31 #include "../suricata-common.h"
32 #include "../suricata.h"
33 #include "../flow-util.h"
35 #include "../app-layer-parser.h"
36 #include "../util-unittest.h"
37 #include "../util-unittest-helper.h"
38 #include "../app-layer.h"
39 #include "../app-layer-htp.h"
40 #include "../app-layer-protos.h"
/*
 * Basic http_stat_code match test.
 * Partial listing: declarations, parse/inspect calls and teardown are not
 * visible here.
 * Visible inputs: an HTTP/1.0 GET request, then a response whose status line
 * is "HTTP/1.0 200 message". Rule under test: content:"200"; http_stat_code.
 * Going by the failure messages, sid 1 must not alert at the first check
 * (presumably made after the request only) and must alert at the last one.
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
42 static int DetectEngineHttpStatCodeTest01(
void)
53 "GET /index.html HTTP/1.0\r\n"
54 "Host: www.openinfosecfoundation.org\r\n"
55 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
57 uint32_t http_len1 =
sizeof(http_buf1) - 1;
59 "HTTP/1.0 200 message\r\n"
60 "Content-Type: text/html\r\n"
61 "Content-Length: 7\r\n"
64 uint32_t http_len2 =
sizeof(http_buf2) - 1;
68 memset(&th_v, 0,
sizeof(th_v));
69 memset(&f, 0,
sizeof(f));
70 memset(&ssn, 0,
sizeof(ssn));
77 f.
proto = IPPROTO_TCP;
99 "(msg:\"http stat code test\"; "
100 "content:\"200\"; http_stat_code; "
112 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
120 if (http_state == NULL) {
121 printf(
"no http state: \n");
130 printf(
"sid 1 matched but shouldn't have\n");
138 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
149 printf(
"sid 1 didn't match but should have");
/*
 * http_stat_code with an offset modifier.
 * Partial listing: parse/inspect calls and teardown are not visible here.
 * Response status line: "HTTP/1.0 2000123 xxxxABC". Rule under test:
 * content:"123"; http_stat_code; offset:4. The only alert check visible
 * expects sid 1 to match.
 * The expectation implies the inspected buffer is the status token as sent
 * ("2000123"), not a validated three-digit code, so rules can see malformed
 * status values.
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
168 static int DetectEngineHttpStatCodeTest02(
void)
177 uint8_t http_buf1[] =
178 "GET /index.html HTTP/1.0\r\n"
179 "Host: www.openinfosecfoundation.org\r\n"
180 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
182 uint32_t http_len1 =
sizeof(http_buf1) - 1;
183 uint8_t http_buf2[] =
184 "HTTP/1.0 2000123 xxxxABC\r\n"
185 "Content-Type: text/html\r\n"
186 "Content-Length: 7\r\n"
189 uint32_t http_len2 =
sizeof(http_buf2) - 1;
193 memset(&th_v, 0,
sizeof(th_v));
194 memset(&f, 0,
sizeof(f));
195 memset(&ssn, 0,
sizeof(ssn));
201 f.
proto = IPPROTO_TCP;
219 "(msg:\"http stat code test\"; "
220 "content:\"123\"; http_stat_code; offset:4; "
232 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
243 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
251 if (http_state == NULL) {
252 printf(
"no http state: \n");
261 printf(
"sid 1 didn't match but should have\n");
/*
 * http_stat_code with an offset modifier, input held in three buffers.
 * Partial listing: the contents of http_buf2 and the first line of http_buf3
 * are not visible here, nor are the parse/inspect calls and teardown.
 * Rule under test: content:"789"; http_stat_code; offset:5.
 * Going by the failure messages, sid 1 must not alert at the first check and
 * must alert at the last one, after two further parse steps.
 * NOTE(review): all three parse diagnostics say "toserver chunk 1"; the later
 * ones presumably report other chunks -- confirm against the full source.
