31 #include "../suricata-common.h"
32 #include "../suricata.h"
33 #include "../flow-util.h"
35 #include "../app-layer-parser.h"
36 #include "../util-unittest.h"
37 #include "../util-unittest-helper.h"
38 #include "../app-layer.h"
39 #include "../app-layer-htp.h"
40 #include "../app-layer-protos.h"
41 #include "../detect-engine-build.h"
42 #include "../detect-engine-alert.h"
/**
 * \test http_stat_msg keyword: plain content match on the status message.
 *
 * Only fragments of this test are visible on this page. The declarations of
 * th_v/f/ssn, the parser calls that feed http_buf1/http_buf2 into the flow,
 * the signature setup and the final pass/fail check are outside this view,
 * so the expected outcome (alert vs. no alert) cannot be read from here.
 *
 * What is visible: a request (http_buf1), a response whose status line is
 * "HTTP/1.0 200 message" (http_buf2), and a rule fragment that looks for
 * "message" in the http_stat_msg buffer, i.e. the text after the status code.
 */
44 static int DetectEngineHttpStatMsgTest01(
void)
/* Client-to-server side: request line plus headers. */
50 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
51 "Host: www.openinfosecfoundation.org\r\n"
52 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
53 "Gecko/20091221 Firefox/3.5.7\r\n"
/* sizeof counts the terminating NUL; -1 yields the number of wire bytes. */
55 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client side; "message" is the status message the rule inspects. */
56 uint8_t http_buf2[] =
"HTTP/1.0 200 message\r\n"
57 "Content-Type: text/html\r\n"
58 "Content-Length: 7\r\n"
61 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero the per-thread vars, flow and session (presumably ThreadVars, Flow,
 * TcpSession; their declarations are outside this view). */
64 memset(&th_v, 0,
sizeof(th_v));
65 memset(&f, 0,
sizeof(f));
66 memset(&ssn, 0,
sizeof(ssn));
/* The flow is TCP, as HTTP is carried over TCP here. */
73 f.
proto = IPPROTO_TCP;
/* Rule fragment: content "message" restricted to the http_stat_msg buffer. */
93 "(msg:\"http stat msg test\"; "
94 "content:\"message\"; http_stat_msg; "
/**
 * \test http_stat_msg keyword combined with the offset modifier.
 *
 * Only fragments are visible here: declarations, parser calls and the final
 * pass/fail check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the response status message is "xxxxABC" and the rule searches for
 * "ABC" in http_stat_msg with offset:4, i.e. the search starts after the four
 * leading "x" bytes.
 */
132 static int DetectEngineHttpStatMsgTest02(
void)
/* Client-to-server request. */
138 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
139 "Host: www.openinfosecfoundation.org\r\n"
140 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
141 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
143 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "xxxxABC". */
144 uint8_t http_buf2[] =
"HTTP/1.0 200 xxxxABC\r\n"
145 "Content-Type: text/html\r\n"
146 "Content-Length: 7\r\n"
149 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
152 memset(&th_v, 0,
sizeof(th_v));
153 memset(&f, 0,
sizeof(f));
154 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
160 f.
proto = IPPROTO_TCP;
/* Rule fragment: "ABC" in http_stat_msg, search starting at byte offset 4. */
176 "(msg:\"http stat msg test\"; "
177 "content:\"ABC\"; http_stat_msg; offset:4; "
/**
 * \test http_stat_msg with offset when the status line arrives in two chunks.
 *
 * Only fragments are visible here: declarations, the parser calls and the
 * final pass/fail check lie outside this view, so the expected outcome is
 * not shown.
 *
 * Visible: the status line is split between http_buf2 ("HTTP/1.0 200 1234567",
 * no CRLF) and http_buf3 ("8901234ABC\r\n" plus headers). Presumably the two
 * buffers are handed to the parser separately, so the status message
 * "12345678901234ABC" only exists once both pieces are reassembled; the rule
 * looks for "ABC" with offset:14, which is where "ABC" starts in that string.
 * Matching across such a split matters because a detection that only saw the
 * first chunk would miss the pattern.
