suricata
detect-http-server-body.c
Go to the documentation of this file.
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <giuseppe@glongo.it>
22  *
23  * Tests for the hsbd with swf files
24  */
25 
26 #include "../suricata-common.h"
27 #include "../conf-yaml-loader.h"
28 #include "../decode.h"
29 #include "../flow.h"
30 #include "../detect.h"
31 #include "../detect-engine-build.h"
32 #include "../detect-engine-alert.h"
33 
34 /**
35  * \test Test parser accepting valid rules and rejecting invalid rules
36  */
37 static int DetectHttpServerBodyParserTest01(void)
38 {
39  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", true));
40  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)", true));
41  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)", true));
42  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)", true));
43  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)", true));
44 
45  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)", false));
46  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http_server_body; sid:1;)", false));
47  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", false));
48  PASS;
49 }
50 
51 /**
52  * \test Test parser accepting valid rules and rejecting invalid rules
53  */
54 static int DetectHttpServerBodyParserTest02(void)
55 {
56  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", true));
57  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)", true));
58  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)", true));
59  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)", true));
60  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
61  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; bsize:10; sid:1;)", true));
62 
63  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)", false));
64  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http.response_body; sid:1;)", false));
65  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", false));
66  PASS;
67 }
68 struct TestSteps {
69  const uint8_t *input;
70  size_t input_size; /**< if 0 strlen will be used */
71  int direction; /**< STREAM_TOSERVER, STREAM_TOCLIENT */
72  int expect;
73 };
74 
75 static int RunTest(struct TestSteps *steps, const char *sig, const char *yaml)
76 {
77  TcpSession ssn;
78  Flow f;
79  ThreadVars th_v;
80  DetectEngineThreadCtx *det_ctx = NULL;
81  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
82  FAIL_IF_NULL(alp_tctx);
83 
84  memset(&th_v, 0, sizeof(th_v));
85  memset(&f, 0, sizeof(f));
86  memset(&ssn, 0, sizeof(ssn));
87 
88  if (yaml) {
89  SCConfCreateContextBackup();
90  SCConfInit();
91  HtpConfigCreateBackup();
92 
93  SCConfYamlLoadString(yaml, strlen(yaml));
94  HTPConfigure();
95  EngineModeSetIPS();
96  }
97 
98  StreamTcpInitConfig(true);
99 
100  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
101  FAIL_IF_NULL(de_ctx);
102  de_ctx->flags |= DE_QUIET;
103 
104  FLOW_INITIALIZE(&f);
105  f.protoctx = (void *)&ssn;
106  f.proto = IPPROTO_TCP;
107  f.flags |= FLOW_IPV4;
108  f.alproto = ALPROTO_HTTP1;
109 
110  SCLogDebug("sig %s", sig);
111  Signature *s = DetectEngineAppendSig(de_ctx, (char *)sig);
112  FAIL_IF_NULL(s);
113 
114  SigGroupBuild(de_ctx);
115  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
116  FAIL_IF_NULL(det_ctx);
117 
118  struct TestSteps *b = steps;
119  int i = 0;
120  while (b->input != NULL) {
121  SCLogDebug("chunk %p %d", b, i);
122  (void)i;
123  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
124  FAIL_IF_NULL(p);
125  p->flow = &f;
126  p->flowflags = (b->direction == STREAM_TOSERVER) ? FLOW_PKT_TOSERVER : FLOW_PKT_TOCLIENT;
127  p->flowflags |= FLOW_PKT_ESTABLISHED;
128  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
129 
130  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, b->direction,
131  (uint8_t *)b->input,
132  b->input_size ? b->input_size : strlen((const char *)b->input));
133  FAIL_IF_NOT(r == 0);
134 
135  /* do detect */
136  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
137 
138  int match = PacketAlertCheck(p, 1);
139  FAIL_IF_NOT(b->expect == match);
140 
141  UTHFreePackets(&p, 1);
142  b++;
143  i++;
144  }
145 
146  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
147  AppLayerParserThreadCtxFree(alp_tctx);
148  DetectEngineCtxFree(de_ctx);
149 
150  StreamTcpFreeConfig(true);
151  FLOW_DESTROY(&f);
152 
153  if (yaml) {
154  HTPFreeConfig();
155  SCConfDeInit();
156  HtpConfigRestoreBackup();
157  SCConfRestoreContextBackup();
158  EngineModeSetIDS();
159  }
160  StatsThreadCleanup(&th_v);
161  PASS;
162 }
163 
164 static int DetectEngineHttpServerBodyTest01(void)
165 {
166  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
167  "Host: www.openinfosecfoundation.org\r\n"
168  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
169  "Gecko/20091221 Firefox/3.5.7\r\n"
170  "\r\n";
171  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
172  "Content-Type: text/html\r\n"
173  "Content-Length: 7\r\n"
174  "\r\n"
175  "message";
176  struct TestSteps steps[] = {
177  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
178  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
179  { NULL, 0, 0, 0 },
180  };
181 
182  const char *sig = "alert http any any -> any any "
183  "(msg:\"http server body test\"; "
184  "content:\"message\"; http_server_body; "
185  "sid:1;)";
186  return RunTest(steps, sig, NULL);
187 }
188 
189 static int DetectEngineHttpServerBodyTest02(void)
190 {
191  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
192  "Host: www.openinfosecfoundation.org\r\n"
193  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
194  "Gecko/20091221 Firefox/3.5.7\r\n"
195  "\r\n";
196  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
197  "Content-Type: text/html\r\n"
198  "Content-Length: 7\r\n"
199  "\r\n"
200  "xxxxABC";
201  struct TestSteps steps[] = {
202  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
203  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
204  { NULL, 0, 0, 0 },
205  };
206 
207  const char *sig = "alert http any any -> any any "
208  "(msg:\"http server body test\"; "
209  "content:\"ABC\"; http_server_body; offset:4; "
210  "sid:1;)";
211  return RunTest(steps, sig, NULL);
212 }
213 
214 static int DetectEngineHttpServerBodyTest03(void)
215 {
216  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
217  "Host: www.openinfosecfoundation.org\r\n"
218  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
219  "Gecko/20091221 Firefox/3.5.7\r\n"
220  "\r\n";
221  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
222  "Content-Type: text/html\r\n"
223  "Content-Length: 17\r\n"
224  "\r\n"
225  "1234567";
226  uint8_t http_buf3[] = "8901234ABC";
227  struct TestSteps steps[] = {
228  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
229  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
230  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
231  { NULL, 0, 0, 0 },
232  };
233 
234  const char *sig = "alert http any any -> any any "
235  "(msg:\"http server body test\"; "
236  "content:\"ABC\"; http_server_body; offset:14; "
237  "sid:1;)";
238  return RunTest(steps, sig, NULL);
239 }
240 
241 static int DetectEngineHttpServerBodyTest04(void)
242 {
243  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
244  "Host: www.openinfosecfoundation.org\r\n"
245  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
246  "Gecko/20091221 Firefox/3.5.7\r\n"
247  "\r\n";
248  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
249  "Content-Type: text/html\r\n"
250  "Content-Length: 6\r\n"
251  "\r\n"
252  "abcdef";
253  struct TestSteps steps[] = {
254  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
255  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
256  { NULL, 0, 0, 0 },
257  };
258  const char *sig = "alert http any any -> any any "
259  "(msg:\"http server body test\"; "
260  "content:!\"abc\"; http_server_body; offset:3; "
261  "sid:1;)";
262  return RunTest(steps, sig, NULL);
263 }
264 
265 static int DetectEngineHttpServerBodyTest05(void)
266 {
267  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
268  "Host: www.openinfosecfoundation.org\r\n"
269  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
270  "Gecko/20091221 Firefox/3.5.7\r\n"
271  "\r\n";
272  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
273  "Content-Type: text/html\r\n"
274  "Content-Length: 6\r\n"
275  "\r\n"
276  "abcdef";
277  struct TestSteps steps[] = {
278  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
279  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
280  { NULL, 0, 0, 0 },
281  };
282  const char *sig = "alert http any any -> any any "
283  "(msg:\"http server body test\"; "
284  "content:\"abc\"; http_server_body; depth:3; "
285  "sid:1;)";
286  return RunTest(steps, sig, NULL);
287 }
288 
289 static int DetectEngineHttpServerBodyTest06(void)
290 {
291  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
292  "Host: www.openinfosecfoundation.org\r\n"
293  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
294  "Gecko/20091221 Firefox/3.5.7\r\n"
295  "\r\n";
296  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
297  "Content-Type: text/html\r\n"
298  "Content-Length: 6\r\n"
299  "\r\n"
300  "abcdef";
301  struct TestSteps steps[] = {
302  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
303  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
304  { NULL, 0, 0, 0 },
305  };
306  const char *sig = "alert http any any -> any any "
307  "(msg:\"http server body test\"; "
308  "content:!\"def\"; http_server_body; depth:3; "
309  "sid:1;)";
310  return RunTest(steps, sig, NULL);
311 }
312 
313 static int DetectEngineHttpServerBodyTest07(void)
314 {
315  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
316  "Host: www.openinfosecfoundation.org\r\n"
317  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
318  "Gecko/20091221 Firefox/3.5.7\r\n"
319  "\r\n";
320  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
321  "Content-Type: text/html\r\n"
322  "Content-Length: 6\r\n"
323  "\r\n"
324  "abcdef";
325  struct TestSteps steps[] = {
326  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
327  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
328  { NULL, 0, 0, 0 },
329  };
330  const char *sig = "alert http any any -> any any "
331  "(msg:\"http server body test\"; "
332  "content:!\"def\"; http_server_body; offset:3; "
333  "sid:1;)";
334  return RunTest(steps, sig, NULL);
335 }
336 
337 static int DetectEngineHttpServerBodyTest08(void)
338 {
339  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
340  "Host: www.openinfosecfoundation.org\r\n"
341  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
342  "Gecko/20091221 Firefox/3.5.7\r\n"
343  "\r\n";
344  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
345  "Content-Type: text/html\r\n"
346  "Content-Length: 6\r\n"
347  "\r\n"
348  "abcdef";
349 
350  struct TestSteps steps[] = {
351  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
352  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
353  { NULL, 0, 0, 0 },
354  };
355  const char *sig = "alert http any any -> any any "
356  "(msg:\"http server body test\"; "
357  "content:!\"abc\"; http_server_body; depth:3; "
358  "sid:1;)";
359  return RunTest(steps, sig, NULL);
360 }
361 
362 static int DetectEngineHttpServerBodyTest09(void)
363 {
364  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
365  "Host: www.openinfosecfoundation.org\r\n"
366  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
367  "Gecko/20091221 Firefox/3.5.7\r\n"
368  "\r\n";
369  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
370  "Content-Type: text/html\r\n"
371  "Content-Length: 6\r\n"
372  "\r\n"
373  "abcdef";
374  struct TestSteps steps[] = {
375  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
376  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
377  { NULL, 0, 0, 0 },
378  };
379  const char *sig = "alert http any any -> any any "
380  "(msg:\"http server body test\"; "
381  "content:\"abc\"; http_server_body; depth:3; "
382  "content:\"def\"; http_server_body; within:3; "
383  "sid:1;)";
384  return RunTest(steps, sig, NULL);
385 }
386 
387 static int DetectEngineHttpServerBodyTest10(void)
388 {
389  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
390  "Host: www.openinfosecfoundation.org\r\n"
391  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
392  "Gecko/20091221 Firefox/3.5.7\r\n"
393  "\r\n";
394  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