 */
279 static int DetectEngineHttpStatCodeTest03(
void)
290 uint8_t http_buf1[] =
291 "GET /index.html HTTP/1.0\r\n"
292 "Host: www.openinfosecfoundation.org\r\n"
293 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
295 uint32_t http_len1 =
sizeof(http_buf1) - 1;
296 uint8_t http_buf2[] =
298 uint32_t http_len2 =
sizeof(http_buf2) - 1;
299 uint8_t http_buf3[] =
301 "Content-Type: text/html\r\n"
302 "Content-Length: 17\r\n"
305 uint32_t http_len3 =
sizeof(http_buf3) - 1;
308 memset(&th_v, 0,
sizeof(th_v));
309 memset(&f, 0,
sizeof(f));
310 memset(&ssn, 0,
sizeof(ssn));
317 f.
proto = IPPROTO_TCP;
339 "(msg:\"http stat code test\"; "
340 "content:\"789\"; http_stat_code; offset:5; "
352 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
360 if (http_state == NULL) {
361 printf(
"no http state: \n");
370 printf(
"sid 1 matched but shouldn't have\n");
378 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
389 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
400 printf(
"sid 1 didn't match but should have");
/*
 * Negated content with offset on http_stat_code.
 * Partial listing: parse/inspect calls and teardown are not visible here.
 * Response status line: "HTTP/1.0 200123 abcdef". Rule under test:
 * content:!"200"; http_stat_code; offset:3.
 * Going by the failure messages, sid 1 must not alert at the first check and
 * must alert at the last one ("200" does not occur past offset 3 of "200123").
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
419 static int DetectEngineHttpStatCodeTest04(
void)
429 uint8_t http_buf1[] =
430 "GET /index.html HTTP/1.0\r\n"
431 "Host: www.openinfosecfoundation.org\r\n"
432 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
434 uint32_t http_len1 =
sizeof(http_buf1) - 1;
435 uint8_t http_buf2[] =
436 "HTTP/1.0 200123 abcdef\r\n"
437 "Content-Type: text/html\r\n"
438 "Content-Length: 6\r\n"
441 uint32_t http_len2 =
sizeof(http_buf2) - 1;
445 memset(&th_v, 0,
sizeof(th_v));
446 memset(&f, 0,
sizeof(f));
447 memset(&ssn, 0,
sizeof(ssn));
454 f.
proto = IPPROTO_TCP;
476 "(msg:\"http stat code test\"; "
477 "content:!\"200\"; http_stat_code; offset:3; "
489 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
497 if (http_state == NULL) {
498 printf(
"no http state: \n");
507 printf(
"sid 1 matched but shouldn't have: ");
515 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
526 printf(
"sid 1 didn't match but should have: ");
/*
 * Content with depth on http_stat_code.
 * Partial listing: parse/inspect calls and teardown are not visible here.
 * Response status line: "HTTP/1.0 200123 abcdef". Rule under test:
 * content:"200"; http_stat_code; depth:3.
 * Going by the failure messages, sid 1 must not alert at the first check and
 * must alert at the last one ("200" is the first three bytes of "200123").
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
545 static int DetectEngineHttpStatCodeTest05(
void)
555 uint8_t http_buf1[] =
556 "GET /index.html HTTP/1.0\r\n"
557 "Host: www.openinfosecfoundation.org\r\n"
558 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
560 uint32_t http_len1 =
sizeof(http_buf1) - 1;
561 uint8_t http_buf2[] =
562 "HTTP/1.0 200123 abcdef\r\n"
563 "Content-Type: text/html\r\n"
564 "Content-Length: 6\r\n"
567 uint32_t http_len2 =
sizeof(http_buf2) - 1;
571 memset(&th_v, 0,
sizeof(th_v));
572 memset(&f, 0,
sizeof(f));
573 memset(&ssn, 0,
sizeof(ssn));
580 f.
proto = IPPROTO_TCP;
602 "(msg:\"http stat code test\"; "
603 "content:\"200\"; http_stat_code; depth:3; "
615 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
623 if (http_state == NULL) {
624 printf(
"no http state: \n");
633 printf(
"sid 1 matched but shouldn't have: ");
641 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
652 printf(
"sid 1 didn't match but should have: ");
/*
 * Negated content with depth on http_stat_code.
 * Partial listing: parse/inspect calls and teardown are not visible here.
 * Response status line: "HTTP/1.0 200123 abcdef". Rule under test:
 * content:!"123"; http_stat_code; depth:3.
 * Going by the failure messages, sid 1 must not alert at the first check and
 * must alert at the last one ("123" is not within the first three bytes).
