1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  */
30 
31 #include "../suricata-common.h"
32 #include "../suricata.h"
33 #include "../flow-util.h"
34 #include "../flow.h"
35 #include "../app-layer-parser.h"
36 #include "../util-unittest.h"
37 #include "../util-unittest-helper.h"
38 #include "../app-layer.h"
39 #include "../app-layer-htp.h"
40 #include "../app-layer-protos.h"
41 #include "../detect-engine-build.h"
42 #include "../detect-engine-alert.h"
43 
/**
 * \test http_stat_msg with a plain content match on the response status
 *       message.
 *
 *       Signature: content:"message"; http_stat_msg; (sid 1).
 *       The request in http_buf1 is parsed TOSERVER and detection on p1 must
 *       not alert; the response "HTTP/1.0 200 message" in http_buf2 is then
 *       parsed TOCLIENT and detection on p2 must alert.
 *
 *       NOTE(review): this rendering skips several source lines (gutter
 *       numbers 62, 77-79, 81-84, 88-89, 98, 112, 124 and 126 are absent):
 *       de_ctx and alp_tctx are used without a visible declaration and the
 *       TOCLIENT parse below lacks its "r = AppLayerParserParse(" line.
 *       Confirm against the checked-in source before reasoning about them.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
44 static int DetectEngineHttpStatMsgTest01(void)
45 {
46  TcpSession ssn;
47  ThreadVars th_v;
48  DetectEngineThreadCtx *det_ctx = NULL;
49  Flow f;
50  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
51  "Host: www.openinfosecfoundation.org\r\n"
52  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
53  "Gecko/20091221 Firefox/3.5.7\r\n"
54  "\r\n";
55  uint32_t http_len1 = sizeof(http_buf1) - 1;
56  uint8_t http_buf2[] = "HTTP/1.0 200 message\r\n"
57  "Content-Type: text/html\r\n"
58  "Content-Length: 7\r\n"
59  "\r\n"
60  "message";
61  uint32_t http_len2 = sizeof(http_buf2) - 1;
63 
/* zeroed stack fixtures: thread vars, flow and TCP session */
64  memset(&th_v, 0, sizeof(th_v));
65  memset(&f, 0, sizeof(f));
66  memset(&ssn, 0, sizeof(ssn));
67 
68  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
69  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
70 
/* one IPv4 TCP flow shared by both packets, so request and response
 * end up in the same app-layer state (f.alstate) */
71  FLOW_INITIALIZE(&f);
72  f.protoctx = (void *)&ssn;
73  f.proto = IPPROTO_TCP;
74  f.flags |= FLOW_IPV4;
75 
76  p1->flow = &f;
80  p2->flow = &f;
85 
86  StreamTcpInitConfig(true);
87 
90  de_ctx->flags |= DE_QUIET;
91 
/* keyword under test: plain content match against the status message */
92  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
93  "(msg:\"http stat msg test\"; "
94  "content:\"message\"; http_stat_msg; "
95  "sid:1;)");
96  FAIL_IF_NULL(s);
97 
99  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
100 
101  int r = AppLayerParserParse(
102  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
103  FAIL_IF(r != 0);
104 
105  HtpState *http_state = f.alstate;
106  FAIL_IF_NULL(http_state);
107 
108  /* do detect: only the request has been parsed, sid 1 must not fire on p1 */
109  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
110  FAIL_IF(PacketAlertCheck(p1, 1));
111 
113  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
114  FAIL_IF(r != 0);
115 
116  /* do detect: the response is parsed now, sid 1 must fire on p2 */
117  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
118  FAIL_IF(!(PacketAlertCheck(p2, 1)));
119 
/* teardown mirrors setup: packets, flow, detect thread ctx, stream config */
120  UTHFreePackets(&p1, 1);
121  UTHFreePackets(&p2, 1);
122  FLOW_DESTROY(&f);
123 
125  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
127  StreamTcpFreeConfig(true);
128  StatsThreadCleanup(&th_v);
129  PASS;
130 }
131 
/**
 * \test http_stat_msg combined with offset.
 *
 *       Signature: content:"ABC"; http_stat_msg; offset:4; (sid 1).
 *       The status message is "xxxxABC", so "ABC" starts exactly at offset 4.