395  "Content-Type: text/html\r\n"
396  "Content-Length: 6\r\n"
397  "\r\n"
398  "abcdef";
399  struct TestSteps steps[] = {
400  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
401  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
402  { NULL, 0, 0, 0 },
403  };
404  const char *sig = "alert http any any -> any any "
405  "(msg:\"http server body test\"; "
406  "content:\"abc\"; http_server_body; depth:3; "
407  "content:!\"xyz\"; http_server_body; within:3; "
408  "sid:1;)";
409  return RunTest(steps, sig, NULL);
410 }
411 
412 static int DetectEngineHttpServerBodyTest11(void)
413 {
414  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
415  "Host: www.openinfosecfoundation.org\r\n"
416  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
417  "Gecko/20091221 Firefox/3.5.7\r\n"
418  "\r\n";
419  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
420  "Content-Type: text/html\r\n"
421  "Content-Length: 6\r\n"
422  "\r\n"
423  "abcdef";
424  struct TestSteps steps[] = {
425  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
426  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
427  { NULL, 0, 0, 0 },
428  };
429  const char *sig = "alert http any any -> any any "
430  "(msg:\"http server body test\"; "
431  "content:\"abc\"; http_server_body; depth:3; "
432  "content:\"xyz\"; http_server_body; within:3; "
433  "sid:1;)";
434  return RunTest(steps, sig, NULL);
435 }
436 
437 static int DetectEngineHttpServerBodyTest12(void)
438 {
439  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
440  "Host: www.openinfosecfoundation.org\r\n"
441  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
442  "Gecko/20091221 Firefox/3.5.7\r\n"
443  "\r\n";
444  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
445  "Content-Type: text/html\r\n"
446  "Content-Length: 6\r\n"
447  "\r\n"
448  "abcdef";
449  struct TestSteps steps[] = {
450  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
451  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
452  { NULL, 0, 0, 0 },
453  };
454  const char *sig = "alert http any any -> any any "
455  "(msg:\"http server body test\"; "
456  "content:\"ab\"; http_server_body; depth:2; "
457  "content:\"ef\"; http_server_body; distance:2; "
458  "sid:1;)";
459  return RunTest(steps, sig, NULL);
460 }
461 
462 static int DetectEngineHttpServerBodyTest13(void)
463 {
464  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
465  "Host: www.openinfosecfoundation.org\r\n"
466  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
467  "Gecko/20091221 Firefox/3.5.7\r\n"
468  "\r\n";
469  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
470  "Content-Type: text/html\r\n"
471  "Content-Length: 6\r\n"
472  "\r\n"
473  "abcdef";
474  struct TestSteps steps[] = {
475  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
476  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
477  { NULL, 0, 0, 0 },
478  };
479  const char *sig = "alert http any any -> any any "
480  "(msg:\"http server body test\"; "
481  "content:\"ab\"; http_server_body; depth:3; "
482  "content:!\"yz\"; http_server_body; distance:2; "
483  "sid:1;)";
484  return RunTest(steps, sig, NULL);
485 }
486 
487 static int DetectEngineHttpServerBodyTest14(void)
488 {
489  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
490  "Host: www.openinfosecfoundation.org\r\n"
491  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
492  "Gecko/20091221 Firefox/3.5.7\r\n"
493  "\r\n";
494  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
495  "Content-Type: text/html\r\n"
496  "Content-Length: 6\r\n"
497  "\r\n"
498  "abcdef";
499  struct TestSteps steps[] = {
500  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
501  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
502  { NULL, 0, 0, 0 },
503  };
504  const char *sig = "alert http any any -> any any "
505  "(msg:\"http server body test\"; "
506  "pcre:/ab/Q; "
507  "content:\"ef\"; http_server_body; distance:2; "
508  "sid:1;)";
509  return RunTest(steps, sig, NULL);
510 }
511 
512 static int DetectEngineHttpServerBodyTest15(void)
513 {
514  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
515  "Host: www.openinfosecfoundation.org\r\n"
516  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
517  "Gecko/20091221 Firefox/3.5.7\r\n"
518  "\r\n";
519  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
520  "Content-Type: text/html\r\n"
521  "Content-Length: 6\r\n"
522  "\r\n"
523  "abcdef";
524  struct TestSteps steps[] = {
525  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
526  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
527  { NULL, 0, 0, 0 },
528  };
529  const char *sig = "alert http any any -> any any "
530  "(msg:\"http server body test\"; "
531  "pcre:/abc/Q; "
532  "content:!\"xyz\"; http_server_body; distance:0; within:3; "
533  "sid:1;)";
534  return RunTest(steps, sig, NULL);
535 }
536 
537 static int DetectEngineHttpServerBodyTest16(void)
538 {
539  char input[] = "\
540 %YAML 1.1\n\
541 ---\n\
542 libhtp:\n\
543 \n\
544  default-config:\n\
545  personality: IDS\n\
546  request-body-limit: 0\n\
547  response-body-limit: 0\n\
548 \n\
549  request-body-inspect-window: 0\n\
550  response-body-inspect-window: 0\n\
551  request-body-minimal-inspect-size: 0\n\
552  response-body-minimal-inspect-size: 0\n\
553 ";
554  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
555  "Host: www.openinfosecfoundation.org\r\n"
556  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
557  "Gecko/20091221 Firefox/3.5.7\r\n"
558  "\r\n";
559  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
560  "Content-Type: text/html\r\n"
561  "Content-Length: 17\r\n"
562  "\r\n"
563  "1234567";
564  uint8_t http_buf3[] = "8901234ABC";
565  struct TestSteps steps[] = {
566  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
567  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
568  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
569  { NULL, 0, 0, 0 },
570  };
571  const char *sig = "alert http any any -> any any ("
572  "content:\"890\"; within:3; http_server_body; "
573  "sid:1;)";
574  return RunTest(steps, sig, input);
575 }
576 
577 static int DetectEngineHttpServerBodyTest17(void)
578 {
579  char input[] = "\
580 %YAML 1.1\n\
581 ---\n\
582 libhtp:\n\
583 \n\
584  default-config:\n\
585  personality: IDS\n\
586  request-body-limit: 0\n\
587  response-body-limit: 0\n\
588 \n\
589  request-body-inspect-window: 0\n\
590  response-body-inspect-window: 0\n\
591  request-body-minimal-inspect-size: 0\n\
592  response-body-minimal-inspect-size: 0\n\
593 ";
594  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
595  "Host: www.openinfosecfoundation.org\r\n"
596  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
597  "Gecko/20091221 Firefox/3.5.7\r\n"
598  "\r\n";
599  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
600  "Content-Type: text/html\r\n"
601  "Content-Length: 17\r\n"
602  "\r\n"
603  "1234567";
604  uint8_t http_buf3[] = "8901234ABC";
605  struct TestSteps steps[] = {
606  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
607  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
608  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
609  { NULL, 0, 0, 0 },
610  };
611  const char *sig = "alert http any any -> any any ("
612  "content:\"890\"; depth:3; http_server_body; "
613  "sid:1;)";
614  return RunTest(steps, sig, input);
615 }
616 
617 /*
618  * gzip stream
619  */
620 static int DetectEngineHttpServerBodyTest18(void)
621 {
622  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
623  "Host: www.openinfosecfoundation.org\r\n"
624  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
625  "Gecko/20091221 Firefox/3.5.7\r\n"
626  "\r\n";
627  // clang-format off
628  uint8_t http_buf2[] = {
629  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
630  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
631  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
632  'g', 'z', 'i', 'p', 0x0d, 0x0a,
633  0x0d, 0x0a,
634  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
635  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
636  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
637  0x00, 0x00, 0x00,
638  };
639  // clang-format on
640  struct TestSteps steps[] = {
641  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
642  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
643  { NULL, 0, 0, 0 },
644  };
645  const char *sig = "alert http any any -> any any "
646  "(msg:\"http server body test\"; "
647  "content:\"file\"; http_server_body; "
648  "sid:1;)";
649  return RunTest(steps, sig, NULL);
650 }
651 
652 /*
653  * deflate stream
654  */
655 static int DetectEngineHttpServerBodyTest19(void)
656 {
657  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
658  "Host: www.openinfosecfoundation.org\r\n"
659  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
660  "Gecko/20091221 Firefox/3.5.7\r\n"
661  "\r\n";
662  // clang-format off
663  uint8_t http_buf2[] = {
664  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
665  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
666  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
667  'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
668  0x0d, 0x0a,
669  0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54, 0x85, 0xcc, 0x3c,
670  0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00,
671  };
672  // clang-format on
673  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
674  struct TestSteps steps[] = {
675  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
676  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
677  { NULL, 0, 0, 0 },
678  };
679  const char *sig = "alert http any any -> any any "
680  "(msg:\"http server body test\"; "
681  "content:\"file\"; http_server_body; "
682  "sid:1;)";
683  return RunTest(steps, sig, NULL);
684 }
685 
686 /*
687  * deflate stream with gzip set as content-encoding
688  */
689 static int DetectEngineHttpServerBodyTest20(void)
690 {
691  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
692  "Host: www.openinfosecfoundation.org\r\n"
693  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
694  "Gecko/20091221 Firefox/3.5.7\r\n"
695  "\r\n";
696  // clang-format off
697  uint8_t http_buf2[] = {
698  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
699  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
700  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
701  'g', 'z', 'i', 'p', 0x0d, 0x0a,
702  0x0d, 0x0a,
703  0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54, 0x85, 0xcc, 0x3c,
704  0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00,
705  };
706  // clang-format on
707  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
708  struct TestSteps steps[] = {
709  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
710  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
711  { NULL, 0, 0, 0 },
712  };
713  const char *sig = "alert http any any -> any any "
714  "(msg:\"http server body test\"; "
715  "content:\"file\"; http_server_body; "
716  "sid:1;)";
717  return RunTest(steps, sig, NULL);
718 }
719 
720 /*
721  * gzip stream with deflate set as content-encoding.
722  */
723 static int DetectEngineHttpServerBodyTest21(void)
724 {
725  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
726  "Host: www.openinfosecfoundation.org\r\n"
727  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
728  "Gecko/20091221 Firefox/3.5.7\r\n"
729  "\r\n";
730  // clang-format off
731  uint8_t http_buf2[] = {
732  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
733  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
734  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
735  'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
736  0x0d, 0x0a,
737  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
738  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
739  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
740  0x00, 0x00, 0x00,
741  };
742  // clang-format on
743  struct TestSteps steps[] = {
744  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
745  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
746  { NULL, 0, 0, 0 },
747  };
748  const char *sig = "alert http any any -> any any "
749  "(msg:\"http server body test\"; "
750  "content:\"file\"; http_server_body; "
751  "sid:1;)";
752  return RunTest(steps, sig, NULL);
753 }
754 
755 /*
756  * gzip stream.
757  * We have 2 content-encoding headers. First gzip and second deflate.