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
671 static int DetectEngineHttpStatCodeTest06(
void)
681 uint8_t http_buf1[] =
682 "GET /index.html HTTP/1.0\r\n"
683 "Host: www.openinfosecfoundation.org\r\n"
684 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
686 uint32_t http_len1 =
sizeof(http_buf1) - 1;
687 uint8_t http_buf2[] =
688 "HTTP/1.0 200123 abcdef\r\n"
689 "Content-Type: text/html\r\n"
690 "Content-Length: 6\r\n"
693 uint32_t http_len2 =
sizeof(http_buf2) - 1;
697 memset(&th_v, 0,
sizeof(th_v));
698 memset(&f, 0,
sizeof(f));
699 memset(&ssn, 0,
sizeof(ssn));
706 f.
proto = IPPROTO_TCP;
728 "(msg:\"http stat code test\"; "
729 "content:!\"123\"; http_stat_code; depth:3; "
741 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
749 if (http_state == NULL) {
750 printf(
"no http state: \n");
759 printf(
"sid 1 matched but shouldn't have: ");
767 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
778 printf(
"sid 1 didn't match but should have: ");
/*
 * Negated content with offset on http_stat_code, negative case.
 * Partial listing: parse/inspect calls and teardown are not visible here.
 * Response status line: "HTTP/1.0 200123 abcdef". Rule under test:
 * content:!"123"; http_stat_code; offset:3.
 * Both alert checks report "matched but shouldn't have", so sid 1 is expected
 * to stay silent throughout ("123" does occur past offset 3 of "200123").
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
797 static int DetectEngineHttpStatCodeTest07(
void)
807 uint8_t http_buf1[] =
808 "GET /index.html HTTP/1.0\r\n"
809 "Host: www.openinfosecfoundation.org\r\n"
810 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
812 uint32_t http_len1 =
sizeof(http_buf1) - 1;
813 uint8_t http_buf2[] =
814 "HTTP/1.0 200123 abcdef\r\n"
815 "Content-Type: text/html\r\n"
816 "Content-Length: 6\r\n"
819 uint32_t http_len2 =
sizeof(http_buf2) - 1;
823 memset(&th_v, 0,
sizeof(th_v));
824 memset(&f, 0,
sizeof(f));
825 memset(&ssn, 0,
sizeof(ssn));
832 f.
proto = IPPROTO_TCP;
854 "(msg:\"http stat code test\"; "
855 "content:!\"123\"; http_stat_code; offset:3; "
867 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
875 if (http_state == NULL) {
876 printf(
"no http state: \n");
885 printf(
"sid 1 matched but shouldn't have: ");
893 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
904 printf(
"sid 1 matched but shouldn't have: ");
/*
 * Negated content with depth on http_stat_code, negative case.
 * Partial listing: parse/inspect calls and teardown are not visible here.
 * Response status line: "HTTP/1.0 200123 abcdef". Rule under test:
 * content:!"200"; http_stat_code; depth:3.
 * Both alert checks report "matched but shouldn't have", so sid 1 is expected
 * to stay silent throughout ("200" is the first three bytes of "200123").
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
923 static int DetectEngineHttpStatCodeTest08(
void)
933 uint8_t http_buf1[] =
934 "GET /index.html HTTP/1.0\r\n"
935 "Host: www.openinfosecfoundation.org\r\n"
936 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
938 uint32_t http_len1 =
sizeof(http_buf1) - 1;
939 uint8_t http_buf2[] =
940 "HTTP/1.0 200123 abcdef\r\n"
941 "Content-Type: text/html\r\n"
942 "Content-Length: 6\r\n"
945 uint32_t http_len2 =
sizeof(http_buf2) - 1;
949 memset(&th_v, 0,
sizeof(th_v));
950 memset(&f, 0,
sizeof(f));
951 memset(&ssn, 0,
sizeof(ssn));
958 f.
proto = IPPROTO_TCP;
980 "(msg:\"http stat code test\"; "
981 "content:!\"200\"; http_stat_code; depth:3; "
993 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1001 if (http_state == NULL) {
1002 printf(
"no http state: \n");
1011 printf(
"sid 1 matched but shouldn't have: ");
1019 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1030 printf(
"sid 1 matched but shouldn't have: ");
/*
 * Two chained contents on http_stat_code: depth, then within.
