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
7393 
7394  if (PacketAlertCheck(p1, 1)) {
7395  printf("sid 1 matched but shouldn't have (p1): ");
7396  goto end;
7397  }
7398 
7399  r = AppLayerParserParse(
7400  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, http_buf3, http_len3);
7401  if (r != 0) {
7402  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7403  result = 0;
7404  goto end;
7405  }
7406 
7407  /* do detect */
7408  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
7409 
7410  if (PacketAlertCheck(p2, 1)) {
7411  printf("sid 1 matched but shouldn't have (p2): ");
7412  goto end;
7413  }
7414 
7415  result = 1;
7416 end:
7417  if (alp_tctx != NULL)
7418  AppLayerParserThreadCtxFree(alp_tctx);
7419  if (de_ctx != NULL)
7420  DetectEngineCtxFree(de_ctx);
7421 
7422  StreamTcpFreeConfig(true);
7423  FLOW_DESTROY(&f);
7424  UTHFreePackets(&p1, 1);
7425  UTHFreePackets(&p2, 1);
7426  return result;
7427 }
7428 
7429 static int DetectHttpServerBodyFileDataTest08(void)
7430 {
7431  TcpSession ssn;
7432  Packet *p = NULL;
7433  ThreadVars th_v;
7434  DetectEngineCtx *de_ctx = NULL;
7435  DetectEngineThreadCtx *det_ctx = NULL;
7436  HtpState *http_state = NULL;
7437  Flow f;
7438  uint8_t http_buf[] =
7439  "GET /index.html HTTP/1.0\r\n"
7440  "Host: www.openinfosecfoundation.org\r\n"
7441  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
7442  "\r\n";
7443  uint32_t http_len = sizeof(http_buf) - 1;
7444  uint8_t http_buf2[] =
7445  "HTTP/1.0 200 ok\r\n"
7446  "Content-Type: text/html\r\n"
7447  "Content-Length: 55\r\n"
7448  "\r\n"
7449  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
7450  uint32_t http_len2 = sizeof(http_buf2) - 1;
7451  int result = 0;
7452  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
7453 
7454  memset(&th_v, 0, sizeof(th_v));
7455  memset(&f, 0, sizeof(f));
7456  memset(&ssn, 0, sizeof(ssn));
7457 
7458  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
7459 
7460  FLOW_INITIALIZE(&f);
7461  f.protoctx = (void *)&ssn;
7462  f.proto = IPPROTO_TCP;
7463  f.flags |= FLOW_IPV4;
7464 
7465  p->flow = &f;
7466  p->flowflags |= FLOW_PKT_TOCLIENT;
7467  p->flowflags |= FLOW_PKT_ESTABLISHED;
7468  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
7469  f.alproto = ALPROTO_HTTP1;
7470 
7471  StreamTcpInitConfig(true);
7472 
7473  de_ctx = DetectEngineCtxInit();
7474  if (de_ctx == NULL)
7475  goto end;
7476 
7477  de_ctx->flags |= DE_QUIET;
7478 
7479  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
7480  "(msg:\"http server body test\"; "
7481  "file_data; content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; "
7482  "sid:1;)");
7483  if (de_ctx->sig_list == NULL)
7484  goto end;
7485 
7486  SigGroupBuild(de_ctx);
7487  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
7488 
7489  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1,
7490  STREAM_TOSERVER | STREAM_START | STREAM_EOF, http_buf, http_len);
7491  if (r != 0) {
7492  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7493  result = 0;
7494  goto end;
7495  }
7496  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1,
7497  STREAM_TOCLIENT | STREAM_START | STREAM_EOF, http_buf2, http_len2);
7498  if (r != 0) {
7499  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7500  result = 0;
7501  goto end;
7502  }
7503 
7504  http_state = f.alstate;
7505  if (http_state == NULL) {
7506  printf("no http state: \n");
7507  result = 0;
7508  goto end;
7509  }
7510 
7511  /* do detect */
7512  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
7513 
7514  if (!(PacketAlertCheck(p, 1))) {
7515  printf("sid 1 didn't match but should have: ");
7516  goto end;
7517  }
7518 
7519  result = 1;
7520 end:
7521  if (alp_tctx != NULL)
7522  AppLayerParserThreadCtxFree(alp_tctx);
7523  if (de_ctx != NULL)
7524  DetectEngineCtxFree(de_ctx);
7525 
7526  StreamTcpFreeConfig(true);
7527  FLOW_DESTROY(&f);