758  */
759 static int DetectEngineHttpServerBodyTest22(void)
760 {
761  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
762  "Host: www.openinfosecfoundation.org\r\n"
763  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
764  "Gecko/20091221 Firefox/3.5.7\r\n"
765  "\r\n";
766  // clang-format off
767  uint8_t http_buf2[] = {
768  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
769  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
770  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
771  'g', 'z', 'i', 'p', 0x0d, 0x0a,
772  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
773  'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
774  0x0d, 0x0a,
775  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
776  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
777  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
778  0x00, 0x00, 0x00,
779  };
780  // clang-format on
781  struct TestSteps steps[] = {
782  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
783  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
784  { NULL, 0, 0, 0 },
785  };
786  const char *sig = "alert http any any -> any any "
787  "(msg:\"http server body test\"; "
788  "content:\"file\"; http_server_body; "
789  "sid:1;)";
790  return RunTest(steps, sig, NULL);
791 }
792 
793 static int DetectEngineHttpServerBodyFileDataTest01(void)
794 {
795  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
796  "Host: www.openinfosecfoundation.org\r\n"
797  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
798  "Gecko/20091221 Firefox/3.5.7\r\n"
799  "\r\n";
800  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
801  "Content-Type: text/html\r\n"
802  "Content-Length: 6\r\n"
803  "\r\n"
804  "abcdef";
805  struct TestSteps steps[] = {
806  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
807  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
808  { NULL, 0, 0, 0 },
809  };
810  const char *sig = "alert http any any -> any any "
811  "(msg:\"http server body test\"; "
812  "file_data; pcre:/ab/; "
813  "content:\"ef\"; distance:2; "
814  "sid:1;)";
815  return RunTest(steps, sig, NULL);
816 }
817 
818 static int DetectEngineHttpServerBodyFileDataTest02(void)
819 {
820  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
821  "Host: www.openinfosecfoundation.org\r\n"
822  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
823  "Gecko/20091221 Firefox/3.5.7\r\n"
824  "\r\n";
825  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
826  "Content-Type: text/html\r\n"
827  "Content-Length: 6\r\n"
828  "\r\n"
829  "abcdef";
830  struct TestSteps steps[] = {
831  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
832  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
833  { NULL, 0, 0, 0 },
834  };
835  const char *sig = "alert http any any -> any any "
836  "(msg:\"http server body test\"; "
837  "file_data; pcre:/abc/; "
838  "content:!\"xyz\"; distance:0; within:3; "
839  "sid:1;)";
840  return RunTest(steps, sig, NULL);
841 }
842 
843 /* \test recursive relative byte test */
844 static int DetectEngineHttpServerBodyFileDataTest03(void)
845 {
846  TcpSession ssn;
847  Packet *p1 = NULL;
848  Packet *p2 = NULL;
849  ThreadVars th_v;
850  DetectEngineThreadCtx *det_ctx = NULL;
851  HtpState *http_state = NULL;
852  Flow f;
853  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
854  "Host: www.openinfosecfoundation.org\r\n"
855  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
856  "Gecko/20091221 Firefox/3.5.7\r\n"
857  "\r\n";
858  uint32_t http_len1 = sizeof(http_buf1) - 1;
859  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
860  "Content-Type: text/html\r\n"
861  "Content-Length: 33\r\n"
862  "\r\n"
863  "XYZ_klm_1234abcd_XYZ_klm_5678abcd";
864  uint32_t http_len2 = sizeof(http_buf2) - 1;
865  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
866 
867  memset(&th_v, 0, sizeof(th_v));
868  memset(&f, 0, sizeof(f));
869  memset(&ssn, 0, sizeof(ssn));
870 
871  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
872  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
873 
874  FLOW_INITIALIZE(&f);
875  f.protoctx = (void *)&ssn;
876  f.proto = IPPROTO_TCP;
877  f.flags |= FLOW_IPV4;
878 
879  p1->flow = &f;
880  p1->flowflags |= FLOW_PKT_TOSERVER;
881  p1->flowflags |= FLOW_PKT_ESTABLISHED;
882  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
883  p2->flow = &f;
884  p2->flowflags |= FLOW_PKT_TOCLIENT;
885  p2->flowflags |= FLOW_PKT_ESTABLISHED;
886  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
887  f.alproto = ALPROTO_HTTP1;
888 
889  StreamTcpInitConfig(true);
890 
891  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
892  FAIL_IF_NULL(de_ctx);
893  de_ctx->flags |= DE_QUIET;
894 
895  Signature *s = DetectEngineAppendSig(de_ctx,
896  "alert http any any -> any any "
897  "(msg:\"match on 1st\"; "
898  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
899  "distance:4; byte_test:4,=,1234,-8,relative,string;"
900  "sid:1;)");
901  FAIL_IF_NULL(s);
902  s = DetectEngineAppendSig(de_ctx,
903  "alert http any any -> any any "
904  "(msg:\"match on 2nd\"; "
905  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
906  "distance:4; byte_test:4,=,5678,-8,relative,string;"
907  "sid:2;)");
908  FAIL_IF_NULL(s);
909 
910  SigGroupBuild(de_ctx);
911  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
912 
913  int r = AppLayerParserParse(
914  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
915  FAIL_IF(r != 0);
916  http_state = f.alstate;
917  FAIL_IF_NULL(http_state);
918 
919  /* do detect */
920  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
921  FAIL_IF(PacketAlertCheck(p1, 1));
922 
923  r = AppLayerParserParse(
924  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
925  FAIL_IF(r != 0);
926 
927  /* do detect */
928  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
929 
930  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
931  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
932 
933  AppLayerParserThreadCtxFree(alp_tctx);
934  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
935  DetectEngineCtxFree(de_ctx);
936  StreamTcpFreeConfig(true);
937  FLOW_DESTROY(&f);
938  UTHFreePackets(&p1, 1);
939  UTHFreePackets(&p2, 1);
940  StatsThreadCleanup(&th_v);
941  PASS;
942 }
943 
944 static int DetectEngineHttpServerBodyFileDataTest04(void)
945 {
946 
947  const char yaml[] = "\
948 %YAML 1.1\n\
949 ---\n\
950 libhtp:\n\
951 \n\
952  default-config:\n\
953 \n\
954  http-body-inline: yes\n\
955  response-body-minimal-inspect-size: 6\n\
956  response-body-inspect-window: 3\n\
957 ";
958 
959  struct TestSteps steps[] = {
960  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
961  "Host: www.openinfosecfoundation.org\r\n"
962  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
963  "Gecko/20091221 Firefox/3.5.7\r\n"
964  "\r\n",
965  0, STREAM_TOSERVER, 0 },
966  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
967  "Content-Type: text/html\r\n"
968  "Content-Length: 6\r\n"
969  "\r\n"
970  "ab",
971  0, STREAM_TOCLIENT, 0 },
972  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 1 },
973  { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 0 },
974  { NULL, 0, 0, 0 },
975  };
976 
977  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
978  return RunTest(steps, sig, yaml);
979 }
980 
981 static int DetectEngineHttpServerBodyFileDataTest05(void)
982 {
983 
984  const char yaml[] = "\
985 %YAML 1.1\n\
986 ---\n\
987 libhtp:\n\
988 \n\
989  default-config:\n\
990 \n\
991  http-body-inline: yes\n\
992  response-body-minimal-inspect-size: 6\n\
993  response-body-inspect-window: 3\n\
994 ";
995 
996  struct TestSteps steps[] = {
997  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
998  "Host: www.openinfosecfoundation.org\r\n"
999  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1000  "Gecko/20091221 Firefox/3.5.7\r\n"
1001  "\r\n",
1002  0, STREAM_TOSERVER, 0 },
1003  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1004  "Content-Type: text/html\r\n"
1005  "Content-Length: 6\r\n"
1006  "\r\n"
1007  "ab",
1008  0, STREAM_TOCLIENT, 0 },
1009  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1010  { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 1 },
1011  { NULL, 0, 0, 0 },
1012  };
1013 
1014  const char *sig = "alert http any any -> any any (file_data; content:\"abcdef\"; sid:1;)";
1015  return RunTest(steps, sig, yaml);
1016 }
1017 
1018 static int DetectEngineHttpServerBodyFileDataTest06(void)
1019 {
1020 
1021  const char yaml[] = "\
1022 %YAML 1.1\n\
1023 ---\n\
1024 libhtp:\n\
1025 \n\
1026  default-config:\n\
1027 \n\
1028  http-body-inline: yes\n\
1029  response-body-minimal-inspect-size: 6\n\
1030  response-body-inspect-window: 3\n\
1031 ";
1032 
1033  struct TestSteps steps[] = {
1034  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1035  "Host: www.openinfosecfoundation.org\r\n"
1036  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1037  "Gecko/20091221 Firefox/3.5.7\r\n"
1038  "\r\n",
1039  0, STREAM_TOSERVER, 0 },
1040  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1041  "Content-Type: text/html\r\n"
1042  "Content-Length: 6\r\n"
1043  "\r\n"
1044  "ab",
1045  0, STREAM_TOCLIENT, 0 },
1046  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1047  { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 1 },
1048  { NULL, 0, 0, 0 },
1049  };
1050 
1051  const char *sig =
1052  "alert http any any -> any any (file_data; content:\"bcdef\"; offset:1; sid:1;)";
1053  return RunTest(steps, sig, yaml);
1054 }
1055 
1056 static int DetectEngineHttpServerBodyFileDataTest07(void)
1057 {
1058 
1059  const char yaml[] = "\
1060 %YAML 1.1\n\
1061 ---\n\
1062 libhtp:\n\
1063 \n\
1064  default-config:\n\
1065 \n\
1066  http-body-inline: yes\n\
1067  response-body-minimal-inspect-size: 6\n\
1068  response-body-inspect-window: 3\n\
1069 ";
1070 
1071  struct TestSteps steps[] = {
1072  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1073  "Host: www.openinfosecfoundation.org\r\n"
1074  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1075  "Gecko/20091221 Firefox/3.5.7\r\n"
1076  "\r\n",
1077  0, STREAM_TOSERVER, 0 },
1078  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1079  "Content-Type: text/html\r\n"
1080  "Content-Length: 13\r\n"
1081  "\r\n"
1082  "ab",
1083  0, STREAM_TOCLIENT, 0 },
1084  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 1 },
1085  { (const uint8_t *)"123456789", 0, STREAM_TOCLIENT, 0 },
1086  { NULL, 0, 0, 0 },
1087  };
1088 
1089  const char *sig =
1090  "alert http any any -> any any (file_data; content:\"bc\"; offset:1; depth:2; sid:1;)";
1091  return RunTest(steps, sig, yaml);
1092 }
1093 
1094 static int DetectEngineHttpServerBodyFileDataTest08(void)
1095 {
1096 
1097  const char yaml[] = "\
1098 %YAML 1.1\n\
1099 ---\n\
1100 libhtp:\n\
1101 \n\
1102  default-config:\n\
1103 \n\
1104  http-body-inline: yes\n\
1105  response-body-minimal-inspect-size: 6\n\
1106  response-body-inspect-window: 3\n\
1107 ";
1108 
1109  struct TestSteps steps[] = {
1110  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1111  "Host: www.openinfosecfoundation.org\r\n"
1112  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1113  "Gecko/20091221 Firefox/3.5.7\r\n"
1114  "\r\n",
1115  0, STREAM_TOSERVER, 0 },
1116  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1117  "Content-Type: text/html\r\n"
1118  "Content-Length: 14\r\n"
1119  "\r\n"
1120  "ab",
1121  0, STREAM_TOCLIENT, 0 },
1122  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1123  { (const uint8_t *)"1234567890", 0, STREAM_TOCLIENT, 1 },
1124  { NULL, 0, 0, 0 },
1125  };
1126 
1127  const char *sig =
1128  "alert http any any -> any any (file_data; content:\"d123456789\"; offset:3; sid:1;)";
1129  return RunTest(steps, sig, yaml);
1130 }
1131 
1132 static int DetectEngineHttpServerBodyFileDataTest09(void)
1133 {
1134 
1135  const char yaml[] = "\
1136 %YAML 1.1\n\
1137 ---\n\
1138 libhtp:\n\
1139 \n\
1140  default-config:\n\
1141 \n\
1142  http-body-inline: yes\n\
1143  response-body-minimal-inspect-size: 6\n\
1144  response-body-inspect-window: 3\n\
1145 ";
1146 
1147  struct TestSteps steps[] = {
1148  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1149  "Host: www.openinfosecfoundation.org\r\n"
1150  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1151  "Gecko/20091221 Firefox/3.5.7\r\n"
1152  "\r\n",
1153  0, STREAM_TOSERVER, 0 },
1154  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1155  "Content-Type: text/html\r\n"
1156  "Content-Length: 13\r\n"
1157  "\r\n"
1158  "ab",
1159  0, STREAM_TOCLIENT, 0 },
1160  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1161  { (const uint8_t *)"123456789", 0, STREAM_TOCLIENT, 1 },
1162  { NULL, 0, 0, 0 },
1163  };
1164 
1165  const char *sig =
1166  "alert http any any -> any any (file_data; content:\"abcd12\"; depth:6; sid:1;)";
1167  return RunTest(steps, sig, yaml);
1168 }
1169 
1170 static int DetectEngineHttpServerBodyFileDataTest10(void)
1171 {
1172 
1173  const char yaml[] = "\
1174 %YAML 1.1\n\
1175 ---\n\
1176 libhtp:\n\
1177 \n\
1178  default-config:\n\
1179 \n\
1180  http-body-inline: yes\n\
1181  response-body-minimal-inspect-size: 6\n\
1182  response-body-inspect-window: 3\n\
1183 ";
1184 
1185  struct TestSteps steps[] = {
1186  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1187  "Host: www.openinfosecfoundation.org\r\n"
1188  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1189  "Gecko/20091221 Firefox/3.5.7\r\n"
1190  "\r\n",
1191  0, STREAM_TOSERVER, 0 },
1192  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1193  "Content-Type: text/html\r\n"
1194  "Content-Length: 5\r\n"
1195  "\r\n"
1196  "ab",
1197  0, STREAM_TOCLIENT, 0 },
1198  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 1 },
1199  { (const uint8_t *)"de", 0, STREAM_TOCLIENT, 0 },
1200  { NULL, 0, 0, 0 },
1201  };
1202 
1203  const char *sig = "alert http any any -> any any (file_data; content:\"abc\"; depth:3; sid:1;)";
1204  return RunTest(steps, sig, yaml);
1205 }
1206 
1207 static int DetectEngineHttpServerBodyFileDataTest11(void)
1208 {
1209 
1210  const char yaml[] = "\
1211 %YAML 1.1\n\
1212 ---\n\
1213 libhtp:\n\
1214 \n\
1215  default-config:\n\
1216 \n\
1217  http-body-inline: yes\n\
1218  response-body-minimal-inspect-size: 6\n\
1219  response-body-inspect-window: 3\n\