 * Partial listing: parse/inspect calls and teardown are not visible here.
 * Response status line: "HTTP/1.0 200123 abcdef". Rule under test:
 * content:"200"; http_stat_code; depth:3; content:"123"; http_stat_code;
 * within:3.
 * Going by the failure messages, sid 1 must not alert at the first check and
 * must alert at the last one.
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
1049 static int DetectEngineHttpStatCodeTest09(
void)
1059 uint8_t http_buf1[] =
1060 "GET /index.html HTTP/1.0\r\n"
1061 "Host: www.openinfosecfoundation.org\r\n"
1062 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1064 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1065 uint8_t http_buf2[] =
1066 "HTTP/1.0 200123 abcdef\r\n"
1067 "Content-Type: text/html\r\n"
1068 "Content-Length: 6\r\n"
1071 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1075 memset(&th_v, 0,
sizeof(th_v));
1076 memset(&f, 0,
sizeof(f));
1077 memset(&ssn, 0,
sizeof(ssn));
1084 f.
proto = IPPROTO_TCP;
1106 "(msg:\"http stat code test\"; "
1107 "content:\"200\"; http_stat_code; depth:3; "
1108 "content:\"123\"; http_stat_code; within:3; "
1120 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1128 if (http_state == NULL) {
1129 printf(
"no http state: \n");
1138 printf(
"sid 1 matched but shouldn't have: ");
1146 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1157 printf(
"sid 1 didn't match but should have: ");
/*
 * Chained contents on http_stat_code: depth, then a negated within.
 * Partial listing: parse/inspect calls and teardown are not visible here.
 * Response status line: "HTTP/1.0 200123 abcdef". Rule under test:
 * content:"200"; http_stat_code; depth:3; content:!"124"; http_stat_code;
 * within:3.
 * Going by the failure messages, sid 1 must not alert at the first check and
 * must alert at the last one ("124" does not follow "200" in "200123").
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
1176 static int DetectEngineHttpStatCodeTest10(
void)
1186 uint8_t http_buf1[] =
1187 "GET /index.html HTTP/1.0\r\n"
1188 "Host: www.openinfosecfoundation.org\r\n"
1189 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1191 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1192 uint8_t http_buf2[] =
1193 "HTTP/1.0 200123 abcdef\r\n"
1194 "Content-Type: text/html\r\n"
1195 "Content-Length: 6\r\n"
1198 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1202 memset(&th_v, 0,
sizeof(th_v));
1203 memset(&f, 0,
sizeof(f));
1204 memset(&ssn, 0,
sizeof(ssn));
1211 f.
proto = IPPROTO_TCP;
1233 "(msg:\"http stat code test\"; "
1234 "content:\"200\"; http_stat_code; depth:3; "
1235 "content:!\"124\"; http_stat_code; within:3; "
1247 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1255 if (http_state == NULL) {
1256 printf(
"no http state: \n");
1265 printf(
"sid 1 matched but shouldn't have: ");
1273 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1284 printf(
"sid 1 didn't match but should have: ");
/*
 * Chained contents on http_stat_code: depth, then within, negative case.
 * Partial listing: parse/inspect calls and teardown are not visible here.
 * Response status line: "HTTP/1.0 200123 abcdef". Rule under test:
 * content:"200"; http_stat_code; depth:3; content:"124"; http_stat_code;
 * within:3.
 * Both alert checks report an unexpected match, so sid 1 is expected to stay
 * silent throughout ("124" does not occur in "200123").
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
1303 static int DetectEngineHttpStatCodeTest11(
void)
1313 uint8_t http_buf1[] =
1314 "GET /index.html HTTP/1.0\r\n"
1315 "Host: www.openinfosecfoundation.org\r\n"
1316 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1318 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1319 uint8_t http_buf2[] =
1320 "HTTP/1.0 200123 abcdef\r\n"
1321 "Content-Type: text/html\r\n"
1322 "Content-Length: 6\r\n"
1325 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1329 memset(&th_v, 0,
sizeof(th_v));
1330 memset(&f, 0,
sizeof(f));
1331 memset(&ssn, 0,
sizeof(ssn));
1338 f.
proto = IPPROTO_TCP;
1360 "(msg:\"http stat code test\"; "
1361 "content:\"200\"; http_stat_code; depth:3; "
1362 "content:\"124\"; http_stat_code; within:3; "
1374 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1382 if (http_state == NULL) {
1383 printf(
"no http state: \n");
1392 printf(
"sid 1 matched but shouldn't have: ");
1400 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1411 printf(
"sid 1 did match but should not have: ");
/*
 * Chained contents on http_stat_code: depth, then distance.
