suricata
detect-http-stat-msg.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  */
30 
31 #include "../suricata-common.h"
32 #include "../suricata.h"
33 #include "../flow-util.h"
34 #include "../flow.h"
35 #include "../app-layer-parser.h"
36 #include "../util-unittest.h"
37 #include "../util-unittest-helper.h"
38 #include "../app-layer.h"
39 #include "../app-layer-htp.h"
40 #include "../app-layer-protos.h"
41 #include "../detect-engine-build.h"
42 #include "../detect-engine-alert.h"
43 
44 static int DetectEngineHttpStatMsgTest01(void)
45 {
46  TcpSession ssn;
47  ThreadVars th_v;
48  DetectEngineThreadCtx *det_ctx = NULL;
49  Flow f;
50  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
51  "Host: www.openinfosecfoundation.org\r\n"
52  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
53  "Gecko/20091221 Firefox/3.5.7\r\n"
54  "\r\n";
55  uint32_t http_len1 = sizeof(http_buf1) - 1;
56  uint8_t http_buf2[] = "HTTP/1.0 200 message\r\n"
57  "Content-Type: text/html\r\n"
58  "Content-Length: 7\r\n"
59  "\r\n"
60  "message";
61  uint32_t http_len2 = sizeof(http_buf2) - 1;
62  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
63 
64  memset(&th_v, 0, sizeof(th_v));
65  StatsThreadInit(&th_v.stats);
66  memset(&f, 0, sizeof(f));
67  memset(&ssn, 0, sizeof(ssn));
68 
69  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
70  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
71 
72  FLOW_INITIALIZE(&f);
73  f.protoctx = (void *)&ssn;
74  f.proto = IPPROTO_TCP;
75  f.flags |= FLOW_IPV4;
76 
77  p1->flow = &f;
78  p1->flowflags |= FLOW_PKT_TOSERVER;
79  p1->flowflags |= FLOW_PKT_ESTABLISHED;
80  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
81  p2->flow = &f;
82  p2->flowflags |= FLOW_PKT_TOCLIENT;
83  p2->flowflags |= FLOW_PKT_ESTABLISHED;
84  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
85  f.alproto = ALPROTO_HTTP1;
86 
87  StreamTcpInitConfig(true);
88 
89  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
90  FAIL_IF_NULL(de_ctx);
91  de_ctx->flags |= DE_QUIET;
92 
93  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
94  "(msg:\"http stat msg test\"; "
95  "content:\"message\"; http_stat_msg; "
96  "sid:1;)");
97  FAIL_IF_NULL(s);
98 
99  SigGroupBuild(de_ctx);
100  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
101 
102  int r = AppLayerParserParse(
103  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
104  FAIL_IF(r != 0);
105 
106  HtpState *http_state = f.alstate;
107  FAIL_IF_NULL(http_state);
108 
109  /* do detect */
110  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
111  FAIL_IF(PacketAlertCheck(p1, 1));
112 
113  r = AppLayerParserParse(
114  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
115  FAIL_IF(r != 0);
116 
117  /* do detect */
118  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
119  FAIL_IF(!(PacketAlertCheck(p2, 1)));
120 
121  UTHFreePackets(&p1, 1);
122  UTHFreePackets(&p2, 1);
123  FLOW_DESTROY(&f);
124 
125  AppLayerParserThreadCtxFree(alp_tctx);
126  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
127  DetectEngineCtxFree(de_ctx);
128  StreamTcpFreeConfig(true);
129  StatsThreadCleanup(&th_v.stats);
130  PASS;
131 }
132 
133 static int DetectEngineHttpStatMsgTest02(void)
134 {
135  TcpSession ssn;
136  ThreadVars th_v;
137  DetectEngineThreadCtx *det_ctx = NULL;
138  Flow f;
139  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
140  "Host: www.openinfosecfoundation.org\r\n"
141  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
142  "Gecko/20091221 Firefox/3.5.7\r\n"
143  "\r\n";
144  uint32_t http_len1 = sizeof(http_buf1) - 1;
145  uint8_t http_buf2[] = "HTTP/1.0 200 xxxxABC\r\n"
146  "Content-Type: text/html\r\n"
147  "Content-Length: 7\r\n"
148  "\r\n"
149  "xxxxABC";
150  uint32_t http_len2 = sizeof(http_buf2) - 1;
151  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
152 
153  memset(&th_v, 0, sizeof(th_v));
154  StatsThreadInit(&th_v.stats);
155  memset(&f, 0, sizeof(f));
156  memset(&ssn, 0, sizeof(ssn));
157 
158  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
159 
160  FLOW_INITIALIZE(&f);
161  f.protoctx = (void *)&ssn;
162  f.proto = IPPROTO_TCP;
163  f.flags |= FLOW_IPV4;
164 
165  p1->flow = &f;
166  p1->flowflags |= FLOW_PKT_TOCLIENT;
167  p1->flowflags |= FLOW_PKT_ESTABLISHED;
168  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
169  f.alproto = ALPROTO_HTTP1;
170 
171  StreamTcpInitConfig(true);
172 
173  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
174  FAIL_IF_NULL(de_ctx);
175  de_ctx->flags |= DE_QUIET;
176 
177  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
178  "(msg:\"http stat msg test\"; "
179  "content:\"ABC\"; http_stat_msg; offset:4; "
180  "sid:1;)");
181  FAIL_IF_NULL(s);
182 
183  SigGroupBuild(de_ctx);
184  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
185 
186  int r = AppLayerParserParse(
187  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
188  FAIL_IF(r != 0);
189 
190  r = AppLayerParserParse(
191  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
192  FAIL_IF(r != 0);
193 
194  HtpState *http_state = f.alstate;
195  FAIL_IF_NULL(http_state);
196 
197  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
198  FAIL_IF(!(PacketAlertCheck(p1, 1)));
199 
200  UTHFreePackets(&p1, 1);
201  FLOW_DESTROY(&f);
202 
203  AppLayerParserThreadCtxFree(alp_tctx);
204  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
205  DetectEngineCtxFree(de_ctx);
206  StreamTcpFreeConfig(true);
207  StatsThreadCleanup(&th_v.stats);
208  PASS;
209 }
210 
211 static int DetectEngineHttpStatMsgTest03(void)
212 {
213  TcpSession ssn;
214  ThreadVars th_v;
215  DetectEngineThreadCtx *det_ctx = NULL;
216  Flow f;
217  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
218  "Host: www.openinfosecfoundation.org\r\n"
219  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
220  "Gecko/20091221 Firefox/3.5.7\r\n"
221  "\r\n";
222  uint32_t http_len1 = sizeof(http_buf1) - 1;
223  uint8_t http_buf2[] = "HTTP/1.0 200 1234567";
224  uint32_t http_len2 = sizeof(http_buf2) - 1;
225  uint8_t http_buf3[] = "8901234ABC\r\n"
226  "Content-Type: text/html\r\n"
227  "Content-Length: 17\r\n"
228  "\r\n"
229  "12345678901234ABC";
230  uint32_t http_len3 = sizeof(http_buf3) - 1;
231  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
232 
233  memset(&th_v, 0, sizeof(th_v));
234  StatsThreadInit(&th_v.stats);
235  memset(&f, 0, sizeof(f));
236  memset(&ssn, 0, sizeof(ssn));
237 