1220 ";
1221 
1222  struct TestSteps steps[] = {
1223  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1224  "Host: www.openinfosecfoundation.org\r\n"
1225  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1226  "Gecko/20091221 Firefox/3.5.7\r\n"
1227  "\r\n",
1228  0, STREAM_TOSERVER, 0 },
1229  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1230  "Content-Type: text/html\r\n"
1231  "Content-Length: 5\r\n"
1232  "\r\n"
1233  "ab",
1234  0, STREAM_TOCLIENT, 0 },
1235  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1236  { (const uint8_t *)"de", 0, STREAM_TOCLIENT, 1 },
1237  { NULL, 0, 0, 0 },
1238  };
1239 
1240  const char *sig = "alert http any any -> any any (file_data; content:\"bcde\"; offset:1; "
1241  "depth:4; sid:1;)";
1242  return RunTest(steps, sig, yaml);
1243 }
1244 
1245 static int DetectEngineHttpServerBodyFileDataTest12(void)
1246 {
1247 
1248  const char yaml[] = "\
1249 %YAML 1.1\n\
1250 ---\n\
1251 libhtp:\n\
1252 \n\
1253  default-config:\n\
1254 \n\
1255  http-body-inline: yes\n\
1256  response-body-minimal-inspect-size: 6\n\
1257  response-body-inspect-window: 3\n\
1258 ";
1259 
1260  struct TestSteps steps[] = {
1261  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1262  "Host: www.openinfosecfoundation.org\r\n"
1263  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1264  "Gecko/20091221 Firefox/3.5.7\r\n"
1265  "\r\n",
1266  0, STREAM_TOSERVER, 0 },
1267  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1268  "Content-Type: text/html\r\n"
1269  "Content-Length: 13\r\n"
1270  "\r\n"
1271  "a",
1272  0, STREAM_TOCLIENT, 0 },
1273  { (const uint8_t *)"b", 0, STREAM_TOCLIENT, 0 },
1274  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1275  { (const uint8_t *)"d", 0, STREAM_TOCLIENT, 1 },
1276  { (const uint8_t *)"efghijklm", 0, STREAM_TOCLIENT, 0 },
1277  { NULL, 0, 0, 0 },
1278  };
1279 
1280  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
1281  return RunTest(steps, sig, yaml);
1282 }
1283 
1284 static int DetectEngineHttpServerBodyFileDataTest13(void)
1285 {
1286 
1287  const char yaml[] = "\
1288 %YAML 1.1\n\
1289 ---\n\
1290 libhtp:\n\
1291 \n\
1292  default-config:\n\
1293 \n\
1294  http-body-inline: yes\n\
1295  response-body-minimal-inspect-size: 9\n\
1296  response-body-inspect-window: 12\n\
1297 ";
1298 
1299  struct TestSteps steps[] = {
1300  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1301  "Host: www.openinfosecfoundation.org\r\n"
1302  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1303  "Gecko/20091221 Firefox/3.5.7\r\n"
1304  "\r\n",
1305  0, STREAM_TOSERVER, 0 },
1306  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1307  "Content-Type: text/html\r\n"
1308  "Content-Length: 13\r\n"
1309  "\r\n"
1310  "a",
1311  0, STREAM_TOCLIENT, 0 },
1312  { (const uint8_t *)"b", 0, STREAM_TOCLIENT, 0 },
1313  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1314  { (const uint8_t *)"d", 0, STREAM_TOCLIENT, 0 },
1315  { (const uint8_t *)"efghijklm", 0, STREAM_TOCLIENT, 1 },
1316  { NULL, 0, 0, 0 },
1317  };
1318 
1319  const char *sig =
1320  "alert http any any -> any any (file_data; content:\"abcdefghijklm\"; sid:1;)";
1321  return RunTest(steps, sig, yaml);
1322 }
1323 
1324 static int DetectEngineHttpServerBodyFileDataTest14(void)
1325 {
1326 
1327  const char yaml[] = "\
1328 %YAML 1.1\n\
1329 ---\n\
1330 libhtp:\n\
1331 \n\
1332  default-config:\n\
1333 \n\
1334  http-body-inline: yes\n\
1335  response-body-minimal-inspect-size: 9\n\
1336  response-body-inspect-window: 12\n\
1337 ";
1338 
1339  struct TestSteps steps[] = {
1340  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1341  "Host: www.openinfosecfoundation.org\r\n"
1342  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1343  "Gecko/20091221 Firefox/3.5.7\r\n"
1344  "\r\n",
1345  0, STREAM_TOSERVER, 0 },
1346  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1347  "Content-Type: text/html\r\n"
1348  "Content-Length: 20\r\n"
1349  "\r\n"
1350  "1234567890",
1351  0, STREAM_TOCLIENT, 0 },
1352  { (const uint8_t *)"abcdefghi", 0, STREAM_TOCLIENT, 1 },
1353  { NULL, 0, 0, 0 },
1354  };
1355 
1356  const char *sig = "alert http any any -> any any (file_data; content:\"890abcdefghi\"; sid:1;)";
1357  return RunTest(steps, sig, yaml);
1358 }
1359 
1360 static int DetectEngineHttpServerBodyFileDataTest15(void)
1361 {
1362 
1363  const char yaml[] = "\
1364 %YAML 1.1\n\
1365 ---\n\
1366 libhtp:\n\
1367 \n\
1368  default-config:\n\
1369 \n\
1370  http-body-inline: yes\n\
1371  response-body-minimal-inspect-size: 9\n\
1372  response-body-inspect-window: 12\n\
1373 ";
1374 
1375  struct TestSteps steps[] = {
1376  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1377  "Host: www.openinfosecfoundation.org\r\n"
1378  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1379  "Gecko/20091221 Firefox/3.5.7\r\n"
1380  "\r\n",
1381  0, STREAM_TOSERVER, 0 },
1382  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1383  "Content-Type: text/html\r\n"
1384  "Content-Length: 20\r\n"
1385  "\r\n"
1386  "1234567890",
1387  0, STREAM_TOCLIENT, 0 },
1388  { (const uint8_t *)"abcdefghi", 0, STREAM_TOCLIENT, 0 },
1389  { NULL, 0, 0, 0 },
1390  };
1391 
1392  const char *sig =
1393  "alert http any any -> any any (file_data; content:\"7890ab\"; depth:6; sid:1;)";
1394  return RunTest(steps, sig, yaml);
1395 }
1396 
1397 static int DetectEngineHttpServerBodyFileDataTest16(void)
1398 {
1399 
1400  const char yaml[] = "\
1401 %YAML 1.1\n\
1402 ---\n\
1403 libhtp:\n\
1404 \n\
1405  default-config:\n\
1406 \n\
1407  http-body-inline: yes\n\
1408  response-body-minimal-inspect-size: 9\n\
1409  response-body-inspect-window: 12\n\
1410 ";
1411 
1412  struct TestSteps steps[] = {
1413  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1414  "Host: www.openinfosecfoundation.org\r\n"
1415  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1416  "Gecko/20091221 Firefox/3.5.7\r\n"
1417  "\r\n",
1418  0, STREAM_TOSERVER, 0 },
1419  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1420  "Content-Type: text/html\r\n"
1421  "Content-Length: 20\r\n"
1422  "\r\n"
1423  "aaaab",
1424  0, STREAM_TOCLIENT, 0 },
1425  { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1426  { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1427  { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1428  { NULL, 0, 0, 0 },
1429  };
1430 
1431  const char *sig =
1432  "alert http any any -> any any (file_data; content:\"aabb\"; depth:4; sid:1;)";
1433  return RunTest(steps, sig, yaml);
1434 }
1435 
1436 static int DetectEngineHttpServerBodyFileDataTest17(void)
1437 {
1438 
1439  const char yaml[] = "\
1440 %YAML 1.1\n\
1441 ---\n\
1442 libhtp:\n\
1443 \n\
1444  default-config:\n\
1445 \n\
1446  http-body-inline: yes\n\
1447  response-body-minimal-inspect-size: 8\n\
1448  response-body-inspect-window: 4\n\
1449 ";
1450 
1451  struct TestSteps steps[] = {
1452  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1453  "Host: www.openinfosecfoundation.org\r\n"
1454  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1455  "Gecko/20091221 Firefox/3.5.7\r\n"
1456  "\r\n",
1457  0, STREAM_TOSERVER, 0 },
1458  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1459  "Content-Type: text/html\r\n"
1460  "Content-Length: 20\r\n"
1461  "\r\n"
1462  "aaaab",
1463  0, STREAM_TOCLIENT, 0 },
1464  { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1465  { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1466  { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1467  { NULL, 0, 0, 0 },
1468  };
1469 
1470  const char *sig =
1471  "alert http any any -> any any (file_data; content:\"bbbc\"; depth:4; sid:1;)";
1472  return RunTest(steps, sig, yaml);
1473 }
1474 
1475 static int DetectEngineHttpServerBodyFileDataTest18(void)
1476 {
1477 
1478  const char yaml[] = "\
1479 %YAML 1.1\n\
1480 ---\n\
1481 libhtp:\n\
1482 \n\
1483  default-config:\n\
1484 \n\
1485  http-body-inline: yes\n\
1486  response-body-minimal-inspect-size: 8\n\
1487  response-body-inspect-window: 4\n\
1488 ";
1489 
1490  struct TestSteps steps[] = {
1491  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1492  "Host: www.openinfosecfoundation.org\r\n"
1493  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1494  "Gecko/20091221 Firefox/3.5.7\r\n"
1495  "\r\n",
1496  0, STREAM_TOSERVER, 0 },
1497  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1498  "Content-Type: text/html\r\n"
1499  "Content-Length: 20\r\n"
1500  "\r\n"
1501  "aaaab",
1502  0, STREAM_TOCLIENT, 0 },
1503  { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1504  { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1505  { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1506  { NULL, 0, 0, 0 },
1507  };
1508 
1509  const char *sig =
1510  "alert http any any -> any any (file_data; content:\"bccd\"; depth:4; sid:1;)";
1511  return RunTest(steps, sig, yaml);
1512 }
1513 static int DetectEngineHttpServerBodyFileDataTest19(void)
1514 {
1515  char input[] = "\
1516 %YAML 1.1\n\
1517 ---\n\
1518 libhtp:\n\
1519 \n\
1520  default-config:\n\
1521 \n\
1522  swf-decompression:\n\
1523  enabled: yes\n\
1524  type: both\n\
1525  compress-depth: 0\n\
1526  decompress-depth: 0\n\
1527 ";
1528  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1529  "Host: www.openinfosecfoundation.org\r\n"
1530  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1531  "Gecko/20091221 Firefox/3.5.7\r\n"
1532  "\r\n";
1533  // clang-format off
1534  uint8_t http_buf2[] = {
1535  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1536  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
1537  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1538  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1539  0x0d, 0x0a,
1540  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1541  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1542  0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
1543  0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
1544  0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1545  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
1546  0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
1547  };
1548  // clang-format on
1549  struct TestSteps steps[] = {
1550  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1551  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1552  { NULL, 0, 0, 0 },
1553  };
1554  const char *sig = "alert tcp any any -> any any "
1555  "(flow:established,from_server; "
1556  "file_data; content:\"FWS\"; "
1557  "sid:1;)";
1558  return RunTest(steps, sig, input);
1559 }
1560 
1561 static int DetectEngineHttpServerBodyFileDataTest20(void)
1562 {
1563  char input[] = "\
1564 %YAML 1.1\n\
1565 ---\n\
1566 libhtp:\n\
1567 \n\
1568  default-config:\n\
1569 \n\
1570  swf-decompression:\n\
1571  enabled: no\n\
1572  type: both\n\
1573  compress-depth: 0\n\
1574  decompress-depth: 0\n\
1575 ";
1576  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1577  "Host: www.openinfosecfoundation.org\r\n"
1578  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1579  "Gecko/20091221 Firefox/3.5.7\r\n"
1580  "\r\n";
1581  // clang-format off
1582  uint8_t http_buf2[] = {
1583  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1584  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1585  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1586  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1587  0x0d, 0x0a,
1588  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1589  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1590  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1591  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1592  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1593  };
1594  // clang-format on
1595  struct TestSteps steps[] = {
1596  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1597  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1598  { NULL, 0, 0, 0 },
1599  };
1600  const char *sig = "alert tcp any any -> any any "
1601  "(flow:established,from_server; "
1602  "file_data; content:\"CWS\"; "
1603  "sid:1;)";
1604  return RunTest(steps, sig, input);
1605 }
1606 
1607 static int DetectEngineHttpServerBodyFileDataTest21(void)
1608 {
1609  char input[] = "\
1610 %YAML 1.1\n\
1611 ---\n\
1612 libhtp:\n\
1613 \n\
1614  default-config:\n\
1615 \n\
1616  swf-decompression:\n\
1617  enabled: yes\n\
1618  type: deflate\n\
1619  compress-depth: 0\n\
1620  decompress-depth: 0\n\
1621 ";
1622  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1623  "Host: www.openinfosecfoundation.org\r\n"
1624  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1625  "Gecko/20091221 Firefox/3.5.7\r\n"
1626  "\r\n";
1627  // clang-format off
1628  uint8_t http_buf2[] = {
1629  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1630  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1631  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1632  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1633  0x0d, 0x0a,
1634  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1635  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1636  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1637  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1638  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1639  };
1640  // clang-format on
1641  struct TestSteps steps[] = {
1642  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1643  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1644  { NULL, 0, 0, 0 },
1645  };
1646  const char *sig = "alert tcp any any -> any any "
1647  "(flow:established,from_server; "
1648  "file_data; content:\"FWS\"; "
1649  "sid:1;)";
1650  return RunTest(steps, sig, input);
1651 }
1652 
1653 static int DetectEngineHttpServerBodyFileDataTest22(void)
1654 {
1655  char input[] = "\
1656 %YAML 1.1\n\
1657 ---\n\
1658 libhtp:\n\
1659 \n\
1660  default-config:\n\
1661 \n\
1662  swf-decompression:\n\
1663  enabled: yes\n\
1664  type: lzma\n\
1665  compress-depth: 0\n\
1666  decompress-depth: 0\n\
1667 ";
1668  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1669  "Host: www.openinfosecfoundation.org\r\n"
1670  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1671  "Gecko/20091221 Firefox/3.5.7\r\n"
1672  "\r\n";
1673  // clang-format off
1674  uint8_t http_buf2[] = {