 *       Unlike the other tests here, request and response are both parsed
 *       before detection runs, and the single packet p1 must then alert.
 *
 *       NOTE(review): this rendering skips several source lines: de_ctx and
 *       alp_tctx are used without a visible declaration and the TOCLIENT
 *       parse below lacks its "r = AppLayerParserParse(" line. Confirm
 *       against the checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
132 static int DetectEngineHttpStatMsgTest02(void)
133 {
134  TcpSession ssn;
135  ThreadVars th_v;
136  DetectEngineThreadCtx *det_ctx = NULL;
137  Flow f;
138  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
139  "Host: www.openinfosecfoundation.org\r\n"
140  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
141  "Gecko/20091221 Firefox/3.5.7\r\n"
142  "\r\n";
143  uint32_t http_len1 = sizeof(http_buf1) - 1;
144  uint8_t http_buf2[] = "HTTP/1.0 200 xxxxABC\r\n"
145  "Content-Type: text/html\r\n"
146  "Content-Length: 7\r\n"
147  "\r\n"
148  "xxxxABC";
149  uint32_t http_len2 = sizeof(http_buf2) - 1;
151 
/* zeroed stack fixtures: thread vars, flow and TCP session */
152  memset(&th_v, 0, sizeof(th_v));
153  memset(&f, 0, sizeof(f));
154  memset(&ssn, 0, sizeof(ssn));
155 
156  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
157 
158  FLOW_INITIALIZE(&f);
159  f.protoctx = (void *)&ssn;
160  f.proto = IPPROTO_TCP;
161  f.flags |= FLOW_IPV4;
162 
163  p1->flow = &f;
168 
169  StreamTcpInitConfig(true);
170 
173  de_ctx->flags |= DE_QUIET;
174 
/* keyword under test: offset:4 skips the "xxxx" prefix of the status message */
175  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
176  "(msg:\"http stat msg test\"; "
177  "content:\"ABC\"; http_stat_msg; offset:4; "
178  "sid:1;)");
179  FAIL_IF_NULL(s);
180 
182  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
183 
184  int r = AppLayerParserParse(
185  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
186  FAIL_IF(r != 0);
187 
189  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
190  FAIL_IF(r != 0);
191 
192  HtpState *http_state = f.alstate;
193  FAIL_IF_NULL(http_state);
194 
/* both directions are parsed, so the status message is available and sid 1 must fire */
195  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
196  FAIL_IF(!(PacketAlertCheck(p1, 1)));
197 
/* teardown mirrors setup */
198  UTHFreePackets(&p1, 1);
199  FLOW_DESTROY(&f);
200 
202  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
204  StreamTcpFreeConfig(true);
205  StatsThreadCleanup(&th_v);
206  PASS;
207 }
208 
/**
 * \test http_stat_msg with offset when the status line is split across two
 *       response chunks.
 *
 *       Signature: content:"ABC"; http_stat_msg; offset:14; (sid 1).
 *       The response is delivered TOCLIENT in two pieces, http_buf2
 *       ("HTTP/1.0 200 1234567") and http_buf3 ("8901234ABC\r\n..."), so the
 *       reassembled status message is "12345678901234ABC" with "ABC" at
 *       offset 14. Detection on p1 (request only) must not alert; detection
 *       on p2 after both chunks must alert.