238  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
239  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
240 
241  FLOW_INITIALIZE(&f);
242  f.protoctx = (void *)&ssn;
243  f.proto = IPPROTO_TCP;
244  f.flags |= FLOW_IPV4;
245 
246  p1->flow = &f;
247  p1->flowflags |= FLOW_PKT_TOSERVER;
248  p1->flowflags |= FLOW_PKT_ESTABLISHED;
249  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
250  p2->flow = &f;
251  p2->flowflags |= FLOW_PKT_TOCLIENT;
252  p2->flowflags |= FLOW_PKT_ESTABLISHED;
253  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
254  f.alproto = ALPROTO_HTTP1;
255 
256  StreamTcpInitConfig(true);
257 
258  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
259  FAIL_IF_NULL(de_ctx);
260  de_ctx->flags |= DE_QUIET;
261 
262  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
263  "(msg:\"http stat msg test\"; "
264  "content:\"ABC\"; http_stat_msg; offset:14; "
265  "sid:1;)");
266  FAIL_IF_NULL(s);
267 
268  SigGroupBuild(de_ctx);
269  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
270 
271  int r = AppLayerParserParse(
272  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
273  FAIL_IF_NOT(r == 0);
274 
275  HtpState *http_state = f.alstate;
276  FAIL_IF_NULL(http_state);
277 
278  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
279  FAIL_IF(PacketAlertCheck(p1, 1));
280 
281  r = AppLayerParserParse(
282  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
283  FAIL_IF_NOT(r == 0);
284 
285  r = AppLayerParserParse(
286  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
287  FAIL_IF_NOT(r == 0);
288 
289  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
290  FAIL_IF(!(PacketAlertCheck(p2, 1)));
291 
292  UTHFreePackets(&p1, 1);
293  UTHFreePackets(&p2, 1);
294  FLOW_DESTROY(&f);
295  AppLayerParserThreadCtxFree(alp_tctx);
296  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
297  DetectEngineCtxFree(de_ctx);
298  StreamTcpFreeConfig(true);
299  StatsThreadCleanup(&th_v.stats);
300  PASS;
301 }
302 
303 static int DetectEngineHttpStatMsgTest04(void)
304 {
305  TcpSession ssn;
306  ThreadVars th_v;
307  DetectEngineThreadCtx *det_ctx = NULL;
308  Flow f;
309  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
310  "Host: www.openinfosecfoundation.org\r\n"
311  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
312  "Gecko/20091221 Firefox/3.5.7\r\n"
313  "\r\n";
314  uint32_t http_len1 = sizeof(http_buf1) - 1;
315  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
316  "Content-Type: text/html\r\n"
317  "Content-Length: 6\r\n"
318  "\r\n"
319  "abcdef";
320  uint32_t http_len2 = sizeof(http_buf2) - 1;
321  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
322 
323  memset(&th_v, 0, sizeof(th_v));
324  StatsThreadInit(&th_v.stats);
325  memset(&f, 0, sizeof(f));
326  memset(&ssn, 0, sizeof(ssn));
327 
328  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
329  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
330 
331  FLOW_INITIALIZE(&f);
332  f.protoctx = (void *)&ssn;
333  f.proto = IPPROTO_TCP;
334  f.flags |= FLOW_IPV4;
335 
336  p1->flow = &f;
337  p1->flowflags |= FLOW_PKT_TOSERVER;
338  p1->flowflags |= FLOW_PKT_ESTABLISHED;
339  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
340  p2->flow = &f;
341  p2->flowflags |= FLOW_PKT_TOCLIENT;
342  p2->flowflags |= FLOW_PKT_ESTABLISHED;
343  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
344  f.alproto = ALPROTO_HTTP1;
345 
346  StreamTcpInitConfig(true);
347 
348  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
349  FAIL_IF_NULL(de_ctx);
350  de_ctx->flags |= DE_QUIET;
351 
352  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
353  "(msg:\"http stat msg test\"; "
354  "content:!\"abc\"; http_stat_msg; offset:3; "
355  "sid:1;)");
356  FAIL_IF_NULL(s);
357 
358  SigGroupBuild(de_ctx);
359  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
360 
361  int r = AppLayerParserParse(
362  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
363  FAIL_IF_NOT(r == 0);
364 
365  HtpState *http_state = f.alstate;
366  FAIL_IF_NULL(http_state);
367 
368  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
369  FAIL_IF(PacketAlertCheck(p1, 1));
370 
371  r = AppLayerParserParse(
372  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
373  FAIL_IF_NOT(r == 0);
374 
375  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
376  FAIL_IF(!PacketAlertCheck(p2, 1));
377 
378  UTHFreePackets(&p1, 1);
379  UTHFreePackets(&p2, 1);
380  FLOW_DESTROY(&f);
381  AppLayerParserThreadCtxFree(alp_tctx);
382  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
383  DetectEngineCtxFree(de_ctx);
384  StreamTcpFreeConfig(true);
385  StatsThreadCleanup(&th_v.stats);
386  PASS;
387 }
388 
389 static int DetectEngineHttpStatMsgTest05(void)
390 {
391  TcpSession ssn;
392  ThreadVars th_v;
393  DetectEngineThreadCtx *det_ctx = NULL;
394  Flow f;
395  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
396  "Host: www.openinfosecfoundation.org\r\n"
397  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
398  "Gecko/20091221 Firefox/3.5.7\r\n"
399  "\r\n";
400  uint32_t http_len1 = sizeof(http_buf1) - 1;
401  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
402  "Content-Type: text/html\r\n"
403  "Content-Length: 6\r\n"
404  "\r\n"
405  "abcdef";
406  uint32_t http_len2 = sizeof(http_buf2) - 1;
407  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
408 
409  memset(&th_v, 0, sizeof(th_v));
410  StatsThreadInit(&th_v.stats);
411  memset(&f, 0, sizeof(f));
412  memset(&ssn, 0, sizeof(ssn));
413 
414  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
415  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
416 
417  FLOW_INITIALIZE(&f);
418  f.protoctx = (void *)&ssn;
419  f.proto = IPPROTO_TCP;
420  f.flags |= FLOW_IPV4;
421 
422  p1->flow = &f;
423  p1->flowflags |= FLOW_PKT_TOSERVER;
424  p1->flowflags |= FLOW_PKT_ESTABLISHED;
425  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
426  p2->flow = &f;
427  p2->flowflags |= FLOW_PKT_TOCLIENT;
428  p2->flowflags |= FLOW_PKT_ESTABLISHED;
429  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
430  f.alproto = ALPROTO_HTTP1;
431 
432  StreamTcpInitConfig(true);
433 
434  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
435  FAIL_IF_NULL(de_ctx);
436  de_ctx->flags |= DE_QUIET;
437 
438  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
439  "(msg:\"http stat msg test\"; "
440  "content:\"abc\"; http_stat_msg; depth:3; "