 */
209 static int DetectEngineHttpStatMsgTest03(
void)
/* Client-to-server request. */
215 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
216 "Host: www.openinfosecfoundation.org\r\n"
217 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
218 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
220 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* First half of the response status line; note: no trailing CRLF. */
221 uint8_t http_buf2[] =
"HTTP/1.0 200 1234567";
222 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Second half of the status line followed by the headers. */
223 uint8_t http_buf3[] =
"8901234ABC\r\n"
224 "Content-Type: text/html\r\n"
225 "Content-Length: 17\r\n"
228 uint32_t http_len3 =
sizeof(http_buf3) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
231 memset(&th_v, 0,
sizeof(th_v));
232 memset(&f, 0,
sizeof(f));
233 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
240 f.
proto = IPPROTO_TCP;
/* Rule fragment: "ABC" in http_stat_msg, search starting at byte offset 14. */
260 "(msg:\"http stat msg test\"; "
261 "content:\"ABC\"; http_stat_msg; offset:14; "
/**
 * \test http_stat_msg with a negated content and the offset modifier.
 *
 * Only fragments are visible here: declarations, parser calls and the final
 * pass/fail check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef" and the rule uses content:!"abc"
 * with offset:3. Per the offset keyword semantics, only bytes from position 3
 * on ("def") are searched, so "abc" should not be found there and the
 * negation should hold; whether the test asserts an alert is not visible.
 */
300 static int DetectEngineHttpStatMsgTest04(
void)
/* Client-to-server request. */
306 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
307 "Host: www.openinfosecfoundation.org\r\n"
308 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
309 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
311 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
312 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
313 "Content-Type: text/html\r\n"
314 "Content-Length: 6\r\n"
317 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
320 memset(&th_v, 0,
sizeof(th_v));
321 memset(&f, 0,
sizeof(f));
322 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
329 f.
proto = IPPROTO_TCP;
/* Rule fragment: negated "abc" in http_stat_msg, searched from byte offset 3. */
349 "(msg:\"http stat msg test\"; "
350 "content:!\"abc\"; http_stat_msg; offset:3; "
/**
 * \test http_stat_msg with the depth modifier.
 *
 * Only fragments are visible here: declarations, parser calls and the final
 * pass/fail check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef" and the rule looks for "abc" with
 * depth:3, i.e. the pattern must be found within the first three bytes.
 */
385 static int DetectEngineHttpStatMsgTest05(
void)
/* Client-to-server request. */
391 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
392 "Host: www.openinfosecfoundation.org\r\n"
393 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
394 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
396 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
397 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
398 "Content-Type: text/html\r\n"
399 "Content-Length: 6\r\n"
402 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
405 memset(&th_v, 0,
sizeof(th_v));
406 memset(&f, 0,
sizeof(f));
407 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
414 f.
proto = IPPROTO_TCP;
/* Rule fragment: "abc" in http_stat_msg within the first 3 bytes. */
434 "(msg:\"http stat msg test\"; "
435 "content:\"abc\"; http_stat_msg; depth:3; "
/**
 * \test http_stat_msg with a negated content and the depth modifier.
 *
 * Only fragments are visible here: declarations, parser calls and the final
 * pass/fail check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef" and the rule uses content:!"def"
 * with depth:3, so only the first three bytes ("abc") are searched for "def".
 */
470 static int DetectEngineHttpStatMsgTest06(
void)
/* Client-to-server request. */
476 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
477 "Host: www.openinfosecfoundation.org\r\n"
478 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
479 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
481 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
482 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
483 "Content-Type: text/html\r\n"
484 "Content-Length: 6\r\n"
487 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
490 memset(&th_v, 0,
sizeof(th_v));
491 memset(&f, 0,
sizeof(f));
492 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
499 f.
proto = IPPROTO_TCP;
/* Rule fragment: negated "def" in http_stat_msg, limited to the first 3 bytes. */
519 "(msg:\"http stat msg test\"; "
520 "content:!\"def\"; http_stat_msg; depth:3; "
/**
 * \test http_stat_msg with a negated content and the offset modifier, where
 *       the negated pattern is present in the searched region.
 *
 * Only fragments are visible here: declarations, parser calls and the final
 * pass/fail check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef" and the rule uses content:!"def"
 * with offset:3. Bytes from position 3 on are exactly "def", so the negation
 * should fail to hold; the assertion that checks this is not visible.
