suricata
detect-http-server-body.c
Go to the documentation of this file.
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <giuseppe@glongo.it>
22  *
23  * Tests for the hsbd with swf files
24  */
25 
26 #include "../suricata-common.h"
27 #include "../conf-yaml-loader.h"
28 #include "../decode.h"
29 #include "../flow.h"
30 #include "../detect.h"
31 #include "../detect-engine-build.h"
32 #include "../detect-engine-alert.h"
33 
34 /**
35  * \test Test parser accepting valid rules and rejecting invalid rules
36  */
37 static int DetectHttpServerBodyParserTest01(void)
38 {
39  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", true));
40  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)", true));
41  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)", true));
42  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)", true));
43  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)", true));
44 
45  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)", false));
46  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http_server_body; sid:1;)", false));
47  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", false));
48  PASS;
49 }
50 
51 /**
52  * \test Test parser accepting valid rules and rejecting invalid rules
53  */
54 static int DetectHttpServerBodyParserTest02(void)
55 {
56  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", true));
57  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)", true));
58  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)", true));
59  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)", true));
60  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
61  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; bsize:10; sid:1;)", true));
62 
63  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)", false));
64  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http.response_body; sid:1;)", false));
65  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", false));
66  PASS;
67 }
68 struct TestSteps {
69  const uint8_t *input;
70  size_t input_size; /**< if 0 strlen will be used */
71  int direction; /**< STREAM_TOSERVER, STREAM_TOCLIENT */
72  int expect;
73 };
74 
75 static int RunTest(struct TestSteps *steps, const char *sig, const char *yaml)
76 {
77  TcpSession ssn;
78  Flow f;
79  ThreadVars th_v;
80  DetectEngineThreadCtx *det_ctx = NULL;
83 
84  memset(&th_v, 0, sizeof(th_v));
85  memset(&f, 0, sizeof(f));
86  memset(&ssn, 0, sizeof(ssn));
87 
88  if (yaml) {
90  ConfInit();
92 
93  ConfYamlLoadString(yaml, strlen(yaml));
94  HTPConfigure();
96  }
97 
98  StreamTcpInitConfig(true);
99 
102  de_ctx->flags |= DE_QUIET;
103 
104  FLOW_INITIALIZE(&f);
105  f.protoctx = (void *)&ssn;
106  f.proto = IPPROTO_TCP;
107  f.flags |= FLOW_IPV4;
109 
110  SCLogDebug("sig %s", sig);
111  Signature *s = DetectEngineAppendSig(de_ctx, (char *)sig);
112  FAIL_IF_NULL(s);
113 
115  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
116  FAIL_IF_NULL(det_ctx);
117 
118  struct TestSteps *b = steps;
119  int i = 0;
120  while (b->input != NULL) {
121  SCLogDebug("chunk %p %d", b, i);
122  (void)i;
123  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
124  FAIL_IF_NULL(p);
125  p->flow = &f;
126  p->flowflags = (b->direction == STREAM_TOSERVER) ? FLOW_PKT_TOSERVER : FLOW_PKT_TOCLIENT;
129 
130  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, b->direction,
131  (uint8_t *)b->input,
132  b->input_size ? b->input_size : strlen((const char *)b->input));
133  FAIL_IF_NOT(r == 0);
134 
135  /* do detect */
136  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
137 
138  int match = PacketAlertCheck(p, 1);
139  FAIL_IF_NOT(b->expect == match);
140 
141  UTHFreePackets(&p, 1);
142  b++;
143  i++;
144  }
145 
146  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
149 
150  StreamTcpFreeConfig(true);
151  FLOW_DESTROY(&f);
152 
153  if (yaml) {
157  }
158  PASS;
159 }
160 
161 static int DetectEngineHttpServerBodyTest01(void)
162 {
163  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
164  "Host: www.openinfosecfoundation.org\r\n"
165  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
166  "Gecko/20091221 Firefox/3.5.7\r\n"
167  "\r\n";
168  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
169  "Content-Type: text/html\r\n"
170  "Content-Length: 7\r\n"
171  "\r\n"
172  "message";
173  struct TestSteps steps[] = {
174  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
175  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
176  { NULL, 0, 0, 0 },
177  };
178 
179  const char *sig = "alert http any any -> any any "
180  "(msg:\"http server body test\"; "
181  "content:\"message\"; http_server_body; "
182  "sid:1;)";
183  return RunTest(steps, sig, NULL);
184 }
185 
186 static int DetectEngineHttpServerBodyTest02(void)
187 {
188  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
189  "Host: www.openinfosecfoundation.org\r\n"
190  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
191  "Gecko/20091221 Firefox/3.5.7\r\n"
192  "\r\n";
193  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
194  "Content-Type: text/html\r\n"
195  "Content-Length: 7\r\n"
196  "\r\n"
197  "xxxxABC";
198  struct TestSteps steps[] = {
199  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
200  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
201  { NULL, 0, 0, 0 },
202  };
203 
204  const char *sig = "alert http any any -> any any "
205  "(msg:\"http server body test\"; "
206  "content:\"ABC\"; http_server_body; offset:4; "
207  "sid:1;)";
208  return RunTest(steps, sig, NULL);
209 }
210 
211 static int DetectEngineHttpServerBodyTest03(void)
212 {
213  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
214  "Host: www.openinfosecfoundation.org\r\n"
215  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
216  "Gecko/20091221 Firefox/3.5.7\r\n"
217  "\r\n";
218  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
219  "Content-Type: text/html\r\n"
220  "Content-Length: 17\r\n"
221  "\r\n"
222  "1234567";
223  uint8_t http_buf3[] = "8901234ABC";
224  struct TestSteps steps[] = {
225  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
226  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
227  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
228  { NULL, 0, 0, 0 },
229  };
230 
231  const char *sig = "alert http any any -> any any "
232  "(msg:\"http server body test\"; "
233  "content:\"ABC\"; http_server_body; offset:14; "
234  "sid:1;)";
235  return RunTest(steps, sig, NULL);
236 }
237 
238 static int DetectEngineHttpServerBodyTest04(void)
239 {
240  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
241  "Host: www.openinfosecfoundation.org\r\n"
242  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
243  "Gecko/20091221 Firefox/3.5.7\r\n"
244  "\r\n";
245  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
246  "Content-Type: text/html\r\n"
247  "Content-Length: 6\r\n"
248  "\r\n"
249  "abcdef";
250  struct TestSteps steps[] = {
251  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
252  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
253  { NULL, 0, 0, 0 },
254  };
255  const char *sig = "alert http any any -> any any "
256  "(msg:\"http server body test\"; "
257  "content:!\"abc\"; http_server_body; offset:3; "
258  "sid:1;)";
259  return RunTest(steps, sig, NULL);
260 }
261 
262 static int DetectEngineHttpServerBodyTest05(void)
263 {
264  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
265  "Host: www.openinfosecfoundation.org\r\n"
266  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
267  "Gecko/20091221 Firefox/3.5.7\r\n"
268  "\r\n";
269  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
270  "Content-Type: text/html\r\n"
271  "Content-Length: 6\r\n"
272  "\r\n"
273  "abcdef";
274  struct TestSteps steps[] = {
275  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
276  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
277  { NULL, 0, 0, 0 },
278  };
279  const char *sig = "alert http any any -> any any "
280  "(msg:\"http server body test\"; "
281  "content:\"abc\"; http_server_body; depth:3; "
282  "sid:1;)";
283  return RunTest(steps, sig, NULL);
284 }
285 
286 static int DetectEngineHttpServerBodyTest06(void)
287 {
288  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
289  "Host: www.openinfosecfoundation.org\r\n"
290  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
291  "Gecko/20091221 Firefox/3.5.7\r\n"
292  "\r\n";
293  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
294  "Content-Type: text/html\r\n"
295  "Content-Length: 6\r\n"
296  "\r\n"
297  "abcdef";
298  struct TestSteps steps[] = {
299  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
300  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
301  { NULL, 0, 0, 0 },
302  };
303  const char *sig = "alert http any any -> any any "
304  "(msg:\"http server body test\"; "
305  "content:!\"def\"; http_server_body; depth:3; "
306  "sid:1;)";
307  return RunTest(steps, sig, NULL);
308 }
309 
310 static int DetectEngineHttpServerBodyTest07(void)
311 {
312  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
313  "Host: www.openinfosecfoundation.org\r\n"
314  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
315  "Gecko/20091221 Firefox/3.5.7\r\n"
316  "\r\n";
317  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
318  "Content-Type: text/html\r\n"
319  "Content-Length: 6\r\n"
320  "\r\n"
321  "abcdef";
322  struct TestSteps steps[] = {
323  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
324  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
325  { NULL, 0, 0, 0 },
326  };
327  const char *sig = "alert http any any -> any any "
328  "(msg:\"http server body test\"; "
329  "content:!\"def\"; http_server_body; offset:3; "
330  "sid:1;)";
331  return RunTest(steps, sig, NULL);
332 }
333 
334 static int DetectEngineHttpServerBodyTest08(void)
335 {
336  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
337  "Host: www.openinfosecfoundation.org\r\n"
338  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
339  "Gecko/20091221 Firefox/3.5.7\r\n"
340  "\r\n";
341  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
342  "Content-Type: text/html\r\n"
343  "Content-Length: 6\r\n"
344  "\r\n"
345  "abcdef";
346 
347  struct TestSteps steps[] = {
348  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
349  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
350  { NULL, 0, 0, 0 },
351  };
352  const char *sig = "alert http any any -> any any "
353  "(msg:\"http server body test\"; "
354  "content:!\"abc\"; http_server_body; depth:3; "
355  "sid:1;)";
356  return RunTest(steps, sig, NULL);
357 }
358 
359 static int DetectEngineHttpServerBodyTest09(void)
360 {
361  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
362  "Host: www.openinfosecfoundation.org\r\n"
363  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
364  "Gecko/20091221 Firefox/3.5.7\r\n"
365  "\r\n";
366  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
367  "Content-Type: text/html\r\n"
368  "Content-Length: 6\r\n"
369  "\r\n"
370  "abcdef";
371  struct TestSteps steps[] = {
372  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
373  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
374  { NULL, 0, 0, 0 },
375  };
376  const char *sig = "alert http any any -> any any "
377  "(msg:\"http server body test\"; "
378  "content:\"abc\"; http_server_body; depth:3; "
379  "content:\"def\"; http_server_body; within:3; "
380  "sid:1;)";
381  return RunTest(steps, sig, NULL);
382 }
383 
384 static int DetectEngineHttpServerBodyTest10(void)
385 {
386  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
387  "Host: www.openinfosecfoundation.org\r\n"
388  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
389  "Gecko/20091221 Firefox/3.5.7\r\n"
390  "\r\n";
391  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
392  "Content-Type: text/html\r\n"
393  "Content-Length: 6\r\n"
394  "\r\n"
395  "abcdef";
396  struct TestSteps steps[] = {
397  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
398  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
399  { NULL, 0, 0, 0 },
400  };
401  const char *sig = "alert http any any -> any any "