441  "sid:1;)");
442  FAIL_IF_NULL(s);
443 
444  SigGroupBuild(de_ctx);
445  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
446 
447  int r = AppLayerParserParse(
448  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
449  FAIL_IF_NOT(r == 0);
450 
451  HtpState *http_state = f.alstate;
452  FAIL_IF_NULL(http_state);
453 
454  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
455  FAIL_IF(PacketAlertCheck(p1, 1));
456 
457  r = AppLayerParserParse(
458  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
459  FAIL_IF_NOT(r == 0);
460 
461  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
462  FAIL_IF(!PacketAlertCheck(p2, 1));
463 
464  UTHFreePackets(&p1, 1);
465  UTHFreePackets(&p2, 1);
466  FLOW_DESTROY(&f);
467  AppLayerParserThreadCtxFree(alp_tctx);
468  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
469  DetectEngineCtxFree(de_ctx);
470  StreamTcpFreeConfig(true);
471  StatsThreadCleanup(&th_v.stats);
472  PASS;
473 }
474 
475 static int DetectEngineHttpStatMsgTest06(void)
476 {
477  TcpSession ssn;
478  ThreadVars th_v;
479  DetectEngineThreadCtx *det_ctx = NULL;
480  Flow f;
481  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
482  "Host: www.openinfosecfoundation.org\r\n"
483  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
484  "Gecko/20091221 Firefox/3.5.7\r\n"
485  "\r\n";
486  uint32_t http_len1 = sizeof(http_buf1) - 1;
487  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
488  "Content-Type: text/html\r\n"
489  "Content-Length: 6\r\n"
490  "\r\n"
491  "abcdef";
492  uint32_t http_len2 = sizeof(http_buf2) - 1;
493  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
494 
495  memset(&th_v, 0, sizeof(th_v));
496  StatsThreadInit(&th_v.stats);
497  memset(&f, 0, sizeof(f));
498  memset(&ssn, 0, sizeof(ssn));
499 
500  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
501  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
502 
503  FLOW_INITIALIZE(&f);
504  f.protoctx = (void *)&ssn;
505  f.proto = IPPROTO_TCP;
506  f.flags |= FLOW_IPV4;
507 
508  p1->flow = &f;
509  p1->flowflags |= FLOW_PKT_TOSERVER;
510  p1->flowflags |= FLOW_PKT_ESTABLISHED;
511  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
512  p2->flow = &f;
513  p2->flowflags |= FLOW_PKT_TOCLIENT;
514  p2->flowflags |= FLOW_PKT_ESTABLISHED;
515  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
516  f.alproto = ALPROTO_HTTP1;
517 
518  StreamTcpInitConfig(true);
519 
520  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
521  FAIL_IF_NULL(de_ctx);
522  de_ctx->flags |= DE_QUIET;
523 
524  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
525  "(msg:\"http stat msg test\"; "
526  "content:!\"def\"; http_stat_msg; depth:3; "
527  "sid:1;)");
528  FAIL_IF_NULL(s);
529 
530  SigGroupBuild(de_ctx);
531  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
532 
533  int r = AppLayerParserParse(
534  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
535  FAIL_IF_NOT(r == 0);
536 
537  HtpState *http_state = f.alstate;
538  FAIL_IF_NULL(http_state);
539 
540  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
541  FAIL_IF(PacketAlertCheck(p1, 1));
542 
543  r = AppLayerParserParse(
544  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
545  FAIL_IF_NOT(r == 0);
546 
547  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
548  FAIL_IF(!PacketAlertCheck(p2, 1));
549 
550  UTHFreePackets(&p1, 1);
551  UTHFreePackets(&p2, 1);
552  FLOW_DESTROY(&f);
553  AppLayerParserThreadCtxFree(alp_tctx);
554  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
555  DetectEngineCtxFree(de_ctx);
556  StreamTcpFreeConfig(true);
557  StatsThreadCleanup(&th_v.stats);
558  PASS;
559 }
560 
561 static int DetectEngineHttpStatMsgTest07(void)
562 {
563  TcpSession ssn;
564  ThreadVars th_v;
565  DetectEngineThreadCtx *det_ctx = NULL;
566  Flow f;
567  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
568  "Host: www.openinfosecfoundation.org\r\n"
569  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
570  "Gecko/20091221 Firefox/3.5.7\r\n"
571  "\r\n";
572  uint32_t http_len1 = sizeof(http_buf1) - 1;
573  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
574  "Content-Type: text/html\r\n"
575  "Content-Length: 6\r\n"
576  "\r\n"
577  "abcdef";
578  uint32_t http_len2 = sizeof(http_buf2) - 1;
579  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
580 
581  memset(&th_v, 0, sizeof(th_v));
582  StatsThreadInit(&th_v.stats);
583  memset(&f, 0, sizeof(f));
584  memset(&ssn, 0, sizeof(ssn));
585 
586  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
587  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
588 
589  FLOW_INITIALIZE(&f);
590  f.protoctx = (void *)&ssn;
591  f.proto = IPPROTO_TCP;
592  f.flags |= FLOW_IPV4;
593 
594  p1->flow = &f;
595  p1->flowflags |= FLOW_PKT_TOSERVER;
596  p1->flowflags |= FLOW_PKT_ESTABLISHED;
597  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
598  p2->flow = &f;
599  p2->flowflags |= FLOW_PKT_TOCLIENT;
600  p2->flowflags |= FLOW_PKT_ESTABLISHED;
601  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
602  f.alproto = ALPROTO_HTTP1;
603 
604  StreamTcpInitConfig(true);
605 
606  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
607  FAIL_IF_NULL(de_ctx);
608  de_ctx->flags |= DE_QUIET;
609 
610  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
611  "(msg:\"http stat msg test\"; "
612  "content:!\"def\"; http_stat_msg; offset:3; "
613  "sid:1;)");
614  FAIL_IF_NULL(s);
615 
616  SigGroupBuild(de_ctx);
617  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
618 
619  int r = AppLayerParserParse(
620  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
621  FAIL_IF_NOT(r == 0);
622 
623  HtpState *http_state = f.alstate;
624  FAIL_IF_NULL(http_state);
625 
626  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
627  FAIL_IF(PacketAlertCheck(p1, 1));
628 
629  r = AppLayerParserParse(
630  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
631  FAIL_IF_NOT(r == 0);
632 
633  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
634  FAIL_IF(PacketAlertCheck(p2, 1));
635 
636  UTHFreePackets(&p1, 1);
637  UTHFreePackets(&p2, 1);
638  FLOW_DESTROY(&f);
639  AppLayerParserThreadCtxFree(alp_tctx);
640  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
641  DetectEngineCtxFree(de_ctx);
642  StreamTcpFreeConfig(true);
643  StatsThreadCleanup(&th_v.stats);
644  PASS;
645 }
646 
647 static int DetectEngineHttpStatMsgTest08(void)
648 {
649  TcpSession ssn;