7528  UTHFreePackets(&p, 1);
7529  return result;
7530 }
7531 
7532 /** \test multiple http transactions and body chunks of request handling */
7533 static int DetectHttpServerBodyFileDataTest09(void)
7534 {
7535  int result = 0;
7536  Signature *s = NULL;
7537  DetectEngineThreadCtx *det_ctx = NULL;
7538  ThreadVars th_v;
7539  Flow f;
7540  TcpSession ssn;
7541  Packet *p = NULL;
7542  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
7543  "User-Agent: Mozilla/1.0\r\n"
7544  "Host: www.openinfosecfoundation.org\r\n"
7545  "Connection: keep-alive\r\n"
7546  "Cookie: dummy1\r\n\r\n";
7547  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
7548  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
7549  "Content-Type: text/html\r\n"
7550  "Content-Length: 3\r\n"
7551  "\r\n"
7552  "one";
7553  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
7554  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
7555  "User-Agent: Firefox/1.0\r\n"
7556  "Host: www.openinfosecfoundation.org\r\n"
7557  "Connection: keep-alive\r\n"
7558  "Cookie: dummy2\r\n\r\n";
7559  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
7560  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
7561  "Content-Type: text/html\r\n"
7562  "Content-Length: 3\r\n"
7563  "\r\n"
7564  "two";
7565  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
7566  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
7567 
7568  memset(&th_v, 0, sizeof(th_v));
7569  memset(&f, 0, sizeof(f));
7570  memset(&ssn, 0, sizeof(ssn));
7571 
7572  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
7573 
7574  FLOW_INITIALIZE(&f);
7575  f.protoctx = (void *)&ssn;
7576  f.proto = IPPROTO_TCP;
7577  f.flags |= FLOW_IPV4;
7578 
7579  p->flow = &f;
7580  p->flowflags |= FLOW_PKT_TOCLIENT;
7581  p->flowflags |= FLOW_PKT_ESTABLISHED;
7582  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
7583  f.alproto = ALPROTO_HTTP1;
7584 
7585  StreamTcpInitConfig(true);
7586 
7587  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
7588  if (de_ctx == NULL) {
7589  goto end;
7590  }
7591 
7592  de_ctx->flags |= DE_QUIET;
7593 
7594  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"one\"; sid:1; rev:1;)");
7595  if (s == NULL) {
7596  printf("sig parse failed: ");
7597  goto end;
7598  }
7599  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
7600  if (s == NULL) {
7601  printf("sig2 parse failed: ");
7602  goto end;
7603  }
7604 
7605  SigGroupBuild(de_ctx);
7606  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
7607 
7608  int r = AppLayerParserParse(
7609  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
7610  if (r != 0) {
7611  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7612  goto end;
7613  }
7614 
7615  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
7616  if (r != 0) {
7617  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
7618  goto end;
7619  }
7620 
7621  /* do detect */
7622  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
7623  if (!(PacketAlertCheck(p, 1))) {
7624  printf("sig 1 didn't alert (tx 1): ");
7625  goto end;
7626  }
7627  p->alerts.cnt = 0;
7628 
7629  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
7630  if (r != 0) {
7631  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
7632  goto end;
7633  }
7634 
7635  r = AppLayerParserParse(
7636  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
7637  if (r != 0) {
7638  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
7639  goto end;
7640  }
7641 
7642  /* do detect */
7643  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
7644  if ((PacketAlertCheck(p, 1))) {
7645  printf("sig 1 alerted (tx 2): ");
7646  goto end;
7647  }
7648  if (!(PacketAlertCheck(p, 2))) {
7649  printf("sig 2 didn't alert (tx 2): ");
7650  goto end;
7651  }
7652  p->alerts.cnt = 0;
7653 
7654  HtpState *htp_state = f.alstate;
7655  if (htp_state == NULL) {
7656  printf("no http state: ");