 */
555 static int DetectEngineHttpStatMsgTest07(
void)
/* Client-to-server request. */
561 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
562 "Host: www.openinfosecfoundation.org\r\n"
563 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
564 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
566 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
567 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
568 "Content-Type: text/html\r\n"
569 "Content-Length: 6\r\n"
572 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
575 memset(&th_v, 0,
sizeof(th_v));
576 memset(&f, 0,
sizeof(f));
577 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
584 f.
proto = IPPROTO_TCP;
/* Rule fragment: negated "def" in http_stat_msg, searched from byte offset 3. */
604 "(msg:\"http stat msg test\"; "
605 "content:!\"def\"; http_stat_msg; offset:3; "
/**
 * \test http_stat_msg with a negated content and the depth modifier, where
 *       the negated pattern is present in the searched region.
 *
 * Only fragments are visible here: declarations, parser calls and the final
 * pass/fail check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef" and the rule uses content:!"abc"
 * with depth:3. The first three bytes are exactly "abc", so the negation
 * should fail to hold; the assertion that checks this is not visible.
 */
640 static int DetectEngineHttpStatMsgTest08(
void)
/* Client-to-server request. */
646 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
647 "Host: www.openinfosecfoundation.org\r\n"
648 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
649 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
651 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
652 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
653 "Content-Type: text/html\r\n"
654 "Content-Length: 6\r\n"
657 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
660 memset(&th_v, 0,
sizeof(th_v));
661 memset(&f, 0,
sizeof(f));
662 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
669 f.
proto = IPPROTO_TCP;
/* Rule fragment: negated "abc" in http_stat_msg, limited to the first 3 bytes. */
689 "(msg:\"http stat msg test\"; "
690 "content:!\"abc\"; http_stat_msg; depth:3; "
/**
 * \test http_stat_msg with two chained contents: depth then within.
 *
 * Only fragments are visible here: declarations, parser calls and the final
 * pass/fail check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef"; the rule anchors "abc" in the
 * first three bytes (depth:3) and then requires "def" within the next three
 * bytes (within:3) relative to that match.
 */
725 static int DetectEngineHttpStatMsgTest09(
void)
/* Client-to-server request. */
731 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
732 "Host: www.openinfosecfoundation.org\r\n"
733 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
734 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
736 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
737 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
738 "Content-Type: text/html\r\n"
739 "Content-Length: 6\r\n"
742 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
745 memset(&th_v, 0,
sizeof(th_v));
746 memset(&f, 0,
sizeof(f));
747 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
754 f.
proto = IPPROTO_TCP;
/* Rule fragment: "abc" in the first 3 bytes, then "def" within 3 bytes of it. */
774 "(msg:\"http stat msg test\"; "
775 "content:\"abc\"; http_stat_msg; depth:3; "
776 "content:\"def\"; http_stat_msg; within:3; "
/**
 * \test http_stat_msg with a chained negated content using within.
 *
 * Only fragments are visible here: declarations, parser calls and the final
 * pass/fail check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef"; the rule anchors "abc" in the
 * first three bytes (depth:3) and then requires that "xyz" does NOT appear
 * within the following three bytes (content:!"xyz"; within:3).
 */
811 static int DetectEngineHttpStatMsgTest10(
void)
/* Client-to-server request. */
817 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
818 "Host: www.openinfosecfoundation.org\r\n"
819 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
820 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
822 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
823 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
824 "Content-Type: text/html\r\n"
825 "Content-Length: 6\r\n"
828 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
831 memset(&th_v, 0,
sizeof(th_v));
832 memset(&f, 0,
sizeof(f));
833 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
840 f.
proto = IPPROTO_TCP;
/* Rule fragment: "abc" in the first 3 bytes, then no "xyz" within 3 bytes of it. */
860 "(msg:\"http stat msg test\"; "
861 "content:\"abc\"; http_stat_msg; depth:3; "
862 "content:!\"xyz\"; http_stat_msg; within:3; "
/**
 * \test http_stat_msg with a chained positive content that is absent.
 *
 * Only fragments are visible here: declarations, parser calls and the final
 * pass/fail check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef"; the rule anchors "abc" in the
 * first three bytes (depth:3) and then requires "xyz" within the following
 * three bytes (within:3). "xyz" does not occur in "abcdef", so the second
 * content should not match; the assertion that checks this is not visible.
