suricata
detect-http-stat-msg.c
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  */
30 
31 #include "../suricata-common.h"
32 #include "../suricata.h"
33 #include "../flow-util.h"
34 #include "../flow.h"
35 #include "../app-layer-parser.h"
36 #include "../util-unittest.h"
37 #include "../util-unittest-helper.h"
38 #include "../app-layer.h"
39 #include "../app-layer-htp.h"
40 #include "../app-layer-protos.h"
41 #include "../detect-engine-build.h"
42 #include "../detect-engine-alert.h"
43 
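/**
 * \test http_stat_msg content match on a plain response reason phrase.
 *
 * Rule: content:"message"; http_stat_msg; against "HTTP/1.0 200 message".
 * The request-side packet (p1) must not alert; the response-side packet (p2)
 * must.
 *
 * NOTE(review): the rendered listing had dropped several statements (parser
 * thread ctx allocation, packet direction flags, f.alproto,
 * DetectEngineCtxInit, SigGroupBuild, the second "r =" assignment and the two
 * frees under end:). They are restored here from the gaps in the gutter
 * numbering; confirm against the repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest01(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* sizeof - 1: the parser must not see the string literal's NUL */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 message\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 7\r\n"
        "\r\n"
        "message";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request direction, p2 the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:\"message\"; http_stat_msg; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request only: there is no status line yet, so sid 1 must stay silent */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if ((PacketAlertCheck(p1, 1))) {
        printf("sid 1 matched but shouldn't have\n");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message fixed: this is the to-client parse, not the to-server one */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* response parsed: the reason phrase "message" is now inspectable */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!(PacketAlertCheck(p2, 1))) {
        printf("sid 1 didn't match but should have");
        goto end;
    }

    result = 1;

end:
    /* each guard must own its free; end: is reachable before de_ctx exists */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}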
163 
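/**
 * \test http_stat_msg content match with an offset modifier.
 *
 * Rule: content:"ABC"; http_stat_msg; offset:4; against the reason phrase
 * "xxxxABC". Request and response are both parsed before a single detection
 * run on p1, which must alert.
 *
 * NOTE(review): the rendered listing had dropped several statements (parser
 * thread ctx allocation, the packet flags after p1->flow, f.alproto,
 * DetectEngineCtxInit, SigGroupBuild, the second "r =" assignment and the two
 * frees under end:). They are restored here from the gaps in the gutter
 * numbering. The direction flag on p1 is presumed to be to-client because the
 * rule inspects the response; confirm against the repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest02(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* sizeof - 1: the parser must not see the string literal's NUL */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 xxxxABC\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 7\r\n"
        "\r\n"
        "xxxxABC";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOCLIENT;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:\"ABC\"; http_stat_msg; offset:4; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message fixed: this is the to-client parse, not the to-server one */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* "ABC" starts at byte 4 of "xxxxABC", so offset:4 still allows the match */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (!(PacketAlertCheck(p1, 1))) {
        printf("sid 1 didn't match but should have\n");
        goto end;
    }

    result = 1;

end:
    /* each guard must own its free; end: is reachable before de_ctx exists */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    return result;
}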
268 
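/**
 * \test http_stat_msg match when the status line arrives in two chunks.
 *
 * The response reason phrase "12345678901234ABC" is split across http_buf2
 * and http_buf3. Rule: content:"ABC"; http_stat_msg; offset:14;. The
 * request-side packet must not alert; after both response chunks are parsed
 * the response-side packet must.
 *
 * NOTE(review): the rendered listing had dropped several statements (parser
 * thread ctx allocation, packet direction flags, f.alproto,
 * DetectEngineCtxInit, SigGroupBuild, two "r =" assignments and the two frees
 * under end:). They are restored here from the gaps in the gutter numbering;
 * confirm against the repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest03(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    int result = 0;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* sizeof - 1: the parser must not see the string literal's NUL */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    /* first response chunk ends in the middle of the reason phrase */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 1234567";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    uint8_t http_buf3[] =
        "8901234ABC\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 17\r\n"
        "\r\n"
        "12345678901234ABC";
    uint32_t http_len3 = sizeof(http_buf3) - 1;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request direction, p2 the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:\"ABC\"; http_stat_msg; offset:14; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request only: there is no status line yet, so sid 1 must stay silent */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have\n");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message fixed: this is the first to-client chunk */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
    if (r != 0) {
        /* message fixed: this is the second to-client chunk */
        printf("toclient chunk 2 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* the rule must see the reassembled reason phrase, not a single chunk */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!(PacketAlertCheck(p2, 1))) {
        printf("sid 1 didn't match but should have");
        goto end;
    }

    result = 1;

end:
    /* each guard must own its free; end: is reachable before de_ctx exists */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}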
399 
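/**
 * \test Negated http_stat_msg content with an offset modifier (expects alert).
 *
 * Rule: content:!"abc"; http_stat_msg; offset:3; against the reason phrase
 * "abcdef". From byte 3 onwards only "def" remains, so the negated content
 * holds and the response-side packet must alert; the request-side packet
 * must not.
 *
 * NOTE(review): the rendered listing had dropped several statements (parser
 * thread ctx allocation, packet direction flags, f.alproto,
 * DetectEngineCtxInit, SigGroupBuild, the second "r =" assignment and the two
 * frees under end:). They are restored here from the gaps in the gutter
 * numbering; confirm against the repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest04(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* sizeof - 1: the parser must not see the string literal's NUL */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request direction, p2 the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:!\"abc\"; http_stat_msg; offset:3; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request only: a negated rule must not fire on an absent buffer */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message fixed: this is the to-client parse, not the to-server one */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* "abc" lies before offset 3, so the negation is satisfied */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* each guard must own its free; end: is reachable before de_ctx exists */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}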
519 
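/**
 * \test http_stat_msg content match with a depth modifier (expects alert).
 *
 * Rule: content:"abc"; http_stat_msg; depth:3; against the reason phrase
 * "abcdef". "abc" fits in the first three bytes, so the response-side packet
 * must alert; the request-side packet must not.
 *
 * NOTE(review): the rendered listing had dropped several statements (parser
 * thread ctx allocation, packet direction flags, f.alproto,
 * DetectEngineCtxInit, SigGroupBuild, the second "r =" assignment and the two
 * frees under end:). They are restored here from the gaps in the gutter
 * numbering; confirm against the repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest05(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* sizeof - 1: the parser must not see the string literal's NUL */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request direction, p2 the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:\"abc\"; http_stat_msg; depth:3; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request only: there is no status line yet, so sid 1 must stay silent */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message fixed: this is the to-client parse, not the to-server one */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* "abc" occupies bytes 0..2, exactly the window depth:3 allows */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* each guard must own its free; end: is reachable before de_ctx exists */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}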
639 
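/**
 * \test Negated http_stat_msg content with a depth modifier (expects alert).
 *
 * Rule: content:!"def"; http_stat_msg; depth:3; against the reason phrase
 * "abcdef". The first three bytes are "abc", so "def" is absent from the
 * inspected window and the response-side packet must alert; the request-side
 * packet must not.
 *
 * NOTE(review): the rendered listing had dropped several statements (parser
 * thread ctx allocation, packet direction flags, f.alproto,
 * DetectEngineCtxInit, SigGroupBuild, the second "r =" assignment and the two
 * frees under end:). They are restored here from the gaps in the gutter
 * numbering; confirm against the repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest06(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* sizeof - 1: the parser must not see the string literal's NUL */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request direction, p2 the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:!\"def\"; http_stat_msg; depth:3; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request only: a negated rule must not fire on an absent buffer */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message fixed: this is the to-client parse, not the to-server one */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* "def" lies beyond the depth:3 window, so the negation is satisfied */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* each guard must own its free; end: is reachable before de_ctx exists */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}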
759 
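/**
 * \test Negated http_stat_msg content with an offset modifier (expects NO alert).
 *
 * Rule: content:!"def"; http_stat_msg; offset:3; against the reason phrase
 * "abcdef". "def" is present from byte 3 onwards, so the negated content
 * fails and neither packet may alert.
 *
 * NOTE(review): the rendered listing had dropped several statements (parser
 * thread ctx allocation, packet direction flags, f.alproto,
 * DetectEngineCtxInit, SigGroupBuild, the second "r =" assignment and the two
 * frees under end:). They are restored here from the gaps in the gutter
 * numbering; confirm against the repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest07(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* sizeof - 1: the parser must not see the string literal's NUL */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request direction, p2 the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:!\"def\"; http_stat_msg; offset:3; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request only: a negated rule must not fire on an absent buffer */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message fixed: this is the to-client parse, not the to-server one */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* "def" sits at bytes 3..5, inside the inspected range: negation fails */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (PacketAlertCheck(p2, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* each guard must own its free; end: is reachable before de_ctx exists */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}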
879 
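/**
 * \test Negated http_stat_msg content with a depth modifier (expects NO alert).
 *
 * Rule: content:!"abc"; http_stat_msg; depth:3; against the reason phrase
 * "abcdef". "abc" is present in the first three bytes, so the negated content
 * fails and neither packet may alert.
 *
 * NOTE(review): the rendered listing had dropped several statements (parser
 * thread ctx allocation, packet direction flags, f.alproto,
 * DetectEngineCtxInit, SigGroupBuild, the second "r =" assignment and the two
 * frees under end:). They are restored here from the gaps in the gutter
 * numbering; confirm against the repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest08(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* sizeof - 1: the parser must not see the string literal's NUL */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request direction, p2 the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:!\"abc\"; http_stat_msg; depth:3; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request only: a negated rule must not fire on an absent buffer */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message fixed: this is the to-client parse, not the to-server one */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* "abc" sits inside the depth:3 window, so the negation fails */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (PacketAlertCheck(p2, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* each guard must own its free; end: is reachable before de_ctx exists */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}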
999 
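/**
 * \test Two chained http_stat_msg contents: depth then within (expects alert).
 *
 * Rule: content:"abc"; http_stat_msg; depth:3; content:"def"; http_stat_msg;
 * within:3; against the reason phrase "abcdef". "def" follows "abc" within
 * three bytes, so the response-side packet must alert; the request-side
 * packet must not.
 *
 * NOTE(review): the rendered listing had dropped several statements (parser
 * thread ctx allocation, packet direction flags, DetectEngineCtxInit,
 * SigGroupBuild and the two frees under end:). They are restored here from
 * the gaps in the gutter numbering; confirm against the repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest09(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* sizeof - 1: the parser must not see the string literal's NUL */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request direction, p2 the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:\"abc\"; http_stat_msg; depth:3; "
                               "content:\"def\"; http_stat_msg; within:3; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request only: there is no status line yet, so sid 1 must stay silent */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message fixed: this is the to-client parse, not the to-server one */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* both contents hold: "abc" in the first 3 bytes, "def" right after it */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* each guard must own its free; end: is reachable before de_ctx exists */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}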
1120 
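/**
 * \test Chained http_stat_msg contents with a negated within (expects alert).
 *
 * Rule: content:"abc"; http_stat_msg; depth:3; content:!"xyz"; http_stat_msg;
 * within:3; against the reason phrase "abcdef". "abc" is found and "xyz" does
 * not follow it, so the response-side packet must alert; the request-side
 * packet must not.
 *
 * NOTE(review): the rendered listing had dropped several statements (parser
 * thread ctx allocation, packet direction flags, DetectEngineCtxInit,
 * SigGroupBuild and the two frees under end:). They are restored here from
 * the gaps in the gutter numbering; confirm against the repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest10(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* sizeof - 1: the parser must not see the string literal's NUL */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request direction, p2 the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:\"abc\"; http_stat_msg; depth:3; "
                               "content:!\"xyz\"; http_stat_msg; within:3; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request only: there is no status line yet, so sid 1 must stay silent */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message fixed: this is the to-client parse, not the to-server one */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* "abc" matches and "xyz" is absent after it, so the rule holds */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* each guard must own its free; end: is reachable before de_ctx exists */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}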
1241 
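/**
 * \test Chained http_stat_msg contents where the second is absent (expects NO alert).
 *
 * Rule: content:"abc"; http_stat_msg; depth:3; content:"xyz"; http_stat_msg;
 * within:3; against the reason phrase "abcdef". "xyz" never appears, so
 * neither packet may alert.
 *
 * NOTE(review): the rendered listing had dropped several statements (parser
 * thread ctx allocation, packet direction flags, DetectEngineCtxInit,
 * SigGroupBuild and the two frees under end:). They are restored here from
 * the gaps in the gutter numbering; confirm against the repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest11(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    /* sizeof - 1: the parser must not see the string literal's NUL */
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 carries the request direction, p2 the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:\"abc\"; http_stat_msg; depth:3; "
                               "content:\"xyz\"; http_stat_msg; within:3; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* request only: there is no status line yet, so sid 1 must stay silent */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* message fixed: this is the to-client parse, not the to-server one */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* "abc" matches but "xyz" never follows, so the chained rule must fail */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (PacketAlertCheck(p2, 1)) {
        printf("sid 1 did match but should not have: ");
        goto end;
    }

    result = 1;

end:
    /* each guard must own its free; end: is reachable before de_ctx exists */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}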
1362 
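/**
 * \test http_stat_msg: anchored content followed by a relative content.
 *
 * The rule wants "ab" inside the first two bytes of the response status
 * message (depth:2) and then "ef" at least two bytes after that match
 * (distance:2). The response status message is "abcdef", so sid 1 must stay
 * silent on the request packet and must alert on the response packet.
 *
 * NOTE(review): the statements that allocate and free alp_tctx and de_ctx,
 * set the packet direction flags and call SigGroupBuild() were missing from
 * the rendered listing and are reconstructed here; confirm against the
 * repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest12(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the terminating NUL */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1; /* minus the terminating NUL */
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 stands for the request direction, p2 for the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:\"ab\"; http_stat_msg; depth:2; "
                               "content:\"ef\"; http_stat_msg; distance:2; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* only the request has been parsed: there is no status message yet */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* this is the response chunk, so report it as toclient */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* the response is parsed: the rule must fire on the toclient packet */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 did not match but should have: ");
        goto end;
    }

    result = 1;

end:
    if (alp_tctx != NULL) {
        AppLayerParserThreadCtxFree(alp_tctx);
    }
    /* det_ctx was created from de_ctx, so it is released before it */
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}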
1483 
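/**
 * \test http_stat_msg: anchored content followed by a negated relative content.
 *
 * The rule wants "ab" inside the first three bytes of the response status
 * message (depth:3) and requires that "yz" does NOT follow at distance:2.
 * The status message is "abcdef", which contains no "yz", so sid 1 must stay
 * silent on the request packet and must alert on the response packet.
 *
 * NOTE(review): the statements that allocate and free alp_tctx and de_ctx,
 * set the packet direction flags and call SigGroupBuild() were missing from
 * the rendered listing and are reconstructed here; confirm against the
 * repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest13(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the terminating NUL */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1; /* minus the terminating NUL */
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 stands for the request direction, p2 for the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "content:\"ab\"; http_stat_msg; depth:3; "
                               "content:!\"yz\"; http_stat_msg; distance:2; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* only the request has been parsed: there is no status message yet */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* this is the response chunk, so report it as toclient */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* the response is parsed: the rule must fire on the toclient packet */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 did not match but should have: ");
        goto end;
    }

    result = 1;

end:
    if (alp_tctx != NULL) {
        AppLayerParserThreadCtxFree(alp_tctx);
    }
    /* det_ctx was created from de_ctx, so it is released before it */
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}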
1604 
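/**
 * \test http_stat_msg: content relative to a preceding pcre match.
 *
 * The pcre /ab/Y uses the Y modifier, which applies it to the response status
 * message, and the content "ef" must then follow at distance:2 from that
 * match. The status message is "abcdef", so sid 1 must stay silent on the
 * request packet and must alert on the response packet.
 *
 * NOTE(review): the statements that allocate and free alp_tctx and de_ctx,
 * set the packet direction flags and call SigGroupBuild() were missing from
 * the rendered listing and are reconstructed here; confirm against the
 * repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest14(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the terminating NUL */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1; /* minus the terminating NUL */
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 stands for the request direction, p2 for the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "pcre:/ab/Y; "
                               "content:\"ef\"; http_stat_msg; distance:2; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* only the request has been parsed: there is no status message yet */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* this is the response chunk, so report it as toclient */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* the response is parsed: the rule must fire on the toclient packet */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 did not match but should have: ");
        goto end;
    }

    result = 1;

end:
    if (alp_tctx != NULL) {
        AppLayerParserThreadCtxFree(alp_tctx);
    }
    /* det_ctx was created from de_ctx, so it is released before it */
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}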
1725 
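/**
 * \test http_stat_msg: negated content relative to a preceding pcre match.
 *
 * The pcre /abc/Y uses the Y modifier, which applies it to the response status
 * message, and the negated content requires that "xyz" does NOT occur in the
 * three bytes right after that match (distance:0; within:3). The status
 * message is "abcdef", so sid 1 must stay silent on the request packet and
 * must alert on the response packet.
 *
 * NOTE(review): the statements that allocate and free alp_tctx and de_ctx,
 * set the packet direction flags and call SigGroupBuild() were missing from
 * the rendered listing and are reconstructed here; confirm against the
 * repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectEngineHttpStatMsgTest15(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the terminating NUL */
    uint8_t http_buf2[] =
        "HTTP/1.0 200 abcdef\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "abcdef";
    uint32_t http_len2 = sizeof(http_buf2) - 1; /* minus the terminating NUL */
    int result = 0;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* p1 stands for the request direction, p2 for the response direction */
    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http stat msg test\"; "
                               "pcre:/abc/Y; "
                               "content:!\"xyz\"; http_stat_msg; distance:0; within:3; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: \n");
        goto end;
    }

    /* only the request has been parsed: there is no status message yet */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if (PacketAlertCheck(p1, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    if (r != 0) {
        /* this is the response chunk, so report it as toclient */
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);
        goto end;
    }

    /* the response is parsed: the rule must fire on the toclient packet */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    if (!PacketAlertCheck(p2, 1)) {
        printf("sid 1 did not match but should have: ");
        goto end;
    }

    result = 1;

end:
    if (alp_tctx != NULL) {
        AppLayerParserThreadCtxFree(alp_tctx);
    }
    /* det_ctx was created from de_ctx, so it is released before it */
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);
    return result;
}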
1846 
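/**
 * \test Check that signatures using http_stat_msg alert when the content is
 *       present in the response status message.
 *
 * Two rules are loaded against the response "HTTP/1.0 200 OK": sid 1 looks for
 * "OK", sid 2 looks for "ok" with nocase. Both are expected to alert on the
 * toclient packet once request and response have been parsed.
 *
 * NOTE(review): the statements that allocate and free alp_tctx and de_ctx,
 * set the packet direction flags and call SigGroupBuild() were missing from
 * the rendered listing and are reconstructed here; confirm against the
 * repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectHttpStatMsgSigTest01(void)
{
    int result = 0;
    Flow f;
    uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* the status message lives in the response, so inspect a toclient packet */
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOCLIENT;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
                                   "\"HTTP status message\"; content:\"OK\"; "
                                   "http_stat_msg; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
                      "Status message nocase\"; content:\"ok\"; nocase; "
                      "http_stat_msg; sid:2;)");
    if (s->next == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
    if (r != 0) {
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (!(PacketAlertCheck(p, 1))) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }
    if (!(PacketAlertCheck(p, 2))) {
        printf("sid 2 didn't match but should have: ");
        goto end;
    }

    result = 1;
end:
    if (alp_tctx != NULL) {
        AppLayerParserThreadCtxFree(alp_tctx);
    }
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);
    /* release the flow's parser state, as the DetectEngineHttpStatMsgTest*
     * functions in this file do */
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}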
1957 
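/**
 * \test Check that a signature using http_stat_msg does NOT alert when the
 *       content is absent from the response status message.
 *
 * The rule looks for "no" while the response is "HTTP/1.0 200 OK", so sid 1
 * is expected to stay silent on the toclient packet.
 *
 * NOTE(review): the statements that allocate and free alp_tctx and de_ctx,
 * set the packet direction flags and call SigGroupBuild() were missing from
 * the rendered listing and are reconstructed here; confirm against the
 * repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectHttpStatMsgSigTest02(void)
{
    int result = 0;
    Flow f;
    uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* the status message lives in the response, so inspect a toclient packet */
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOCLIENT;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
                                   "\"HTTP status message\"; content:\"no\"; "
                                   "http_stat_msg; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
    if (r != 0) {
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 matched but shouldn't: ");
        goto end;
    }

    result = 1;
end:
    if (alp_tctx != NULL) {
        AppLayerParserThreadCtxFree(alp_tctx);
    }
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);
    /* release the flow's parser state, as the DetectEngineHttpStatMsgTest*
     * functions in this file do */
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}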
2057 
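/**
 * \test Check that http_stat_msg works with nocase and with negated content.
 *
 * Against the response "HTTP/1.0 200 OK", sid 1 looks for "ok" with nocase
 * and sid 2 requires that "Not" is absent from the status message. Both are
 * expected to alert on the toclient packet.
 *
 * NOTE(review): the statements that allocate and free alp_tctx and de_ctx,
 * set the packet direction flags and call SigGroupBuild() were missing from
 * the rendered listing and are reconstructed here; confirm against the
 * repository copy.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectHttpStatMsgSigTest03(void)
{
    int result = 0;
    Flow f;
    uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* the status message lives in the response, so inspect a toclient packet */
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOCLIENT;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
                                   "\"HTTP status message\"; content:\"ok\"; "
                                   "nocase; http_stat_msg; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
                      "Status message nocase\"; content:!\"Not\"; "
                      "http_stat_msg; sid:2;)");
    if (s->next == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
    if (r != 0) {
        printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (! PacketAlertCheck(p, 1)) {
        printf("sid 1 didn't matched but should have: ");
        goto end;
    }
    if (! PacketAlertCheck(p, 2)) {
        printf("sid 2 didn't matched but should have: ");
        goto end;
    }

    result = 1;
end:
    if (alp_tctx != NULL) {
        AppLayerParserThreadCtxFree(alp_tctx);
    }
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);
    /* release the flow's parser state, as the DetectEngineHttpStatMsgTest*
     * functions in this file do */
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}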
2169 
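/**
 * \brief Register the UNITTESTS for the http_stat_msg keyword
 *
 * Every test is registered under its own function name, in the order listed
 * in the table below.
 */
void DetectHttpStatMsgRegisterTests(void)
{
    /* name/function pairs kept side by side so the two cannot drift apart */
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectHttpStatMsgSigTest01", DetectHttpStatMsgSigTest01 },
        { "DetectHttpStatMsgSigTest02", DetectHttpStatMsgSigTest02 },
        { "DetectHttpStatMsgSigTest03", DetectHttpStatMsgSigTest03 },

        { "DetectEngineHttpStatMsgTest01", DetectEngineHttpStatMsgTest01 },
        { "DetectEngineHttpStatMsgTest02", DetectEngineHttpStatMsgTest02 },
        { "DetectEngineHttpStatMsgTest03", DetectEngineHttpStatMsgTest03 },
        { "DetectEngineHttpStatMsgTest04", DetectEngineHttpStatMsgTest04 },
        { "DetectEngineHttpStatMsgTest05", DetectEngineHttpStatMsgTest05 },
        { "DetectEngineHttpStatMsgTest06", DetectEngineHttpStatMsgTest06 },
        { "DetectEngineHttpStatMsgTest07", DetectEngineHttpStatMsgTest07 },
        { "DetectEngineHttpStatMsgTest08", DetectEngineHttpStatMsgTest08 },
        { "DetectEngineHttpStatMsgTest09", DetectEngineHttpStatMsgTest09 },
        { "DetectEngineHttpStatMsgTest10", DetectEngineHttpStatMsgTest10 },
        { "DetectEngineHttpStatMsgTest11", DetectEngineHttpStatMsgTest11 },
        { "DetectEngineHttpStatMsgTest12", DetectEngineHttpStatMsgTest12 },
        { "DetectEngineHttpStatMsgTest13", DetectEngineHttpStatMsgTest13 },
        { "DetectEngineHttpStatMsgTest14", DetectEngineHttpStatMsgTest14 },
        { "DetectEngineHttpStatMsgTest15", DetectEngineHttpStatMsgTest15 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}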
2210 
2211 /**
2212  * @}
2213  */