detect-http-stat-code.c
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  */
30 
31 #include "../suricata-common.h"
32 #include "../suricata.h"
33 #include "../flow-util.h"
34 #include "../flow.h"
35 #include "../app-layer-parser.h"
36 #include "../util-unittest.h"
37 #include "../util-unittest-helper.h"
38 #include "../app-layer.h"
39 #include "../app-layer-htp.h"
40 #include "../app-layer-protos.h"
41 #include "../detect-engine-build.h"
42 #include "../detect-engine-alert.h"
43 
/**
 * \brief Unit test: plain `content` match on the HTTP status code buffer.
 *
 * Sets up one flow (a TcpSession as protoctx) and one packet per direction,
 * loads the single signature
 *     content:"200"; http_stat_code;
 * parses the request TOSERVER and runs detection on p1, where sid 1 must
 * NOT alert (no response has been seen yet), then parses the response
 * "HTTP/1.0 200 message" TOCLIENT and runs detection on p2, where sid 1
 * MUST alert.
 *
 * \retval 1 pass
 * \retval 0 fail; a short diagnostic is printed before jumping to cleanup
 *
 * NOTE(review): this rendering of the file drops source lines 68, 83-85,
 * 87-90, 94, 107, 133, 153 and 155 (the gutter numbers jump over them).
 * As shown, alp_tctx has no declaration, de_ctx is NULL-checked without a
 * visible initialisation, one parser call has lost its first line, and the
 * two cleanup `if`s have no visible body.  Nothing has been reconstructed
 * below; each gap is marked where it falls.
 */
static int DetectEngineHttpStatCodeTest01(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;   /* request direction (TOSERVER) */
    Packet *p2 = NULL;   /* response direction (TOCLIENT) */
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* -1: the string literal's NUL terminator is not part of the wire data */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 message\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 7\r\n"
        "\r\n"
        "message";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    /* [gap: source line 68 not rendered — alp_tctx is used below but never declared in this view] */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    /* [gap: source lines 83-85 not rendered] */
    p2->flow = &f;
    /* [gap: source lines 87-90 not rendered] */

    StreamTcpInitConfig(true);

    /* [gap: source line 94 not rendered — no assignment to de_ctx is visible before this check] */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:\"200\"; http_stat_code; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* [gap: source line 107 not rendered] */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;   /* already 0; kept for symmetry with the other tests */
        goto end;
    }

    /* http_state is only checked for presence; it is not read afterwards */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect: request only, so the status-code buffer is still empty */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if ((PacketAlertCheck(p1, 1))) {
        printf("sid 1 matched but shouldn't have\n");
        goto end;
    }

    /* [gap: source line 133 not rendered — the call head these arguments belong to
     *  (cf. Test09's `r = AppLayerParserParse(`) is missing from this view] */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver" but this is the TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect: response parsed, "200" must now be in the status-code buffer */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!(PacketAlertCheck(p2, 1))) {
        printf("sid 1 didn't match but should have");
        goto end;
    }

    result = 1;

end:
    /* [gap: source line 153 not rendered — the statement guarded by this check is not shown] */
    if (alp_tctx != NULL)
    /* [gap: source line 155 not rendered — the statement guarded by this check is not shown] */
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
163 
/**
 * \brief Unit test: `offset` applied to the HTTP status code buffer.
 *
 * Single flow, single packet (p1).  The signature
 *     content:"123"; http_stat_code; offset:4;
 * is run after both the request (TOSERVER) and the response with the
 * deliberately over-long status "2000123" (TOCLIENT) have been parsed;
 * sid 1 MUST alert.  Unlike Test01 there is no "must not match yet"
 * check after the request alone, and the alstate presence check is done
 * only after the response has been parsed.
 *
 * \retval 1 pass
 * \retval 0 fail; a short diagnostic is printed before jumping to cleanup
 *
 * NOTE(review): this rendering drops source lines 187, 201-204, 208, 221,
 * 232, 259 and 261.  alp_tctx has no visible declaration, de_ctx no
 * visible initialisation, one parser call has lost its first line and the
 * cleanup `if`s have no visible body.  Gaps are marked inline; nothing was
 * reconstructed.
 */
static int DetectEngineHttpStatCodeTest02(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;   /* the only packet; detection runs once, after the response */
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* -1: drop the literal's NUL terminator from the wire length */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 2000123 xxxxABC\r\n"   /* 7-char status; "123" starts at offset 4 */
        "Content-Type: text/html\r\n"
        "Content-Length: 7\r\n"
        "\r\n"
        "xxxxABC";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    /* [gap: source line 187 not rendered — alp_tctx is used below but never declared in this view] */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    /* [gap: source lines 201-204 not rendered] */

    StreamTcpInitConfig(true);

    /* [gap: source line 208 not rendered — no assignment to de_ctx is visible before this check] */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:\"123\"; http_stat_code; offset:4; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* [gap: source line 221 not rendered] */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;   /* already 0 */
        goto end;
    }

    /* [gap: source line 232 not rendered — the call head these arguments belong to
     *  (cf. Test09's `r = AppLayerParserParse(`) is missing from this view] */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver" but this is the TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;
        goto end;
    }

    /* http_state is only checked for presence; it is not read afterwards */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect: both directions parsed, offset:4 must land on "123" */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (!(PacketAlertCheck(p1, 1))) {
        printf("sid 1 didn't match but should have\n");
        goto end;
    }

    result = 1;

end:
    /* [gap: source line 259 not rendered — the statement guarded by this check is not shown] */
    if (alp_tctx != NULL)
    /* [gap: source line 261 not rendered — the statement guarded by this check is not shown] */
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    return result;
}
268 
/**
 * \brief Unit test: status code delivered in two TOCLIENT chunks, with `offset`.
 *
 * The response status line is split across http_buf2 ("HTTP/1.0 123") and
 * http_buf3 ("456789\r\n..."), so the status code "123456789" only exists
 * once both chunks have been parsed.  The signature
 *     content:"789"; http_stat_code; offset:5;
 * must NOT alert on p1 after the request alone, and MUST alert on p2 after
 * both response chunks.
 *
 * \retval 1 pass
 * \retval 0 fail; a short diagnostic is printed before jumping to cleanup
 *
 * NOTE(review): this rendering drops source lines 296, 311-313, 315-318,
 * 322, 335, 361, 369, 389 and 391.  alp_tctx has no visible declaration,
 * de_ctx no visible initialisation, two parser calls have lost their first
 * line and the cleanup `if`s have no visible body.  Gaps are marked
 * inline; nothing was reconstructed.
 */
static int DetectEngineHttpStatCodeTest03(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;   /* request direction (TOSERVER) */
    Packet *p2 = NULL;   /* response direction (TOCLIENT) */
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    int result = 0;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* -1: drop the literal's NUL terminator from the wire length */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* first half of the status line, no line terminator yet */
    uint8_t http_buf2[] =
        "HTTP/1.0 123";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    /* second half: completes the status code to "123456789" */
    uint8_t http_buf3[] =
        "456789\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 17\r\n"
        "\r\n"
        "12345678901234ABC";
    uint32_t http_len3 = sizeof(http_buf3) - 1;
    /* [gap: source line 296 not rendered — alp_tctx is used below but never declared in this view] */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    /* [gap: source lines 311-313 not rendered] */
    p2->flow = &f;
    /* [gap: source lines 315-318 not rendered] */

    StreamTcpInitConfig(true);

    /* [gap: source line 322 not rendered — no assignment to de_ctx is visible before this check] */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:\"789\"; http_stat_code; offset:5; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* [gap: source line 335 not rendered] */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;   /* already 0 */
        goto end;
    }

    /* http_state is only checked for presence; it is not read afterwards */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect: request only, status-code buffer still empty */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have\n");
        goto end;
    }

    /* [gap: source line 361 not rendered — the call head these arguments belong to
     *  (cf. Test09's `r = AppLayerParserParse(`) is missing from this view] */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver" but this is the first TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* [gap: source line 369 not rendered — call head missing, as above] */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver chunk 1" but this is the second TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect: offset:5 into "123456789" must reach "789" */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!(PacketAlertCheck(p2, 1))) {
        printf("sid 1 didn't match but should have");
        goto end;
    }

    result = 1;

end:
    /* [gap: source line 389 not rendered — the statement guarded by this check is not shown] */
    if (alp_tctx != NULL)
    /* [gap: source line 391 not rendered — the statement guarded by this check is not shown] */
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
399 
/**
 * \brief Unit test: negated `content` with `offset` on the status code buffer.
 *
 * Signature:
 *     content:!"200"; http_stat_code; offset:3;
 * Against the status "200123", the bytes from offset 3 onward are "123",
 * which do not contain "200", so the negated match succeeds: sid 1 must
 * NOT alert on p1 (request only) and MUST alert on p2 (after the response).
 *
 * \retval 1 pass
 * \retval 0 fail; a short diagnostic is printed before jumping to cleanup
 *
 * NOTE(review): this rendering drops source lines 424, 439-441, 443-446,
 * 450, 463, 489, 509 and 511.  alp_tctx has no visible declaration, de_ctx
 * no visible initialisation, one parser call has lost its first line and
 * the cleanup `if`s have no visible body.  Gaps are marked inline; nothing
 * was reconstructed.
 */
static int DetectEngineHttpStatCodeTest04(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;   /* request direction (TOSERVER) */
    Packet *p2 = NULL;   /* response direction (TOCLIENT) */
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* -1: drop the literal's NUL terminator from the wire length */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"   /* 6-char status "200123" */
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    /* [gap: source line 424 not rendered — alp_tctx is used below but never declared in this view] */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    /* [gap: source lines 439-441 not rendered] */
    p2->flow = &f;
    /* [gap: source lines 443-446 not rendered] */

    StreamTcpInitConfig(true);

    /* [gap: source line 450 not rendered — no assignment to de_ctx is visible before this check] */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:!\"200\"; http_stat_code; offset:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* [gap: source line 463 not rendered] */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;   /* already 0 */
        goto end;
    }

    /* http_state is only checked for presence; it is not read afterwards */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect: request only, status-code buffer still empty */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* [gap: source line 489 not rendered — the call head these arguments belong to
     *  (cf. Test09's `r = AppLayerParserParse(`) is missing from this view] */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver" but this is the TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect: "123" past offset 3 contains no "200", so !"200" matches */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* [gap: source line 509 not rendered — the statement guarded by this check is not shown] */
    if (alp_tctx != NULL)
    /* [gap: source line 511 not rendered — the statement guarded by this check is not shown] */
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
519 
/**
 * \brief Unit test: `depth` on the status code buffer, positive match.
 *
 * Signature:
 *     content:"200"; http_stat_code; depth:3;
 * Against the status "200123", the first 3 bytes are exactly "200":
 * sid 1 must NOT alert on p1 (request only) and MUST alert on p2 (after
 * the response).  Test08 is the negated counterpart of this case.
 *
 * \retval 1 pass
 * \retval 0 fail; a short diagnostic is printed before jumping to cleanup
 *
 * NOTE(review): this rendering drops source lines 544, 559-561, 563-566,
 * 570, 583, 609, 629 and 631.  alp_tctx has no visible declaration, de_ctx
 * no visible initialisation, one parser call has lost its first line and
 * the cleanup `if`s have no visible body.  Gaps are marked inline; nothing
 * was reconstructed.
 */
static int DetectEngineHttpStatCodeTest05(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;   /* request direction (TOSERVER) */
    Packet *p2 = NULL;   /* response direction (TOCLIENT) */
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* -1: drop the literal's NUL terminator from the wire length */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"   /* 6-char status "200123" */
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    /* [gap: source line 544 not rendered — alp_tctx is used below but never declared in this view] */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    /* [gap: source lines 559-561 not rendered] */
    p2->flow = &f;
    /* [gap: source lines 563-566 not rendered] */

    StreamTcpInitConfig(true);

    /* [gap: source line 570 not rendered — no assignment to de_ctx is visible before this check] */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:\"200\"; http_stat_code; depth:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* [gap: source line 583 not rendered] */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;   /* already 0 */
        goto end;
    }

    /* http_state is only checked for presence; it is not read afterwards */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect: request only, status-code buffer still empty */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* [gap: source line 609 not rendered — the call head these arguments belong to
     *  (cf. Test09's `r = AppLayerParserParse(`) is missing from this view] */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver" but this is the TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect: "200" sits entirely within depth 3 */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* [gap: source line 629 not rendered — the statement guarded by this check is not shown] */
    if (alp_tctx != NULL)
    /* [gap: source line 631 not rendered — the statement guarded by this check is not shown] */
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
639 
/**
 * \brief Unit test: negated `content` with `depth`, expected to match.
 *
 * Signature:
 *     content:!"123"; http_stat_code; depth:3;
 * Against the status "200123", the first 3 bytes ("200") do not contain
 * "123", so the negation holds: sid 1 must NOT alert on p1 (request only)
 * and MUST alert on p2 (after the response).  Test07 uses the same
 * negated pattern with `offset:3` instead and expects no match.
 *
 * \retval 1 pass
 * \retval 0 fail; a short diagnostic is printed before jumping to cleanup
 *
 * NOTE(review): this rendering drops source lines 664, 679-681, 683-686,
 * 690, 703, 729, 749 and 751.  alp_tctx has no visible declaration, de_ctx
 * no visible initialisation, one parser call has lost its first line and
 * the cleanup `if`s have no visible body.  Gaps are marked inline; nothing
 * was reconstructed.
 */
static int DetectEngineHttpStatCodeTest06(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;   /* request direction (TOSERVER) */
    Packet *p2 = NULL;   /* response direction (TOCLIENT) */
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* -1: drop the literal's NUL terminator from the wire length */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"   /* 6-char status "200123" */
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    /* [gap: source line 664 not rendered — alp_tctx is used below but never declared in this view] */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    /* [gap: source lines 679-681 not rendered] */
    p2->flow = &f;
    /* [gap: source lines 683-686 not rendered] */

    StreamTcpInitConfig(true);

    /* [gap: source line 690 not rendered — no assignment to de_ctx is visible before this check] */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:!\"123\"; http_stat_code; depth:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* [gap: source line 703 not rendered] */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;   /* already 0 */
        goto end;
    }

    /* http_state is only checked for presence; it is not read afterwards */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect: request only, status-code buffer still empty */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* [gap: source line 729 not rendered — the call head these arguments belong to
     *  (cf. Test09's `r = AppLayerParserParse(`) is missing from this view] */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver" but this is the TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect: "123" is not within the first 3 bytes, so !"123" matches */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* [gap: source line 749 not rendered — the statement guarded by this check is not shown] */
    if (alp_tctx != NULL)
    /* [gap: source line 751 not rendered — the statement guarded by this check is not shown] */
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
759 
/**
 * \brief Unit test: negated `content` with `offset`, expected NOT to match.
 *
 * Signature:
 *     content:!"123"; http_stat_code; offset:3;
 * Against the status "200123", the bytes from offset 3 onward are exactly
 * "123", so the negation fails: sid 1 must NOT alert on p1 (request only)
 * and must NOT alert on p2 either (after the response).  Compare Test06,
 * where the same pattern under `depth:3` does match.
 *
 * \retval 1 pass
 * \retval 0 fail; a short diagnostic is printed before jumping to cleanup
 *
 * NOTE(review): this rendering drops source lines 784, 799-801, 803-806,
 * 810, 823, 849, 869 and 871.  alp_tctx has no visible declaration, de_ctx
 * no visible initialisation, one parser call has lost its first line and
 * the cleanup `if`s have no visible body.  Gaps are marked inline; nothing
 * was reconstructed.
 */
static int DetectEngineHttpStatCodeTest07(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;   /* request direction (TOSERVER) */
    Packet *p2 = NULL;   /* response direction (TOCLIENT) */
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* -1: drop the literal's NUL terminator from the wire length */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"   /* 6-char status "200123" */
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    /* [gap: source line 784 not rendered — alp_tctx is used below but never declared in this view] */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    /* [gap: source lines 799-801 not rendered] */
    p2->flow = &f;
    /* [gap: source lines 803-806 not rendered] */

    StreamTcpInitConfig(true);

    /* [gap: source line 810 not rendered — no assignment to de_ctx is visible before this check] */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:!\"123\"; http_stat_code; offset:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* [gap: source line 823 not rendered] */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;   /* already 0 */
        goto end;
    }

    /* http_state is only checked for presence; it is not read afterwards */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect: request only, status-code buffer still empty */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* [gap: source line 849 not rendered — the call head these arguments belong to
     *  (cf. Test09's `r = AppLayerParserParse(`) is missing from this view] */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver" but this is the TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect: "123" IS found past offset 3, so the negated content fails */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (PacketAlertCheck(p2, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* [gap: source line 869 not rendered — the statement guarded by this check is not shown] */
    if (alp_tctx != NULL)
    /* [gap: source line 871 not rendered — the statement guarded by this check is not shown] */
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
879 
/**
 * \brief Unit test: negated `content` with `depth`, expected NOT to match.
 *
 * Signature:
 *     content:!"200"; http_stat_code; depth:3;
 * Against the status "200123", the first 3 bytes are exactly "200", so
 * the negation fails: sid 1 must NOT alert on p1 (request only) and must
 * NOT alert on p2 either (after the response).  This is the negated
 * counterpart of Test05.
 *
 * \retval 1 pass
 * \retval 0 fail; a short diagnostic is printed before jumping to cleanup
 *
 * NOTE(review): this rendering drops source lines 904, 919-921, 923-926,
 * 930, 943, 969, 989 and 991.  alp_tctx has no visible declaration, de_ctx
 * no visible initialisation, one parser call has lost its first line and
 * the cleanup `if`s have no visible body.  Gaps are marked inline; nothing
 * was reconstructed.
 */
static int DetectEngineHttpStatCodeTest08(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;   /* request direction (TOSERVER) */
    Packet *p2 = NULL;   /* response direction (TOCLIENT) */
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* -1: drop the literal's NUL terminator from the wire length */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"   /* 6-char status "200123" */
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    /* [gap: source line 904 not rendered — alp_tctx is used below but never declared in this view] */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    /* [gap: source lines 919-921 not rendered] */
    p2->flow = &f;
    /* [gap: source lines 923-926 not rendered] */

    StreamTcpInitConfig(true);

    /* [gap: source line 930 not rendered — no assignment to de_ctx is visible before this check] */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:!\"200\"; http_stat_code; depth:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* [gap: source line 943 not rendered] */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;   /* already 0 */
        goto end;
    }

    /* http_state is only checked for presence; it is not read afterwards */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect: request only, status-code buffer still empty */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    /* [gap: source line 969 not rendered — the call head these arguments belong to
     *  (cf. Test09's `r = AppLayerParserParse(`) is missing from this view] */
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver" but this is the TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect: "200" IS within depth 3, so the negated content fails */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (PacketAlertCheck(p2, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* [gap: source line 989 not rendered — the statement guarded by this check is not shown] */
    if (alp_tctx != NULL)
    /* [gap: source line 991 not rendered — the statement guarded by this check is not shown] */
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
999 
/**
 * \brief Unit test: two chained `content`s with `depth` and `within`.
 *
 * Signature:
 *     content:"200"; http_stat_code; depth:3;
 *     content:"123"; http_stat_code; within:3;
 * Against the status "200123", "200" is found within the first 3 bytes and
 * "123" follows it within the next 3: sid 1 must NOT alert on p1 (request
 * only) and MUST alert on p2 (after the response).  Test10 and Test11
 * vary the second content (negated / non-existent "124").
 *
 * This is the first test in the file where `f.alproto = ALPROTO_HTTP1;`
 * and the full `r = AppLayerParserParse(` head of the TOCLIENT call are
 * visible in the rendering.
 *
 * \retval 1 pass
 * \retval 0 fail; a short diagnostic is printed before jumping to cleanup
 *
 * NOTE(review): this rendering drops source lines 1024, 1039-1041,
 * 1043-1045, 1050, 1064, 1110 and 1112.  alp_tctx has no visible
 * declaration, de_ctx no visible initialisation, and the cleanup `if`s
 * have no visible body.  Gaps are marked inline; nothing was reconstructed.
 */
static int DetectEngineHttpStatCodeTest09(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;   /* request direction (TOSERVER) */
    Packet *p2 = NULL;   /* response direction (TOCLIENT) */
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* -1: drop the literal's NUL terminator from the wire length */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"   /* 6-char status "200123" */
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    /* [gap: source line 1024 not rendered — alp_tctx is used below but never declared in this view] */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    /* [gap: source lines 1039-1041 not rendered] */
    p2->flow = &f;
    /* [gap: source lines 1043-1045 not rendered] */
    /* pin the flow's app-layer protocol so the parser is fed as HTTP/1 */
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* [gap: source line 1050 not rendered — no assignment to de_ctx is visible before this check] */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:\"200\"; http_stat_code; depth:3; "
            "content:\"123\"; http_stat_code; within:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* [gap: source line 1064 not rendered] */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;   /* already 0 */
        goto end;
    }

    /* http_state is only checked for presence; it is not read afterwards */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect: request only, status-code buffer still empty */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver" but this is the TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect: "200" within depth 3, then "123" within 3 bytes of it */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* [gap: source line 1110 not rendered — the statement guarded by this check is not shown] */
    if (alp_tctx != NULL)
    /* [gap: source line 1112 not rendered — the statement guarded by this check is not shown] */
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
1120 
/**
 * \brief Unit test: chained `content` + negated `content` with `within`.
 *
 * Signature:
 *     content:"200"; http_stat_code; depth:3;
 *     content:!"124"; http_stat_code; within:3;
 * Against the status "200123", "200" is found within depth 3 and the 3
 * bytes after it ("123") do not contain "124", so the negated second
 * content holds: sid 1 must NOT alert on p1 (request only) and MUST alert
 * on p2 (after the response).  Test11 is the non-negated counterpart and
 * expects no match.
 *
 * \retval 1 pass
 * \retval 0 fail; a short diagnostic is printed before jumping to cleanup
 *
 * NOTE(review): this rendering drops source lines 1145, 1160-1162,
 * 1164-1166, 1171, 1185, 1231 and 1233.  alp_tctx has no visible
 * declaration, de_ctx no visible initialisation, and the cleanup `if`s
 * have no visible body.  Gaps are marked inline; nothing was reconstructed.
 */
static int DetectEngineHttpStatCodeTest10(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;   /* request direction (TOSERVER) */
    Packet *p2 = NULL;   /* response direction (TOCLIENT) */
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* -1: drop the literal's NUL terminator from the wire length */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"   /* 6-char status "200123" */
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    /* [gap: source line 1145 not rendered — alp_tctx is used below but never declared in this view] */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    /* [gap: source lines 1160-1162 not rendered] */
    p2->flow = &f;
    /* [gap: source lines 1164-1166 not rendered] */
    /* pin the flow's app-layer protocol so the parser is fed as HTTP/1 */
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* [gap: source line 1171 not rendered — no assignment to de_ctx is visible before this check] */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:\"200\"; http_stat_code; depth:3; "
            "content:!\"124\"; http_stat_code; within:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* [gap: source line 1185 not rendered] */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;   /* already 0 */
        goto end;
    }

    /* http_state is only checked for presence; it is not read afterwards */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect: request only, status-code buffer still empty */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver" but this is the TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect: "200" within depth 3; "124" absent from the following 3 bytes */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* [gap: source line 1231 not rendered — the statement guarded by this check is not shown] */
    if (alp_tctx != NULL)
    /* [gap: source line 1233 not rendered — the statement guarded by this check is not shown] */
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
1241 
/**
 * \brief Unit test: chained `content`s with `within`, second content absent.
 *
 * Signature:
 *     content:"200"; http_stat_code; depth:3;
 *     content:"124"; http_stat_code; within:3;
 * Against the status "200123", "200" is found within depth 3 but "124"
 * does not occur in the following 3 bytes ("123"), so the signature as a
 * whole fails: sid 1 must NOT alert on p1 (request only) and must NOT
 * alert on p2 either (after the response).  Test10 negates the second
 * content and expects a match.
 *
 * \retval 1 pass
 * \retval 0 fail; a short diagnostic is printed before jumping to cleanup
 *
 * NOTE(review): this rendering drops source lines 1266, 1281-1283,
 * 1285-1287, 1292, 1306, 1352 and 1354.  alp_tctx has no visible
 * declaration, de_ctx no visible initialisation, and the cleanup `if`s
 * have no visible body.  Gaps are marked inline; nothing was reconstructed.
 */
static int DetectEngineHttpStatCodeTest11(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;   /* request direction (TOSERVER) */
    Packet *p2 = NULL;   /* response direction (TOCLIENT) */
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* -1: drop the literal's NUL terminator from the wire length */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"   /* 6-char status "200123" */
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    /* [gap: source line 1266 not rendered — alp_tctx is used below but never declared in this view] */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    /* [gap: source lines 1281-1283 not rendered] */
    p2->flow = &f;
    /* [gap: source lines 1285-1287 not rendered] */
    /* pin the flow's app-layer protocol so the parser is fed as HTTP/1 */
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* [gap: source line 1292 not rendered — no assignment to de_ctx is visible before this check] */
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:\"200\"; http_stat_code; depth:3; "
            "content:\"124\"; http_stat_code; within:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* [gap: source line 1306 not rendered] */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        result = 0;   /* already 0 */
        goto end;
    }

    /* http_state is only checked for presence; it is not read afterwards */
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        result = 0;
        goto end;
    }

    /* do detect: request only, status-code buffer still empty */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* NOTE: diagnostic says "toserver" but this is the TOCLIENT chunk */
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
        result = 0;
        goto end;
    }

    /* do detect: "124" never appears in "200123", so the chain cannot complete */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (PacketAlertCheck(p2, 1)) {
        printf("sid 1 did match but should not have: ");
        goto end;
    }

    result = 1;

end:
    /* [gap: source line 1352 not rendered — the statement guarded by this check is not shown] */
    if (alp_tctx != NULL)
    /* [gap: source line 1354 not rendered — the statement guarded by this check is not shown] */
    if (de_ctx != NULL)

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}
1362 
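/**
 * \test http_stat_code with a relative "distance" chain: content:"20" inside
 *       depth:2, then content:"23" at distance:2, against the status token
 *       "200123". The rule must not alert on the request-side packet (no
 *       status code buffer exists yet) and must alert on the response-side
 *       packet.
 *
 * \retval 1 on pass, 0 on failure (a short reason is printed first)
 */
static int DetectEngineHttpStatCodeTest12(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* deliberately malformed status line: the status token is six characters
     * long, so the keyword is exercised past the usual three digits */
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request, p2 the response, both on the same flow */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:\"20\"; http_stat_code; depth:2; "
            "content:\"23\"; http_stat_code; distance:2; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request side: no status code buffer exists yet, sid 1 must not fire */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* response side: the status token is available now, sid 1 must fire */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 did not match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* tear down in reverse order of setup: the thread ctx is released before
     * the engine ctx it was created from */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}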
1483 
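/**
 * \test http_stat_code with a negated relative content: content:"20" inside
 *       depth:3, then content:!"25" at distance:2, against the status token
 *       "200123". "25" is absent after the anchor, so the negation holds and
 *       the rule must alert on the response-side packet only.
 *
 * \retval 1 on pass, 0 on failure (a short reason is printed first)
 */
static int DetectEngineHttpStatCodeTest13(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* deliberately malformed status line: the status token is six characters
     * long, so the keyword is exercised past the usual three digits */
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request, p2 the response, both on the same flow */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "content:\"20\"; http_stat_code; depth:3; "
            "content:!\"25\"; http_stat_code; distance:2; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request side: no status code buffer exists yet, sid 1 must not fire */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* response side: the negated content is satisfied, sid 1 must fire */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 did not match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* tear down in reverse order of setup: the thread ctx is released before
     * the engine ctx it was created from */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}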
1604 
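/**
 * \test http_stat_code content relative to a pcre anchor: pcre:/20/S on the
 *       status buffer, then content:"23" at distance:2, against the status
 *       token "200123". The rule must alert on the response-side packet only.
 *
 * \retval 1 on pass, 0 on failure (a short reason is printed first)
 */
static int DetectEngineHttpStatCodeTest14(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* deliberately malformed status line: the status token is six characters
     * long, so the keyword is exercised past the usual three digits */
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request, p2 the response, both on the same flow */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "pcre:/20/S; "
            "content:\"23\"; http_stat_code; distance:2; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request side: no status code buffer exists yet, sid 1 must not fire */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* response side: pcre anchor plus relative content both hold, sid 1 fires */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 did not match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* tear down in reverse order of setup: the thread ctx is released before
     * the engine ctx it was created from */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}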
1725 
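/**
 * \test Negated http_stat_code content relative to a pcre anchor:
 *       pcre:/200/S, then content:!"124" with distance:0 and within:3,
 *       against the status token "200123". The bytes following "200" are
 *       "123", so the negation holds and the rule must alert on the
 *       response-side packet only.
 *
 * \retval 1 on pass, 0 on failure (a short reason is printed first)
 */
static int DetectEngineHttpStatCodeTest15(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* deliberately malformed status line: the status token is six characters
     * long, so the keyword is exercised past the usual three digits */
    uint8_t http_buf2[] =
        "HTTP/1.0 200123 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request, p2 the response, both on the same flow */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
            "(msg:\"http stat code test\"; "
            "pcre:/200/S; "
            "content:!\"124\"; http_stat_code; distance:0; within:3; "
            "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request side: no status code buffer exists yet, sid 1 must not fire */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* response side: the negated content is satisfied, sid 1 must fire */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 did not match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* tear down in reverse order of setup: the thread ctx is released before
     * the engine ctx it was created from */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}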
1846 
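/**
 * \test A plain content:"200"; http_stat_code; rule alerts once the
 *       "HTTP/1.0 200 OK" response has been parsed on the flow.
 *
 * \retval 1 on pass, 0 on failure (a short reason is printed first)
 */
static int DetectHttpStatCodeSigTest01(void)
{
    int result = 0;
    Flow f;
    uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* the single packet is inspected as response traffic, which is the side
     * the status code buffer belongs to */
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOCLIENT;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any (msg:"
            "\"HTTP status code\"; content:\"200\"; http_stat_code; sid:1;)");
    if (s == NULL) {
        printf("sig parse failed: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    /* feed request then response so a complete transaction exists */
    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
    if (r != 0) {
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (!(PacketAlertCheck(p, 1))) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;
end:
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);

    /* pairs with FLOW_INITIALIZE above, as the engine tests in this file do */
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}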
1944 
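/**
 * \test Neither content:"no" nor content:"100" on http_stat_code alerts for
 *       an "HTTP/1.0 200 OK" response: both sids must stay silent.
 *
 * \retval 1 on pass, 0 on failure (a short reason is printed first)
 */
static int DetectHttpStatCodeSigTest02(void)
{
    int result = 0;
    Flow f;
    uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* the single packet is inspected as response traffic, which is the side
     * the status code buffer belongs to */
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOCLIENT;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any (msg:"
            "\"HTTP status code\"; content:\"no\"; "
            "http_stat_code; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    s->next = SigInit(de_ctx, "alert http any any -> any any (msg:\"HTTP "
            "Status code\"; content:\"100\";"
            "http_stat_code; sid:2;)");
    if (s->next == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    /* feed request then response so a complete transaction exists */
    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
    if (r != 0) {
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 matched but shouldn't: ");
        goto end;
    }
    if ((PacketAlertCheck(p, 2))) {
        printf("sid 2 match but shouldn't have: ");
        goto end;
    }

    result = 1;
end:
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);

    /* pairs with FLOW_INITIALIZE above, as the engine tests in this file do */
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}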
2055 
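/**
 * \test http_stat_code matching with and without nocase. The response carries
 *       the non-numeric status token "FAIL": the parser hands the raw token to
 *       detection, so content:"FAIL" (sid 1) and content:"fail"; nocase
 *       (sid 2) must both alert.
 *
 * \retval 1 on pass, 0 on failure (a short reason is printed first)
 */
static int DetectHttpStatCodeSigTest03(void)
{
    int result = 0;
    Flow f;
    uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    uint8_t httpbuf2[] = "HTTP/1.0 FAIL OK\r\n\r\n";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* the single packet is inspected as response traffic, which is the side
     * the status code buffer belongs to */
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOCLIENT;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any (msg:"
            "\"HTTP status code\"; content:\"FAIL\"; "
            "http_stat_code; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    s->next = SigInit(de_ctx, "alert http any any -> any any (msg:\"HTTP "
            "Status code nocase\"; content:\"fail\"; nocase; "
            "http_stat_code; sid:2;)");
    if (s->next == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    /* feed request then response so a complete transaction exists */
    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
    if (r != 0) {
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (!(PacketAlertCheck(p, 1))) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }
    if (!(PacketAlertCheck(p, 2))) {
        printf("sid 2 didn't match but should have: ");
        goto end;
    }

    result = 1;
end:
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);

    /* pairs with FLOW_INITIALIZE above, as the engine tests in this file do */
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}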
2167 
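/**
 * \test http_stat_code matching with negation. For an "HTTP/1.0 200 OK"
 *       response both content:"200" (sid 1) and content:!"100"; nocase
 *       (sid 2) must alert.
 *
 * \retval 1 on pass, 0 on failure (a short reason is printed first)
 */
static int DetectHttpStatCodeSigTest04(void)
{
    int result = 0;
    Flow f;
    uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* the single packet is inspected as response traffic, which is the side
     * the status code buffer belongs to */
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOCLIENT;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any (msg:"
            "\"HTTP status code\"; content:\"200\"; "
            "http_stat_code; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    s->next = SigInit(de_ctx, "alert http any any -> any any (msg:\"HTTP "
            "Status code negation\"; content:!\"100\"; nocase; "
            "http_stat_code; sid:2;)");
    if (s->next == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    /* feed request then response so a complete transaction exists */
    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
    if (r != 0) {
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (!(PacketAlertCheck(p, 1))) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }
    if (!(PacketAlertCheck(p, 2))) {
        printf("sid 2 didn't match but should have: ");
        goto end;
    }

    result = 1;
end:
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);

    /* pairs with FLOW_INITIALIZE above, as the engine tests in this file do */
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}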
2279 
/**
 * \brief Register the UNITTESTS for the http_stat_code keyword.
 *
 * Registration order is the order of the table below: the engine-level
 * tests (01-15) first, then the signature-level tests (01-04).
 */
void DetectHttpStatCodeRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectEngineHttpStatCodeTest01", DetectEngineHttpStatCodeTest01 },
        { "DetectEngineHttpStatCodeTest02", DetectEngineHttpStatCodeTest02 },
        { "DetectEngineHttpStatCodeTest03", DetectEngineHttpStatCodeTest03 },
        { "DetectEngineHttpStatCodeTest04", DetectEngineHttpStatCodeTest04 },
        { "DetectEngineHttpStatCodeTest05", DetectEngineHttpStatCodeTest05 },
        { "DetectEngineHttpStatCodeTest06", DetectEngineHttpStatCodeTest06 },
        { "DetectEngineHttpStatCodeTest07", DetectEngineHttpStatCodeTest07 },
        { "DetectEngineHttpStatCodeTest08", DetectEngineHttpStatCodeTest08 },
        { "DetectEngineHttpStatCodeTest09", DetectEngineHttpStatCodeTest09 },
        { "DetectEngineHttpStatCodeTest10", DetectEngineHttpStatCodeTest10 },
        { "DetectEngineHttpStatCodeTest11", DetectEngineHttpStatCodeTest11 },
        { "DetectEngineHttpStatCodeTest12", DetectEngineHttpStatCodeTest12 },
        { "DetectEngineHttpStatCodeTest13", DetectEngineHttpStatCodeTest13 },
        { "DetectEngineHttpStatCodeTest14", DetectEngineHttpStatCodeTest14 },
        { "DetectEngineHttpStatCodeTest15", DetectEngineHttpStatCodeTest15 },
        { "DetectHttpStatCodeSigTest01", DetectHttpStatCodeSigTest01 },
        { "DetectHttpStatCodeSigTest02", DetectHttpStatCodeSigTest02 },
        { "DetectHttpStatCodeSigTest03", DetectHttpStatCodeSigTest03 },
        { "DetectHttpStatCodeSigTest04", DetectHttpStatCodeSigTest04 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}
2321 
2322 /**
2323  * @}
2324  */