402  "(msg:\"http server body test\"; "
403  "content:\"abc\"; http_server_body; depth:3; "
404  "content:!\"xyz\"; http_server_body; within:3; "
405  "sid:1;)";
406  return RunTest(steps, sig, NULL);
407 }
408 
409 static int DetectEngineHttpServerBodyTest11(void)
410 {
411  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
412  "Host: www.openinfosecfoundation.org\r\n"
413  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
414  "Gecko/20091221 Firefox/3.5.7\r\n"
415  "\r\n";
416  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
417  "Content-Type: text/html\r\n"
418  "Content-Length: 6\r\n"
419  "\r\n"
420  "abcdef";
421  struct TestSteps steps[] = {
422  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
423  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
424  { NULL, 0, 0, 0 },
425  };
426  const char *sig = "alert http any any -> any any "
427  "(msg:\"http server body test\"; "
428  "content:\"abc\"; http_server_body; depth:3; "
429  "content:\"xyz\"; http_server_body; within:3; "
430  "sid:1;)";
431  return RunTest(steps, sig, NULL);
432 }
433 
434 static int DetectEngineHttpServerBodyTest12(void)
435 {
436  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
437  "Host: www.openinfosecfoundation.org\r\n"
438  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
439  "Gecko/20091221 Firefox/3.5.7\r\n"
440  "\r\n";
441  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
442  "Content-Type: text/html\r\n"
443  "Content-Length: 6\r\n"
444  "\r\n"
445  "abcdef";
446  struct TestSteps steps[] = {
447  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
448  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
449  { NULL, 0, 0, 0 },
450  };
451  const char *sig = "alert http any any -> any any "
452  "(msg:\"http server body test\"; "
453  "content:\"ab\"; http_server_body; depth:2; "
454  "content:\"ef\"; http_server_body; distance:2; "
455  "sid:1;)";
456  return RunTest(steps, sig, NULL);
457 }
458 
459 static int DetectEngineHttpServerBodyTest13(void)
460 {
461  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
462  "Host: www.openinfosecfoundation.org\r\n"
463  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
464  "Gecko/20091221 Firefox/3.5.7\r\n"
465  "\r\n";
466  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
467  "Content-Type: text/html\r\n"
468  "Content-Length: 6\r\n"
469  "\r\n"
470  "abcdef";
471  struct TestSteps steps[] = {
472  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
473  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
474  { NULL, 0, 0, 0 },
475  };
476  const char *sig = "alert http any any -> any any "
477  "(msg:\"http server body test\"; "
478  "content:\"ab\"; http_server_body; depth:3; "
479  "content:!\"yz\"; http_server_body; distance:2; "
480  "sid:1;)";
481  return RunTest(steps, sig, NULL);
482 }
483 
484 static int DetectEngineHttpServerBodyTest14(void)
485 {
486  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
487  "Host: www.openinfosecfoundation.org\r\n"
488  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
489  "Gecko/20091221 Firefox/3.5.7\r\n"
490  "\r\n";
491  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
492  "Content-Type: text/html\r\n"
493  "Content-Length: 6\r\n"
494  "\r\n"
495  "abcdef";
496  struct TestSteps steps[] = {
497  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
498  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
499  { NULL, 0, 0, 0 },
500  };
501  const char *sig = "alert http any any -> any any "
502  "(msg:\"http server body test\"; "
503  "pcre:/ab/Q; "
504  "content:\"ef\"; http_server_body; distance:2; "
505  "sid:1;)";
506  return RunTest(steps, sig, NULL);
507 }
508 
509 static int DetectEngineHttpServerBodyTest15(void)
510 {
511  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
512  "Host: www.openinfosecfoundation.org\r\n"
513  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
514  "Gecko/20091221 Firefox/3.5.7\r\n"
515  "\r\n";
516  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
517  "Content-Type: text/html\r\n"
518  "Content-Length: 6\r\n"
519  "\r\n"
520  "abcdef";
521  struct TestSteps steps[] = {
522  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
523  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
524  { NULL, 0, 0, 0 },
525  };
526  const char *sig = "alert http any any -> any any "
527  "(msg:\"http server body test\"; "
528  "pcre:/abc/Q; "
529  "content:!\"xyz\"; http_server_body; distance:0; within:3; "
530  "sid:1;)";
531  return RunTest(steps, sig, NULL);
532 }
533 
534 static int DetectEngineHttpServerBodyTest16(void)
535 {
536  char input[] = "\
537 %YAML 1.1\n\
538 ---\n\
539 libhtp:\n\
540 \n\
541  default-config:\n\
542  personality: IDS\n\
543  request-body-limit: 0\n\
544  response-body-limit: 0\n\
545 \n\
546  request-body-inspect-window: 0\n\
547  response-body-inspect-window: 0\n\
548  request-body-minimal-inspect-size: 0\n\
549  response-body-minimal-inspect-size: 0\n\
550 ";
551  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
552  "Host: www.openinfosecfoundation.org\r\n"
553  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
554  "Gecko/20091221 Firefox/3.5.7\r\n"
555  "\r\n";
556  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
557  "Content-Type: text/html\r\n"
558  "Content-Length: 17\r\n"
559  "\r\n"
560  "1234567";
561  uint8_t http_buf3[] = "8901234ABC";
562  struct TestSteps steps[] = {
563  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
564  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
565  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
566  { NULL, 0, 0, 0 },
567  };
568  const char *sig = "alert http any any -> any any ("
569  "content:\"890\"; within:3; http_server_body; "
570  "sid:1;)";
571  return RunTest(steps, sig, input);
572 }
573 
574 static int DetectEngineHttpServerBodyTest17(void)
575 {
576  char input[] = "\
577 %YAML 1.1\n\
578 ---\n\
579 libhtp:\n\
580 \n\
581  default-config:\n\
582  personality: IDS\n\
583  request-body-limit: 0\n\
584  response-body-limit: 0\n\
585 \n\
586  request-body-inspect-window: 0\n\
587  response-body-inspect-window: 0\n\
588  request-body-minimal-inspect-size: 0\n\
589  response-body-minimal-inspect-size: 0\n\
590 ";
591  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
592  "Host: www.openinfosecfoundation.org\r\n"
593  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
594  "Gecko/20091221 Firefox/3.5.7\r\n"
595  "\r\n";
596  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
597  "Content-Type: text/html\r\n"
598  "Content-Length: 17\r\n"
599  "\r\n"
600  "1234567";
601  uint8_t http_buf3[] = "8901234ABC";
602  struct TestSteps steps[] = {
603  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
604  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
605  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
606  { NULL, 0, 0, 0 },
607  };
608  const char *sig = "alert http any any -> any any ("
609  "content:\"890\"; depth:3; http_server_body; "
610  "sid:1;)";
611  return RunTest(steps, sig, input);
612 }
613 
614 /*
615  * gzip stream
616  */
617 static int DetectEngineHttpServerBodyTest18(void)
618 {
619  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
620  "Host: www.openinfosecfoundation.org\r\n"
621  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
622  "Gecko/20091221 Firefox/3.5.7\r\n"
623  "\r\n";
624  // clang-format off
625  uint8_t http_buf2[] = {
626  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
627  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
628  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
629  'g', 'z', 'i', 'p', 0x0d, 0x0a,
630  0x0d, 0x0a,
631  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
632  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
633  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
634  0x00, 0x00, 0x00,
635  };
636  // clang-format on
637  struct TestSteps steps[] = {
638  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
639  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
640  { NULL, 0, 0, 0 },
641  };
642  const char *sig = "alert http any any -> any any "
643  "(msg:\"http server body test\"; "
644  "content:\"file\"; http_server_body; "
645  "sid:1;)";
646  return RunTest(steps, sig, NULL);
647 }
648 
649 /*
650  * deflate stream
651  */
652 static int DetectEngineHttpServerBodyTest19(void)
653 {
654  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
655  "Host: www.openinfosecfoundation.org\r\n"
656  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
657  "Gecko/20091221 Firefox/3.5.7\r\n"
658  "\r\n";
659  // clang-format off
660  uint8_t http_buf2[] = {
661  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
662  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
663  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
664  'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
665  0x0d, 0x0a,
666  0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54, 0x85, 0xcc, 0x3c,
667  0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00,
668  };
669  // clang-format on
670  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
671  struct TestSteps steps[] = {
672  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
673  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
674  { NULL, 0, 0, 0 },
675  };
676  const char *sig = "alert http any any -> any any "
677  "(msg:\"http server body test\"; "
678  "content:\"file\"; http_server_body; "
679  "sid:1;)";
680  return RunTest(steps, sig, NULL);
681 }
682 
683 /*
684  * deflate stream with gzip set as content-encoding
685  */
686 static int DetectEngineHttpServerBodyTest20(void)
687 {
688  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
689  "Host: www.openinfosecfoundation.org\r\n"
690  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
691  "Gecko/20091221 Firefox/3.5.7\r\n"
692  "\r\n";
693  // clang-format off
694  uint8_t http_buf2[] = {
695  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
696  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
697  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
698  'g', 'z', 'i', 'p', 0x0d, 0x0a,
699  0x0d, 0x0a,
700  0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54, 0x85, 0xcc, 0x3c,
701  0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00,
702  };
703  // clang-format on
704  // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
705  struct TestSteps steps[] = {
706  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
707  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
708  { NULL, 0, 0, 0 },
709  };
710  const char *sig = "alert http any any -> any any "
711  "(msg:\"http server body test\"; "
712  "content:\"file\"; http_server_body; "
713  "sid:1;)";
714  return RunTest(steps, sig, NULL);
715 }
716 
717 /*
718  * gzip stream with deflate set as content-encoding.
719  */
720 static int DetectEngineHttpServerBodyTest21(void)
721 {
722  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
723  "Host: www.openinfosecfoundation.org\r\n"
724  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
725  "Gecko/20091221 Firefox/3.5.7\r\n"
726  "\r\n";
727  // clang-format off
728  uint8_t http_buf2[] = {
729  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
730  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
731  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
732  'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
733  0x0d, 0x0a,
734  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
735  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
736  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
737  0x00, 0x00, 0x00,
738  };
739  // clang-format on
740  struct TestSteps steps[] = {
741  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
742  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
743  { NULL, 0, 0, 0 },
744  };
745  const char *sig = "alert http any any -> any any "
746  "(msg:\"http server body test\"; "
747  "content:\"file\"; http_server_body; "
748  "sid:1;)";
749  return RunTest(steps, sig, NULL);
750 }
751 
752 /*
753  * gzip stream.
754  * We have 2 content-encoding headers. First gzip and second deflate.