 */
897 static int DetectEngineHttpStatMsgTest11(
void)
/* Client-to-server request. */
903 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
904 "Host: www.openinfosecfoundation.org\r\n"
905 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
906 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
908 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
909 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
910 "Content-Type: text/html\r\n"
911 "Content-Length: 6\r\n"
914 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
917 memset(&th_v, 0,
sizeof(th_v));
918 memset(&f, 0,
sizeof(f));
919 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
926 f.
proto = IPPROTO_TCP;
/* Rule fragment: "abc" in the first 3 bytes, then "xyz" within 3 bytes of it. */
946 "(msg:\"http stat msg test\"; "
947 "content:\"abc\"; http_stat_msg; depth:3; "
948 "content:\"xyz\"; http_stat_msg; within:3; "
/**
 * \test http_stat_msg with two chained contents: depth then distance.
 *
 * Only fragments are visible here: declarations, parser calls and the final
 * pass/fail check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef"; the rule anchors "ab" in the first
 * two bytes (depth:2) and then requires "ef" at least two bytes after that
 * match (distance:2), which skips "cd".
 */
983 static int DetectEngineHttpStatMsgTest12(
void)
/* Client-to-server request. */
989 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
990 "Host: www.openinfosecfoundation.org\r\n"
991 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
992 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
994 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
995 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
996 "Content-Type: text/html\r\n"
997 "Content-Length: 6\r\n"
1000 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
1003 memset(&th_v, 0,
sizeof(th_v));
1004 memset(&f, 0,
sizeof(f));
1005 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
1012 f.
proto = IPPROTO_TCP;
/* Rule fragment: "ab" in the first 2 bytes, then "ef" at distance 2 from it. */
1032 "(msg:\"http stat msg test\"; "
1033 "content:\"ab\"; http_stat_msg; depth:2; "
1034 "content:\"ef\"; http_stat_msg; distance:2; "
/**
 * \test http_stat_msg with a chained negated content using distance.
 *
 * Only fragments are visible here: declarations, parser calls and the final
 * pass/fail check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef"; the rule anchors "ab" within the
 * first three bytes (depth:3) and then requires that "yz" does NOT occur at
 * distance 2 or more after that match (content:!"yz"; distance:2).
 */
1070 static int DetectEngineHttpStatMsgTest13(
void)
/* Client-to-server request. */
1076 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
1077 "Host: www.openinfosecfoundation.org\r\n"
1078 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1079 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
1081 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
1082 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
1083 "Content-Type: text/html\r\n"
1084 "Content-Length: 6\r\n"
1087 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
1090 memset(&th_v, 0,
sizeof(th_v));
1091 memset(&f, 0,
sizeof(f));
1092 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
1099 f.
proto = IPPROTO_TCP;
/* Rule fragment: "ab" in the first 3 bytes, then no "yz" at distance 2 from it. */
1119 "(msg:\"http stat msg test\"; "
1120 "content:\"ab\"; http_stat_msg; depth:3; "
1121 "content:!\"yz\"; http_stat_msg; distance:2; "
/**
 * \test http_stat_msg with a chained content using distance.
 *
 * Only fragments are visible here: declarations, parser calls, the first
 * content of the rule (file line 1206 is not shown) and the final pass/fail
 * check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef" and the second content requires
 * "ef" at distance 2 or more after the preceding (unseen) match.
 */
1156 static int DetectEngineHttpStatMsgTest14(
void)
/* Client-to-server request. */
1162 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
1163 "Host: www.openinfosecfoundation.org\r\n"
1164 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1165 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
1167 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
1168 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
1169 "Content-Type: text/html\r\n"
1170 "Content-Length: 6\r\n"
1173 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
1176 memset(&th_v, 0,
sizeof(th_v));
1177 memset(&f, 0,
sizeof(f));
1178 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
1185 f.
proto = IPPROTO_TCP;
/* Rule fragment; the first content (between these two lines) is not visible here. */
1205 "(msg:\"http stat msg test\"; "
1207 "content:\"ef\"; http_stat_msg; distance:2; "
/**
 * \test http_stat_msg with a chained negated content using distance and within.