1675  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1676  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1677  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1678  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1679  0x0d, 0x0a,
1680  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1681  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1682  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1683  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1684  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1685  };
1686  // clang-format on
1687  struct TestSteps steps[] = {
1688  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1689  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1690  { NULL, 0, 0, 0 },
1691  };
1692  const char *sig = "alert tcp any any -> any any "
1693  "(flow:established,from_server; "
1694  "file_data; content:\"CWS\"; "
1695  "sid:1;)";
1696  return RunTest(steps, sig, input);
1697 }
1698 
1699 static int DetectEngineHttpServerBodyFileDataTest23(void)
1700 {
1701  char input[] = "\
1702 %YAML 1.1\n\
1703 ---\n\
1704 libhtp:\n\
1705 \n\
1706  default-config:\n\
1707 \n\
1708  swf-decompression:\n\
1709  enabled: yes\n\
1710  type: both\n\
1711  compress-depth: 0\n\
1712  decompress-depth: 0\n\
1713 ";
1714  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1715  "Host: www.openinfosecfoundation.org\r\n"
1716  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1717  "Gecko/20091221 Firefox/3.5.7\r\n"
1718  "\r\n";
1719  // clang-format off
1720  uint8_t http_buf2[] = {
1721  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1722  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1723  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1724  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1725  0x0d, 0x0a,
1726  0x43, 0x57, 0x53, 0x01, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1727  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1728  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1729  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1730  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1731  };
1732  // clang-format on
1733  struct TestSteps steps[] = {
1734  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1735  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1736  { NULL, 0, 0, 0 },
1737  };
1738  const char *sig = "alert tcp any any -> any any "
1739  "(flow:established,from_server; "
1740  "file_data; content:\"CWS\"; "
1741  "sid:1;)";
1742  return RunTest(steps, sig, input);
1743 }
1744 
1745 static int DetectEngineHttpServerBodyFileDataTest24(void)
1746 {
1747  char input[] = "\
1748 %YAML 1.1\n\
1749 ---\n\
1750 libhtp:\n\
1751 \n\
1752  default-config:\n\
1753 \n\
1754  swf-decompression:\n\
1755  enabled: yes\n\
1756  type: both\n\
1757  compress-depth: 0\n\
1758  decompress-depth: 0\n\
1759 ";
1760  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1761  "Host: www.openinfosecfoundation.org\r\n"
1762  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1763  "Gecko/20091221 Firefox/3.5.7\r\n"
1764  "\r\n";
1765  uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1766  0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1767  '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1768  ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1769  '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1770  0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1771  0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1772  0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1773  0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1774  0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1775  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1776  0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1777  struct TestSteps steps[] = {
1778  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1779  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1780  { NULL, 0, 0, 0 },
1781  };
1782  const char *sig = "alert tcp any any -> any any "
1783  "(flow:established,from_server; "
1784  "file_data; content:\"FWS\"; "
1785  "sid:1;)";
1786  return RunTest(steps, sig, input);
1787 }
1788 
1789 static int DetectEngineHttpServerBodyFileDataTest25(void)
1790 {
1791  char input[] = "\
1792 %YAML 1.1\n\
1793 ---\n\
1794 libhtp:\n\
1795 \n\
1796  default-config:\n\
1797 \n\
1798  swf-decompression:\n\
1799  enabled: no\n\
1800  type: both\n\
1801  compress-depth: 0\n\
1802  decompress-depth: 0\n\
1803 ";
1804  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1805  "Host: www.openinfosecfoundation.org\r\n"
1806  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1807  "Gecko/20091221 Firefox/3.5.7\r\n"
1808  "\r\n";
1809  uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1810  0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1811  '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1812  ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1813  '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1814  0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1815  0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1816  0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1817  0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1818  0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1819  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1820  0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1821  struct TestSteps steps[] = {
1822  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1823  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1824  { NULL, 0, 0, 0 },
1825  };
1826  const char *sig = "alert tcp any any -> any any "
1827  "(flow:established,from_server; "
1828  "file_data; content:\"ZWS\"; "
1829  "sid:1;)";
1830  return RunTest(steps, sig, input);
1831 }
1832 
1833 static int DetectEngineHttpServerBodyFileDataTest26(void)
1834 {
1835  char input[] = "\
1836 %YAML 1.1\n\
1837 ---\n\
1838 libhtp:\n\
1839 \n\
1840  default-config:\n\
1841 \n\
1842  swf-decompression:\n\
1843  enabled: yes\n\
1844  type: lzma\n\
1845  compress-depth: 0\n\
1846  decompress-depth: 0\n\
1847 ";
1848  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1849  "Host: www.openinfosecfoundation.org\r\n"
1850  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1851  "Gecko/20091221 Firefox/3.5.7\r\n"
1852  "\r\n";
1853  uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1854  0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1855  '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1856  ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1857  '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1858  0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1859  0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1860  0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1861  0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1862  0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1863  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1864  0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1865  struct TestSteps steps[] = {
1866  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1867  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1868  { NULL, 0, 0, 0 },
1869  };
1870  const char *sig = "alert tcp any any -> any any "
1871  "(flow:established,from_server; "
1872  "file_data; content:\"FWS\"; "
1873  "sid:1;)";
1874  return RunTest(steps, sig, input);
1875 }
1876 
1877 static int DetectEngineHttpServerBodyFileDataTest27(void)
1878 {
1879  char input[] = "\
1880 %YAML 1.1\n\
1881 ---\n\
1882 libhtp:\n\
1883 \n\
1884  default-config:\n\
1885 \n\
1886  swf-decompression:\n\
1887  enabled: yes\n\
1888  type: deflate\n\
1889  compress-depth: 0\n\
1890  decompress-depth: 0\n\
1891 ";
1892  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1893  "Host: www.openinfosecfoundation.org\r\n"
1894  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1895  "Gecko/20091221 Firefox/3.5.7\r\n"
1896  "\r\n";
1897  // clang-format off
1898  uint8_t http_buf2[] = {
1899  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1900  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1901  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1902  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1903  0x0d, 0x0a,
1904  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1905  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1906  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
1907  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
1908  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
1909  };
1910  // clang-format on
1911  struct TestSteps steps[] = {
1912  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1913  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1914  { NULL, 0, 0, 0 },
1915  };
1916  const char *sig = "alert tcp any any -> any any "
1917  "(flow:established,from_server; "
1918  "file_data; content:\"ZWS\"; "
1919  "sid:1;)";
1920  return RunTest(steps, sig, input);
1921 }
1922 
1923 static int DetectEngineHttpServerBodyFileDataTest28(void)
1924 {
1925  char input[] = "\
1926 %YAML 1.1\n\
1927 ---\n\
1928 libhtp:\n\
1929 \n\
1930  default-config:\n\
1931 \n\
1932  swf-decompression:\n\
1933  enabled: yes\n\
1934  type: both\n\
1935  compress-depth: 0\n\
1936  decompress-depth: 0\n\
1937 ";
1938  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1939  "Host: www.openinfosecfoundation.org\r\n"
1940  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1941  "Gecko/20091221 Firefox/3.5.7\r\n"
1942  "\r\n";
1943  // clang-format off
1944  uint8_t http_buf2[] = {
1945  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1946  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1947  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1948  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1949  0x0d, 0x0a,
1950  0x5a, 0x57, 0x53, 0x01, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1951  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1952  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
1953  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
1954  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
1955  };
1956  // clang-format on
1957  struct TestSteps steps[] = {
1958  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1959  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1960  { NULL, 0, 0, 0 },
1961  };
1962  const char *sig = "alert tcp any any -> any any "
1963  "(flow:established,from_server; "
1964  "file_data; content:\"ZWS\"; "
1965  "sid:1;)";
1966  return RunTest(steps, sig, input);
1967 }
1968 
1969 static int DetectEngineHttpServerBodyFileDataTest29(void)
1970 {
1971  char input[] = "\
1972 %YAML 1.1\n\
1973 ---\n\
1974 libhtp:\n\
1975 \n\
1976  default-config:\n\
1977 \n\
1978  swf-decompression:\n\
1979  enabled: yes\n\
1980  type: both\n\
1981  compress-depth: 1000\n\
1982  decompress-depth: 0\n\
1983 ";
1984  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1985  "Host: www.openinfosecfoundation.org\r\n"
1986  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1987  "Gecko/20091221 Firefox/3.5.7\r\n"
1988  "\r\n";
1989  // clang-format off
1990  uint8_t http_buf2[] = {
1991  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1992  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1993  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1994  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1995  0x0d, 0x0a,
1996  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1997  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1998  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1999  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
2000  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
2001  };
2002  // clang-format on
2003  struct TestSteps steps[] = {
2004  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2005  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
2006  { NULL, 0, 0, 0 },
2007  };
2008  const char *sig = "alert tcp any any -> any any "
2009  "(flow:established,from_server; "
2010  "file_data; content:\"FWS\"; "
2011  "sid:1;)";
2012  return RunTest(steps, sig, input);
2013 }
2014 
2015 /**
2016  *\test Test that the http_server_body content matches against a http request
2017  * which holds the content.
2018  */
2019 static int DetectHttpServerBodyTest06(void)
2020 {
2021  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2022  "Host: www.openinfosecfoundation.org\r\n"
2023  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2024  "Gecko/20091221 Firefox/3.5.7\r\n"
2025  "\r\n";
2026  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2027  "Content-Type: text/html\r\n"
2028  "Content-Length: 7\r\n"
2029  "\r\n"
2030  "message";
2031  struct TestSteps steps[] = {
2032  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2033  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2034  { NULL, 0, 0, 0 },
2035  };
2036  const char *sig = "alert http any any -> any any "
2037  "(msg:\"http server body test\"; "
2038  "content:\"message\"; http_server_body; "
2039  "sid:1;)";
2040  return RunTest(steps, sig, NULL);
2041 }
2042 
2043 /**
2044  *\test Test that the http_server_body content matches against a http request
2045  * which holds the content.
2046  */
2047 static int DetectHttpServerBodyTest07(void)
2048 {
2049  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2050  "Host: www.openinfosecfoundation.org\r\n"
2051  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2052  "Gecko/20091221 Firefox/3.5.7\r\n"
2053  "\r\n";
2054  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2055  "Content-Type: text/html\r\n"
2056  "Content-Length: 14\r\n"
2057  "\r\n";
2058  uint8_t http_buf3[] = "message";
2059  struct TestSteps steps[] = {
2060  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2061  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2062  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT | STREAM_EOF, 1 },
2063  { NULL, 0, 0, 0 },
2064  };
2065  const char *sig = "alert http any any -> any any "
2066  "(msg:\"http server body test\"; "
2067  "content:\"message\"; http_server_body; "
2068  "sid:1;)";
2069  return RunTest(steps, sig, NULL);
2070 }
2071 
2072 /**
2073  *\test Test that the http_server_body content matches against a http request
2074  * which holds the content.