650  ThreadVars th_v;
651  DetectEngineThreadCtx *det_ctx = NULL;
652  Flow f;
653  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
654  "Host: www.openinfosecfoundation.org\r\n"
655  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
656  "Gecko/20091221 Firefox/3.5.7\r\n"
657  "\r\n";
658  uint32_t http_len1 = sizeof(http_buf1) - 1;
659  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
660  "Content-Type: text/html\r\n"
661  "Content-Length: 6\r\n"
662  "\r\n"
663  "abcdef";
664  uint32_t http_len2 = sizeof(http_buf2) - 1;
665  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
666 
667  memset(&th_v, 0, sizeof(th_v));
668  StatsThreadInit(&th_v.stats);
669  memset(&f, 0, sizeof(f));
670  memset(&ssn, 0, sizeof(ssn));
671 
672  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
673  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
674 
675  FLOW_INITIALIZE(&f);
676  f.protoctx = (void *)&ssn;
677  f.proto = IPPROTO_TCP;
678  f.flags |= FLOW_IPV4;
679 
680  p1->flow = &f;
681  p1->flowflags |= FLOW_PKT_TOSERVER;
682  p1->flowflags |= FLOW_PKT_ESTABLISHED;
683  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
684  p2->flow = &f;
685  p2->flowflags |= FLOW_PKT_TOCLIENT;
686  p2->flowflags |= FLOW_PKT_ESTABLISHED;
687  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
688  f.alproto = ALPROTO_HTTP1;
689 
690  StreamTcpInitConfig(true);
691 
692  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
693  FAIL_IF_NULL(de_ctx);
694  de_ctx->flags |= DE_QUIET;
695 
696  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
697  "(msg:\"http stat msg test\"; "
698  "content:!\"abc\"; http_stat_msg; depth:3; "
699  "sid:1;)");
700  FAIL_IF_NULL(s);
701 
702  SigGroupBuild(de_ctx);
703  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
704 
705  int r = AppLayerParserParse(
706  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
707  FAIL_IF_NOT(r == 0);
708 
709  HtpState *http_state = f.alstate;
710  FAIL_IF_NULL(http_state);
711 
712  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
713  FAIL_IF(PacketAlertCheck(p1, 1));
714 
715  r = AppLayerParserParse(
716  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
717  FAIL_IF_NOT(r == 0);
718 
719  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
720  FAIL_IF(PacketAlertCheck(p2, 1));
721 
722  UTHFreePackets(&p1, 1);
723  UTHFreePackets(&p2, 1);
724  FLOW_DESTROY(&f);
725  AppLayerParserThreadCtxFree(alp_tctx);
726  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
727  DetectEngineCtxFree(de_ctx);
728  StreamTcpFreeConfig(true);
729  StatsThreadCleanup(&th_v.stats);
730  PASS;
731 }
732 
733 static int DetectEngineHttpStatMsgTest09(void)
734 {
735  TcpSession ssn;
736  ThreadVars th_v;
737  DetectEngineThreadCtx *det_ctx = NULL;
738  Flow f;
739  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
740  "Host: www.openinfosecfoundation.org\r\n"
741  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
742  "Gecko/20091221 Firefox/3.5.7\r\n"
743  "\r\n";
744  uint32_t http_len1 = sizeof(http_buf1) - 1;
745  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
746  "Content-Type: text/html\r\n"
747  "Content-Length: 6\r\n"
748  "\r\n"
749  "abcdef";
750  uint32_t http_len2 = sizeof(http_buf2) - 1;
751  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
752 
753  memset(&th_v, 0, sizeof(th_v));
754  StatsThreadInit(&th_v.stats);
755  memset(&f, 0, sizeof(f));
756  memset(&ssn, 0, sizeof(ssn));
757 
758  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
759  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
760 
761  FLOW_INITIALIZE(&f);
762  f.protoctx = (void *)&ssn;
763  f.proto = IPPROTO_TCP;
764  f.flags |= FLOW_IPV4;
765 
766  p1->flow = &f;
767  p1->flowflags |= FLOW_PKT_TOSERVER;
768  p1->flowflags |= FLOW_PKT_ESTABLISHED;
769  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
770  p2->flow = &f;
771  p2->flowflags |= FLOW_PKT_TOCLIENT;
772  p2->flowflags |= FLOW_PKT_ESTABLISHED;
773  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
774  f.alproto = ALPROTO_HTTP1;
775 
776  StreamTcpInitConfig(true);
777 
778  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
779  FAIL_IF_NULL(de_ctx);
780  de_ctx->flags |= DE_QUIET;
781 
782  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
783  "(msg:\"http stat msg test\"; "
784  "content:\"abc\"; http_stat_msg; depth:3; "
785  "content:\"def\"; http_stat_msg; within:3; "
786  "sid:1;)");
787  FAIL_IF_NULL(s);
788 
789  SigGroupBuild(de_ctx);
790  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
791 
792  int r = AppLayerParserParse(
793  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
794  FAIL_IF_NOT(r == 0);
795 
796  HtpState *http_state = f.alstate;
797  FAIL_IF_NULL(http_state);
798 
799  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
800  FAIL_IF(PacketAlertCheck(p1, 1));
801 
802  r = AppLayerParserParse(
803  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
804  FAIL_IF_NOT(r == 0);
805 
806  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
807  FAIL_IF(!PacketAlertCheck(p2, 1));
808 
809  UTHFreePackets(&p1, 1);
810  UTHFreePackets(&p2, 1);
811  FLOW_DESTROY(&f);
812  AppLayerParserThreadCtxFree(alp_tctx);
813  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
814  DetectEngineCtxFree(de_ctx);
815  StreamTcpFreeConfig(true);
816  StatsThreadCleanup(&th_v.stats);
817  PASS;
818 }
819 
820 static int DetectEngineHttpStatMsgTest10(void)
821 {
822  TcpSession ssn;
823  ThreadVars th_v;
824  DetectEngineThreadCtx *det_ctx = NULL;
825  Flow f;
826  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
827  "Host: www.openinfosecfoundation.org\r\n"
828  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
829  "Gecko/20091221 Firefox/3.5.7\r\n"
830  "\r\n";
831  uint32_t http_len1 = sizeof(http_buf1) - 1;
832  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
833  "Content-Type: text/html\r\n"
834  "Content-Length: 6\r\n"
835  "\r\n"
836  "abcdef";
837  uint32_t http_len2 = sizeof(http_buf2) - 1;
838  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
839 
840  memset(&th_v, 0, sizeof(th_v));
841  StatsThreadInit(&th_v.stats);
842  memset(&f, 0, sizeof(f));
843  memset(&ssn, 0, sizeof(ssn));
844 
845  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
846  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
847 
848  FLOW_INITIALIZE(&f);
849  f.protoctx = (void *)&ssn;
850  f.proto = IPPROTO_TCP;
851  f.flags |= FLOW_IPV4;