7657  goto end;
7658  }
7659 
7660  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
7661  printf("The http app layer doesn't have 2 transactions, but it should: ");
7662  goto end;
7663  }
7664 
7665  result = 1;
7666 end:
7667  if (alp_tctx != NULL)
7668  AppLayerParserThreadCtxFree(alp_tctx);
7669  if (det_ctx != NULL) {
7670  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
7671  }
7672  if (de_ctx != NULL) {
7673  DetectEngineCtxFree(de_ctx);
7674  }
7675 
7676  StreamTcpFreeConfig(true);
7677  FLOW_DESTROY(&f);
7678  UTHFreePacket(p);
7679  return result;
7680 }
7681 
7682 static int DetectHttpServerBodyFileDataTest10(void)
7683 {
7684  int result = 0;
7685  Signature *s = NULL;
7686  DetectEngineThreadCtx *det_ctx = NULL;
7687  ThreadVars th_v;
7688  Flow f;
7689  TcpSession ssn;
7690  Packet *p = NULL;
7691  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
7692  "User-Agent: Mozilla/1.0\r\n"
7693  "Host: www.openinfosecfoundation.org\r\n"
7694  "Connection: keep-alive\r\n"
7695  "Cookie: dummy1\r\n\r\n";
7696  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
7697  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
7698  "Content-Type: text/html\r\n"
7699  "Content-Length: 3\r\n"
7700  "\r\n"
7701  "one";
7702  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
7703  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
7704  "User-Agent: Firefox/1.0\r\n"
7705  "Host: www.openinfosecfoundation.org\r\n"
7706  "Connection: keep-alive\r\n"
7707  "Cookie: dummy2\r\n\r\n";
7708  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
7709  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
7710  "Content-Type: text/html\r\n"
7711  "Content-Length: 3\r\n"
7712  "\r\n"
7713  "two";
7714  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
7715  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
7716 
7717  memset(&th_v, 0, sizeof(th_v));
7718  memset(&f, 0, sizeof(f));
7719  memset(&ssn, 0, sizeof(ssn));
7720 
7721  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
7722 
7723  FLOW_INITIALIZE(&f);
7724  f.protoctx = (void *)&ssn;
7725  f.proto = IPPROTO_TCP;
7726  f.flags |= FLOW_IPV4;
7727 
7728  p->flow = &f;
7729  p->flowflags |= FLOW_PKT_TOCLIENT;
7730  p->flowflags |= FLOW_PKT_ESTABLISHED;
7731  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
7732  f.alproto = ALPROTO_HTTP1;
7733 
7734  StreamTcpInitConfig(true);
7735 
7736  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
7737  if (de_ctx == NULL) {
7738  goto end;
7739  }
7740 
7741  de_ctx->flags |= DE_QUIET;
7742 
7743  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"one\"; sid:1; rev:1;)");
7744  if (s == NULL) {
7745  printf("sig parse failed: ");
7746  goto end;
7747  }
7748  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
7749  if (s == NULL) {
7750  printf("sig2 parse failed: ");
7751  goto end;
7752  }
7753 
7754  SigGroupBuild(de_ctx);
7755  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
7756 
7757  int r = AppLayerParserParse(
7758  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
7759  if (r != 0) {
7760  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
7761  goto end;
7762  }
7763 
7764  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
7765  if (r != 0) {
7766  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
7767  goto end;
7768  }
7769 
7770  /* do detect */
7771  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
7772  if (!(PacketAlertCheck(p, 1))) {
7773  printf("sig 1 didn't alert (tx 1): ");
7774  goto end;
7775  }
7776  p->alerts.cnt = 0;
7777 
7778  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
7779  if (r != 0) {
7780  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
7781  goto end;
7782  }
7783 
7784  r = AppLayerParserParse(
7785  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
7786  if (r != 0) {
7787  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
7788  goto end;