755  */
756 static int DetectEngineHttpServerBodyTest22(void)
757 {
758  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
759  "Host: www.openinfosecfoundation.org\r\n"
760  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
761  "Gecko/20091221 Firefox/3.5.7\r\n"
762  "\r\n";
763  // clang-format off
764  uint8_t http_buf2[] = {
765  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
766  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
767  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
768  'g', 'z', 'i', 'p', 0x0d, 0x0a,
769  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
770  'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
771  0x0d, 0x0a,
772  0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
773  0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
774  0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
775  0x00, 0x00, 0x00,
776  };
777  // clang-format on
778  struct TestSteps steps[] = {
779  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
780  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
781  { NULL, 0, 0, 0 },
782  };
783  const char *sig = "alert http any any -> any any "
784  "(msg:\"http server body test\"; "
785  "content:\"file\"; http_server_body; "
786  "sid:1;)";
787  return RunTest(steps, sig, NULL);
788 }
789 
790 static int DetectEngineHttpServerBodyFileDataTest01(void)
791 {
792  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
793  "Host: www.openinfosecfoundation.org\r\n"
794  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
795  "Gecko/20091221 Firefox/3.5.7\r\n"
796  "\r\n";
797  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
798  "Content-Type: text/html\r\n"
799  "Content-Length: 6\r\n"
800  "\r\n"
801  "abcdef";
802  struct TestSteps steps[] = {
803  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
804  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
805  { NULL, 0, 0, 0 },
806  };
807  const char *sig = "alert http any any -> any any "
808  "(msg:\"http server body test\"; "
809  "file_data; pcre:/ab/; "
810  "content:\"ef\"; distance:2; "
811  "sid:1;)";
812  return RunTest(steps, sig, NULL);
813 }
814 
815 static int DetectEngineHttpServerBodyFileDataTest02(void)
816 {
817  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
818  "Host: www.openinfosecfoundation.org\r\n"
819  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
820  "Gecko/20091221 Firefox/3.5.7\r\n"
821  "\r\n";
822  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
823  "Content-Type: text/html\r\n"
824  "Content-Length: 6\r\n"
825  "\r\n"
826  "abcdef";
827  struct TestSteps steps[] = {
828  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
829  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
830  { NULL, 0, 0, 0 },
831  };
832  const char *sig = "alert http any any -> any any "
833  "(msg:\"http server body test\"; "
834  "file_data; pcre:/abc/; "
835  "content:!\"xyz\"; distance:0; within:3; "
836  "sid:1;)";
837  return RunTest(steps, sig, NULL);
838 }
839 
840 /* \test recursive relative byte test */
841 static int DetectEngineHttpServerBodyFileDataTest03(void)
842 {
843  TcpSession ssn;
844  Packet *p1 = NULL;
845  Packet *p2 = NULL;
846  ThreadVars th_v;
847  DetectEngineThreadCtx *det_ctx = NULL;
848  HtpState *http_state = NULL;
849  Flow f;
850  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
851  "Host: www.openinfosecfoundation.org\r\n"
852  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
853  "Gecko/20091221 Firefox/3.5.7\r\n"
854  "\r\n";
855  uint32_t http_len1 = sizeof(http_buf1) - 1;
856  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
857  "Content-Type: text/html\r\n"
858  "Content-Length: 33\r\n"
859  "\r\n"
860  "XYZ_klm_1234abcd_XYZ_klm_5678abcd";
861  uint32_t http_len2 = sizeof(http_buf2) - 1;
863 
864  memset(&th_v, 0, sizeof(th_v));
865  memset(&f, 0, sizeof(f));
866  memset(&ssn, 0, sizeof(ssn));
867 
868  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
869  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
870 
871  FLOW_INITIALIZE(&f);
872  f.protoctx = (void *)&ssn;
873  f.proto = IPPROTO_TCP;
874  f.flags |= FLOW_IPV4;
875 
876  p1->flow = &f;
880  p2->flow = &f;
885 
886  StreamTcpInitConfig(true);
887 
890  de_ctx->flags |= DE_QUIET;
891 
893  "alert http any any -> any any "
894  "(msg:\"match on 1st\"; "
895  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
896  "distance:4; byte_test:4,=,1234,-8,relative,string;"
897  "sid:1;)");
898  FAIL_IF_NULL(s);
900  "alert http any any -> any any "
901  "(msg:\"match on 2nd\"; "
902  "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
903  "distance:4; byte_test:4,=,5678,-8,relative,string;"
904  "sid:2;)");
905  FAIL_IF_NULL(s);
906 
908  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
909 
910  int r = AppLayerParserParse(
911  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
912  FAIL_IF(r != 0);
913  http_state = f.alstate;
914  FAIL_IF_NULL(http_state);
915 
916  /* do detect */
917  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
918  FAIL_IF(PacketAlertCheck(p1, 1));
919 
921  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
922  FAIL_IF(r != 0);
923 
924  /* do detect */
925  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
926 
929 
932  StreamTcpFreeConfig(true);
933  FLOW_DESTROY(&f);
934  UTHFreePackets(&p1, 1);
935  UTHFreePackets(&p2, 1);
936  PASS;
937 }
938 
939 static int DetectEngineHttpServerBodyFileDataTest04(void)
940 {
941 
942  const char yaml[] = "\
943 %YAML 1.1\n\
944 ---\n\
945 libhtp:\n\
946 \n\
947  default-config:\n\
948 \n\
949  http-body-inline: yes\n\
950  response-body-minimal-inspect-size: 6\n\
951  response-body-inspect-window: 3\n\
952 ";
953 
954  struct TestSteps steps[] = {
955  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
956  "Host: www.openinfosecfoundation.org\r\n"
957  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
958  "Gecko/20091221 Firefox/3.5.7\r\n"
959  "\r\n",
960  0, STREAM_TOSERVER, 0 },
961  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
962  "Content-Type: text/html\r\n"
963  "Content-Length: 6\r\n"
964  "\r\n"
965  "ab",
966  0, STREAM_TOCLIENT, 0 },
967  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 1 },
968  { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 0 },
969  { NULL, 0, 0, 0 },
970  };
971 
972  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
973  return RunTest(steps, sig, yaml);
974 }
975 
976 static int DetectEngineHttpServerBodyFileDataTest05(void)
977 {
978 
979  const char yaml[] = "\
980 %YAML 1.1\n\
981 ---\n\
982 libhtp:\n\
983 \n\
984  default-config:\n\
985 \n\
986  http-body-inline: yes\n\
987  response-body-minimal-inspect-size: 6\n\
988  response-body-inspect-window: 3\n\
989 ";
990 
991  struct TestSteps steps[] = {
992  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
993  "Host: www.openinfosecfoundation.org\r\n"
994  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
995  "Gecko/20091221 Firefox/3.5.7\r\n"
996  "\r\n",
997  0, STREAM_TOSERVER, 0 },
998  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
999  "Content-Type: text/html\r\n"
1000  "Content-Length: 6\r\n"
1001  "\r\n"
1002  "ab",
1003  0, STREAM_TOCLIENT, 0 },
1004  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1005  { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 1 },
1006  { NULL, 0, 0, 0 },
1007  };
1008 
1009  const char *sig = "alert http any any -> any any (file_data; content:\"abcdef\"; sid:1;)";
1010  return RunTest(steps, sig, yaml);
1011 }
1012 
1013 static int DetectEngineHttpServerBodyFileDataTest06(void)
1014 {
1015 
1016  const char yaml[] = "\
1017 %YAML 1.1\n\
1018 ---\n\
1019 libhtp:\n\
1020 \n\
1021  default-config:\n\
1022 \n\
1023  http-body-inline: yes\n\
1024  response-body-minimal-inspect-size: 6\n\
1025  response-body-inspect-window: 3\n\
1026 ";
1027 
1028  struct TestSteps steps[] = {
1029  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1030  "Host: www.openinfosecfoundation.org\r\n"
1031  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1032  "Gecko/20091221 Firefox/3.5.7\r\n"
1033  "\r\n",
1034  0, STREAM_TOSERVER, 0 },
1035  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1036  "Content-Type: text/html\r\n"
1037  "Content-Length: 6\r\n"
1038  "\r\n"
1039  "ab",
1040  0, STREAM_TOCLIENT, 0 },
1041  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1042  { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 1 },
1043  { NULL, 0, 0, 0 },
1044  };
1045 
1046  const char *sig =
1047  "alert http any any -> any any (file_data; content:\"bcdef\"; offset:1; sid:1;)";
1048  return RunTest(steps, sig, yaml);
1049 }
1050 
1051 static int DetectEngineHttpServerBodyFileDataTest07(void)
1052 {
1053 
1054  const char yaml[] = "\
1055 %YAML 1.1\n\
1056 ---\n\
1057 libhtp:\n\
1058 \n\
1059  default-config:\n\
1060 \n\
1061  http-body-inline: yes\n\
1062  response-body-minimal-inspect-size: 6\n\
1063  response-body-inspect-window: 3\n\
1064 ";
1065 
1066  struct TestSteps steps[] = {
1067  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1068  "Host: www.openinfosecfoundation.org\r\n"
1069  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1070  "Gecko/20091221 Firefox/3.5.7\r\n"
1071  "\r\n",
1072  0, STREAM_TOSERVER, 0 },
1073  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1074  "Content-Type: text/html\r\n"
1075  "Content-Length: 13\r\n"
1076  "\r\n"
1077  "ab",
1078  0, STREAM_TOCLIENT, 0 },
1079  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 1 },
1080  { (const uint8_t *)"123456789", 0, STREAM_TOCLIENT, 0 },
1081  { NULL, 0, 0, 0 },
1082  };
1083 
1084  const char *sig =
1085  "alert http any any -> any any (file_data; content:\"bc\"; offset:1; depth:2; sid:1;)";
1086  return RunTest(steps, sig, yaml);
1087 }
1088 
1089 static int DetectEngineHttpServerBodyFileDataTest08(void)
1090 {
1091 
1092  const char yaml[] = "\
1093 %YAML 1.1\n\
1094 ---\n\
1095 libhtp:\n\
1096 \n\
1097  default-config:\n\
1098 \n\
1099  http-body-inline: yes\n\
1100  response-body-minimal-inspect-size: 6\n\
1101  response-body-inspect-window: 3\n\
1102 ";
1103 
1104  struct TestSteps steps[] = {
1105  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1106  "Host: www.openinfosecfoundation.org\r\n"
1107  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1108  "Gecko/20091221 Firefox/3.5.7\r\n"
1109  "\r\n",
1110  0, STREAM_TOSERVER, 0 },
1111  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1112  "Content-Type: text/html\r\n"
1113  "Content-Length: 14\r\n"
1114  "\r\n"
1115  "ab",
1116  0, STREAM_TOCLIENT, 0 },
1117  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1118  { (const uint8_t *)"1234567890", 0, STREAM_TOCLIENT, 1 },
1119  { NULL, 0, 0, 0 },
1120  };
1121 
1122  const char *sig =
1123  "alert http any any -> any any (file_data; content:\"d123456789\"; offset:3; sid:1;)";
1124  return RunTest(steps, sig, yaml);
1125 }
1126 
1127 static int DetectEngineHttpServerBodyFileDataTest09(void)
1128 {
1129 
1130  const char yaml[] = "\
1131 %YAML 1.1\n\
1132 ---\n\
1133 libhtp:\n\
1134 \n\
1135  default-config:\n\
1136 \n\
1137  http-body-inline: yes\n\
1138  response-body-minimal-inspect-size: 6\n\
1139  response-body-inspect-window: 3\n\
1140 ";
1141 
1142  struct TestSteps steps[] = {
1143  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1144  "Host: www.openinfosecfoundation.org\r\n"
1145  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1146  "Gecko/20091221 Firefox/3.5.7\r\n"
1147  "\r\n",
1148  0, STREAM_TOSERVER, 0 },
1149  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1150  "Content-Type: text/html\r\n"
1151  "Content-Length: 13\r\n"
1152  "\r\n"
1153  "ab",
1154  0, STREAM_TOCLIENT, 0 },
1155  { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1156  { (const uint8_t *)"123456789", 0, STREAM_TOCLIENT, 1 },
1157  { NULL, 0, 0, 0 },
1158  };
1159 
1160  const char *sig =
1161  "alert http any any -> any any (file_data; content:\"abcd12\"; depth:6; sid:1;)";
1162  return RunTest(steps, sig, yaml);
1163 }
1164 
1165 static int DetectEngineHttpServerBodyFileDataTest10(void)
1166 {
1167 
1168  const char yaml[] = "\
1169 %YAML 1.1\n\
1170 ---\n\
1171 libhtp:\n\
1172 \n\
1173  default-config:\n\
1174 \n\
1175  http-body-inline: yes\n\
1176  response-body-minimal-inspect-size: 6\n\
1177  response-body-inspect-window: 3\n\
1178 ";
1179 
1180  struct TestSteps steps[] = {
1181  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1182  "Host: www.openinfosecfoundation.org\r\n"
1183  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1184  "Gecko/20091221 Firefox/3.5.7\r\n"
1185  "\r\n",
1186  0, STREAM_TOSERVER, 0 },
1187  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1188  "Content-Type: text/html\r\n"
1189  "Content-Length: 5\r\n"
1190  "\r\n"
1191  "ab",
1192  0, STREAM_TOCLIENT, 0 },
1193  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 1 },
1194  { (const uint8_t *)"de", 0, STREAM_TOCLIENT, 0 },
1195  { NULL, 0, 0, 0 },
1196  };
1197 
1198  const char *sig = "alert http any any -> any any (file_data; content:\"abc\"; depth:3; sid:1;)";
1199  return RunTest(steps, sig, yaml);
1200 }
1201 
1202 static int DetectEngineHttpServerBodyFileDataTest11(void)
1203 {
1204 
1205  const char yaml[] = "\
1206 %YAML 1.1\n\
1207 ---\n\
1208 libhtp:\n\
1209 \n\
1210  default-config:\n\
1211 \n\
1212  http-body-inline: yes\n\
1213  response-body-minimal-inspect-size: 6\n\
1214  response-body-inspect-window: 3\n\
1215 ";
1216 
1217  struct TestSteps steps[] = {
1218  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1219  "Host: www.openinfosecfoundation.org\r\n"
1220  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1221  "Gecko/20091221 Firefox/3.5.7\r\n"
1222  "\r\n",
1223  0, STREAM_TOSERVER, 0 },
1224  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1225  "Content-Type: text/html\r\n"
1226  "Content-Length: 5\r\n"
1227  "\r\n"
1228  "ab",
1229  0, STREAM_TOCLIENT, 0 },
1230  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1231  { (const uint8_t *)"de", 0, STREAM_TOCLIENT, 1 },
1232  { NULL, 0, 0, 0 },
1233  };
1234 
1235  const char *sig = "alert http any any -> any any (file_data; content:\"bcde\"; offset:1; "
1236  "depth:4; sid:1;)";
1237  return RunTest(steps, sig, yaml);
1238 }
1239 
1240 static int DetectEngineHttpServerBodyFileDataTest12(void)
1241 {
1242 
1243  const char yaml[] = "\
1244 %YAML 1.1\n\
1245 ---\n\
1246 libhtp:\n\
1247 \n\
1248  default-config:\n\
1249 \n\
1250  http-body-inline: yes\n\
1251  response-body-minimal-inspect-size: 6\n\
1252  response-body-inspect-window: 3\n\
1253 ";
1254 
1255  struct TestSteps steps[] = {
1256  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1257  "Host: www.openinfosecfoundation.org\r\n"
1258  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1259  "Gecko/20091221 Firefox/3.5.7\r\n"