 * Partial listing: parse/inspect calls and teardown are not visible here.
 * Response status line: "HTTP/1.0 200123 abcdef". Rule under test:
 * content:"20"; http_stat_code; depth:2; content:"23"; http_stat_code;
 * distance:2.
 * Going by the failure messages, sid 1 must not alert at the first check and
 * must alert at the last one.
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
1430 static int DetectEngineHttpStatCodeTest12(
void)
1440 uint8_t http_buf1[] =
1441 "GET /index.html HTTP/1.0\r\n"
1442 "Host: www.openinfosecfoundation.org\r\n"
1443 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1445 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1446 uint8_t http_buf2[] =
1447 "HTTP/1.0 200123 abcdef\r\n"
1448 "Content-Type: text/html\r\n"
1449 "Content-Length: 6\r\n"
1452 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1456 memset(&th_v, 0,
sizeof(th_v));
1457 memset(&f, 0,
sizeof(f));
1458 memset(&ssn, 0,
sizeof(ssn));
1465 f.
proto = IPPROTO_TCP;
1487 "(msg:\"http stat code test\"; "
1488 "content:\"20\"; http_stat_code; depth:2; "
1489 "content:\"23\"; http_stat_code; distance:2; "
1501 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1509 if (http_state == NULL) {
1510 printf(
"no http state: \n");
1519 printf(
"sid 1 matched but shouldn't have: ");
1527 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1538 printf(
"sid 1 did not match but should have: ");
/*
 * Chained contents on http_stat_code: depth, then a negated distance.
 * Partial listing: parse/inspect calls and teardown are not visible here.
 * Response status line: "HTTP/1.0 200123 abcdef". Rule under test:
 * content:"20"; http_stat_code; depth:3; content:!"25"; http_stat_code;
 * distance:2.
 * Going by the failure messages, sid 1 must not alert at the first check and
 * must alert at the last one ("25" does not occur in "200123").
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
1557 static int DetectEngineHttpStatCodeTest13(
void)
1567 uint8_t http_buf1[] =
1568 "GET /index.html HTTP/1.0\r\n"
1569 "Host: www.openinfosecfoundation.org\r\n"
1570 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1572 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1573 uint8_t http_buf2[] =
1574 "HTTP/1.0 200123 abcdef\r\n"
1575 "Content-Type: text/html\r\n"
1576 "Content-Length: 6\r\n"
1579 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1583 memset(&th_v, 0,
sizeof(th_v));
1584 memset(&f, 0,
sizeof(f));
1585 memset(&ssn, 0,
sizeof(ssn));
1592 f.
proto = IPPROTO_TCP;
1614 "(msg:\"http stat code test\"; "
1615 "content:\"20\"; http_stat_code; depth:3; "
1616 "content:!\"25\"; http_stat_code; distance:2; "
1628 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1636 if (http_state == NULL) {
1637 printf(
"no http state: \n");
1646 printf(
"sid 1 matched but shouldn't have: ");
1654 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1665 printf(
"sid 1 did not match but should have: ");
/*
 * Chained contents on http_stat_code ending in a distance modifier.
 * Partial listing: the first content option of the rule is not visible here,
 * nor are the parse/inspect calls and teardown.
 * Response status line: "HTTP/1.0 200123 abcdef". Visible rule part:
 * content:"23"; http_stat_code; distance:2.
 * Going by the failure messages, sid 1 must not alert at the first check and
 * must alert at the last one.