2075  */
2076 static int DetectHttpServerBodyTest08(void)
2077 {
2078  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2079  "Host: www.openinfosecfoundation.org\r\n"
2080  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2081  "Gecko/20091221 Firefox/3.5.7\r\n"
2082  "\r\n";
2083  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2084  "Content-Type: text/html\r\n"
2085  "Content-Length: 14\r\n"
2086  "\r\n"
2087  "bigmes";
2088  uint8_t http_buf3[] = "sage4u!!";
2089  struct TestSteps steps[] = {
2090  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2091  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2092  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2093  { NULL, 0, 0, 0 },
2094  };
2095  const char *sig = "alert http any any -> any any "
2096  "(msg:\"http client body test\"; "
2097  "content:\"message\"; http_server_body; "
2098  "sid:1;)";
2099  return RunTest(steps, sig, NULL);
2100 }
2101 
2102 /**
2103  *\test Test that the http_server_body content matches against a http request
2104  * which holds the content.
2105  */
2106 static int DetectHttpServerBodyTest09(void)
2107 {
2108  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2109  "Host: www.openinfosecfoundation.org\r\n"
2110  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2111  "Gecko/20091221 Firefox/3.5.7\r\n"
2112  "\r\n";
2113  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2114  "Content-Type: text/html\r\n"
2115  "Content-Length: 14\r\n"
2116  "\r\n"
2117  "bigmes";
2118  uint8_t http_buf3[] = "sag";
2119  uint8_t http_buf4[] = "e4u!!";
2120  struct TestSteps steps[] = {
2121  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2122  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2123  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2124  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2125  { NULL, 0, 0, 0 },
2126  };
2127  const char *sig = "alert http any any -> any any "
2128  "(msg:\"http client body test\"; "
2129  "content:\"message\"; http_server_body; "
2130  "sid:1;)";
2131  return RunTest(steps, sig, NULL);
2132 }
2133 
2134 /**
2135  *\test Test that the http_server_body content matches against a http request
2136  * which holds the content. Case insensitive.
2137  */
2138 static int DetectHttpServerBodyTest10(void)
2139 {
2140  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2141  "Host: www.openinfosecfoundation.org\r\n"
2142  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2143  "Gecko/20091221 Firefox/3.5.7\r\n"
2144  "\r\n";
2145  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2146  "Content-Type: text/html\r\n"
2147  "Content-Length: 14\r\n"
2148  "\r\n"
2149  "bigmes";
2150  uint8_t http_buf3[] = "sag";
2151  uint8_t http_buf4[] =
2152  "e4u!!";
2153  struct TestSteps steps[] = {
2154  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2155  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2156  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2157  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2158  { NULL, 0, 0, 0 },
2159  };
2160  const char *sig = "alert http any any -> any any "
2161  "(msg:\"http client body test\"; "
2162  "content:\"MeSSaGE\"; http_server_body; nocase; "
2163  "sid:1;)";
2164  return RunTest(steps, sig, NULL);
2165 }
2166 
2167 /**
2168  *\test Test that the http_server_body content matches against a http request
2169  * which holds the content. Negated match.
2170  */
2171 static int DetectHttpServerBodyTest11(void)
2172 {
2173  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2174  "Host: www.openinfosecfoundation.org\r\n"
2175  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2176  "Gecko/20091221 Firefox/3.5.7\r\n"
2177  "\r\n";
2178  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2179  "Content-Type: text/html\r\n"
2180  "Content-Length: 14\r\n"
2181  "\r\n";
2182  uint8_t http_buf3[] = "bigmessage4u!!";
2183  struct TestSteps steps[] = {
2184  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2185  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2186  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2187  { NULL, 0, 0, 0 },
2188  };
2189  const char *sig = "alert http any any -> any any "
2190  "(msg:\"http client body test\"; "
2191  "content:!\"MaSSaGE\"; http_server_body; nocase; "
2192  "sid:1;)";
2193  return RunTest(steps, sig, NULL);
2194 }
2195 
2196 /**
2197  *\test Test that the http_server_body content matches against a http request
2198  * which holds the content. Negated match.
2199  */
2200 static int DetectHttpServerBodyTest12(void)
2201 {
2202  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2203  "Host: www.openinfosecfoundation.org\r\n"
2204  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2205  "Gecko/20091221 Firefox/3.5.7\r\n"
2206  "\r\n";
2207  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2208  "Content-Type: text/html\r\n"
2209  "Content-Length: 14\r\n"
2210  "\r\n";
2211  uint8_t http_buf3[] = "bigmessage4u!!";
2212  struct TestSteps steps[] = {
2213  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2214  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2215  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2216  { NULL, 0, 0, 0 },
2217  };
2218  const char *sig = "alert http any any -> any any "
2219  "(msg:\"http client body test\"; "
2220  "content:!\"MeSSaGE\"; http_server_body; nocase; "
2221  "sid:1;)";
2222  return RunTest(steps, sig, NULL);
2223 }
2224 
2225 static int DetectHttpServerBodyTest13(void)
2226 {
2227  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2228  "Host: www.openinfosecfoundation.org\r\n"
2229  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2230  "Gecko/20091221 Firefox/3.5.7\r\n"
2231  "\r\n";
2232  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2233  "Content-Type: text/html\r\n"
2234  "Content-Length: 55\r\n"
2235  "\r\n"
2236  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
2237  struct TestSteps steps[] = {
2238  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2239  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2240  { NULL, 0, 0, 0 },
2241  };
2242  const char *sig = "alert http any any -> any any "
2243  "(msg:\"http server body test\"; "
2244  "content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; "
2245  "http_server_body; "
2246  "sid:1;)";
2247  return RunTest(steps, sig, NULL);
2248 }
2249 
2250 /** \test multiple http transactions and body chunks of request handling */
2251 static int DetectHttpServerBodyTest14(void)
2252 {
2253  DetectEngineThreadCtx *det_ctx = NULL;
2254  ThreadVars th_v;
2255  Flow f;
2256  TcpSession ssn;
2257  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2258  "User-Agent: Mozilla/1.0\r\n"
2259  "Host: www.openinfosecfoundation.org\r\n"
2260  "Connection: keep-alive\r\n"
2261  "Cookie: dummy1\r\n\r\n";
2262  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2263  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2264  "Content-Type: text/html\r\n"
2265  "Content-Length: 3\r\n"
2266  "\r\n"
2267  "one";
2268  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2269  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2270  "User-Agent: Firefox/1.0\r\n"
2271  "Host: www.openinfosecfoundation.org\r\n"
2272  "Connection: keep-alive\r\n"
2273  "Cookie: dummy2\r\n\r\n";
2274  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2275  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2276  "Content-Type: text/html\r\n"
2277  "Content-Length: 3\r\n"
2278  "\r\n"
2279  "two";
2280  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2281 
2282  memset(&th_v, 0, sizeof(th_v));
2283  memset(&f, 0, sizeof(f));
2284  memset(&ssn, 0, sizeof(ssn));
2285 
2286  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2287  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2288 
2289  FLOW_INITIALIZE(&f);
2290  f.protoctx = (void *)&ssn;
2291  f.proto = IPPROTO_TCP;
2292  f.flags |= FLOW_IPV4;
2293 
2294  p->flow = &f;
2295  p->flowflags |= FLOW_PKT_TOCLIENT;
2296  p->flowflags |= FLOW_PKT_ESTABLISHED;
2297  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2298  f.alproto = ALPROTO_HTTP1;
2299 
2300  StreamTcpInitConfig(true);
2301 
2302  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2303  FAIL_IF_NULL(de_ctx);
2304  de_ctx->flags |= DE_QUIET;
2305 
2306  Signature *s = DetectEngineAppendSig(de_ctx,
2307  "alert tcp any any -> any any (flow:established,to_client; "
2308  "content:\"one\"; http_server_body; sid:1; rev:1;)");
2309  FAIL_IF_NULL(s);
2310  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2311  "content:\"two\"; http_server_body; sid:2; rev:1;)");
2312  FAIL_IF_NULL(s);
2313 
2314  SigGroupBuild(de_ctx);
2315  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2316 
2317  SCLogDebug("add chunk 1");
2318  int r = AppLayerParserParse(
2319  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2320  FAIL_IF(r != 0);
2321 
2322  SCLogDebug("add chunk 2");
2323 
2324  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2325  FAIL_IF(r != 0);
2326 
2327  SCLogDebug("inspect chunk 1");
2328 
2329  /* do detect */
2330  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2331  FAIL_IF(!(PacketAlertCheck(p, 1)));
2332  p->alerts.cnt = 0;
2333 
2334  SCLogDebug("add chunk 3");
2335 
2336  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2337  FAIL_IF(r != 0);
2338 
2339  SCLogDebug("add chunk 4");
2340 
2341  r = AppLayerParserParse(
2342  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2343  FAIL_IF(r != 0);
2344 
2345  SCLogDebug("inspect chunk 4");
2346 
2347  /* do detect */
2348  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2349  FAIL_IF((PacketAlertCheck(p, 1)));
2350  FAIL_IF(!(PacketAlertCheck(p, 2)));
2351  p->alerts.cnt = 0;
2352 
2353  HtpState *htp_state = f.alstate;
2354  FAIL_IF_NULL(htp_state);
2355  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
2356 
2357  UTHFreePacket(p);
2358  FLOW_DESTROY(&f);
2359 
2360  AppLayerParserThreadCtxFree(alp_tctx);
2361  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2362  DetectEngineCtxFree(de_ctx);
2363  StreamTcpFreeConfig(true);
2364  StatsThreadCleanup(&th_v);
2365  PASS;
2366 }
2367 
2368 static int DetectHttpServerBodyTest15(void)
2369 {
2370  DetectEngineThreadCtx *det_ctx = NULL;
2371  ThreadVars th_v;
2372  Flow f;
2373  TcpSession ssn;
2374  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2375  "User-Agent: Mozilla/1.0\r\n"
2376  "Host: www.openinfosecfoundation.org\r\n"
2377  "Connection: keep-alive\r\n"
2378  "Cookie: dummy1\r\n\r\n";
2379  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2380  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2381  "Content-Type: text/html\r\n"
2382  "Content-Length: 3\r\n"
2383  "\r\n"
2384  "one";
2385  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2386  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2387  "User-Agent: Firefox/1.0\r\n"
2388  "Host: www.openinfosecfoundation.org\r\n"
2389  "Connection: keep-alive\r\n"
2390  "Cookie: dummy2\r\n\r\n";
2391  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2392  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2393  "Content-Type: text/html\r\n"
2394  "Content-Length: 3\r\n"
2395  "\r\n"
2396  "two";
2397  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2398 
2399  memset(&th_v, 0, sizeof(th_v));
2400  memset(&f, 0, sizeof(f));
2401  memset(&ssn, 0, sizeof(ssn));
2402 
2403  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2404  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2405 
2406  FLOW_INITIALIZE(&f);
2407  f.protoctx = (void *)&ssn;
2408  f.proto = IPPROTO_TCP;
2409  f.flags |= FLOW_IPV4;
2410 
2411  p->flow = &f;
2412  p->flowflags |= FLOW_PKT_TOCLIENT;
2413  p->flowflags |= FLOW_PKT_ESTABLISHED;
2414  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2415  f.alproto = ALPROTO_HTTP1;
2416 
2417  StreamTcpInitConfig(true);
2418 
2419  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2420  FAIL_IF_NULL(de_ctx);
2421  de_ctx->flags |= DE_QUIET;
2422 
2423  Signature *s = DetectEngineAppendSig(de_ctx,
2424  "alert tcp any any -> any any (flow:established,to_client; "
2425  "content:\"one\"; http_server_body; sid:1; rev:1;)");
2426  FAIL_IF_NULL(s);
2427  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2428  "content:\"two\"; http_server_body; sid:2; rev:1;)");
2429  FAIL_IF_NULL(s);
2430 
2431  SigGroupBuild(de_ctx);
2432  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2433 
2434  int r = AppLayerParserParse(
2435  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2436  FAIL_IF(r != 0);
2437 
2438  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2439  FAIL_IF(r != 0);
2440 
2441  /* do detect */
2442  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2443  FAIL_IF(!(PacketAlertCheck(p, 1)));
2444  FAIL_IF(PacketAlertCheck(p, 2));
2445  p->alerts.cnt = 0;
2446 
2447  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2448  FAIL_IF(r != 0);
2449 
2450  r = AppLayerParserParse(
2451  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2452  FAIL_IF(r != 0);
2453 
2454  /* do detect */
2455  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2456  FAIL_IF((PacketAlertCheck(p, 1)));
2457  FAIL_IF(!(PacketAlertCheck(p, 2)));
2458  p->alerts.cnt = 0;
2459 
2460  HtpState *htp_state = f.alstate;
2461  FAIL_IF_NULL(htp_state);
2462  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
2463 
2464  UTHFreePacket(p);
2465  FLOW_DESTROY(&f);
2466 
2467  AppLayerParserThreadCtxFree(alp_tctx);
2468  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2469  DetectEngineCtxFree(de_ctx);
2470  StreamTcpFreeConfig(true);
2471  StatsThreadCleanup(&th_v);
2472  PASS;
2473 }
2474 
2475 /**
2476  *\test Test that the http_server_body content matches against a http request
2477  * which holds the content.