 *
 *       NOTE(review): this rendering skips several source lines: de_ctx and
 *       alp_tctx are used without a visible declaration and both TOCLIENT
 *       parse calls lack their "r = AppLayerParserParse(" line. Confirm
 *       against the checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
209 static int DetectEngineHttpStatMsgTest03(void)
210 {
211  TcpSession ssn;
212  ThreadVars th_v;
213  DetectEngineThreadCtx *det_ctx = NULL;
214  Flow f;
215  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
216  "Host: www.openinfosecfoundation.org\r\n"
217  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
218  "Gecko/20091221 Firefox/3.5.7\r\n"
219  "\r\n";
220  uint32_t http_len1 = sizeof(http_buf1) - 1;
/* first response chunk ends mid status-message */
221  uint8_t http_buf2[] = "HTTP/1.0 200 1234567";
222  uint32_t http_len2 = sizeof(http_buf2) - 1;
/* second chunk completes the status line, headers and body */
223  uint8_t http_buf3[] = "8901234ABC\r\n"
224  "Content-Type: text/html\r\n"
225  "Content-Length: 17\r\n"
226  "\r\n"
227  "12345678901234ABC";
228  uint32_t http_len3 = sizeof(http_buf3) - 1;
230 
/* zeroed stack fixtures: thread vars, flow and TCP session */
231  memset(&th_v, 0, sizeof(th_v));
232  memset(&f, 0, sizeof(f));
233  memset(&ssn, 0, sizeof(ssn));
234 
235  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
236  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
237 
238  FLOW_INITIALIZE(&f);
239  f.protoctx = (void *)&ssn;
240  f.proto = IPPROTO_TCP;
241  f.flags |= FLOW_IPV4;
242 
243  p1->flow = &f;
247  p2->flow = &f;
252 
253  StreamTcpInitConfig(true);
254 
257  de_ctx->flags |= DE_QUIET;
258 
/* keyword under test: offset:14 lands on "ABC" only after reassembly of both chunks */
259  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
260  "(msg:\"http stat msg test\"; "
261  "content:\"ABC\"; http_stat_msg; offset:14; "
262  "sid:1;)");
263  FAIL_IF_NULL(s);
264 
266  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
267 
268  int r = AppLayerParserParse(
269  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
270  FAIL_IF_NOT(r == 0);
271 
272  HtpState *http_state = f.alstate;
273  FAIL_IF_NULL(http_state);
274 
/* request only: sid 1 must not fire on p1 */
275  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
276  FAIL_IF(PacketAlertCheck(p1, 1));
277 
279  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
280  FAIL_IF_NOT(r == 0);
281 
283  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
284  FAIL_IF_NOT(r == 0);
285 
/* full response parsed: sid 1 must fire on p2 */
286  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
287  FAIL_IF(!(PacketAlertCheck(p2, 1)));
288 
/* teardown mirrors setup */
289  UTHFreePackets(&p1, 1);
290  UTHFreePackets(&p2, 1);
291  FLOW_DESTROY(&f);
293  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
295  StreamTcpFreeConfig(true);
296  StatsThreadCleanup(&th_v);
297  PASS;
298 }
299 
/**
 * \test http_stat_msg with a negated content and offset.
 *
 *       Signature: content:!"abc"; http_stat_msg; offset:3; (sid 1).
 *       The status message is "abcdef"; from offset 3 onward only "def"
 *       remains, so "abc" is absent and the negated match holds. Detection
 *       on p1 (request only) must not alert; detection on p2 after the
 *       response must alert.
 *
 *       NOTE(review): this rendering skips several source lines: de_ctx and
 *       alp_tctx are used without a visible declaration and the TOCLIENT
 *       parse below lacks its "r = AppLayerParserParse(" line. Confirm
 *       against the checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
300 static int DetectEngineHttpStatMsgTest04(void)
301 {
302  TcpSession ssn;
303  ThreadVars th_v;
304  DetectEngineThreadCtx *det_ctx = NULL;
305  Flow f;
306  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
307  "Host: www.openinfosecfoundation.org\r\n"
308  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
309  "Gecko/20091221 Firefox/3.5.7\r\n"
310  "\r\n";
311  uint32_t http_len1 = sizeof(http_buf1) - 1;
312  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
313  "Content-Type: text/html\r\n"
314  "Content-Length: 6\r\n"
315  "\r\n"
316  "abcdef";
317  uint32_t http_len2 = sizeof(http_buf2) - 1;
319 
/* zeroed stack fixtures: thread vars, flow and TCP session */
320  memset(&th_v, 0, sizeof(th_v));
321  memset(&f, 0, sizeof(f));
322  memset(&ssn, 0, sizeof(ssn));
323 
324  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
325  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
326 
327  FLOW_INITIALIZE(&f);
328  f.protoctx = (void *)&ssn;
329  f.proto = IPPROTO_TCP;
330  f.flags |= FLOW_IPV4;
331 
332  p1->flow = &f;
336  p2->flow = &f;
341 
342  StreamTcpInitConfig(true);
343 
346  de_ctx->flags |= DE_QUIET;
347 
/* keyword under test: negated content; "abc" must not appear at/after offset 3 */
348  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
349  "(msg:\"http stat msg test\"; "
350  "content:!\"abc\"; http_stat_msg; offset:3; "
351  "sid:1;)");
352  FAIL_IF_NULL(s);
353 
355  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
356 
357  int r = AppLayerParserParse(
358  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
359  FAIL_IF_NOT(r == 0);
360 
361  HtpState *http_state = f.alstate;
362  FAIL_IF_NULL(http_state);
363 
/* request only: sid 1 must not fire on p1 */
364  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
365  FAIL_IF(PacketAlertCheck(p1, 1));
366 
368  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
369  FAIL_IF_NOT(r == 0);
370 
/* response parsed: the negated match holds, sid 1 must fire on p2 */
371  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
372  FAIL_IF(!PacketAlertCheck(p2, 1));
373 
/* teardown mirrors setup */
374  UTHFreePackets(&p1, 1);
375  UTHFreePackets(&p2, 1);
376  FLOW_DESTROY(&f);
378  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
380  StreamTcpFreeConfig(true);
381  StatsThreadCleanup(&th_v);
382  PASS;
383 }
384 
/**
 * \test http_stat_msg combined with depth.