1260  "\r\n",
1261  0, STREAM_TOSERVER, 0 },
1262  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1263  "Content-Type: text/html\r\n"
1264  "Content-Length: 13\r\n"
1265  "\r\n"
1266  "a",
1267  0, STREAM_TOCLIENT, 0 },
1268  { (const uint8_t *)"b", 0, STREAM_TOCLIENT, 0 },
1269  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1270  { (const uint8_t *)"d", 0, STREAM_TOCLIENT, 1 },
1271  { (const uint8_t *)"efghijklm", 0, STREAM_TOCLIENT, 0 },
1272  { NULL, 0, 0, 0 },
1273  };
1274 
1275  const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
1276  return RunTest(steps, sig, yaml);
1277 }
1278 
1279 static int DetectEngineHttpServerBodyFileDataTest13(void)
1280 {
1281 
1282  const char yaml[] = "\
1283 %YAML 1.1\n\
1284 ---\n\
1285 libhtp:\n\
1286 \n\
1287  default-config:\n\
1288 \n\
1289  http-body-inline: yes\n\
1290  response-body-minimal-inspect-size: 9\n\
1291  response-body-inspect-window: 12\n\
1292 ";
1293 
1294  struct TestSteps steps[] = {
1295  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1296  "Host: www.openinfosecfoundation.org\r\n"
1297  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1298  "Gecko/20091221 Firefox/3.5.7\r\n"
1299  "\r\n",
1300  0, STREAM_TOSERVER, 0 },
1301  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1302  "Content-Type: text/html\r\n"
1303  "Content-Length: 13\r\n"
1304  "\r\n"
1305  "a",
1306  0, STREAM_TOCLIENT, 0 },
1307  { (const uint8_t *)"b", 0, STREAM_TOCLIENT, 0 },
1308  { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1309  { (const uint8_t *)"d", 0, STREAM_TOCLIENT, 0 },
1310  { (const uint8_t *)"efghijklm", 0, STREAM_TOCLIENT, 1 },
1311  { NULL, 0, 0, 0 },
1312  };
1313 
1314  const char *sig =
1315  "alert http any any -> any any (file_data; content:\"abcdefghijklm\"; sid:1;)";
1316  return RunTest(steps, sig, yaml);
1317 }
1318 
1319 static int DetectEngineHttpServerBodyFileDataTest14(void)
1320 {
1321 
1322  const char yaml[] = "\
1323 %YAML 1.1\n\
1324 ---\n\
1325 libhtp:\n\
1326 \n\
1327  default-config:\n\
1328 \n\
1329  http-body-inline: yes\n\
1330  response-body-minimal-inspect-size: 9\n\
1331  response-body-inspect-window: 12\n\
1332 ";
1333 
1334  struct TestSteps steps[] = {
1335  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1336  "Host: www.openinfosecfoundation.org\r\n"
1337  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1338  "Gecko/20091221 Firefox/3.5.7\r\n"
1339  "\r\n",
1340  0, STREAM_TOSERVER, 0 },
1341  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1342  "Content-Type: text/html\r\n"
1343  "Content-Length: 20\r\n"
1344  "\r\n"
1345  "1234567890",
1346  0, STREAM_TOCLIENT, 0 },
1347  { (const uint8_t *)"abcdefghi", 0, STREAM_TOCLIENT, 1 },
1348  { NULL, 0, 0, 0 },
1349  };
1350 
1351  const char *sig = "alert http any any -> any any (file_data; content:\"890abcdefghi\"; sid:1;)";
1352  return RunTest(steps, sig, yaml);
1353 }
1354 
1355 static int DetectEngineHttpServerBodyFileDataTest15(void)
1356 {
1357 
1358  const char yaml[] = "\
1359 %YAML 1.1\n\
1360 ---\n\
1361 libhtp:\n\
1362 \n\
1363  default-config:\n\
1364 \n\
1365  http-body-inline: yes\n\
1366  response-body-minimal-inspect-size: 9\n\
1367  response-body-inspect-window: 12\n\
1368 ";
1369 
1370  struct TestSteps steps[] = {
1371  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1372  "Host: www.openinfosecfoundation.org\r\n"
1373  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1374  "Gecko/20091221 Firefox/3.5.7\r\n"
1375  "\r\n",
1376  0, STREAM_TOSERVER, 0 },
1377  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1378  "Content-Type: text/html\r\n"
1379  "Content-Length: 20\r\n"
1380  "\r\n"
1381  "1234567890",
1382  0, STREAM_TOCLIENT, 0 },
1383  { (const uint8_t *)"abcdefghi", 0, STREAM_TOCLIENT, 0 },
1384  { NULL, 0, 0, 0 },
1385  };
1386 
1387  const char *sig =
1388  "alert http any any -> any any (file_data; content:\"7890ab\"; depth:6; sid:1;)";
1389  return RunTest(steps, sig, yaml);
1390 }
1391 
1392 static int DetectEngineHttpServerBodyFileDataTest16(void)
1393 {
1394 
1395  const char yaml[] = "\
1396 %YAML 1.1\n\
1397 ---\n\
1398 libhtp:\n\
1399 \n\
1400  default-config:\n\
1401 \n\
1402  http-body-inline: yes\n\
1403  response-body-minimal-inspect-size: 9\n\
1404  response-body-inspect-window: 12\n\
1405 ";
1406 
1407  struct TestSteps steps[] = {
1408  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1409  "Host: www.openinfosecfoundation.org\r\n"
1410  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1411  "Gecko/20091221 Firefox/3.5.7\r\n"
1412  "\r\n",
1413  0, STREAM_TOSERVER, 0 },
1414  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1415  "Content-Type: text/html\r\n"
1416  "Content-Length: 20\r\n"
1417  "\r\n"
1418  "aaaab",
1419  0, STREAM_TOCLIENT, 0 },
1420  { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1421  { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1422  { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1423  { NULL, 0, 0, 0 },
1424  };
1425 
1426  const char *sig =
1427  "alert http any any -> any any (file_data; content:\"aabb\"; depth:4; sid:1;)";
1428  return RunTest(steps, sig, yaml);
1429 }
1430 
1431 static int DetectEngineHttpServerBodyFileDataTest17(void)
1432 {
1433 
1434  const char yaml[] = "\
1435 %YAML 1.1\n\
1436 ---\n\
1437 libhtp:\n\
1438 \n\
1439  default-config:\n\
1440 \n\
1441  http-body-inline: yes\n\
1442  response-body-minimal-inspect-size: 8\n\
1443  response-body-inspect-window: 4\n\
1444 ";
1445 
1446  struct TestSteps steps[] = {
1447  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1448  "Host: www.openinfosecfoundation.org\r\n"
1449  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1450  "Gecko/20091221 Firefox/3.5.7\r\n"
1451  "\r\n",
1452  0, STREAM_TOSERVER, 0 },
1453  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1454  "Content-Type: text/html\r\n"
1455  "Content-Length: 20\r\n"
1456  "\r\n"
1457  "aaaab",
1458  0, STREAM_TOCLIENT, 0 },
1459  { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1460  { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1461  { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1462  { NULL, 0, 0, 0 },
1463  };
1464 
1465  const char *sig =
1466  "alert http any any -> any any (file_data; content:\"bbbc\"; depth:4; sid:1;)";
1467  return RunTest(steps, sig, yaml);
1468 }
1469 
1470 static int DetectEngineHttpServerBodyFileDataTest18(void)
1471 {
1472 
1473  const char yaml[] = "\
1474 %YAML 1.1\n\
1475 ---\n\
1476 libhtp:\n\
1477 \n\
1478  default-config:\n\
1479 \n\
1480  http-body-inline: yes\n\
1481  response-body-minimal-inspect-size: 8\n\
1482  response-body-inspect-window: 4\n\
1483 ";
1484 
1485  struct TestSteps steps[] = {
1486  { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1487  "Host: www.openinfosecfoundation.org\r\n"
1488  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1489  "Gecko/20091221 Firefox/3.5.7\r\n"
1490  "\r\n",
1491  0, STREAM_TOSERVER, 0 },
1492  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1493  "Content-Type: text/html\r\n"
1494  "Content-Length: 20\r\n"
1495  "\r\n"
1496  "aaaab",
1497  0, STREAM_TOCLIENT, 0 },
1498  { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1499  { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1500  { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1501  { NULL, 0, 0, 0 },
1502  };
1503 
1504  const char *sig =
1505  "alert http any any -> any any (file_data; content:\"bccd\"; depth:4; sid:1;)";
1506  return RunTest(steps, sig, yaml);
1507 }
1508 static int DetectEngineHttpServerBodyFileDataTest19(void)
1509 {
1510  char input[] = "\
1511 %YAML 1.1\n\
1512 ---\n\
1513 libhtp:\n\
1514 \n\
1515  default-config:\n\
1516 \n\
1517  swf-decompression:\n\
1518  enabled: yes\n\
1519  type: both\n\
1520  compress-depth: 0\n\
1521  decompress-depth: 0\n\
1522 ";
1523  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1524  "Host: www.openinfosecfoundation.org\r\n"
1525  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1526  "Gecko/20091221 Firefox/3.5.7\r\n"
1527  "\r\n";
1528  // clang-format off
1529  uint8_t http_buf2[] = {
1530  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1531  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
1532  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1533  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1534  0x0d, 0x0a,
1535  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1536  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1537  0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
1538  0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
1539  0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1540  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
1541  0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
1542  };
1543  // clang-format on
1544  struct TestSteps steps[] = {
1545  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1546  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1547  { NULL, 0, 0, 0 },
1548  };
1549  const char *sig = "alert tcp any any -> any any "
1550  "(flow:established,from_server; "
1551  "file_data; content:\"FWS\"; "
1552  "sid:1;)";
1553  return RunTest(steps, sig, input);
1554 }
1555 
1556 static int DetectEngineHttpServerBodyFileDataTest20(void)
1557 {
1558  char input[] = "\
1559 %YAML 1.1\n\
1560 ---\n\
1561 libhtp:\n\
1562 \n\
1563  default-config:\n\
1564 \n\
1565  swf-decompression:\n\
1566  enabled: no\n\
1567  type: both\n\
1568  compress-depth: 0\n\
1569  decompress-depth: 0\n\
1570 ";
1571  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1572  "Host: www.openinfosecfoundation.org\r\n"
1573  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1574  "Gecko/20091221 Firefox/3.5.7\r\n"
1575  "\r\n";
1576  // clang-format off
1577  uint8_t http_buf2[] = {
1578  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1579  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1580  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1581  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1582  0x0d, 0x0a,
1583  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1584  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1585  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1586  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1587  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1588  };
1589  // clang-format on
1590  struct TestSteps steps[] = {
1591  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1592  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1593  { NULL, 0, 0, 0 },
1594  };
1595  const char *sig = "alert tcp any any -> any any "
1596  "(flow:established,from_server; "
1597  "file_data; content:\"CWS\"; "
1598  "sid:1;)";
1599  return RunTest(steps, sig, input);
1600 }
1601 
1602 static int DetectEngineHttpServerBodyFileDataTest21(void)
1603 {
1604  char input[] = "\
1605 %YAML 1.1\n\
1606 ---\n\
1607 libhtp:\n\
1608 \n\
1609  default-config:\n\
1610 \n\
1611  swf-decompression:\n\
1612  enabled: yes\n\
1613  type: deflate\n\
1614  compress-depth: 0\n\
1615  decompress-depth: 0\n\
1616 ";
1617  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1618  "Host: www.openinfosecfoundation.org\r\n"
1619  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1620  "Gecko/20091221 Firefox/3.5.7\r\n"
1621  "\r\n";
1622  // clang-format off
1623  uint8_t http_buf2[] = {
1624  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1625  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1626  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1627  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1628  0x0d, 0x0a,
1629  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1630  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1631  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1632  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1633  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1634  };
1635  // clang-format on
1636  struct TestSteps steps[] = {
1637  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1638  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1639  { NULL, 0, 0, 0 },
1640  };
1641  const char *sig = "alert tcp any any -> any any "
1642  "(flow:established,from_server; "
1643  "file_data; content:\"FWS\"; "
1644  "sid:1;)";
1645  return RunTest(steps, sig, input);
1646 }
1647 
1648 static int DetectEngineHttpServerBodyFileDataTest22(void)
1649 {
1650  char input[] = "\
1651 %YAML 1.1\n\
1652 ---\n\
1653 libhtp:\n\
1654 \n\
1655  default-config:\n\
1656 \n\
1657  swf-decompression:\n\
1658  enabled: yes\n\
1659  type: lzma\n\
1660  compress-depth: 0\n\
1661  decompress-depth: 0\n\
1662 ";
1663  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1664  "Host: www.openinfosecfoundation.org\r\n"
1665  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1666  "Gecko/20091221 Firefox/3.5.7\r\n"
1667  "\r\n";
1668  // clang-format off
1669  uint8_t http_buf2[] = {
1670  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1671  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1672  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1673  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1674  0x0d, 0x0a,
1675  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1676  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1677  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1678  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1679  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1680  };
1681  // clang-format on
1682  struct TestSteps steps[] = {
1683  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1684  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1685  { NULL, 0, 0, 0 },
1686  };
1687  const char *sig = "alert tcp any any -> any any "
1688  "(flow:established,from_server; "
1689  "file_data; content:\"CWS\"; "
1690  "sid:1;)";
1691  return RunTest(steps, sig, input);
1692 }
1693 
1694 static int DetectEngineHttpServerBodyFileDataTest23(void)
1695 {
1696  char input[] = "\
1697 %YAML 1.1\n\
1698 ---\n\
1699 libhtp:\n\
1700 \n\
1701  default-config:\n\
1702 \n\
1703  swf-decompression:\n\
1704  enabled: yes\n\
1705  type: both\n\
1706  compress-depth: 0\n\
1707  decompress-depth: 0\n\
1708 ";
1709  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1710  "Host: www.openinfosecfoundation.org\r\n"
1711  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1712  "Gecko/20091221 Firefox/3.5.7\r\n"
1713  "\r\n";
1714  // clang-format off
1715  uint8_t http_buf2[] = {
1716  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1717  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1718  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1719  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1720  0x0d, 0x0a,