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
1684 static int DetectEngineHttpStatCodeTest14(
void)
1694 uint8_t http_buf1[] =
1695 "GET /index.html HTTP/1.0\r\n"
1696 "Host: www.openinfosecfoundation.org\r\n"
1697 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1699 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1700 uint8_t http_buf2[] =
1701 "HTTP/1.0 200123 abcdef\r\n"
1702 "Content-Type: text/html\r\n"
1703 "Content-Length: 6\r\n"
1706 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1710 memset(&th_v, 0,
sizeof(th_v));
1711 memset(&f, 0,
sizeof(f));
1712 memset(&ssn, 0,
sizeof(ssn));
1719 f.
proto = IPPROTO_TCP;
1741 "(msg:\"http stat code test\"; "
1743 "content:\"23\"; http_stat_code; distance:2; "
1755 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1763 if (http_state == NULL) {
1764 printf(
"no http state: \n");
1773 printf(
"sid 1 matched but shouldn't have: ");
1781 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1792 printf(
"sid 1 did not match but should have: ");
/*
 * Chained contents on http_stat_code ending in a negated distance/within pair.
 * Partial listing: the first content option of the rule is not visible here,
 * nor are the parse/inspect calls and teardown.
 * Response status line: "HTTP/1.0 200123 abcdef". Visible rule part:
 * content:!"124"; http_stat_code; distance:0; within:3.
 * Going by the failure messages, sid 1 must not alert at the first check and
 * must alert at the last one ("124" does not occur in "200123").
 * NOTE(review): both parse diagnostics say "toserver chunk 1"; the second
 * presumably reports the response parse -- confirm against the full source.
 */
1811 static int DetectEngineHttpStatCodeTest15(
void)
1821 uint8_t http_buf1[] =
1822 "GET /index.html HTTP/1.0\r\n"
1823 "Host: www.openinfosecfoundation.org\r\n"
1824 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1826 uint32_t http_len1 =
sizeof(http_buf1) - 1;
1827 uint8_t http_buf2[] =
1828 "HTTP/1.0 200123 abcdef\r\n"
1829 "Content-Type: text/html\r\n"
1830 "Content-Length: 6\r\n"
1833 uint32_t http_len2 =
sizeof(http_buf2) - 1;
1837 memset(&th_v, 0,
sizeof(th_v));
1838 memset(&f, 0,
sizeof(f));
1839 memset(&ssn, 0,
sizeof(ssn));
1846 f.
proto = IPPROTO_TCP;
1868 "(msg:\"http stat code test\"; "
1870 "content:!\"124\"; http_stat_code; distance:0; within:3; "
1882 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1890 if (http_state == NULL) {
1891 printf(
"no http state: \n");
1900 printf(
"sid 1 matched but shouldn't have: ");
1908 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
1919 printf(
"sid 1 did not match but should have: ");
/*
 * Rule-parsing checks for the http_stat_code keyword.
 * Partial listing: the signature-loading calls and teardown are not visible.
 * Going by the failure messages:
 *  - sid 1 (http_stat_code with no content before it) must be rejected;
 *  - sid 2 (content combined with rawbytes and http_stat_code) must be
 *    rejected;
 *  - sid 3 (content with fast_pattern and http_stat_code) must parse.
 */
1943 static int DetectHttpStatCodeTest01(
void)
1949 printf(
"DetectEngineCtxInit failed: ");
1955 "(msg:\"Testing http_stat_code\"; http_stat_code; sid:1;)");
1957 printf(
"sid 1 parse failed to error out: ");
1962 "(msg:\"Testing http_stat_code\"; content:\"|FF F1|\";"
1963 " rawbytes; http_stat_code; sid:2;)");
1965 printf(
"sid 2 parse failed to error out: ");
1970 "(msg:\"Testing http_stat_code\"; content:\"100\";"
1971 "fast_pattern; http_stat_code; sid:3;)");
1973 printf(
"sid 3 parse failed: ");
/*
 * Parses one rule carrying three content options, each followed by
 * http_stat_code (the last one also with nocase), then walks a sigmatch list.
 * Partial listing: which list is walked and how sm advances are not visible.
 * Going by the failure message, every entry visited is expected to have type
 * DETECT_CONTENT.
 */
1993 static int DetectHttpStatCodeTest02(
void)
2004 "(msg:\"Testing http_stat_code\"; content:\"one\"; "
2005 "http_stat_code; content:\"200\"; http_stat_code; "
2006 "content:\"two hundred\"; nocase; http_stat_code; "
2009 printf(
"sig parse failed: ");
2016 printf(
"no sigmatch(es): ");
2021 while (sm != NULL) {
2025 printf(
"expected DETECT_CONTENT for http_stat_code, got %d: ", sm->
type);
/*
 * End-to-end match test for http_stat_code.