 *
 *       Signature: content:"abc"; http_stat_msg; depth:3; (sid 1).
 *       The status message is "abcdef"; "abc" lies entirely within the first
 *       3 bytes, so the match holds. Detection on p1 (request only) must not
 *       alert; detection on p2 after the response must alert.
 *
 *       NOTE(review): this rendering skips several source lines: de_ctx and
 *       alp_tctx are used without a visible declaration and the TOCLIENT
 *       parse below lacks its "r = AppLayerParserParse(" line. Confirm
 *       against the checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
385 static int DetectEngineHttpStatMsgTest05(void)
386 {
387  TcpSession ssn;
388  ThreadVars th_v;
389  DetectEngineThreadCtx *det_ctx = NULL;
390  Flow f;
391  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
392  "Host: www.openinfosecfoundation.org\r\n"
393  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
394  "Gecko/20091221 Firefox/3.5.7\r\n"
395  "\r\n";
396  uint32_t http_len1 = sizeof(http_buf1) - 1;
397  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
398  "Content-Type: text/html\r\n"
399  "Content-Length: 6\r\n"
400  "\r\n"
401  "abcdef";
402  uint32_t http_len2 = sizeof(http_buf2) - 1;
404 
/* zeroed stack fixtures: thread vars, flow and TCP session */
405  memset(&th_v, 0, sizeof(th_v));
406  memset(&f, 0, sizeof(f));
407  memset(&ssn, 0, sizeof(ssn));
408 
409  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
410  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
411 
412  FLOW_INITIALIZE(&f);
413  f.protoctx = (void *)&ssn;
414  f.proto = IPPROTO_TCP;
415  f.flags |= FLOW_IPV4;
416 
417  p1->flow = &f;
421  p2->flow = &f;
426 
427  StreamTcpInitConfig(true);
428 
431  de_ctx->flags |= DE_QUIET;
432 
/* keyword under test: depth:3 restricts the match to the first 3 bytes, "abc" */
433  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
434  "(msg:\"http stat msg test\"; "
435  "content:\"abc\"; http_stat_msg; depth:3; "
436  "sid:1;)");
437  FAIL_IF_NULL(s);
438 
440  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
441 
442  int r = AppLayerParserParse(
443  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
444  FAIL_IF_NOT(r == 0);
445 
446  HtpState *http_state = f.alstate;
447  FAIL_IF_NULL(http_state);
448 
/* request only: sid 1 must not fire on p1 */
449  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
450  FAIL_IF(PacketAlertCheck(p1, 1));
451 
453  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
454  FAIL_IF_NOT(r == 0);
455 
/* response parsed: sid 1 must fire on p2 */
456  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
457  FAIL_IF(!PacketAlertCheck(p2, 1));
458 
/* teardown mirrors setup */
459  UTHFreePackets(&p1, 1);
460  UTHFreePackets(&p2, 1);
461  FLOW_DESTROY(&f);
463  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
465  StreamTcpFreeConfig(true);
466  StatsThreadCleanup(&th_v);
467  PASS;
468 }
469 
/**
 * \test http_stat_msg with a negated content and depth.