1721  0x43, 0x57, 0x53, 0x01, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1722  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1723  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1724  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1725  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1726  };
1727  // clang-format on
1728  struct TestSteps steps[] = {
1729  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1730  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1731  { NULL, 0, 0, 0 },
1732  };
1733  const char *sig = "alert tcp any any -> any any "
1734  "(flow:established,from_server; "
1735  "file_data; content:\"CWS\"; "
1736  "sid:1;)";
1737  return RunTest(steps, sig, input);
1738 }
1739 
1740 static int DetectEngineHttpServerBodyFileDataTest24(void)
1741 {
1742  char input[] = "\
1743 %YAML 1.1\n\
1744 ---\n\
1745 libhtp:\n\
1746 \n\
1747  default-config:\n\
1748 \n\
1749  swf-decompression:\n\
1750  enabled: yes\n\
1751  type: both\n\
1752  compress-depth: 0\n\
1753  decompress-depth: 0\n\
1754 ";
1755  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1756  "Host: www.openinfosecfoundation.org\r\n"
1757  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1758  "Gecko/20091221 Firefox/3.5.7\r\n"
1759  "\r\n";
1760  uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1761  0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1762  '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1763  ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1764  '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1765  0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1766  0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1767  0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1768  0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1769  0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1770  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1771  0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1772  struct TestSteps steps[] = {
1773  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1774  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1775  { NULL, 0, 0, 0 },
1776  };
1777  const char *sig = "alert tcp any any -> any any "
1778  "(flow:established,from_server; "
1779  "file_data; content:\"FWS\"; "
1780  "sid:1;)";
1781  return RunTest(steps, sig, input);
1782 }
1783 
1784 static int DetectEngineHttpServerBodyFileDataTest25(void)
1785 {
1786  char input[] = "\
1787 %YAML 1.1\n\
1788 ---\n\
1789 libhtp:\n\
1790 \n\
1791  default-config:\n\
1792 \n\
1793  swf-decompression:\n\
1794  enabled: no\n\
1795  type: both\n\
1796  compress-depth: 0\n\
1797  decompress-depth: 0\n\
1798 ";
1799  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1800  "Host: www.openinfosecfoundation.org\r\n"
1801  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1802  "Gecko/20091221 Firefox/3.5.7\r\n"
1803  "\r\n";
1804  uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1805  0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1806  '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1807  ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1808  '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1809  0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1810  0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1811  0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1812  0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1813  0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1814  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1815  0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1816  struct TestSteps steps[] = {
1817  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1818  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1819  { NULL, 0, 0, 0 },
1820  };
1821  const char *sig = "alert tcp any any -> any any "
1822  "(flow:established,from_server; "
1823  "file_data; content:\"ZWS\"; "
1824  "sid:1;)";
1825  return RunTest(steps, sig, input);
1826 }
1827 
1828 static int DetectEngineHttpServerBodyFileDataTest26(void)
1829 {
1830  char input[] = "\
1831 %YAML 1.1\n\
1832 ---\n\
1833 libhtp:\n\
1834 \n\
1835  default-config:\n\
1836 \n\
1837  swf-decompression:\n\
1838  enabled: yes\n\
1839  type: lzma\n\
1840  compress-depth: 0\n\
1841  decompress-depth: 0\n\
1842 ";
1843  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1844  "Host: www.openinfosecfoundation.org\r\n"
1845  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1846  "Gecko/20091221 Firefox/3.5.7\r\n"
1847  "\r\n";
1848  uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1849  0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1850  '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1851  ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1852  '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1853  0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1854  0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1855  0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1856  0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1857  0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1858  0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1859  0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1860  struct TestSteps steps[] = {
1861  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1862  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1863  { NULL, 0, 0, 0 },
1864  };
1865  const char *sig = "alert tcp any any -> any any "
1866  "(flow:established,from_server; "
1867  "file_data; content:\"FWS\"; "
1868  "sid:1;)";
1869  return RunTest(steps, sig, input);
1870 }
1871 
1872 static int DetectEngineHttpServerBodyFileDataTest27(void)
1873 {
1874  char input[] = "\
1875 %YAML 1.1\n\
1876 ---\n\
1877 libhtp:\n\
1878 \n\
1879  default-config:\n\
1880 \n\
1881  swf-decompression:\n\
1882  enabled: yes\n\
1883  type: deflate\n\
1884  compress-depth: 0\n\
1885  decompress-depth: 0\n\
1886 ";
1887  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1888  "Host: www.openinfosecfoundation.org\r\n"
1889  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1890  "Gecko/20091221 Firefox/3.5.7\r\n"
1891  "\r\n";
1892  // clang-format off
1893  uint8_t http_buf2[] = {
1894  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1895  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1896  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1897  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1898  0x0d, 0x0a,
1899  0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1900  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1901  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
1902  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
1903  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
1904  };
1905  // clang-format on
1906  struct TestSteps steps[] = {
1907  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1908  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1909  { NULL, 0, 0, 0 },
1910  };
1911  const char *sig = "alert tcp any any -> any any "
1912  "(flow:established,from_server; "
1913  "file_data; content:\"ZWS\"; "
1914  "sid:1;)";
1915  return RunTest(steps, sig, input);
1916 }
1917 
1918 static int DetectEngineHttpServerBodyFileDataTest28(void)
1919 {
1920  char input[] = "\
1921 %YAML 1.1\n\
1922 ---\n\
1923 libhtp:\n\
1924 \n\
1925  default-config:\n\
1926 \n\
1927  swf-decompression:\n\
1928  enabled: yes\n\
1929  type: both\n\
1930  compress-depth: 0\n\
1931  decompress-depth: 0\n\
1932 ";
1933  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1934  "Host: www.openinfosecfoundation.org\r\n"
1935  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1936  "Gecko/20091221 Firefox/3.5.7\r\n"
1937  "\r\n";
1938  // clang-format off
1939  uint8_t http_buf2[] = {
1940  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1941  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1942  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1943  'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1944  0x0d, 0x0a,
1945  0x5a, 0x57, 0x53, 0x01, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1946  0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1947  0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
1948  0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
1949  0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
1950  };
1951  // clang-format on
1952  struct TestSteps steps[] = {
1953  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1954  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1955  { NULL, 0, 0, 0 },
1956  };
1957  const char *sig = "alert tcp any any -> any any "
1958  "(flow:established,from_server; "
1959  "file_data; content:\"ZWS\"; "
1960  "sid:1;)";
1961  return RunTest(steps, sig, input);
1962 }
1963 
1964 static int DetectEngineHttpServerBodyFileDataTest29(void)
1965 {
1966  char input[] = "\
1967 %YAML 1.1\n\
1968 ---\n\
1969 libhtp:\n\
1970 \n\
1971  default-config:\n\
1972 \n\
1973  swf-decompression:\n\
1974  enabled: yes\n\
1975  type: both\n\
1976  compress-depth: 1000\n\
1977  decompress-depth: 0\n\
1978 ";
1979  uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1980  "Host: www.openinfosecfoundation.org\r\n"
1981  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1982  "Gecko/20091221 Firefox/3.5.7\r\n"
1983  "\r\n";
1984  // clang-format off
1985  uint8_t http_buf2[] = {
1986  'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1987  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1988  'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1989  'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1990  0x0d, 0x0a,
1991  0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1992  0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1993  0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1994  0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1995  0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1996  };
1997  // clang-format on
1998  struct TestSteps steps[] = {
1999  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2000  { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
2001  { NULL, 0, 0, 0 },
2002  };
2003  const char *sig = "alert tcp any any -> any any "
2004  "(flow:established,from_server; "
2005  "file_data; content:\"FWS\"; "
2006  "sid:1;)";
2007  return RunTest(steps, sig, input);
2008 }
2009 
2010 /**
2011  *\test Test that the http_server_body content matches against a http request
2012  * which holds the content.
2013  */
2014 static int DetectHttpServerBodyTest06(void)
2015 {
2016  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2017  "Host: www.openinfosecfoundation.org\r\n"
2018  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2019  "Gecko/20091221 Firefox/3.5.7\r\n"
2020  "\r\n";
2021  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2022  "Content-Type: text/html\r\n"
2023  "Content-Length: 7\r\n"
2024  "\r\n"
2025  "message";
2026  struct TestSteps steps[] = {
2027  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2028  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2029  { NULL, 0, 0, 0 },
2030  };
2031  const char *sig = "alert http any any -> any any "
2032  "(msg:\"http server body test\"; "
2033  "content:\"message\"; http_server_body; "
2034  "sid:1;)";
2035  return RunTest(steps, sig, NULL);
2036 }
2037 
2038 /**
2039  *\test Test that the http_server_body content matches against a http request
2040  * which holds the content.
2041  */
2042 static int DetectHttpServerBodyTest07(void)
2043 {
2044  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2045  "Host: www.openinfosecfoundation.org\r\n"
2046  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2047  "Gecko/20091221 Firefox/3.5.7\r\n"
2048  "\r\n";
2049  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2050  "Content-Type: text/html\r\n"
2051  "Content-Length: 14\r\n"
2052  "\r\n";
2053  uint8_t http_buf3[] = "message";
2054  struct TestSteps steps[] = {
2055  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2056  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2057  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT | STREAM_EOF, 1 },
2058  { NULL, 0, 0, 0 },
2059  };
2060  const char *sig = "alert http any any -> any any "
2061  "(msg:\"http server body test\"; "
2062  "content:\"message\"; http_server_body; "
2063  "sid:1;)";
2064  return RunTest(steps, sig, NULL);
2065 }
2066 
2067 /**
2068  *\test Test that the http_server_body content matches against a http request
2069  * which holds the content.
2070  */
2071 static int DetectHttpServerBodyTest08(void)
2072 {
2073  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2074  "Host: www.openinfosecfoundation.org\r\n"
2075  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2076  "Gecko/20091221 Firefox/3.5.7\r\n"
2077  "\r\n";
2078  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2079  "Content-Type: text/html\r\n"
2080  "Content-Length: 14\r\n"
2081  "\r\n"
2082  "bigmes";
2083  uint8_t http_buf3[] = "sage4u!!";
2084  struct TestSteps steps[] = {
2085  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2086  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2087  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2088  { NULL, 0, 0, 0 },
2089  };
2090  const char *sig = "alert http any any -> any any "
2091  "(msg:\"http client body test\"; "
2092  "content:\"message\"; http_server_body; "
2093  "sid:1;)";
2094  return RunTest(steps, sig, NULL);
2095 }
2096 
2097 /**
2098  *\test Test that the http_server_body content matches against a http request
2099  * which holds the content.
2100  */
2101 static int DetectHttpServerBodyTest09(void)
2102 {
2103  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2104  "Host: www.openinfosecfoundation.org\r\n"
2105  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2106  "Gecko/20091221 Firefox/3.5.7\r\n"
2107  "\r\n";
2108  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2109  "Content-Type: text/html\r\n"
2110  "Content-Length: 14\r\n"
2111  "\r\n"
2112  "bigmes";
2113  uint8_t http_buf3[] = "sag";
2114  uint8_t http_buf4[] = "e4u!!";
2115  struct TestSteps steps[] = {
2116  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2117  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2118  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2119  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2120  { NULL, 0, 0, 0 },
2121  };
2122  const char *sig = "alert http any any -> any any "
2123  "(msg:\"http client body test\"; "
2124  "content:\"message\"; http_server_body; "
2125  "sid:1;)";
2126  return RunTest(steps, sig, NULL);
2127 }
2128 
2129 /**
2130  *\test Test that the http_server_body content matches against a http request
2131  * which holds the content. Case insensitive.