 *
 * Only fragments are visible here: declarations, parser calls, the first
 * content of the rule (file line 1293 is not shown) and the final pass/fail
 * check lie outside this view, so the expected outcome is not shown.
 *
 * Visible: the status message is "abcdef" and the second content requires
 * that "xyz" does NOT occur in the three bytes immediately following the
 * preceding (unseen) match (content:!"xyz"; distance:0; within:3).
 */
1242 static int DetectEngineHttpStatMsgTest15(
void)
/* Client-to-server request. */
1248 uint8_t http_buf1[] =
"GET /index.html HTTP/1.0\r\n"
1249 "Host: www.openinfosecfoundation.org\r\n"
1250 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1251 "Gecko/20091221 Firefox/3.5.7\r\n"
/* -1 drops the terminating NUL from the length. */
1253 uint32_t http_len1 =
sizeof(http_buf1) - 1;
/* Server-to-client response; status message "abcdef". */
1254 uint8_t http_buf2[] =
"HTTP/1.0 200 abcdef\r\n"
1255 "Content-Type: text/html\r\n"
1256 "Content-Length: 6\r\n"
1259 uint32_t http_len2 =
sizeof(http_buf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
1262 memset(&th_v, 0,
sizeof(th_v));
1263 memset(&f, 0,
sizeof(f));
1264 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
1271 f.
proto = IPPROTO_TCP;
/* Rule fragment; the first content (between these two lines) is not visible here. */
1292 "(msg:\"http stat msg test\"; "
1294 "content:!\"xyz\"; http_stat_msg; distance:0; within:3; "
/**
 * \test Two signatures on http_stat_msg: exact case and nocase.
 *
 * Only fragments are visible here: declarations, the signature-list setup,
 * parser calls and the final pass/fail check lie outside this view, so which
 * sids are expected to alert cannot be read from here.
 *
 * Visible: a minimal POST request, a response with status line
 * "HTTP/1.0 200 OK", sid 1 looking for "OK" in http_stat_msg and sid 2
 * looking for "ok" with nocase (case-insensitive).
 */
1330 static int DetectHttpStatMsgSigTest01(
void)
/* Client-to-server request: request line, one header, end of headers. */
1333 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
/* -1 drops the terminating NUL from the length. */
1334 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
/* Server-to-client response; status message "OK", no headers. */
1335 uint8_t httpbuf2[] =
"HTTP/1.0 200 OK\r\n\r\n";
1336 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
1342 memset(&th_v, 0,
sizeof(th_v));
1343 memset(&f, 0,
sizeof(f));
1344 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
1350 f.
proto = IPPROTO_TCP;
/* sid 1: case-sensitive "OK" in http_stat_msg. */
1366 "\"HTTP status message\"; content:\"OK\"; "
1367 "http_stat_msg; sid:1;)");
/* sid 2: "ok" with nocase, so it should also cover "OK". */
1371 "Status message nocase\"; content:\"ok\"; nocase; "
1372 "http_stat_msg; sid:2;)");
/**
 * \test One signature on http_stat_msg whose pattern is absent.
 *
 * Only fragments are visible here: declarations, the signature-list setup,
 * parser calls and the final pass/fail check lie outside this view, so the
 * expected outcome cannot be read from here.
 *
 * Visible: a minimal POST request, a response with status line
 * "HTTP/1.0 200 OK", and sid 1 looking for "no" in http_stat_msg; "no" does
 * not occur in "OK", so this presumably verifies the absence of an alert.
 */
1403 static int DetectHttpStatMsgSigTest02(
void)
/* Client-to-server request: request line, one header, end of headers. */
1406 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
/* -1 drops the terminating NUL from the length. */
1407 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
/* Server-to-client response; status message "OK", no headers. */
1408 uint8_t httpbuf2[] =
"HTTP/1.0 200 OK\r\n\r\n";
1409 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
1415 memset(&th_v, 0,
sizeof(th_v));
1416 memset(&f, 0,
sizeof(f));
1417 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
1423 f.
proto = IPPROTO_TCP;
/* sid 1: "no" in http_stat_msg, which the status message "OK" does not contain. */
1439 "\"HTTP status message\"; content:\"no\"; "
1440 "http_stat_msg; sid:1;)");
/**
 * \test Two signatures on http_stat_msg: nocase match and a negated content.