 *
 *       Signature: content:!"def"; http_stat_msg; depth:3; (sid 1).
 *       The status message is "abcdef"; the first 3 bytes are "abc", which do
 *       not contain "def", so the negated match holds. Detection on p1
 *       (request only) must not alert; detection on p2 after the response
 *       must alert.
 *
 *       NOTE(review): this rendering skips several source lines: de_ctx and
 *       alp_tctx are used without a visible declaration and the TOCLIENT
 *       parse below lacks its "r = AppLayerParserParse(" line. Confirm
 *       against the checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
470 static int DetectEngineHttpStatMsgTest06(void)
471 {
472  TcpSession ssn;
473  ThreadVars th_v;
474  DetectEngineThreadCtx *det_ctx = NULL;
475  Flow f;
476  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
477  "Host: www.openinfosecfoundation.org\r\n"
478  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
479  "Gecko/20091221 Firefox/3.5.7\r\n"
480  "\r\n";
481  uint32_t http_len1 = sizeof(http_buf1) - 1;
482  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
483  "Content-Type: text/html\r\n"
484  "Content-Length: 6\r\n"
485  "\r\n"
486  "abcdef";
487  uint32_t http_len2 = sizeof(http_buf2) - 1;
489 
/* zeroed stack fixtures: thread vars, flow and TCP session */
490  memset(&th_v, 0, sizeof(th_v));
491  memset(&f, 0, sizeof(f));
492  memset(&ssn, 0, sizeof(ssn));
493 
494  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
495  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
496 
497  FLOW_INITIALIZE(&f);
498  f.protoctx = (void *)&ssn;
499  f.proto = IPPROTO_TCP;
500  f.flags |= FLOW_IPV4;
501 
502  p1->flow = &f;
506  p2->flow = &f;
511 
512  StreamTcpInitConfig(true);
513 
516  de_ctx->flags |= DE_QUIET;
517 
/* keyword under test: negated content within depth 3; "def" is not in "abc" */
518  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
519  "(msg:\"http stat msg test\"; "
520  "content:!\"def\"; http_stat_msg; depth:3; "
521  "sid:1;)");
522  FAIL_IF_NULL(s);
523 
525  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
526 
527  int r = AppLayerParserParse(
528  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
529  FAIL_IF_NOT(r == 0);
530 
531  HtpState *http_state = f.alstate;
532  FAIL_IF_NULL(http_state);
533 
/* request only: sid 1 must not fire on p1 */
534  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
535  FAIL_IF(PacketAlertCheck(p1, 1));
536 
538  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
539  FAIL_IF_NOT(r == 0);
540 
/* response parsed: the negated match holds, sid 1 must fire on p2 */
541  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
542  FAIL_IF(!PacketAlertCheck(p2, 1));
543 
/* teardown mirrors setup */
544  UTHFreePackets(&p1, 1);
545  UTHFreePackets(&p2, 1);
546  FLOW_DESTROY(&f);
548  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
550  StreamTcpFreeConfig(true);
551  StatsThreadCleanup(&th_v);
552  PASS;
553 }
554 
/**
 * \test http_stat_msg with a negated content and offset where the negation
 *       fails (negative test).
 *
 *       Signature: content:!"def"; http_stat_msg; offset:3; (sid 1).
 *       The status message is "abcdef"; "def" is present at offset 3, so the
 *       negated content does not hold and sid 1 must not alert on either
 *       p1 (request only) or p2 (after the response).