2132  */
2133 static int DetectHttpServerBodyTest10(void)
2134 {
2135  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2136  "Host: www.openinfosecfoundation.org\r\n"
2137  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2138  "Gecko/20091221 Firefox/3.5.7\r\n"
2139  "\r\n";
2140  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2141  "Content-Type: text/html\r\n"
2142  "Content-Length: 14\r\n"
2143  "\r\n"
2144  "bigmes";
2145  uint8_t http_buf3[] = "sag";
2146  uint8_t http_buf4[] =
2147  "e4u!!";
2148  struct TestSteps steps[] = {
2149  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2150  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2151  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2152  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2153  { NULL, 0, 0, 0 },
2154  };
2155  const char *sig = "alert http any any -> any any "
2156  "(msg:\"http client body test\"; "
2157  "content:\"MeSSaGE\"; http_server_body; nocase; "
2158  "sid:1;)";
2159  return RunTest(steps, sig, NULL);
2160 }
2161 
2162 /**
2163  *\test Test that the http_server_body content matches against a http request
2164  * which holds the content. Negated match.
2165  */
2166 static int DetectHttpServerBodyTest11(void)
2167 {
2168  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2169  "Host: www.openinfosecfoundation.org\r\n"
2170  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2171  "Gecko/20091221 Firefox/3.5.7\r\n"
2172  "\r\n";
2173  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2174  "Content-Type: text/html\r\n"
2175  "Content-Length: 14\r\n"
2176  "\r\n";
2177  uint8_t http_buf3[] = "bigmessage4u!!";
2178  struct TestSteps steps[] = {
2179  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2180  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2181  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2182  { NULL, 0, 0, 0 },
2183  };
2184  const char *sig = "alert http any any -> any any "
2185  "(msg:\"http client body test\"; "
2186  "content:!\"MaSSaGE\"; http_server_body; nocase; "
2187  "sid:1;)";
2188  return RunTest(steps, sig, NULL);
2189 }
2190 
2191 /**
2192  *\test Test that the http_server_body content matches against a http request
2193  * which holds the content. Negated match.
2194  */
2195 static int DetectHttpServerBodyTest12(void)
2196 {
2197  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2198  "Host: www.openinfosecfoundation.org\r\n"
2199  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2200  "Gecko/20091221 Firefox/3.5.7\r\n"
2201  "\r\n";
2202  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2203  "Content-Type: text/html\r\n"
2204  "Content-Length: 14\r\n"
2205  "\r\n";
2206  uint8_t http_buf3[] = "bigmessage4u!!";
2207  struct TestSteps steps[] = {
2208  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2209  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2210  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2211  { NULL, 0, 0, 0 },
2212  };
2213  const char *sig = "alert http any any -> any any "
2214  "(msg:\"http client body test\"; "
2215  "content:!\"MeSSaGE\"; http_server_body; nocase; "
2216  "sid:1;)";
2217  return RunTest(steps, sig, NULL);
2218 }
2219 
2220 static int DetectHttpServerBodyTest13(void)
2221 {
2222  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2223  "Host: www.openinfosecfoundation.org\r\n"
2224  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2225  "Gecko/20091221 Firefox/3.5.7\r\n"
2226  "\r\n";
2227  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2228  "Content-Type: text/html\r\n"
2229  "Content-Length: 55\r\n"
2230  "\r\n"
2231  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
2232  struct TestSteps steps[] = {
2233  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2234  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2235  { NULL, 0, 0, 0 },
2236  };
2237  const char *sig = "alert http any any -> any any "
2238  "(msg:\"http server body test\"; "
2239  "content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; "
2240  "http_server_body; "
2241  "sid:1;)";
2242  return RunTest(steps, sig, NULL);
2243 }
2244 
2245 /** \test multiple http transactions and body chunks of request handling */
2246 static int DetectHttpServerBodyTest14(void)
2247 {
2248  int result = 0;
2249  Signature *s = NULL;
2250  DetectEngineThreadCtx *det_ctx = NULL;
2251  ThreadVars th_v;
2252  Flow f;
2253  TcpSession ssn;
2254  Packet *p = NULL;
2255  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2256  "User-Agent: Mozilla/1.0\r\n"
2257  "Host: www.openinfosecfoundation.org\r\n"
2258  "Connection: keep-alive\r\n"
2259  "Cookie: dummy1\r\n\r\n";
2260  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2261  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2262  "Content-Type: text/html\r\n"
2263  "Content-Length: 3\r\n"
2264  "\r\n"
2265  "one";
2266  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2267  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2268  "User-Agent: Firefox/1.0\r\n"
2269  "Host: www.openinfosecfoundation.org\r\n"
2270  "Connection: keep-alive\r\n"
2271  "Cookie: dummy2\r\n\r\n";
2272  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2273  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2274  "Content-Type: text/html\r\n"
2275  "Content-Length: 3\r\n"
2276  "\r\n"
2277  "two";
2278  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2280 
2281  memset(&th_v, 0, sizeof(th_v));
2282  memset(&f, 0, sizeof(f));
2283  memset(&ssn, 0, sizeof(ssn));
2284 
2285  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2286 
2287  FLOW_INITIALIZE(&f);
2288  f.protoctx = (void *)&ssn;
2289  f.proto = IPPROTO_TCP;
2290  f.flags |= FLOW_IPV4;
2291 
2292  p->flow = &f;
2296  f.alproto = ALPROTO_HTTP1;
2297 
2298  StreamTcpInitConfig(true);
2299 
2301  if (de_ctx == NULL) {
2302  goto end;
2303  }
2304 
2305  de_ctx->flags |= DE_QUIET;
2306 
2307  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2308  "content:\"one\"; http_server_body; sid:1; rev:1;)");
2309  if (s == NULL) {
2310  printf("sig parse failed: ");
2311  goto end;
2312  }
2313  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2314  "content:\"two\"; http_server_body; sid:2; rev:1;)");
2315  if (s == NULL) {
2316  printf("sig2 parse failed: ");
2317  goto end;
2318  }
2319 
2321  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2322 
2323  SCLogDebug("add chunk 1");
2324 
2325  int r = AppLayerParserParse(
2326  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2327  if (r != 0) {
2328  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2329  goto end;
2330  }
2331 
2332  SCLogDebug("add chunk 2");
2333 
2334  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2335  if (r != 0) {
2336  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
2337  goto end;
2338  }
2339 
2340  SCLogDebug("inspect chunk 1");
2341 
2342  /* do detect */
2343  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2344  if (!(PacketAlertCheck(p, 1))) {
2345  printf("sig 1 didn't alert (tx 1): ");
2346  goto end;
2347  }
2348  p->alerts.cnt = 0;
2349 
2350  SCLogDebug("add chunk 3");
2351 
2352  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2353  if (r != 0) {
2354  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
2355  goto end;
2356  }
2357 
2358  SCLogDebug("add chunk 4");
2359 
2360  r = AppLayerParserParse(
2361  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2362  if (r != 0) {
2363  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
2364  goto end;
2365  }
2366 
2367  SCLogDebug("inspect chunk 4");
2368 
2369  /* do detect */
2370  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2371  if ((PacketAlertCheck(p, 1))) {
2372  printf("sig 1 alerted (tx 2): ");
2373  goto end;
2374  }
2375  if (!(PacketAlertCheck(p, 2))) {
2376  printf("sig 2 didn't alert (tx 2): ");
2377  goto end;
2378  }
2379  p->alerts.cnt = 0;
2380 
2381  HtpState *htp_state = f.alstate;
2382  if (htp_state == NULL) {
2383  printf("no http state: ");
2384  goto end;
2385  }
2386 
2387  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
2388  printf("The http app layer doesn't have 2 transactions, but it should: ");
2389  goto end;
2390  }
2391 
2392  result = 1;
2393 end:
2394  if (alp_tctx != NULL)
2396  if (det_ctx != NULL) {
2397  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2398  }
2399  if (de_ctx != NULL) {
2401  }
2402 
2403  StreamTcpFreeConfig(true);
2404  FLOW_DESTROY(&f);
2405  UTHFreePacket(p);
2406  return result;
2407 }
2408 
2409 static int DetectHttpServerBodyTest15(void)
2410 {
2411  int result = 0;
2412  Signature *s = NULL;
2413  DetectEngineThreadCtx *det_ctx = NULL;
2414  ThreadVars th_v;
2415  Flow f;
2416  TcpSession ssn;
2417  Packet *p = NULL;
2418  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2419  "User-Agent: Mozilla/1.0\r\n"
2420  "Host: www.openinfosecfoundation.org\r\n"
2421  "Connection: keep-alive\r\n"
2422  "Cookie: dummy1\r\n\r\n";
2423  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2424  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2425  "Content-Type: text/html\r\n"
2426  "Content-Length: 3\r\n"
2427  "\r\n"
2428  "one";
2429  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2430  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2431  "User-Agent: Firefox/1.0\r\n"
2432  "Host: www.openinfosecfoundation.org\r\n"
2433  "Connection: keep-alive\r\n"
2434  "Cookie: dummy2\r\n\r\n";
2435  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2436  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2437  "Content-Type: text/html\r\n"
2438  "Content-Length: 3\r\n"
2439  "\r\n"
2440  "two";
2441  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2443 
2444  memset(&th_v, 0, sizeof(th_v));
2445  memset(&f, 0, sizeof(f));
2446  memset(&ssn, 0, sizeof(ssn));
2447 
2448  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2449 
2450  FLOW_INITIALIZE(&f);
2451  f.protoctx = (void *)&ssn;
2452  f.proto = IPPROTO_TCP;
2453  f.flags |= FLOW_IPV4;
2454 
2455  p->flow = &f;
2459  f.alproto = ALPROTO_HTTP1;
2460 
2461  StreamTcpInitConfig(true);
2462 
2464  if (de_ctx == NULL) {
2465  goto end;
2466  }
2467 
2468  de_ctx->flags |= DE_QUIET;
2469 
2470  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2471  "content:\"one\"; http_server_body; sid:1; rev:1;)");
2472  if (s == NULL) {
2473  printf("sig parse failed: ");
2474  goto end;
2475  }
2476  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2477  "content:\"two\"; http_server_body; sid:2; rev:1;)");
2478  if (s == NULL) {
2479  printf("sig2 parse failed: ");
2480  goto end;
2481  }
2482 
2484  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2485 
2486  int r = AppLayerParserParse(
2487  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2488  if (r != 0) {
2489  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2490  goto end;
2491  }
2492 
2493  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2494  if (r != 0) {
2495  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
2496  goto end;
2497  }
2498 
2499  /* do detect */
2500  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2501  if (!(PacketAlertCheck(p, 1))) {
2502  printf("sig 1 didn't alert (tx 1): ");
2503  goto end;
2504  }
2505  if (PacketAlertCheck(p, 2)) {
2506  printf("sig 2 alerted (tx 1): ");
2507  goto end;
2508  }
2509  p->alerts.cnt = 0;
2510 
2511  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2512  if (r != 0) {
2513  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
2514  goto end;
2515  }
2516 
2517  r = AppLayerParserParse(
2518  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2519  if (r != 0) {
2520  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
2521  goto end;
2522  }
2523 
2524  /* do detect */
2525  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2526  if ((PacketAlertCheck(p, 1))) {
2527  printf("sig 1 alerted (tx 2): ");
2528  goto end;
2529  }
2530  if (!(PacketAlertCheck(p, 2))) {
2531  printf("sig 2 didn't alert (tx 2): ");
2532  goto end;
2533  }
2534  p->alerts.cnt = 0;
2535 
2536  HtpState *htp_state = f.alstate;
2537  if (htp_state == NULL) {
2538  printf("no http state: ");
2539  goto end;
2540  }
2541 
2542  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
2543  printf("The http app layer doesn't have 2 transactions, but it should: ");
2544  goto end;
2545  }
2546 
2547  result = 1;
2548 end:
2549  if (alp_tctx != NULL)
2551  if (det_ctx != NULL) {
2552  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2553  }
2554  if (de_ctx != NULL) {
2556  }
2557 
2558  StreamTcpFreeConfig(true);
2559  FLOW_DESTROY(&f);
2560  UTHFreePacket(p);
2561  return result;
2562 }
2563 
2564 /**
2565  *\test Test that the http_server_body content matches against a http request
2566  * which holds the content.