 * Partial listing: parse/inspect calls and most of the teardown are not
 * visible here.
 * Inputs: a POST request, then the response "HTTP/1.0 200 OK".
 * Rule under test: content:"200"; http_stat_code; sid:1.
 * Going by the failure message, sid 1 is expected to alert.
 */
2044 static int DetectHttpStatCodeSigTest01(
void)
2048 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
2049 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2050 uint8_t httpbuf2[] =
"HTTP/1.0 200 OK\r\n\r\n";
2051 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
2060 memset(&th_v, 0,
sizeof(th_v));
2061 memset(&f, 0,
sizeof(f));
2062 memset(&ssn, 0,
sizeof(ssn));
2068 f.
proto = IPPROTO_TCP;
2081 printf(
"DetectEngineCtxInit failed: ");
2088 "\"HTTP status code\"; content:\"200\"; http_stat_code; sid:1;)");
2090 printf(
"sig parse failed: ");
2101 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2108 printf(
"toclient chunk 1 returned %" PRId32
", expected 0: ", r);
2115 if (http_state == NULL) {
2116 printf(
"no http state: ");
2124 printf(
"sid 1 didn't match but should have: ");
2132 if (det_ctx != NULL) {
/*
 * End-to-end negative test for http_stat_code with two rules.
 * Partial listing: parse/inspect calls and most of the teardown are not
 * visible here.
 * Inputs: a POST request, then the response "HTTP/1.0 200 OK".
 * Rules under test: sid 1 content:"no"; http_stat_code and
 * sid 2 content:"100"; http_stat_code.
 * Going by the failure messages, neither sid is expected to alert.
 */
2146 static int DetectHttpStatCodeSigTest02(
void)
2150 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
2151 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2152 uint8_t httpbuf2[] =
"HTTP/1.0 200 OK\r\n\r\n";
2153 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
2162 memset(&th_v, 0,
sizeof(th_v));
2163 memset(&f, 0,
sizeof(f));
2164 memset(&ssn, 0,
sizeof(ssn));
2170 f.
proto = IPPROTO_TCP;
2189 "\"HTTP status code\"; content:\"no\"; "
2190 "http_stat_code; sid:1;)");
2196 "Status code\"; content:\"100\";"
2197 "http_stat_code; sid:2;)");
/* A NULL next pointer here means the second rule was not added. */
2198 if (s->
next == NULL) {
2209 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2217 printf(
"toclient chunk 1 returned %" PRId32
", expected 0: ", r);
2225 if (http_state == NULL) {
2226 printf(
"no http state: ");
2235 printf(
"sid 1 matched but shouldn't: ");
2239 printf(
"sid 2 match but shouldn't have: ");
2247 if (det_ctx != NULL) {
/*
 * End-to-end test with a non-numeric status token and nocase.
 * Partial listing: parse/inspect calls and most of the teardown are not
 * visible here.
 * Inputs: a POST request, then the response "HTTP/1.0 FAIL OK".
 * Rules under test: sid 1 content:"FAIL"; http_stat_code and
 * sid 2 content:"fail"; nocase; http_stat_code.
 * Going by the failure messages, both sids are expected to alert, which
 * implies the buffer carries the status token as sent even when it is not a
 * number.
 */
2262 static int DetectHttpStatCodeSigTest03(
void)
2266 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
2267 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2268 uint8_t httpbuf2[] =
"HTTP/1.0 FAIL OK\r\n\r\n";
2269 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
2278 memset(&th_v, 0,
sizeof(th_v));
2279 memset(&f, 0,
sizeof(f));
2280 memset(&ssn, 0,
sizeof(ssn));
2286 f.
proto = IPPROTO_TCP;
2305 "\"HTTP status code\"; content:\"FAIL\"; "
2306 "http_stat_code; sid:1;)");
2312 "Status code nocase\"; content:\"fail\"; nocase; "
2313 "http_stat_code; sid:2;)");
/* A NULL next pointer here means the second rule was not added. */
2314 if (s->
next == NULL) {
2325 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2333 printf(
"toclient chunk 1 returned %" PRId32
", expected 0: ", r);
2341 if (http_state == NULL) {
2342 printf(
"no http state: ");
2351 printf(
"sid 1 didn't match but should have: ");
2355 printf(
"sid 2 didn't match but should have: ");
2363 if (det_ctx != NULL) {
/*
 * End-to-end test combining a positive and a negated http_stat_code rule.