852 
853  p1->flow = &f;
854  p1->flowflags |= FLOW_PKT_TOSERVER;
855  p1->flowflags |= FLOW_PKT_ESTABLISHED;
856  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
857  p2->flow = &f;
858  p2->flowflags |= FLOW_PKT_TOCLIENT;
859  p2->flowflags |= FLOW_PKT_ESTABLISHED;
860  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
861  f.alproto = ALPROTO_HTTP1;
862 
863  StreamTcpInitConfig(true);
864 
865  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
866  FAIL_IF_NULL(de_ctx);
867  de_ctx->flags |= DE_QUIET;
868 
869  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
870  "(msg:\"http stat msg test\"; "
871  "content:\"abc\"; http_stat_msg; depth:3; "
872  "content:!\"xyz\"; http_stat_msg; within:3; "
873  "sid:1;)");
874  FAIL_IF_NULL(s);
875 
876  SigGroupBuild(de_ctx);
877  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
878 
879  int r = AppLayerParserParse(
880  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
881  FAIL_IF_NOT(r == 0);
882 
883  HtpState *http_state = f.alstate;
884  FAIL_IF_NULL(http_state);
885 
886  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
887  FAIL_IF(PacketAlertCheck(p1, 1));
888 
889  r = AppLayerParserParse(
890  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
891  FAIL_IF_NOT(r == 0);
892 
893  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
894  FAIL_IF(!PacketAlertCheck(p2, 1));
895 
896  UTHFreePackets(&p1, 1);
897  UTHFreePackets(&p2, 1);
898  FLOW_DESTROY(&f);
899  AppLayerParserThreadCtxFree(alp_tctx);
900  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
901  DetectEngineCtxFree(de_ctx);
902  StreamTcpFreeConfig(true);
903  StatsThreadCleanup(&th_v.stats);
904  PASS;
905 }
906 
907 static int DetectEngineHttpStatMsgTest11(void)
908 {
909  TcpSession ssn;
910  ThreadVars th_v;
911  DetectEngineThreadCtx *det_ctx = NULL;
912  Flow f;
913  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
914  "Host: www.openinfosecfoundation.org\r\n"
915  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
916  "Gecko/20091221 Firefox/3.5.7\r\n"
917  "\r\n";
918  uint32_t http_len1 = sizeof(http_buf1) - 1;
919  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
920  "Content-Type: text/html\r\n"
921  "Content-Length: 6\r\n"
922  "\r\n"
923  "abcdef";
924  uint32_t http_len2 = sizeof(http_buf2) - 1;
925  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
926 
927  memset(&th_v, 0, sizeof(th_v));
928  StatsThreadInit(&th_v.stats);
929  memset(&f, 0, sizeof(f));
930  memset(&ssn, 0, sizeof(ssn));
931 
932  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
933  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
934 
935  FLOW_INITIALIZE(&f);
936  f.protoctx = (void *)&ssn;
937  f.proto = IPPROTO_TCP;
938  f.flags |= FLOW_IPV4;
939 
940  p1->flow = &f;
941  p1->flowflags |= FLOW_PKT_TOSERVER;
942  p1->flowflags |= FLOW_PKT_ESTABLISHED;
943  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
944  p2->flow = &f;
945  p2->flowflags |= FLOW_PKT_TOCLIENT;
946  p2->flowflags |= FLOW_PKT_ESTABLISHED;
947  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
948  f.alproto = ALPROTO_HTTP1;
949 
950  StreamTcpInitConfig(true);
951 
952  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
953  FAIL_IF_NULL(de_ctx);
954  de_ctx->flags |= DE_QUIET;
955 
956  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
957  "(msg:\"http stat msg test\"; "
958  "content:\"abc\"; http_stat_msg; depth:3; "
959  "content:\"xyz\"; http_stat_msg; within:3; "
960  "sid:1;)");
961  FAIL_IF_NULL(s);
962 
963  SigGroupBuild(de_ctx);
964  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
965 
966  int r = AppLayerParserParse(
967  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
968  FAIL_IF_NOT(r == 0);
969 
970  HtpState *http_state = f.alstate;
971  FAIL_IF_NULL(http_state);
972 
973  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
974  FAIL_IF(PacketAlertCheck(p1, 1));
975 
976  r = AppLayerParserParse(
977  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
978  FAIL_IF_NOT(r == 0);
979 
980  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
981  FAIL_IF(PacketAlertCheck(p2, 1));
982 
983  UTHFreePackets(&p1, 1);
984  UTHFreePackets(&p2, 1);
985  FLOW_DESTROY(&f);
986  AppLayerParserThreadCtxFree(alp_tctx);
987  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
988  DetectEngineCtxFree(de_ctx);
989  StreamTcpFreeConfig(true);
990  StatsThreadCleanup(&th_v.stats);
991  PASS;
992 }
993 
994 static int DetectEngineHttpStatMsgTest12(void)
995 {
996  TcpSession ssn;
997  ThreadVars th_v;
998  DetectEngineThreadCtx *det_ctx = NULL;
999  Flow f;
1000  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
1001  "Host: www.openinfosecfoundation.org\r\n"
1002  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1003  "Gecko/20091221 Firefox/3.5.7\r\n"
1004  "\r\n";
1005  uint32_t http_len1 = sizeof(http_buf1) - 1;
1006  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
1007  "Content-Type: text/html\r\n"
1008  "Content-Length: 6\r\n"
1009  "\r\n"
1010  "abcdef";
1011  uint32_t http_len2 = sizeof(http_buf2) - 1;
1012  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1013 
1014  memset(&th_v, 0, sizeof(th_v));
1015  StatsThreadInit(&th_v.stats);
1016  memset(&f, 0, sizeof(f));
1017  memset(&ssn, 0, sizeof(ssn));
1018 
1019  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1020  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1021 
1022  FLOW_INITIALIZE(&f);
1023  f.protoctx = (void *)&ssn;
1024  f.proto = IPPROTO_TCP;
1025  f.flags |= FLOW_IPV4;
1026 
1027  p1->flow = &f;
1028  p1->flowflags |= FLOW_PKT_TOSERVER;
1029  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1030  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1031  p2->flow = &f;
1032  p2->flowflags |= FLOW_PKT_TOCLIENT;
1033  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1034  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1035  f.alproto = ALPROTO_HTTP1;
1036 
1037  StreamTcpInitConfig(true);
1038 
1039  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1040  FAIL_IF_NULL(de_ctx);
1041  de_ctx->flags |= DE_QUIET;
1042 
1043  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1044  "(msg:\"http stat msg test\"; "
1045  "content:\"ab\"; http_stat_msg; depth:2; "
1046  "content:\"ef\"; http_stat_msg; distance:2; "
1047  "sid:1;)");
1048  FAIL_IF_NULL(s);
1049 
1050  SigGroupBuild(de_ctx);
1051  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1052 