2567  */
2568 static int DetectHttpServerBodyFileDataTest01(void)
2569 {
2570  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2571  "Host: www.openinfosecfoundation.org\r\n"
2572  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2573  "Gecko/20091221 Firefox/3.5.7\r\n"
2574  "\r\n";
2575  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2576  "Content-Type: text/html\r\n"
2577  "Content-Length: 7\r\n"
2578  "\r\n"
2579  "message";
2580  struct TestSteps steps[] = {
2581  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2582  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2583  { NULL, 0, 0, 0 },
2584  };
2585  const char *sig = "alert http any any -> any any "
2586  "(msg:\"http server body test\"; "
2587  "file_data; content:\"message\"; "
2588  "sid:1;)";
2589  return RunTest(steps, sig, NULL);
2590 }
2591 
2592 /**
2593  *\test Test that the http_server_body content matches against a http request
2594  * which holds the content.
2595  */
2596 static int DetectHttpServerBodyFileDataTest02(void)
2597 {
2598  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2599  "Host: www.openinfosecfoundation.org\r\n"
2600  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2601  "Gecko/20091221 Firefox/3.5.7\r\n"
2602  "\r\n";
2603  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2604  "Content-Type: text/html\r\n"
2605  "Content-Length: 14\r\n"
2606  "\r\n";
2607  uint8_t http_buf3[] = "message";
2608  struct TestSteps steps[] = {
2609  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2610  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2611  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT | STREAM_EOF, 1 },
2612  { NULL, 0, 0, 0 },
2613  };
2614  const char *sig = "alert http any any -> any any "
2615  "(msg:\"http server body test\"; "
2616  "file_data; content:\"message\"; "
2617  "sid:1;)";
2618  return RunTest(steps, sig, NULL);
2619 }
2620 
2621 /**
2622  *\test Test that the http_server_body content matches against a http request
2623  * which holds the content.
2624  */
2625 static int DetectHttpServerBodyFileDataTest03(void)
2626 {
2627  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2628  "Host: www.openinfosecfoundation.org\r\n"
2629  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2630  "Gecko/20091221 Firefox/3.5.7\r\n"
2631  "\r\n";
2632  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2633  "Content-Type: text/html\r\n"
2634  "Content-Length: 14\r\n"
2635  "\r\n"
2636  "bigmes";
2637  uint8_t http_buf3[] = "sage4u!!";
2638  struct TestSteps steps[] = {
2639  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2640  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2641  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2642  { NULL, 0, 0, 0 },
2643  };
2644  const char *sig = "alert http any any -> any any "
2645  "(msg:\"http server body test\"; "
2646  "file_data; content:\"message\"; "
2647  "sid:1;)";
2648  return RunTest(steps, sig, NULL);
2649 }
2650 
2651 /**
2652  *\test Test that the http_server_body content matches against a http request
2653  * which holds the content.
2654  */
2655 static int DetectHttpServerBodyFileDataTest04(void)
2656 {
2657  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2658  "Host: www.openinfosecfoundation.org\r\n"
2659  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2660  "Gecko/20091221 Firefox/3.5.7\r\n"
2661  "\r\n";
2662  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2663  "Content-Type: text/html\r\n"
2664  "Content-Length: 14\r\n"
2665  "\r\n"
2666  "bigmes";
2667  uint8_t http_buf3[] = "sag";
2668  uint8_t http_buf4[] = "e4u!!";
2669  struct TestSteps steps[] = {
2670  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2671  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2672  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2673  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2674  { NULL, 0, 0, 0 },
2675  };
2676  const char *sig = "alert http any any -> any any "
2677  "(msg:\"http server body test\"; "
2678  "file_data; content:\"message\"; "
2679  "sid:1;)";
2680  return RunTest(steps, sig, NULL);
2681 }
2682 
2683 /**
2684  *\test Test that the http_server_body content matches against a http request
2685  * which holds the content. Case insensitive.
2686  */
2687 static int DetectHttpServerBodyFileDataTest05(void)
2688 {
2689  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2690  "Host: www.openinfosecfoundation.org\r\n"
2691  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2692  "Gecko/20091221 Firefox/3.5.7\r\n"
2693  "\r\n";
2694  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2695  "Content-Type: text/html\r\n"
2696  "Content-Length: 14\r\n"
2697  "\r\n"
2698  "bigmes";
2699  uint8_t http_buf3[] = "sag";
2700  uint8_t http_buf4[] = "e4u!!";
2701  struct TestSteps steps[] = {
2702  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2703  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2704  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2705  { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2706  { NULL, 0, 0, 0 },
2707  };
2708  const char *sig = "alert http any any -> any any "
2709  "(msg:\"http client body test\"; "
2710  "file_data; content:\"MeSSaGE\"; nocase; "
2711  "sid:1;)";
2712  return RunTest(steps, sig, NULL);
2713 }
2714 
2715 /**
2716  *\test Test that the http_server_body content matches against a http request
2717  * which holds the content. Negated match.
2718  */
2719 static int DetectHttpServerBodyFileDataTest06(void)
2720 {
2721  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2722  "Host: www.openinfosecfoundation.org\r\n"
2723  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2724  "Gecko/20091221 Firefox/3.5.7\r\n"
2725  "\r\n";
2726  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2727  "Content-Type: text/html\r\n"
2728  "Content-Length: 14\r\n"
2729  "\r\n";
2730  uint8_t http_buf3[] = "bigmessage4u!!";
2731  struct TestSteps steps[] = {
2732  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2733  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2734  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2735  { NULL, 0, 0, 0 },
2736  };
2737  const char *sig = "alert http any any -> any any "
2738  "(msg:\"http file_data test\"; "
2739  "file_data; content:!\"MaSSaGE\"; nocase; "
2740  "sid:1;)";
2741  return RunTest(steps, sig, NULL);
2742 }
2743 
2744 /**
2745  *\test Test that the http_server_body content matches against a http request
2746  * which holds the content. Negated match.
2747  */
2748 static int DetectHttpServerBodyFileDataTest07(void)
2749 {
2750  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2751  "Host: www.openinfosecfoundation.org\r\n"
2752  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2753  "Gecko/20091221 Firefox/3.5.7\r\n"
2754  "\r\n";
2755  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2756  "Content-Type: text/html\r\n"
2757  "Content-Length: 14\r\n"
2758  "\r\n";
2759  uint8_t http_buf3[] = "bigmessage4u!!";
2760  struct TestSteps steps[] = {
2761  { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2762  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2763  { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2764  { NULL, 0, 0, 0 },
2765  };
2766  const char *sig = "alert http any any -> any any "
2767  "(msg:\"http file_data test\"; "
2768  "file_data; content:!\"MeSSaGE\"; nocase; "
2769  "sid:1;)";
2770  return RunTest(steps, sig, NULL);
2771 }
2772 
2773 static int DetectHttpServerBodyFileDataTest08(void)
2774 {
2775  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2776  "Host: www.openinfosecfoundation.org\r\n"
2777  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2778  "Gecko/20091221 Firefox/3.5.7\r\n"
2779  "\r\n";
2780  uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2781  "Content-Type: text/html\r\n"
2782  "Content-Length: 55\r\n"
2783  "\r\n"
2784  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
2785  struct TestSteps steps[] = {
2786  { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2787  { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2788  { NULL, 0, 0, 0 },
2789  };
2790  const char *sig =
2791  "alert http any any -> any any "
2792  "(msg:\"http server body test\"; "
2793  "file_data; content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; "
2794  "sid:1;)";
2795  return RunTest(steps, sig, NULL);
2796 }
2797 
2798 /** \test multiple http transactions and body chunks of request handling */
2799 static int DetectHttpServerBodyFileDataTest09(void)
2800 {
2801  int result = 0;
2802  Signature *s = NULL;
2803  DetectEngineThreadCtx *det_ctx = NULL;
2804  ThreadVars th_v;
2805  Flow f;
2806  TcpSession ssn;
2807  Packet *p = NULL;
2808  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2809  "User-Agent: Mozilla/1.0\r\n"
2810  "Host: www.openinfosecfoundation.org\r\n"
2811  "Connection: keep-alive\r\n"
2812  "Cookie: dummy1\r\n\r\n";
2813  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2814  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2815  "Content-Type: text/html\r\n"
2816  "Content-Length: 3\r\n"
2817  "\r\n"
2818  "one";
2819  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2820  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2821  "User-Agent: Firefox/1.0\r\n"
2822  "Host: www.openinfosecfoundation.org\r\n"
2823  "Connection: keep-alive\r\n"
2824  "Cookie: dummy2\r\n\r\n";
2825  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2826  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2827  "Content-Type: text/html\r\n"
2828  "Content-Length: 3\r\n"
2829  "\r\n"
2830  "two";
2831  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2833 
2834  memset(&th_v, 0, sizeof(th_v));
2835  memset(&f, 0, sizeof(f));
2836  memset(&ssn, 0, sizeof(ssn));
2837 
2838  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2839 
2840  FLOW_INITIALIZE(&f);
2841  f.protoctx = (void *)&ssn;
2842  f.proto = IPPROTO_TCP;
2843  f.flags |= FLOW_IPV4;
2844 
2845  p->flow = &f;
2849  f.alproto = ALPROTO_HTTP1;
2850 
2851  StreamTcpInitConfig(true);
2852 
2854  if (de_ctx == NULL) {
2855  goto end;
2856  }
2857 
2858  de_ctx->flags |= DE_QUIET;
2859 
2860  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"one\"; sid:1; rev:1;)");
2861  if (s == NULL) {
2862  printf("sig parse failed: ");
2863  goto end;
2864  }
2865  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
2866  if (s == NULL) {
2867  printf("sig2 parse failed: ");
2868  goto end;
2869  }
2870 
2872  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2873 
2874  int r = AppLayerParserParse(
2875  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2876  if (r != 0) {
2877  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2878  goto end;
2879  }
2880 
2881  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2882  if (r != 0) {
2883  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
2884  goto end;
2885  }
2886 
2887  /* do detect */
2888  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2889  if (!(PacketAlertCheck(p, 1))) {
2890  printf("sig 1 didn't alert (tx 1): ");
2891  goto end;
2892  }
2893  p->alerts.cnt = 0;
2894 
2895  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2896  if (r != 0) {
2897  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
2898  goto end;
2899  }
2900 
2901  r = AppLayerParserParse(
2902  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2903  if (r != 0) {
2904  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
2905  goto end;
2906  }
2907 
2908  /* do detect */
2909  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2910  if ((PacketAlertCheck(p, 1))) {
2911  printf("sig 1 alerted (tx 2): ");
2912  goto end;
2913  }
2914  if (!(PacketAlertCheck(p, 2))) {
2915  printf("sig 2 didn't alert (tx 2): ");
2916  goto end;
2917  }
2918  p->alerts.cnt = 0;
2919 
2920  HtpState *htp_state = f.alstate;
2921  if (htp_state == NULL) {
2922  printf("no http state: ");
2923  goto end;
2924  }
2925 
2926  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
2927  printf("The http app layer doesn't have 2 transactions, but it should: ");
2928  goto end;
2929  }
2930 
2931  result = 1;
2932 end:
2933  if (alp_tctx != NULL)
2935  if (det_ctx != NULL) {
2936  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2937  }
2938  if (de_ctx != NULL) {
2940  }
2941 
2942  StreamTcpFreeConfig(true);
2943  FLOW_DESTROY(&f);
2944  UTHFreePacket(p);
2945  return result;
2946 }
2947 
2948 static int DetectHttpServerBodyFileDataTest10(void)
2949 {
2950  int result = 0;
2951  Signature *s = NULL;
2952  DetectEngineThreadCtx *det_ctx = NULL;
2953  ThreadVars th_v;
2954  Flow f;
2955  TcpSession ssn;
2956  Packet *p = NULL;
2957  uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2958  "User-Agent: Mozilla/1.0\r\n"
2959  "Host: www.openinfosecfoundation.org\r\n"
2960  "Connection: keep-alive\r\n"
2961  "Cookie: dummy1\r\n\r\n";
2962  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2963  uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2964  "Content-Type: text/html\r\n"
2965  "Content-Length: 3\r\n"
2966  "\r\n"
2967  "one";
2968  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2969  uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2970  "User-Agent: Firefox/1.0\r\n"
2971  "Host: www.openinfosecfoundation.org\r\n"
2972  "Connection: keep-alive\r\n"
2973  "Cookie: dummy2\r\n\r\n";
2974  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2975  uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2976  "Content-Type: text/html\r\n"
2977  "Content-Length: 3\r\n"
2978  "\r\n"
2979  "two";
2980  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2982 
2983  memset(&th_v, 0, sizeof(th_v));