 *
 * Only fragments are visible here: declarations, the signature-list setup,
 * parser calls and the final pass/fail check lie outside this view, so which
 * sids are expected to alert cannot be read from here.
 *
 * Visible: a minimal POST request, a response with status line
 * "HTTP/1.0 200 OK", sid 1 looking for "ok" with nocase and sid 2 requiring
 * that "Not" is absent from the status message (content:!"Not").
 */
1471 static int DetectHttpStatMsgSigTest03(
void)
/* Client-to-server request: request line, one header, end of headers. */
1474 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
/* -1 drops the terminating NUL from the length. */
1475 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
/* Server-to-client response; status message "OK", no headers. */
1476 uint8_t httpbuf2[] =
"HTTP/1.0 200 OK\r\n\r\n";
1477 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
/* Zero thread vars, flow and session (types declared outside this view). */
1483 memset(&th_v, 0,
sizeof(th_v));
1484 memset(&f, 0,
sizeof(f));
1485 memset(&ssn, 0,
sizeof(ssn));
/* HTTP over TCP. */
1491 f.
proto = IPPROTO_TCP;
/* sid 1: case-insensitive "ok" in http_stat_msg. */
1507 "\"HTTP status message\"; content:\"ok\"; "
1508 "nocase; http_stat_msg; sid:1;)");
/* sid 2: negated "Not" in http_stat_msg (case-sensitive). */
1512 "Status message nocase\"; content:!\"Not\"; "
1513 "http_stat_msg; sid:2;)");
/* Registration of the unit tests above with the unit-test framework. This
 * statement run sits inside a registration function whose header (and any
 * #ifdef UNITTESTS guard) is outside the visible page. The registered name
 * string is what the test runner uses to select a test, so it must stay in
 * sync with the function identifier passed alongside it. */
1549 UtRegisterTest(
"DetectHttpStatMsgSigTest01", DetectHttpStatMsgSigTest01);
1550 UtRegisterTest(
"DetectHttpStatMsgSigTest02", DetectHttpStatMsgSigTest02);
1551 UtRegisterTest(
"DetectHttpStatMsgSigTest03", DetectHttpStatMsgSigTest03);
/* Engine-level tests exercising offset/depth/within/distance on http_stat_msg. */
1553 UtRegisterTest(
"DetectEngineHttpStatMsgTest01", DetectEngineHttpStatMsgTest01);
1554 UtRegisterTest(
"DetectEngineHttpStatMsgTest02", DetectEngineHttpStatMsgTest02);
1555 UtRegisterTest(
"DetectEngineHttpStatMsgTest03", DetectEngineHttpStatMsgTest03);
1556 UtRegisterTest(
"DetectEngineHttpStatMsgTest04", DetectEngineHttpStatMsgTest04);
1557 UtRegisterTest(
"DetectEngineHttpStatMsgTest05", DetectEngineHttpStatMsgTest05);
1558 UtRegisterTest(
"DetectEngineHttpStatMsgTest06", DetectEngineHttpStatMsgTest06);
1559 UtRegisterTest(
"DetectEngineHttpStatMsgTest07", DetectEngineHttpStatMsgTest07);
1560 UtRegisterTest(
"DetectEngineHttpStatMsgTest08", DetectEngineHttpStatMsgTest08);
1561 UtRegisterTest(
"DetectEngineHttpStatMsgTest09", DetectEngineHttpStatMsgTest09);
1562 UtRegisterTest(
"DetectEngineHttpStatMsgTest10", DetectEngineHttpStatMsgTest10);
1563 UtRegisterTest(
"DetectEngineHttpStatMsgTest11", DetectEngineHttpStatMsgTest11);
1564 UtRegisterTest(
"DetectEngineHttpStatMsgTest12", DetectEngineHttpStatMsgTest12);
1565 UtRegisterTest(
"DetectEngineHttpStatMsgTest13", DetectEngineHttpStatMsgTest13);
1566 UtRegisterTest(
"DetectEngineHttpStatMsgTest14", DetectEngineHttpStatMsgTest14);
1567 UtRegisterTest(
"DetectEngineHttpStatMsgTest15", DetectEngineHttpStatMsgTest15);