2478  */
2479 static int DetectHttpServerBodyFileDataTest01(void)
2480 {
2481  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2482  "Host: www.openinfosecfoundation.org\r\n"
2483  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2484  "Gecko/20091221 Firefox/3.5.7\r\n"
2485  "\r\n";
2486  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2487  "Content-Type: text/html\r\n"
2488  "Content-Length: 7\r\n"
2489  "\r\n"
2490  "message";
2491  struct TestSteps steps[] = {
2492  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2493  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2494  { NULL, 0, 0, 0 },
2495  };
2496  const char *sig = "alert http any any -> any any "
2497  "(msg:\"http server body test\"; "
2498  "file_data; content:\"message\"; "
2499  "sid:1;)";
2500  return RunTest(steps, sig, NULL);
2501 }
2502 
2503 /**
2504  *\test Test that the http_server_body content matches against a http request
2505  * which holds the content.
2506  */
2507 static int DetectHttpServerBodyFileDataTest02(void)
2508 {
2509  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2510  "Host: www.openinfosecfoundation.org\r\n"
2511  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2512  "Gecko/20091221 Firefox/3.5.7\r\n"
2513  "\r\n";
2514  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2515  "Content-Type: text/html\r\n"
2516  "Content-Length: 14\r\n"
2517  "\r\n";
2518  uint8_t http_buf3[] = "message";
2519  struct TestSteps steps[] = {
2520  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2521  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2522  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT | STREAM_EOF, 1 },
2523  { NULL, 0, 0, 0 },
2524  };
2525  const char *sig = "alert http any any -> any any "
2526  "(msg:\"http server body test\"; "
2527  "file_data; content:\"message\"; "
2528  "sid:1;)";
2529  return RunTest(steps, sig, NULL);
2530 }
2531 
2532 /**
2533  *\test Test that the http_server_body content matches against a http request
2534  * which holds the content.
2535  */
2536 static int DetectHttpServerBodyFileDataTest03(void)
2537 {
2538  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2539  "Host: www.openinfosecfoundation.org\r\n"
2540  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2541  "Gecko/20091221 Firefox/3.5.7\r\n"
2542  "\r\n";
2543  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2544  "Content-Type: text/html\r\n"
2545  "Content-Length: 14\r\n"
2546  "\r\n"
2547  "bigmes";
2548  uint8_t http_buf3[] = "sage4u!!";
2549  struct TestSteps steps[] = {
2550  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2551  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2552  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2553  { NULL, 0, 0, 0 },
2554  };
2555  const char *sig = "alert http any any -> any any "
2556  "(msg:\"http server body test\"; "
2557  "file_data; content:\"message\"; "
2558  "sid:1;)";
2559  return RunTest(steps, sig, NULL);
2560 }
2561 
2562 /**
2563  *\test Test that the http_server_body content matches against a http request
2564  * which holds the content.
2565  */
2566 static int DetectHttpServerBodyFileDataTest04(void)
2567 {
2568  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2569  "Host: www.openinfosecfoundation.org\r\n"
2570  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2571  "Gecko/20091221 Firefox/3.5.7\r\n"
2572  "\r\n";
2573  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2574  "Content-Type: text/html\r\n"
2575  "Content-Length: 14\r\n"
2576  "\r\n"
2577  "bigmes";
2578  uint8_t http_buf3[] = "sag";
2579  uint8_t http_buf4[] = "e4u!!";
2580  struct TestSteps steps[] = {
2581  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2582  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2583  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2584  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2585  { NULL, 0, 0, 0 },
2586  };
2587  const char *sig = "alert http any any -> any any "
2588  "(msg:\"http server body test\"; "
2589  "file_data; content:\"message\"; "
2590  "sid:1;)";
2591  return RunTest(steps, sig, NULL);
2592 }
2593 
2594 /**
2595  *\test Test that the http_server_body content matches against a http request
2596  * which holds the content. Case insensitive.
2597  */
2598 static int DetectHttpServerBodyFileDataTest05(void)
2599 {
2600  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2601  "Host: www.openinfosecfoundation.org\r\n"
2602  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2603  "Gecko/20091221 Firefox/3.5.7\r\n"
2604  "\r\n";
2605  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2606  "Content-Type: text/html\r\n"
2607  "Content-Length: 14\r\n"
2608  "\r\n"
2609  "bigmes";
2610  uint8_t http_buf3[] = "sag";
2611  uint8_t http_buf4[] = "e4u!!";
2612  struct TestSteps steps[] = {
2613  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2614  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2615  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2616  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2617  { NULL, 0, 0, 0 },
2618  };
2619  const char *sig = "alert http any any -> any any "
2620  "(msg:\"http client body test\"; "
2621  "file_data; content:\"MeSSaGE\"; nocase; "
2622  "sid:1;)";
2623  return RunTest(steps, sig, NULL);
2624 }
2625 
2626 /**
2627  *\test Test that the http_server_body content matches against a http request
2628  * which holds the content. Negated match.
2629  */
2630 static int DetectHttpServerBodyFileDataTest06(void)
2631 {
2632  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2633  "Host: www.openinfosecfoundation.org\r\n"
2634  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2635  "Gecko/20091221 Firefox/3.5.7\r\n"
2636  "\r\n";
2637  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2638  "Content-Type: text/html\r\n"
2639  "Content-Length: 14\r\n"
2640  "\r\n";
2641  uint8_t http_buf3[] = "bigmessage4u!!";
2642  struct TestSteps steps[] = {
2643  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2644  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2645  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2646  { NULL, 0, 0, 0 },
2647  };
2648  const char *sig = "alert http any any -> any any "
2649  "(msg:\"http file_data test\"; "
2650  "file_data; content:!\"MaSSaGE\"; nocase; "
2651  "sid:1;)";
2652  return RunTest(steps, sig, NULL);
2653 }
2654 
2655 /**
2656  *\test Test that the http_server_body content matches against a http request
2657  * which holds the content. Negated match.
2658  */
2659 static int DetectHttpServerBodyFileDataTest07(void)
2660 {
2661  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2662  "Host: www.openinfosecfoundation.org\r\n"
2663  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2664  "Gecko/20091221 Firefox/3.5.7\r\n"
2665  "\r\n";
2666  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2667  "Content-Type: text/html\r\n"
2668  "Content-Length: 14\r\n"
2669  "\r\n";
2670  uint8_t http_buf3[] = "bigmessage4u!!";
2671  struct TestSteps steps[] = {
2672  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2673  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2674  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2675  { NULL, 0, 0, 0 },
2676  };
2677  const char *sig = "alert http any any -> any any "
2678  "(msg:\"http file_data test\"; "
2679  "file_data; content:!\"MeSSaGE\"; nocase; "
2680  "sid:1;)";
2681  return RunTest(steps, sig, NULL);
2682 }
2683 
2684 static int DetectHttpServerBodyFileDataTest08(void)
2685 {
2686  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2687  "Host: www.openinfosecfoundation.org\r\n"
2688  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2689  "Gecko/20091221 Firefox/3.5.7\r\n"
2690  "\r\n";
2691  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2692  "Content-Type: text/html\r\n"
2693  "Content-Length: 55\r\n"
2694  "\r\n"
2695  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
2696  struct TestSteps steps[] = {
2697  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2698  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2699  { NULL, 0, 0, 0 },
2700  };
2701  const char *sig =
2702  "alert http any any -> any any "
2703  "(msg:\"http server body test\"; "
2704  "file_data; content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; "
2705  "sid:1;)";
2706  return RunTest(steps, sig, NULL);
2707 }
2708 
2709 /** \test multiple http transactions and body chunks of request handling */
2710 static int DetectHttpServerBodyFileDataTest09(void)
2711 {
2712  DetectEngineThreadCtx *det_ctx = NULL;
2713  ThreadVars th_v;
2714  Flow f;
2715  TcpSession ssn;
2716  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2717  "User-Agent: Mozilla/1.0\r\n"
2718  "Host: www.openinfosecfoundation.org\r\n"
2719  "Connection: keep-alive\r\n"
2720  "Cookie: dummy1\r\n\r\n";
2721  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2722  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2723  "Content-Type: text/html\r\n"
2724  "Content-Length: 3\r\n"
2725  "\r\n"
2726  "one";
2727  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2728  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2729  "User-Agent: Firefox/1.0\r\n"
2730  "Host: www.openinfosecfoundation.org\r\n"
2731  "Connection: keep-alive\r\n"
2732  "Cookie: dummy2\r\n\r\n";
2733  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2734  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2735  "Content-Type: text/html\r\n"
2736  "Content-Length: 3\r\n"
2737  "\r\n"
2738  "two";
2739  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2740 
2741  memset(&th_v, 0, sizeof(th_v));
2742  memset(&f, 0, sizeof(f));
2743  memset(&ssn, 0, sizeof(ssn));
2744 
2745  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2746  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2747 
2748  FLOW_INITIALIZE(&f);
2749  f.protoctx = (void *)&ssn;
2750  f.proto = IPPROTO_TCP;
2751  f.flags |= FLOW_IPV4;
2752 
2753  p->flow = &f;
2754  p->flowflags |= FLOW_PKT_TOCLIENT;
2755  p->flowflags |= FLOW_PKT_ESTABLISHED;
2756  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2757  f.alproto = ALPROTO_HTTP1;
2758 
2759  StreamTcpInitConfig(true);
2760 
2761  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2762  FAIL_IF_NULL(de_ctx);
2763  de_ctx->flags |= DE_QUIET;
2764 
2765  Signature *s = DetectEngineAppendSig(de_ctx,
2766  "alert tcp any any -> any any (flow:established,to_client; file_data; "
2767  "content:\"one\"; sid:1; rev:1;)");
2768  FAIL_IF_NULL(s);
2769  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
2770  FAIL_IF_NULL(s);
2771 
2772  SigGroupBuild(de_ctx);
2773  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2774 
2775  int r = AppLayerParserParse(
2776  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2777  FAIL_IF(r != 0);
2778 
2779  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2780  FAIL_IF(r != 0);
2781 
2782  /* do detect */
2783  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2784  FAIL_IF(!(PacketAlertCheck(p, 1)));
2785  p->alerts.cnt = 0;
2786 
2787  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2788  FAIL_IF(r != 0);
2789 
2790  r = AppLayerParserParse(
2791  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2792  FAIL_IF(r != 0);
2793 
2794  /* do detect */
2795  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2796  FAIL_IF((PacketAlertCheck(p, 1)));
2797  FAIL_IF(!(PacketAlertCheck(p, 2)));
2798 
2799  HtpState *htp_state = f.alstate;
2800  FAIL_IF_NULL(htp_state);
2801  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
2802 
2803  UTHFreePacket(p);
2804  FLOW_DESTROY(&f);
2805 
2806  AppLayerParserThreadCtxFree(alp_tctx);
2807  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2808  DetectEngineCtxFree(de_ctx);
2809  StreamTcpFreeConfig(true);
2810  StatsThreadCleanup(&th_v);
2811  PASS;
2812 }
2813 
2814 static int DetectHttpServerBodyFileDataTest10(void)
2815 {
2816  DetectEngineThreadCtx *det_ctx = NULL;
2817  ThreadVars th_v;
2818  Flow f;
2819  TcpSession ssn;
2820  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2821  "User-Agent: Mozilla/1.0\r\n"
2822  "Host: www.openinfosecfoundation.org\r\n"
2823  "Connection: keep-alive\r\n"
2824  "Cookie: dummy1\r\n\r\n";
2825  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2826  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2827  "Content-Type: text/html\r\n"
2828  "Content-Length: 3\r\n"
2829  "\r\n"
2830  "one";
2831  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2832  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2833  "User-Agent: Firefox/1.0\r\n"