1053  int r = AppLayerParserParse(
1054  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1055  FAIL_IF_NOT(r == 0);
1056 
1057  HtpState *http_state = f.alstate;
1058  FAIL_IF_NULL(http_state);
1059 
1060  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1061  FAIL_IF(PacketAlertCheck(p1, 1));
1062 
1063  r = AppLayerParserParse(
1064  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1065  FAIL_IF_NOT(r == 0);
1066 
1067  /* do detect */
1068  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1069  FAIL_IF(!PacketAlertCheck(p2, 1));
1070 
1071  UTHFreePackets(&p1, 1);
1072  UTHFreePackets(&p2, 1);
1073  FLOW_DESTROY(&f);
1074  AppLayerParserThreadCtxFree(alp_tctx);
1075  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1076  DetectEngineCtxFree(de_ctx);
1077  StreamTcpFreeConfig(true);
1078  StatsThreadCleanup(&th_v.stats);
1079  PASS;
1080 }
1081 
1082 static int DetectEngineHttpStatMsgTest13(void)
1083 {
1084  TcpSession ssn;
1085  ThreadVars th_v;
1086  DetectEngineThreadCtx *det_ctx = NULL;
1087  Flow f;
1088  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
1089  "Host: www.openinfosecfoundation.org\r\n"
1090  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1091  "Gecko/20091221 Firefox/3.5.7\r\n"
1092  "\r\n";
1093  uint32_t http_len1 = sizeof(http_buf1) - 1;
1094  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
1095  "Content-Type: text/html\r\n"
1096  "Content-Length: 6\r\n"
1097  "\r\n"
1098  "abcdef";
1099  uint32_t http_len2 = sizeof(http_buf2) - 1;
1100  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1101 
1102  memset(&th_v, 0, sizeof(th_v));
1103  StatsThreadInit(&th_v.stats);
1104  memset(&f, 0, sizeof(f));
1105  memset(&ssn, 0, sizeof(ssn));
1106 
1107  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1108  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1109 
1110  FLOW_INITIALIZE(&f);
1111  f.protoctx = (void *)&ssn;
1112  f.proto = IPPROTO_TCP;
1113  f.flags |= FLOW_IPV4;
1114 
1115  p1->flow = &f;
1116  p1->flowflags |= FLOW_PKT_TOSERVER;
1117  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1118  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1119  p2->flow = &f;
1120  p2->flowflags |= FLOW_PKT_TOCLIENT;
1121  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1122  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1123  f.alproto = ALPROTO_HTTP1;
1124 
1125  StreamTcpInitConfig(true);
1126 
1127  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1128  FAIL_IF_NULL(de_ctx);
1129  de_ctx->flags |= DE_QUIET;
1130 
1131  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1132  "(msg:\"http stat msg test\"; "
1133  "content:\"ab\"; http_stat_msg; depth:3; "
1134  "content:!\"yz\"; http_stat_msg; distance:2; "
1135  "sid:1;)");
1136  FAIL_IF_NULL(s);
1137 
1138  SigGroupBuild(de_ctx);
1139  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1140 
1141  int r = AppLayerParserParse(
1142  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1143  FAIL_IF_NOT(r == 0);
1144 
1145  HtpState *http_state = f.alstate;
1146  FAIL_IF_NULL(http_state);
1147 
1148  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1149  FAIL_IF(PacketAlertCheck(p1, 1));
1150 
1151  r = AppLayerParserParse(
1152  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1153  FAIL_IF_NOT(r == 0);
1154 
1155  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1156  FAIL_IF(!PacketAlertCheck(p2, 1));
1157 
1158  UTHFreePackets(&p1, 1);
1159  UTHFreePackets(&p2, 1);
1160  FLOW_DESTROY(&f);
1161  AppLayerParserThreadCtxFree(alp_tctx);
1162  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1163  DetectEngineCtxFree(de_ctx);
1164  StreamTcpFreeConfig(true);
1165  StatsThreadCleanup(&th_v.stats);
1166  PASS;
1167 }
1168 
1169 static int DetectEngineHttpStatMsgTest14(void)
1170 {
1171  TcpSession ssn;
1172  ThreadVars th_v;
1173  DetectEngineThreadCtx *det_ctx = NULL;
1174  Flow f;
1175  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
1176  "Host: www.openinfosecfoundation.org\r\n"
1177  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1178  "Gecko/20091221 Firefox/3.5.7\r\n"
1179  "\r\n";
1180  uint32_t http_len1 = sizeof(http_buf1) - 1;
1181  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
1182  "Content-Type: text/html\r\n"
1183  "Content-Length: 6\r\n"
1184  "\r\n"
1185  "abcdef";
1186  uint32_t http_len2 = sizeof(http_buf2) - 1;
1187  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1188 
1189  memset(&th_v, 0, sizeof(th_v));
1190  StatsThreadInit(&th_v.stats);
1191  memset(&f, 0, sizeof(f));
1192  memset(&ssn, 0, sizeof(ssn));
1193 
1194  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1195  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1196 
1197  FLOW_INITIALIZE(&f);
1198  f.protoctx = (void *)&ssn;
1199  f.proto = IPPROTO_TCP;
1200  f.flags |= FLOW_IPV4;
1201 
1202  p1->flow = &f;
1203  p1->flowflags |= FLOW_PKT_TOSERVER;
1204  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1205  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1206  p2->flow = &f;
1207  p2->flowflags |= FLOW_PKT_TOCLIENT;
1208  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1209  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1210  f.alproto = ALPROTO_HTTP1;
1211 
1212  StreamTcpInitConfig(true);
1213 
1214  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1215  FAIL_IF_NULL(de_ctx);
1216  de_ctx->flags |= DE_QUIET;
1217 
1218  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1219  "(msg:\"http stat msg test\"; "
1220  "pcre:/ab/Y; "
1221  "content:\"ef\"; http_stat_msg; distance:2; "
1222  "sid:1;)");
1223  FAIL_IF_NULL(s);
1224 
1225  SigGroupBuild(de_ctx);
1226  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1227 
1228  int r = AppLayerParserParse(
1229  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1230  FAIL_IF_NOT(r == 0);
1231 
1232  HtpState *http_state = f.alstate;
1233  FAIL_IF_NULL(http_state);
1234 
1235  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1236  FAIL_IF(PacketAlertCheck(p1, 1));
1237 
1238  r = AppLayerParserParse(
1239  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1240  FAIL_IF_NOT(r == 0);
1241 
1242  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1243  FAIL_IF(!PacketAlertCheck(p2, 1));
1244 
1245  UTHFreePackets(&p1, 1);
1246  UTHFreePackets(&p2, 1);
1247  FLOW_DESTROY(&f);
1248  AppLayerParserThreadCtxFree(alp_tctx);
1249  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1250  DetectEngineCtxFree(de_ctx);