7789  }
7790 
7791  /* do detect */
7792  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
7793  if ((PacketAlertCheck(p, 1))) {
7794  printf("sig 1 alerted (tx 2): ");
7795  goto end;
7796  }
7797  if (!(PacketAlertCheck(p, 2))) {
7798  printf("sig 2 didn't alert (tx 2): ");
7799  goto end;
7800  }
7801  p->alerts.cnt = 0;
7802 
7803  HtpState *htp_state = f.alstate;
7804  if (htp_state == NULL) {
7805  printf("no http state: ");
7806  goto end;
7807  }
7808 
7809  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
7810  printf("The http app layer doesn't have 2 transactions, but it should: ");
7811  goto end;
7812  }
7813 
7814  result = 1;
7815 end:
7816  if (alp_tctx != NULL)
7817  AppLayerParserThreadCtxFree(alp_tctx);
7818  if (det_ctx != NULL) {
7819  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
7820  }
7821  if (de_ctx != NULL) {
7822  DetectEngineCtxFree(de_ctx);
7823  }
7824 
7825  StreamTcpFreeConfig(true);
7826  FLOW_DESTROY(&f);
7827  UTHFreePacket(p);
7828  return result;
7829 }
7830 
7831 void DetectHttpServerBodyRegisterTests(void)
7832 {
7833  UtRegisterTest("DetectHttpServerBodyParserTest01", DetectHttpServerBodyParserTest01);
7834  UtRegisterTest("DetectHttpServerBodyParserTest02", DetectHttpServerBodyParserTest02);
7835 
7836  UtRegisterTest("DetectHttpServerBodyTest06", DetectHttpServerBodyTest06);
7837  UtRegisterTest("DetectHttpServerBodyTest07", DetectHttpServerBodyTest07);
7838  UtRegisterTest("DetectHttpServerBodyTest08", DetectHttpServerBodyTest08);
7839  UtRegisterTest("DetectHttpServerBodyTest09", DetectHttpServerBodyTest09);
7840  UtRegisterTest("DetectHttpServerBodyTest10", DetectHttpServerBodyTest10);
7841  UtRegisterTest("DetectHttpServerBodyTest11", DetectHttpServerBodyTest11);
7842  UtRegisterTest("DetectHttpServerBodyTest12", DetectHttpServerBodyTest12);
7843  UtRegisterTest("DetectHttpServerBodyTest13", DetectHttpServerBodyTest13);
7844  UtRegisterTest("DetectHttpServerBodyTest14", DetectHttpServerBodyTest14);
7845  UtRegisterTest("DetectHttpServerBodyTest15", DetectHttpServerBodyTest15);
7846 
7847  UtRegisterTest("DetectHttpServerBodyFileDataTest01",
7848  DetectHttpServerBodyFileDataTest01);
7849  UtRegisterTest("DetectHttpServerBodyFileDataTest02",
7850  DetectHttpServerBodyFileDataTest02);
7851  UtRegisterTest("DetectHttpServerBodyFileDataTest03",
7852  DetectHttpServerBodyFileDataTest03);
7853  UtRegisterTest("DetectHttpServerBodyFileDataTest04",
7854  DetectHttpServerBodyFileDataTest04);
7855  UtRegisterTest("DetectHttpServerBodyFileDataTest05",
7856  DetectHttpServerBodyFileDataTest05);
7857  UtRegisterTest("DetectHttpServerBodyFileDataTest06",
7858  DetectHttpServerBodyFileDataTest06);
7859  UtRegisterTest("DetectHttpServerBodyFileDataTest07",
7860  DetectHttpServerBodyFileDataTest07);
7861  UtRegisterTest("DetectHttpServerBodyFileDataTest08",
7862  DetectHttpServerBodyFileDataTest08);
7863  UtRegisterTest("DetectHttpServerBodyFileDataTest09",
7864  DetectHttpServerBodyFileDataTest09);
7865  UtRegisterTest("DetectHttpServerBodyFileDataTest10",
7866  DetectHttpServerBodyFileDataTest10);
7867 
7868  UtRegisterTest("DetectEngineHttpServerBodyTest01",
7869  DetectEngineHttpServerBodyTest01);
7870  UtRegisterTest("DetectEngineHttpServerBodyTest02",
7871  DetectEngineHttpServerBodyTest02);
7872  UtRegisterTest("DetectEngineHttpServerBodyTest03",
7873  DetectEngineHttpServerBodyTest03);
7874  UtRegisterTest("DetectEngineHttpServerBodyTest04",
7875  DetectEngineHttpServerBodyTest04);
7876  UtRegisterTest("DetectEngineHttpServerBodyTest05",
7877  DetectEngineHttpServerBodyTest05);
7878  UtRegisterTest("DetectEngineHttpServerBodyTest06",
7879  DetectEngineHttpServerBodyTest06);
7880  UtRegisterTest("DetectEngineHttpServerBodyTest07",
7881  DetectEngineHttpServerBodyTest07);
7882  UtRegisterTest("DetectEngineHttpServerBodyTest08",
7883  DetectEngineHttpServerBodyTest08);