2834  "Host: www.openinfosecfoundation.org\r\n"
2835  "Connection: keep-alive\r\n"
2836  "Cookie: dummy2\r\n\r\n";
2837  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2838  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2839  "Content-Type: text/html\r\n"
2840  "Content-Length: 3\r\n"
2841  "\r\n"
2842  "two";
2843  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2844 
2845  memset(&th_v, 0, sizeof(th_v));
2846  memset(&f, 0, sizeof(f));
2847  memset(&ssn, 0, sizeof(ssn));
2848 
2849  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2850  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2851 
2852  FLOW_INITIALIZE(&f);
2853  f.protoctx = (void *)&ssn;
2854  f.proto = IPPROTO_TCP;
2855  f.flags |= FLOW_IPV4;
2856 
2857  p->flow = &f;
2858  p->flowflags |= FLOW_PKT_TOCLIENT;
2859  p->flowflags |= FLOW_PKT_ESTABLISHED;
2860  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2861  f.alproto = ALPROTO_HTTP1;
2862 
2863  StreamTcpInitConfig(true);
2864 
2865  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2866  FAIL_IF_NULL(de_ctx);
2867  de_ctx->flags |= DE_QUIET;
2868 
2869  Signature *s = DetectEngineAppendSig(de_ctx,
2870  "alert tcp any any -> any any (flow:established,to_client; file_data; "
2871  "content:\"one\"; sid:1; rev:1;)");
2872  FAIL_IF_NULL(s);
2873  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
2874  FAIL_IF_NULL(s);
2875 
2876  SigGroupBuild(de_ctx);
2877  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2878 
2879  int r = AppLayerParserParse(
2880  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2881  FAIL_IF(r != 0);
2882 
2883  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2884  FAIL_IF(r != 0);
2885 
2886  /* do detect */
2887  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2888  FAIL_IF(!(PacketAlertCheck(p, 1)));
2889  p->alerts.cnt = 0;
2890 
2891  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2892  FAIL_IF(r != 0);
2893 
2894  r = AppLayerParserParse(
2895  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2896  FAIL_IF(r != 0);
2897 
2898  /* do detect */
2899  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2900  FAIL_IF((PacketAlertCheck(p, 1)));
2901  FAIL_IF(!(PacketAlertCheck(p, 2)));
2902 
2903  HtpState *htp_state = f.alstate;
2904  FAIL_IF_NULL(htp_state);
2905  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
2906 
2907  UTHFreePacket(p);
2908  FLOW_DESTROY(&f);
2909 
2910  AppLayerParserThreadCtxFree(alp_tctx);
2911  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2912  DetectEngineCtxFree(de_ctx);
2913  StreamTcpFreeConfig(true);
2914  StatsThreadCleanup(&th_v);
2915  PASS;
2916 }
2917 
2918 void DetectHttpServerBodyRegisterTests(void)
2919 {
2920  UtRegisterTest("DetectHttpServerBodyParserTest01", DetectHttpServerBodyParserTest01);
2921  UtRegisterTest("DetectHttpServerBodyParserTest02", DetectHttpServerBodyParserTest02);
2922 
2923  UtRegisterTest("DetectHttpServerBodyTest06", DetectHttpServerBodyTest06);
2924  UtRegisterTest("DetectHttpServerBodyTest07", DetectHttpServerBodyTest07);
2925  UtRegisterTest("DetectHttpServerBodyTest08", DetectHttpServerBodyTest08);
2926  UtRegisterTest("DetectHttpServerBodyTest09", DetectHttpServerBodyTest09);
2927  UtRegisterTest("DetectHttpServerBodyTest10", DetectHttpServerBodyTest10);
2928  UtRegisterTest("DetectHttpServerBodyTest11", DetectHttpServerBodyTest11);
2929  UtRegisterTest("DetectHttpServerBodyTest12", DetectHttpServerBodyTest12);
2930  UtRegisterTest("DetectHttpServerBodyTest13", DetectHttpServerBodyTest13);
2931  UtRegisterTest("DetectHttpServerBodyTest14", DetectHttpServerBodyTest14);
2932  UtRegisterTest("DetectHttpServerBodyTest15", DetectHttpServerBodyTest15);
2933 
2934  UtRegisterTest("DetectHttpServerBodyFileDataTest01",
2935  DetectHttpServerBodyFileDataTest01);
2936  UtRegisterTest("DetectHttpServerBodyFileDataTest02",
2937  DetectHttpServerBodyFileDataTest02);
2938  UtRegisterTest("DetectHttpServerBodyFileDataTest03",
2939  DetectHttpServerBodyFileDataTest03);
2940  UtRegisterTest("DetectHttpServerBodyFileDataTest04",
2941  DetectHttpServerBodyFileDataTest04);
2942  UtRegisterTest("DetectHttpServerBodyFileDataTest05",
2943  DetectHttpServerBodyFileDataTest05);
2944  UtRegisterTest("DetectHttpServerBodyFileDataTest06",
2945  DetectHttpServerBodyFileDataTest06);
2946  UtRegisterTest("DetectHttpServerBodyFileDataTest07",
2947  DetectHttpServerBodyFileDataTest07);
2948  UtRegisterTest("DetectHttpServerBodyFileDataTest08",
2949  DetectHttpServerBodyFileDataTest08);
2950  UtRegisterTest("DetectHttpServerBodyFileDataTest09",
2951  DetectHttpServerBodyFileDataTest09);
2952  UtRegisterTest("DetectHttpServerBodyFileDataTest10",
2953  DetectHttpServerBodyFileDataTest10);
2954 
2955  UtRegisterTest("DetectEngineHttpServerBodyTest01",
2956  DetectEngineHttpServerBodyTest01);
2957  UtRegisterTest("DetectEngineHttpServerBodyTest02",
2958  DetectEngineHttpServerBodyTest02);
2959  UtRegisterTest("DetectEngineHttpServerBodyTest03",
2960  DetectEngineHttpServerBodyTest03);
2961  UtRegisterTest("DetectEngineHttpServerBodyTest04",
2962  DetectEngineHttpServerBodyTest04);
2963  UtRegisterTest("DetectEngineHttpServerBodyTest05",
2964  DetectEngineHttpServerBodyTest05);
2965  UtRegisterTest("DetectEngineHttpServerBodyTest06",
2966  DetectEngineHttpServerBodyTest06);
2967  UtRegisterTest("DetectEngineHttpServerBodyTest07",
2968  DetectEngineHttpServerBodyTest07);
2969  UtRegisterTest("DetectEngineHttpServerBodyTest08",
2970  DetectEngineHttpServerBodyTest08);
2971  UtRegisterTest("DetectEngineHttpServerBodyTest09",
2972  DetectEngineHttpServerBodyTest09);
2973  UtRegisterTest("DetectEngineHttpServerBodyTest10",
2974  DetectEngineHttpServerBodyTest10);
2975  UtRegisterTest("DetectEngineHttpServerBodyTest11",
2976  DetectEngineHttpServerBodyTest11);
2977  UtRegisterTest("DetectEngineHttpServerBodyTest12",
2978  DetectEngineHttpServerBodyTest12);
2979  UtRegisterTest("DetectEngineHttpServerBodyTest13",
2980  DetectEngineHttpServerBodyTest13);
2981  UtRegisterTest("DetectEngineHttpServerBodyTest14",
2982  DetectEngineHttpServerBodyTest14);
2983  UtRegisterTest("DetectEngineHttpServerBodyTest15",
2984  DetectEngineHttpServerBodyTest15);
2985  UtRegisterTest("DetectEngineHttpServerBodyTest16",
2986  DetectEngineHttpServerBodyTest16);
2987  UtRegisterTest("DetectEngineHttpServerBodyTest17",
2988  DetectEngineHttpServerBodyTest17);
2989  UtRegisterTest("DetectEngineHttpServerBodyTest18",
2990  DetectEngineHttpServerBodyTest18);
2991  UtRegisterTest("DetectEngineHttpServerBodyTest19",
2992  DetectEngineHttpServerBodyTest19);
2993  UtRegisterTest("DetectEngineHttpServerBodyTest20",
2994  DetectEngineHttpServerBodyTest20);
2995  UtRegisterTest("DetectEngineHttpServerBodyTest21",
2996  DetectEngineHttpServerBodyTest21);
2997  UtRegisterTest("DetectEngineHttpServerBodyTest22",
2998  DetectEngineHttpServerBodyTest22);
2999 
3000  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest01",
3001  DetectEngineHttpServerBodyFileDataTest01);
3002  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest02",
3003  DetectEngineHttpServerBodyFileDataTest02);
3004  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest03",
3005  DetectEngineHttpServerBodyFileDataTest03);
3006  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest04",
3007  DetectEngineHttpServerBodyFileDataTest04);
3008  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest05",
3009  DetectEngineHttpServerBodyFileDataTest05);
3010  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest06",
3011  DetectEngineHttpServerBodyFileDataTest06);
3012  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest07",
3013  DetectEngineHttpServerBodyFileDataTest07);
3014  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest08",
3015  DetectEngineHttpServerBodyFileDataTest08);
3016  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest09",
3017  DetectEngineHttpServerBodyFileDataTest09);
3018  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest10",
3019  DetectEngineHttpServerBodyFileDataTest10);
3020  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest11",
3021  DetectEngineHttpServerBodyFileDataTest11);
3022  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest12",
3023  DetectEngineHttpServerBodyFileDataTest12);
3024  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest13",
3025  DetectEngineHttpServerBodyFileDataTest13);
3026  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest14",
3027  DetectEngineHttpServerBodyFileDataTest14);
3028  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest15",
3029  DetectEngineHttpServerBodyFileDataTest15);
3030  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest16",
3031  DetectEngineHttpServerBodyFileDataTest16);
3032  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest17",
3033  DetectEngineHttpServerBodyFileDataTest17);
3034  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest18",
3035  DetectEngineHttpServerBodyFileDataTest18);
3036 
3037  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest19",
3038  DetectEngineHttpServerBodyFileDataTest19);
3039  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest20",
3040  DetectEngineHttpServerBodyFileDataTest20);
3041  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest21",
3042  DetectEngineHttpServerBodyFileDataTest21);
3043  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest22",
3044  DetectEngineHttpServerBodyFileDataTest22);
3045  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest23",
3046  DetectEngineHttpServerBodyFileDataTest23);
3047  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest24",
3048  DetectEngineHttpServerBodyFileDataTest24);
3049  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest25",
3050  DetectEngineHttpServerBodyFileDataTest25);
3051  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest26",
3052  DetectEngineHttpServerBodyFileDataTest26);
3053  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest27",
3054  DetectEngineHttpServerBodyFileDataTest27);
3055  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest28",
3056  DetectEngineHttpServerBodyFileDataTest28);
3057  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest29",
3058  DetectEngineHttpServerBodyFileDataTest29);
3059 }
TestSteps
Definition: detect-http-client-body.c:107
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:523
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition: util-unittest-helper.c:913
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
TestSteps::direction
int direction
Definition: detect-http-client-body.c:110
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
TestSteps::input
const uint8_t * input
Definition: detect-http-client-body.c:108
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:287
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:620
HTPConfigure
void HTPConfigure(void)
Definition: app-layer-htp.c:2351
HtpState_
Definition: app-layer-htp.h:181
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SCConfInit
void SCConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
TestSteps::expect
int expect
Definition: detect-http-client-body.c:111
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
HtpConfigCreateBackup
void HtpConfigCreateBackup(void)
Definition: app-layer-htp.c:2687
DetectEngineThreadCtx_
Definition: detect.h:1244
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:264
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:259
Packet_
Definition: decode.h:501
SCConfCreateContextBackup
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:684
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3596
SCConfDeInit
void SCConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:703
HtpConfigRestoreBackup
void HtpConfigRestoreBackup(void)
Definition: app-layer-htp.c:2692
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
SCConfRestoreContextBackup
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:694
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
HTPFreeConfig
void HTPFreeConfig(void)
Clears the HTTP server configuration memory used by HTP library.
Definition: app-layer-htp.c:1591
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
DetectHttpServerBodyRegisterTests
void DetectHttpServerBodyRegisterTests(void)
Definition: detect-http-server-body.c:2918
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1102
TestSteps::input_size
size_t input_size
Definition: detect-http-client-body.c:109
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456