 * Partial listing: parse/inspect calls and most of the teardown are not
 * visible here.
 * Inputs: a POST request, then the response "HTTP/1.0 200 OK".
 * Rules under test: sid 1 content:"200"; http_stat_code and
 * sid 2 content:!"100"; nocase; http_stat_code.
 * Going by the failure messages, both sids are expected to alert.
 */
2378 static int DetectHttpStatCodeSigTest04(
void)
2382 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
2383 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2384 uint8_t httpbuf2[] =
"HTTP/1.0 200 OK\r\n\r\n";
2385 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
2394 memset(&th_v, 0,
sizeof(th_v));
2395 memset(&f, 0,
sizeof(f));
2396 memset(&ssn, 0,
sizeof(ssn));
2402 f.
proto = IPPROTO_TCP;
2421 "\"HTTP status code\"; content:\"200\"; "
2422 "http_stat_code; sid:1;)");
2428 "Status code negation\"; content:!\"100\"; nocase; "
2429 "http_stat_code; sid:2;)");
/* A NULL next pointer here means the second rule was not added. */
2430 if (s->
next == NULL) {
2441 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2449 printf(
"toclient chunk 1 returned %" PRId32
", expected 0: ", r);
2457 if (http_state == NULL) {
2458 printf(
"no http state: ");
2467 printf(
"sid 1 didn't match but should have: ");
2471 printf(
"sid 2 didn't match but should have: ");
2479 if (det_ctx != NULL) {
2498 DetectEngineHttpStatCodeTest01);
2500 DetectEngineHttpStatCodeTest02);
2502 DetectEngineHttpStatCodeTest03);
2504 DetectEngineHttpStatCodeTest04);
2506 DetectEngineHttpStatCodeTest05);
2508 DetectEngineHttpStatCodeTest06);
2510 DetectEngineHttpStatCodeTest07);
2512 DetectEngineHttpStatCodeTest08);
2514 DetectEngineHttpStatCodeTest09);
2516 DetectEngineHttpStatCodeTest10);
2518 DetectEngineHttpStatCodeTest11);
2520 DetectEngineHttpStatCodeTest12);
2522 DetectEngineHttpStatCodeTest13);
2524 DetectEngineHttpStatCodeTest14);
2526 DetectEngineHttpStatCodeTest15);
2528 UtRegisterTest(
"DetectHttpStatCodeTest01", DetectHttpStatCodeTest01);
2529 UtRegisterTest(
"DetectHttpStatCodeTest02", DetectHttpStatCodeTest02);
2530 UtRegisterTest(
"DetectHttpStatCodeSigTest01", DetectHttpStatCodeSigTest01);
2531 UtRegisterTest(
"DetectHttpStatCodeSigTest02", DetectHttpStatCodeSigTest02);
2532 UtRegisterTest(
"DetectHttpStatCodeSigTest03", DetectHttpStatCodeSigTest03);
2533 UtRegisterTest(
"DetectHttpStatCodeSigTest04", DetectHttpStatCodeSigTest04);
#define DETECT_CONTENT_NOCASE
void DetectHttpStatCodeRegisterTests(void)
Register the UNITTESTS for the http_stat_code keyword.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_TOSERVER
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
#define FLOWLOCK_UNLOCK(fb)
#define FLOW_INITIALIZE(f)
AppLayerParserThreadCtx * alp_tctx
#define FLOWLOCK_WRLOCK(fb)
Per thread variable structure.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
void StreamTcpFreeConfig(char quiet)
#define FLOW_PKT_TOCLIENT
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
a single match condition for a signature
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
#define FLOW_PKT_ESTABLISHED
DetectEngineCtx * DetectEngineCtxInit(void)
#define DETECT_CONTENT_FAST_PATTERN
AppProto alproto
application level protocol
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.