7884  UtRegisterTest("DetectEngineHttpServerBodyTest09",
7885  DetectEngineHttpServerBodyTest09);
7886  UtRegisterTest("DetectEngineHttpServerBodyTest10",
7887  DetectEngineHttpServerBodyTest10);
7888  UtRegisterTest("DetectEngineHttpServerBodyTest11",
7889  DetectEngineHttpServerBodyTest11);
7890  UtRegisterTest("DetectEngineHttpServerBodyTest12",
7891  DetectEngineHttpServerBodyTest12);
7892  UtRegisterTest("DetectEngineHttpServerBodyTest13",
7893  DetectEngineHttpServerBodyTest13);
7894  UtRegisterTest("DetectEngineHttpServerBodyTest14",
7895  DetectEngineHttpServerBodyTest14);
7896  UtRegisterTest("DetectEngineHttpServerBodyTest15",
7897  DetectEngineHttpServerBodyTest15);
7898  UtRegisterTest("DetectEngineHttpServerBodyTest16",
7899  DetectEngineHttpServerBodyTest16);
7900  UtRegisterTest("DetectEngineHttpServerBodyTest17",
7901  DetectEngineHttpServerBodyTest17);
7902  UtRegisterTest("DetectEngineHttpServerBodyTest18",
7903  DetectEngineHttpServerBodyTest18);
7904  UtRegisterTest("DetectEngineHttpServerBodyTest19",
7905  DetectEngineHttpServerBodyTest19);
7906  UtRegisterTest("DetectEngineHttpServerBodyTest20",
7907  DetectEngineHttpServerBodyTest20);
7908  UtRegisterTest("DetectEngineHttpServerBodyTest21",
7909  DetectEngineHttpServerBodyTest21);
7910  UtRegisterTest("DetectEngineHttpServerBodyTest22",
7911  DetectEngineHttpServerBodyTest22);
7912 
7913  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest01",
7914  DetectEngineHttpServerBodyFileDataTest01);
7915  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest02",
7916  DetectEngineHttpServerBodyFileDataTest02);
7917  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest03",
7918  DetectEngineHttpServerBodyFileDataTest03);
7919  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest04",
7920  DetectEngineHttpServerBodyFileDataTest04);
7921  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest05",
7922  DetectEngineHttpServerBodyFileDataTest05);
7923  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest06",
7924  DetectEngineHttpServerBodyFileDataTest06);
7925  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest07",
7926  DetectEngineHttpServerBodyFileDataTest07);
7927  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest08",
7928  DetectEngineHttpServerBodyFileDataTest08);
7929  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest09",
7930  DetectEngineHttpServerBodyFileDataTest09);
7931  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest10",
7932  DetectEngineHttpServerBodyFileDataTest10);
7933  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest11",
7934  DetectEngineHttpServerBodyFileDataTest11);
7935  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest12",
7936  DetectEngineHttpServerBodyFileDataTest12);
7937  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest13",
7938  DetectEngineHttpServerBodyFileDataTest13);
7939  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest14",
7940  DetectEngineHttpServerBodyFileDataTest14);
7941  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest15",
7942  DetectEngineHttpServerBodyFileDataTest15);
7943  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest16",
7944  DetectEngineHttpServerBodyFileDataTest16);
7945  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest17",
7946  DetectEngineHttpServerBodyFileDataTest17);
7947  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest18",
7948  DetectEngineHttpServerBodyFileDataTest18);
7949 
7950  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest19",
7951  DetectEngineHttpServerBodyFileDataTest19);
7952  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest20",
7953  DetectEngineHttpServerBodyFileDataTest20);
7954  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest21",
7955  DetectEngineHttpServerBodyFileDataTest21);
7956  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest22",
7957  DetectEngineHttpServerBodyFileDataTest22);