1251  StreamTcpFreeConfig(true);
1252  StatsThreadCleanup(&th_v.stats);
1253  PASS;
1254 }
1255 
1256 static int DetectEngineHttpStatMsgTest15(void)
1257 {
1258  TcpSession ssn;
1259  ThreadVars th_v;
1260  DetectEngineThreadCtx *det_ctx = NULL;
1261  Flow f;
1262  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
1263  "Host: www.openinfosecfoundation.org\r\n"
1264  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1265  "Gecko/20091221 Firefox/3.5.7\r\n"
1266  "\r\n";
1267  uint32_t http_len1 = sizeof(http_buf1) - 1;
1268  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
1269  "Content-Type: text/html\r\n"
1270  "Content-Length: 6\r\n"
1271  "\r\n"
1272  "abcdef";
1273  uint32_t http_len2 = sizeof(http_buf2) - 1;
1274  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1275 
1276  memset(&th_v, 0, sizeof(th_v));
1277  StatsThreadInit(&th_v.stats);
1278  memset(&f, 0, sizeof(f));
1279  memset(&ssn, 0, sizeof(ssn));
1280 
1281  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1282  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1283 
1284  FLOW_INITIALIZE(&f);
1285  f.protoctx = (void *)&ssn;
1286  f.proto = IPPROTO_TCP;
1287  f.flags |= FLOW_IPV4;
1288 
1289  p1->flow = &f;
1290  p1->flowflags |= FLOW_PKT_TOSERVER;
1291  p1->flowflags |= FLOW_PKT_ESTABLISHED;
1292  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1293  p2->flow = &f;
1294  p2->flowflags |= FLOW_PKT_TOCLIENT;
1295  p2->flowflags |= FLOW_PKT_ESTABLISHED;
1296  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1297  f.alproto = ALPROTO_HTTP1;
1298 
1299  StreamTcpInitConfig(true);
1300 
1301  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1302  FAIL_IF_NULL(de_ctx);
1303  de_ctx->flags |= DE_QUIET;
1304 
1305  Signature *s =
1306  DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1307  "(msg:\"http stat msg test\"; "
1308  "pcre:/abc/Y; "
1309  "content:!\"xyz\"; http_stat_msg; distance:0; within:3; "
1310  "sid:1;)");
1311  FAIL_IF_NULL(s);
1312 
1313  SigGroupBuild(de_ctx);
1314  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1315 
1316  int r = AppLayerParserParse(
1317  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1318  FAIL_IF_NOT(r == 0);
1319 
1320  HtpState *http_state = f.alstate;
1321  FAIL_IF_NULL(http_state);
1322 
1323  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1324  FAIL_IF(PacketAlertCheck(p1, 1));
1325 
1326  r = AppLayerParserParse(
1327  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1328  FAIL_IF_NOT(r == 0);
1329 
1330  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1331  FAIL_IF(!PacketAlertCheck(p2, 1));
1332 
1333  UTHFreePackets(&p1, 1);
1334  UTHFreePackets(&p2, 1);
1335  FLOW_DESTROY(&f);
1336  AppLayerParserThreadCtxFree(alp_tctx);
1337  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1338  DetectEngineCtxFree(de_ctx);
1339  StreamTcpFreeConfig(true);
1340  StatsThreadCleanup(&th_v.stats);
1341  PASS;
1342 }
1343 
1344 /** \test Check the signature working to alert when http_stat_msg is matched . */
1345 static int DetectHttpStatMsgSigTest01(void)
1346 {
1347  Flow f;
1348  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1349  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1350  uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
1351  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1352  TcpSession ssn;
1353  ThreadVars th_v;
1354  DetectEngineThreadCtx *det_ctx = NULL;
1355  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1356 
1357  memset(&th_v, 0, sizeof(th_v));
1358  StatsThreadInit(&th_v.stats);
1359  memset(&f, 0, sizeof(f));
1360  memset(&ssn, 0, sizeof(ssn));
1361 
1362  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1363 
1364  FLOW_INITIALIZE(&f);
1365  f.protoctx = (void *)&ssn;
1366  f.proto = IPPROTO_TCP;
1367  f.flags |= FLOW_IPV4;
1368 
1369  p->flow = &f;
1370  p->flowflags |= FLOW_PKT_TOCLIENT;
1371  p->flowflags |= FLOW_PKT_ESTABLISHED;
1372  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1373  f.alproto = ALPROTO_HTTP1;
1374 
1375  StreamTcpInitConfig(true);
1376 
1377  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1378  FAIL_IF_NULL(de_ctx);
1379  de_ctx->flags |= DE_QUIET;
1380 
1381  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1382  "\"HTTP status message\"; content:\"OK\"; "
1383  "http_stat_msg; sid:1;)");
1384  FAIL_IF_NULL(s);
1385 
1386  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"HTTP "
1387  "Status message nocase\"; content:\"ok\"; nocase; "
1388  "http_stat_msg; sid:2;)");
1389  FAIL_IF_NULL(s);
1390 
1391  SigGroupBuild(de_ctx);
1392  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1393 
1394  int r = AppLayerParserParse(
1395  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1396  FAIL_IF_NOT(r == 0);
1397 
1398  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
1399  FAIL_IF_NOT(r == 0);
1400 
1401  HtpState *http_state = f.alstate;
1402  FAIL_IF_NULL(http_state);
1403 
1404  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1405  FAIL_IF(!(PacketAlertCheck(p, 1)));
1406  FAIL_IF(!(PacketAlertCheck(p, 2)));
1407 
1408  UTHFreePackets(&p, 1);
1409  FLOW_DESTROY(&f);
1410  AppLayerParserThreadCtxFree(alp_tctx);
1411  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1412  DetectEngineCtxFree(de_ctx);
1413  StreamTcpFreeConfig(true);
1414  StatsThreadCleanup(&th_v.stats);
1415  PASS;
1416 }
1417 
1418 /** \test Check the signature working to alert when http_stat_msg is not matched . */
1419 static int DetectHttpStatMsgSigTest02(void)
1420 {
1421  Flow f;
1422  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1423  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1424  uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
1425  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1426  TcpSession ssn;
1427  ThreadVars th_v;
1428  DetectEngineThreadCtx *det_ctx = NULL;
1429  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1430 
1431  memset(&th_v, 0, sizeof(th_v));
1432  StatsThreadInit(&th_v.stats);
1433  memset(&f, 0, sizeof(f));
1434  memset(&ssn, 0, sizeof(ssn));
1435 
1436  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1437 
1438  FLOW_INITIALIZE(&f);
1439  f.protoctx = (void *)&ssn;
1440  f.proto = IPPROTO_TCP;
1441  f.flags |= FLOW_IPV4;
1442 
1443  p->flow = &f;
1444  p->flowflags |= FLOW_PKT_TOCLIENT;
1445  p->flowflags |= FLOW_PKT_ESTABLISHED;
1446  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1447  f.alproto = ALPROTO_HTTP1;