2984  memset(&f, 0, sizeof(f));
2985  memset(&ssn, 0, sizeof(ssn));
2986 
2987  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2988 
2989  FLOW_INITIALIZE(&f);
2990  f.protoctx = (void *)&ssn;
2991  f.proto = IPPROTO_TCP;
2992  f.flags |= FLOW_IPV4;
2993 
2994  p->flow = &f;
2998  f.alproto = ALPROTO_HTTP1;
2999 
3000  StreamTcpInitConfig(true);
3001 
3003  if (de_ctx == NULL) {
3004  goto end;
3005  }
3006 
3007  de_ctx->flags |= DE_QUIET;
3008 
3009  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"one\"; sid:1; rev:1;)");
3010  if (s == NULL) {
3011  printf("sig parse failed: ");
3012  goto end;
3013  }
3014  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
3015  if (s == NULL) {
3016  printf("sig2 parse failed: ");
3017  goto end;
3018  }
3019 
3021  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3022 
3023  int r = AppLayerParserParse(
3024  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
3025  if (r != 0) {
3026  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3027  goto end;
3028  }
3029 
3030  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
3031  if (r != 0) {
3032  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
3033  goto end;
3034  }
3035 
3036  /* do detect */
3037  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3038  if (!(PacketAlertCheck(p, 1))) {
3039  printf("sig 1 didn't alert (tx 1): ");
3040  goto end;
3041  }
3042  p->alerts.cnt = 0;
3043 
3044  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
3045  if (r != 0) {
3046  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
3047  goto end;
3048  }
3049 
3050  r = AppLayerParserParse(
3051  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
3052  if (r != 0) {
3053  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
3054  goto end;
3055  }
3056 
3057  /* do detect */
3058  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3059  if ((PacketAlertCheck(p, 1))) {
3060  printf("sig 1 alerted (tx 2): ");
3061  goto end;
3062  }
3063  if (!(PacketAlertCheck(p, 2))) {
3064  printf("sig 2 didn't alert (tx 2): ");
3065  goto end;
3066  }
3067  p->alerts.cnt = 0;
3068 
3069  HtpState *htp_state = f.alstate;
3070  if (htp_state == NULL) {
3071  printf("no http state: ");
3072  goto end;
3073  }
3074 
3075  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
3076  printf("The http app layer doesn't have 2 transactions, but it should: ");
3077  goto end;
3078  }
3079 
3080  result = 1;
3081 end:
3082  if (alp_tctx != NULL)
3084  if (det_ctx != NULL) {
3085  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3086  }
3087  if (de_ctx != NULL) {
3089  }
3090 
3091  StreamTcpFreeConfig(true);
3092  FLOW_DESTROY(&f);
3093  UTHFreePacket(p);
3094  return result;
3095 }
3096 
3098 {
3099  UtRegisterTest("DetectHttpServerBodyParserTest01", DetectHttpServerBodyParserTest01);
3100  UtRegisterTest("DetectHttpServerBodyParserTest02", DetectHttpServerBodyParserTest02);
3101 
3102  UtRegisterTest("DetectHttpServerBodyTest06", DetectHttpServerBodyTest06);
3103  UtRegisterTest("DetectHttpServerBodyTest07", DetectHttpServerBodyTest07);
3104  UtRegisterTest("DetectHttpServerBodyTest08", DetectHttpServerBodyTest08);
3105  UtRegisterTest("DetectHttpServerBodyTest09", DetectHttpServerBodyTest09);
3106  UtRegisterTest("DetectHttpServerBodyTest10", DetectHttpServerBodyTest10);
3107  UtRegisterTest("DetectHttpServerBodyTest11", DetectHttpServerBodyTest11);
3108  UtRegisterTest("DetectHttpServerBodyTest12", DetectHttpServerBodyTest12);
3109  UtRegisterTest("DetectHttpServerBodyTest13", DetectHttpServerBodyTest13);
3110  UtRegisterTest("DetectHttpServerBodyTest14", DetectHttpServerBodyTest14);
3111  UtRegisterTest("DetectHttpServerBodyTest15", DetectHttpServerBodyTest15);
3112 
3113  UtRegisterTest("DetectHttpServerBodyFileDataTest01",
3114  DetectHttpServerBodyFileDataTest01);
3115  UtRegisterTest("DetectHttpServerBodyFileDataTest02",
3116  DetectHttpServerBodyFileDataTest02);
3117  UtRegisterTest("DetectHttpServerBodyFileDataTest03",
3118  DetectHttpServerBodyFileDataTest03);
3119  UtRegisterTest("DetectHttpServerBodyFileDataTest04",
3120  DetectHttpServerBodyFileDataTest04);
3121  UtRegisterTest("DetectHttpServerBodyFileDataTest05",
3122  DetectHttpServerBodyFileDataTest05);
3123  UtRegisterTest("DetectHttpServerBodyFileDataTest06",
3124  DetectHttpServerBodyFileDataTest06);
3125  UtRegisterTest("DetectHttpServerBodyFileDataTest07",
3126  DetectHttpServerBodyFileDataTest07);
3127  UtRegisterTest("DetectHttpServerBodyFileDataTest08",
3128  DetectHttpServerBodyFileDataTest08);
3129  UtRegisterTest("DetectHttpServerBodyFileDataTest09",
3130  DetectHttpServerBodyFileDataTest09);
3131  UtRegisterTest("DetectHttpServerBodyFileDataTest10",
3132  DetectHttpServerBodyFileDataTest10);
3133 
3134  UtRegisterTest("DetectEngineHttpServerBodyTest01",
3135  DetectEngineHttpServerBodyTest01);
3136  UtRegisterTest("DetectEngineHttpServerBodyTest02",
3137  DetectEngineHttpServerBodyTest02);
3138  UtRegisterTest("DetectEngineHttpServerBodyTest03",
3139  DetectEngineHttpServerBodyTest03);
3140  UtRegisterTest("DetectEngineHttpServerBodyTest04",
3141  DetectEngineHttpServerBodyTest04);
3142  UtRegisterTest("DetectEngineHttpServerBodyTest05",
3143  DetectEngineHttpServerBodyTest05);
3144  UtRegisterTest("DetectEngineHttpServerBodyTest06",
3145  DetectEngineHttpServerBodyTest06);
3146  UtRegisterTest("DetectEngineHttpServerBodyTest07",
3147  DetectEngineHttpServerBodyTest07);
3148  UtRegisterTest("DetectEngineHttpServerBodyTest08",
3149  DetectEngineHttpServerBodyTest08);
3150  UtRegisterTest("DetectEngineHttpServerBodyTest09",
3151  DetectEngineHttpServerBodyTest09);
3152  UtRegisterTest("DetectEngineHttpServerBodyTest10",
3153  DetectEngineHttpServerBodyTest10);
3154  UtRegisterTest("DetectEngineHttpServerBodyTest11",
3155  DetectEngineHttpServerBodyTest11);
3156  UtRegisterTest("DetectEngineHttpServerBodyTest12",
3157  DetectEngineHttpServerBodyTest12);
3158  UtRegisterTest("DetectEngineHttpServerBodyTest13",
3159  DetectEngineHttpServerBodyTest13);
3160  UtRegisterTest("DetectEngineHttpServerBodyTest14",
3161  DetectEngineHttpServerBodyTest14);
3162  UtRegisterTest("DetectEngineHttpServerBodyTest15",
3163  DetectEngineHttpServerBodyTest15);
3164  UtRegisterTest("DetectEngineHttpServerBodyTest16",
3165  DetectEngineHttpServerBodyTest16);
3166  UtRegisterTest("DetectEngineHttpServerBodyTest17",
3167  DetectEngineHttpServerBodyTest17);
3168  UtRegisterTest("DetectEngineHttpServerBodyTest18",
3169  DetectEngineHttpServerBodyTest18);
3170  UtRegisterTest("DetectEngineHttpServerBodyTest19",
3171  DetectEngineHttpServerBodyTest19);
3172  UtRegisterTest("DetectEngineHttpServerBodyTest20",
3173  DetectEngineHttpServerBodyTest20);
3174  UtRegisterTest("DetectEngineHttpServerBodyTest21",
3175  DetectEngineHttpServerBodyTest21);
3176  UtRegisterTest("DetectEngineHttpServerBodyTest22",
3177  DetectEngineHttpServerBodyTest22);
3178 
3179  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest01",
3180  DetectEngineHttpServerBodyFileDataTest01);
3181  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest02",
3182  DetectEngineHttpServerBodyFileDataTest02);
3183  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest03",
3184  DetectEngineHttpServerBodyFileDataTest03);
3185  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest04",
3186  DetectEngineHttpServerBodyFileDataTest04);
3187  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest05",
3188  DetectEngineHttpServerBodyFileDataTest05);
3189  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest06",
3190  DetectEngineHttpServerBodyFileDataTest06);
3191  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest07",
3192  DetectEngineHttpServerBodyFileDataTest07);
3193  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest08",
3194  DetectEngineHttpServerBodyFileDataTest08);
3195  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest09",
3196  DetectEngineHttpServerBodyFileDataTest09);
3197  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest10",
3198  DetectEngineHttpServerBodyFileDataTest10);
3199  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest11",
3200  DetectEngineHttpServerBodyFileDataTest11);
3201  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest12",
3202  DetectEngineHttpServerBodyFileDataTest12);
3203  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest13",
3204  DetectEngineHttpServerBodyFileDataTest13);
3205  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest14",
3206  DetectEngineHttpServerBodyFileDataTest14);
3207  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest15",
3208  DetectEngineHttpServerBodyFileDataTest15);
3209  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest16",
3210  DetectEngineHttpServerBodyFileDataTest16);
3211  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest17",
3212  DetectEngineHttpServerBodyFileDataTest17);
3213  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest18",
3214  DetectEngineHttpServerBodyFileDataTest18);
3215 
3216  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest19",
3217  DetectEngineHttpServerBodyFileDataTest19);
3218  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest20",
3219  DetectEngineHttpServerBodyFileDataTest20);
3220  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest21",
3221  DetectEngineHttpServerBodyFileDataTest21);
3222  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest22",
3223  DetectEngineHttpServerBodyFileDataTest22);
3224  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest23",
3225  DetectEngineHttpServerBodyFileDataTest23);
3226  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest24",
3227  DetectEngineHttpServerBodyFileDataTest24);
3228  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest25",
3229  DetectEngineHttpServerBodyFileDataTest25);
3230  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest26",
3231  DetectEngineHttpServerBodyFileDataTest26);
3232  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest27",
3233  DetectEngineHttpServerBodyFileDataTest27);
3234  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest28",
3235  DetectEngineHttpServerBodyFileDataTest28);
3236  UtRegisterTest("DetectEngineHttpServerBodyFileDataTest29",
3237  DetectEngineHttpServerBodyFileDataTest29);
3238 }
TestSteps
Definition: detect-http-client-body.c:107
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition: util-unittest-helper.c:890
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1277
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
TestSteps::direction
int direction
Definition: detect-http-client-body.c:110
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
TestSteps::input
const uint8_t * input
Definition: detect-http-client-body.c:108
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:274
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:519
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:848
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2588
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:306
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:228
DE_QUIET
#define DE_QUIET
Definition: detect.h:324
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1899
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2609
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:513
Flow_::protoctx
void * protoctx
Definition: flow.h:446
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:98
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:603
HTPConfigure
void HTPConfigure(void)
Definition: app-layer-htp.c:2999
HtpState_
Definition: app-layer-htp.h:244
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
TestSteps::expect
int expect
Definition: detect-http-client-body.c:111
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
HtpConfigCreateBackup
void HtpConfigCreateBackup(void)
Definition: app-layer-htp.c:3320
DetectEngineThreadCtx_
Definition: detect.h:1104
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:248
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:243
ConfYamlLoadString
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:522
Packet_
Definition: decode.h:482
ConfCreateContextBackup
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:670
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:229
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2150
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:285
Packet_::flow
struct Flow_ * flow
Definition: decode.h:521
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3299
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1286
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3513
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
ConfRestoreContextBackup
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:682
HtpConfigRestoreBackup
void HtpConfigRestoreBackup(void)
Definition: app-layer-htp.c:3327
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467
Flow_::alstate
void * alstate
Definition: flow.h:481
Flow_::flags
uint32_t flags
Definition: flow.h:426
Signature_
Signature container.
Definition: detect.h:602
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:230
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2549
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:850
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:59
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
DetectHttpServerBodyRegisterTests
void DetectHttpServerBodyRegisterTests(void)
Definition: detect-http-server-body.c:3097
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1101
TestSteps::input_size
size_t input_size
Definition: detect-http-client-body.c:109
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1274
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:450