7958  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest23",
7959  DetectEngineHttpServerBodyFileDataTest23);
7960  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest24",
7961  DetectEngineHttpServerBodyFileDataTest24);
7962  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest25",
7963  DetectEngineHttpServerBodyFileDataTest25);
7964  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest26",
7965  DetectEngineHttpServerBodyFileDataTest26);
7966  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest27",
7967  DetectEngineHttpServerBodyFileDataTest27);
7968  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest28",
7969  DetectEngineHttpServerBodyFileDataTest28);
7970  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest29",
7971  DetectEngineHttpServerBodyFileDataTest29);
7972 }
TestSteps
Definition: detect-http-client-body.c:107
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition: util-unittest-helper.c:871
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1022
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
TestSteps::direction
int direction
Definition: detect-http-client-body.c:110
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
TestSteps::input
const uint8_t * input
Definition: detect-http-client-body.c:108
Flow_::proto
uint8_t proto
Definition: flow.h:373
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:290
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:306
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:324
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1897
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
Flow_::protoctx
void * protoctx
Definition: flow.h:441
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:601
HTPConfigure
void HTPConfigure(void)
Definition: app-layer-htp.c:2996
HtpState_
Definition: app-layer-htp.h:244
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
TestSteps::expect
int expect
Definition: detect-http-client-body.c:111
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
HtpConfigCreateBackup
void HtpConfigCreateBackup(void)
Definition: app-layer-htp.c:3317
DetectEngineThreadCtx_
Definition: detect.h:1095
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:248
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:243
ConfYamlLoadString
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:522
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
Packet_
Definition: decode.h:437
ConfCreateContextBackup
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:670
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:224
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:285
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1286
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
ConfRestoreContextBackup
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:682
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:847
HtpConfigRestoreBackup
void HtpConfigRestoreBackup(void)
Definition: app-layer-htp.c:3324
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:448
Flow_::alstate
void * alstate
Definition: flow.h:476
Flow_::flags
uint32_t flags
Definition: flow.h:421
Signature_
Signature container.
Definition: detect.h:596
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:841
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:59
TcpSession_
Definition: stream-tcp-private.h:283
HTPFreeConfig
void HTPFreeConfig(void)
Clears the HTTP server configuration memory used by HTP library.
Definition: app-layer-htp.c:2104
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
DetectHttpServerBodyRegisterTests
void DetectHttpServerBodyRegisterTests(void)
Definition: detect-http-server-body.c:7831
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1101
TestSteps::input_size
size_t input_size
Definition: detect-http-client-body.c:109
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1019
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:431