1448 
1449  StreamTcpInitConfig(true);
1450 
1451  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1452  FAIL_IF_NULL(de_ctx);
1453  de_ctx->flags |= DE_QUIET;
1454 
1455  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1456  "\"HTTP status message\"; content:\"no\"; "
1457  "http_stat_msg; sid:1;)");
1458  FAIL_IF_NULL(s);
1459 
1460  SigGroupBuild(de_ctx);
1461  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1462 
1463  int r = AppLayerParserParse(
1464  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1465  FAIL_IF_NOT(r == 0);
1466 
1467  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
1468  FAIL_IF_NOT(r == 0);
1469 
1470  HtpState *http_state = f.alstate;
1471  FAIL_IF_NULL(http_state);
1472 
1473  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1474  FAIL_IF(PacketAlertCheck(p, 1));
1475 
1476  UTHFreePackets(&p, 1);
1477  FLOW_DESTROY(&f);
1478  AppLayerParserThreadCtxFree(alp_tctx);
1479  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1480  DetectEngineCtxFree(de_ctx);
1481  StreamTcpFreeConfig(true);
1482  StatsThreadCleanup(&th_v.stats);
1483  PASS;
1484 }
1485 
1486 /** \test Check the signature working to alert when http_stat_msg is used with
1487  * negated content . */
1488 static int DetectHttpStatMsgSigTest03(void)
1489 {
1490  Flow f;
1491  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1492  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1493  uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
1494  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1495  TcpSession ssn;
1496  ThreadVars th_v;
1497  DetectEngineThreadCtx *det_ctx = NULL;
1498  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1499 
1500  memset(&th_v, 0, sizeof(th_v));
1501  StatsThreadInit(&th_v.stats);
1502  memset(&f, 0, sizeof(f));
1503  memset(&ssn, 0, sizeof(ssn));
1504 
1505  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1506 
1507  FLOW_INITIALIZE(&f);
1508  f.protoctx = (void *)&ssn;
1509  f.proto = IPPROTO_TCP;
1510  f.flags |= FLOW_IPV4;
1511 
1512  p->flow = &f;
1513  p->flowflags |= FLOW_PKT_TOCLIENT;
1514  p->flowflags |= FLOW_PKT_ESTABLISHED;
1515  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1516  f.alproto = ALPROTO_HTTP1;
1517 
1518  StreamTcpInitConfig(true);
1519 
1520  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1521  FAIL_IF_NULL(de_ctx);
1522  de_ctx->flags |= DE_QUIET;
1523 
1524  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1525  "\"HTTP status message\"; content:\"ok\"; "
1526  "nocase; http_stat_msg; sid:1;)");
1527  FAIL_IF_NULL(s);
1528 
1529  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"HTTP "
1530  "Status message nocase\"; content:!\"Not\"; "
1531  "http_stat_msg; sid:2;)");
1532  FAIL_IF_NULL(s);
1533 
1534  SigGroupBuild(de_ctx);
1535  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1536 
1537  int r = AppLayerParserParse(
1538  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1539  FAIL_IF_NOT(r == 0);
1540 
1541  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
1542  FAIL_IF_NOT(r == 0);
1543 
1544  HtpState *http_state = f.alstate;
1545  FAIL_IF_NULL(http_state);
1546 
1547  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1548 
1549  FAIL_IF(!PacketAlertCheck(p, 1));
1550  FAIL_IF(!PacketAlertCheck(p, 2));
1551 
1552  UTHFreePackets(&p, 1);
1553  FLOW_DESTROY(&f);
1554  AppLayerParserThreadCtxFree(alp_tctx);
1555  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1556  DetectEngineCtxFree(de_ctx);
1557  StreamTcpFreeConfig(true);
1558  StatsThreadCleanup(&th_v.stats);
1559  PASS;
1560 }
1561 
1562 /**
1563  * \brief Register the UNITTESTS for the http_stat_msg keyword
1564  */
1565 void DetectHttpStatMsgRegisterTests(void)
1566 {
1567  UtRegisterTest("DetectHttpStatMsgSigTest01", DetectHttpStatMsgSigTest01);
1568  UtRegisterTest("DetectHttpStatMsgSigTest02", DetectHttpStatMsgSigTest02);
1569  UtRegisterTest("DetectHttpStatMsgSigTest03", DetectHttpStatMsgSigTest03);
1570 
1571  UtRegisterTest("DetectEngineHttpStatMsgTest01", DetectEngineHttpStatMsgTest01);
1572  UtRegisterTest("DetectEngineHttpStatMsgTest02", DetectEngineHttpStatMsgTest02);
1573  UtRegisterTest("DetectEngineHttpStatMsgTest03", DetectEngineHttpStatMsgTest03);
1574  UtRegisterTest("DetectEngineHttpStatMsgTest04", DetectEngineHttpStatMsgTest04);
1575  UtRegisterTest("DetectEngineHttpStatMsgTest05", DetectEngineHttpStatMsgTest05);
1576  UtRegisterTest("DetectEngineHttpStatMsgTest06", DetectEngineHttpStatMsgTest06);
1577  UtRegisterTest("DetectEngineHttpStatMsgTest07", DetectEngineHttpStatMsgTest07);
1578  UtRegisterTest("DetectEngineHttpStatMsgTest08", DetectEngineHttpStatMsgTest08);
1579  UtRegisterTest("DetectEngineHttpStatMsgTest09", DetectEngineHttpStatMsgTest09);
1580  UtRegisterTest("DetectEngineHttpStatMsgTest10", DetectEngineHttpStatMsgTest10);
1581  UtRegisterTest("DetectEngineHttpStatMsgTest11", DetectEngineHttpStatMsgTest11);
1582  UtRegisterTest("DetectEngineHttpStatMsgTest12", DetectEngineHttpStatMsgTest12);
1583  UtRegisterTest("DetectEngineHttpStatMsgTest13", DetectEngineHttpStatMsgTest13);
1584  UtRegisterTest("DetectEngineHttpStatMsgTest14", DetectEngineHttpStatMsgTest14);
1585  UtRegisterTest("DetectEngineHttpStatMsgTest15", DetectEngineHttpStatMsgTest15);
1586 }
1587 
1588 /**
1589  * @}
1590  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:370
DetectHttpStatMsgRegisterTests
void DetectHttpStatMsgRegisterTests(void)
Register the UNITTESTS for the http_stat_msg keyword.
Definition: detect-http-stat-msg.c:1565
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2418
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3447
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
HtpState_
Definition: app-layer-htp.h:181
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:496
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:19
DetectEngineThreadCtx_
Definition: detect.h:1245
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:24
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
Packet_
Definition: decode.h:501
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1258
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:867
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1277
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3601
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:935
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1354
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456