 *
 *       NOTE(review): this rendering skips several source lines: de_ctx and
 *       alp_tctx are used without a visible declaration and the TOCLIENT
 *       parse below lacks its "r = AppLayerParserParse(" line. Confirm
 *       against the checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
555 static int DetectEngineHttpStatMsgTest07(void)
556 {
557  TcpSession ssn;
558  ThreadVars th_v;
559  DetectEngineThreadCtx *det_ctx = NULL;
560  Flow f;
561  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
562  "Host: www.openinfosecfoundation.org\r\n"
563  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
564  "Gecko/20091221 Firefox/3.5.7\r\n"
565  "\r\n";
566  uint32_t http_len1 = sizeof(http_buf1) - 1;
567  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
568  "Content-Type: text/html\r\n"
569  "Content-Length: 6\r\n"
570  "\r\n"
571  "abcdef";
572  uint32_t http_len2 = sizeof(http_buf2) - 1;
574 
/* zeroed stack fixtures: thread vars, flow and TCP session */
575  memset(&th_v, 0, sizeof(th_v));
576  memset(&f, 0, sizeof(f));
577  memset(&ssn, 0, sizeof(ssn));
578 
579  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
580  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
581 
582  FLOW_INITIALIZE(&f);
583  f.protoctx = (void *)&ssn;
584  f.proto = IPPROTO_TCP;
585  f.flags |= FLOW_IPV4;
586 
587  p1->flow = &f;
591  p2->flow = &f;
596 
597  StreamTcpInitConfig(true);
598 
601  de_ctx->flags |= DE_QUIET;
602 
/* keyword under test: "def" IS found at offset 3, so the negation must fail */
603  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
604  "(msg:\"http stat msg test\"; "
605  "content:!\"def\"; http_stat_msg; offset:3; "
606  "sid:1;)");
607  FAIL_IF_NULL(s);
608 
610  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
611 
612  int r = AppLayerParserParse(
613  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
614  FAIL_IF_NOT(r == 0);
615 
616  HtpState *http_state = f.alstate;
617  FAIL_IF_NULL(http_state);
618 
/* request only: sid 1 must not fire on p1 */
619  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
620  FAIL_IF(PacketAlertCheck(p1, 1));
621 
623  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
624  FAIL_IF_NOT(r == 0);
625 
/* response parsed: the negated content fails, so sid 1 must still not fire */
626  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
627  FAIL_IF(PacketAlertCheck(p2, 1));
628 
/* teardown mirrors setup */
629  UTHFreePackets(&p1, 1);
630  UTHFreePackets(&p2, 1);
631  FLOW_DESTROY(&f);
633  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
635  StreamTcpFreeConfig(true);
636  StatsThreadCleanup(&th_v);
637  PASS;
638 }
639 
/**
 * \test http_stat_msg with a negated content and depth where the negation
 *       fails (negative test).
 *
 *       Signature: content:!"abc"; http_stat_msg; depth:3; (sid 1).
 *       The status message is "abcdef"; "abc" fills the first 3 bytes, so the
 *       negated content does not hold and sid 1 must not alert on either
 *       p1 (request only) or p2 (after the response).
 *
 *       NOTE(review): this rendering skips several source lines: de_ctx and
 *       alp_tctx are used without a visible declaration and the TOCLIENT
 *       parse below lacks its "r = AppLayerParserParse(" line. Confirm
 *       against the checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
640 static int DetectEngineHttpStatMsgTest08(void)
641 {
642  TcpSession ssn;
643  ThreadVars th_v;
644  DetectEngineThreadCtx *det_ctx = NULL;
645  Flow f;
646  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
647  "Host: www.openinfosecfoundation.org\r\n"
648  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
649  "Gecko/20091221 Firefox/3.5.7\r\n"
650  "\r\n";
651  uint32_t http_len1 = sizeof(http_buf1) - 1;
652  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
653  "Content-Type: text/html\r\n"
654  "Content-Length: 6\r\n"
655  "\r\n"
656  "abcdef";
657  uint32_t http_len2 = sizeof(http_buf2) - 1;
659 
/* zeroed stack fixtures: thread vars, flow and TCP session */
660  memset(&th_v, 0, sizeof(th_v));
661  memset(&f, 0, sizeof(f));
662  memset(&ssn, 0, sizeof(ssn));
663 
664  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
665  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
666 
667  FLOW_INITIALIZE(&f);
668  f.protoctx = (void *)&ssn;
669  f.proto = IPPROTO_TCP;
670  f.flags |= FLOW_IPV4;
671 
672  p1->flow = &f;
676  p2->flow = &f;
681 
682  StreamTcpInitConfig(true);
683 
686  de_ctx->flags |= DE_QUIET;
687 
/* keyword under test: "abc" IS within the first 3 bytes, so the negation must fail */
688  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
689  "(msg:\"http stat msg test\"; "
690  "content:!\"abc\"; http_stat_msg; depth:3; "
691  "sid:1;)");
692  FAIL_IF_NULL(s);
693 
695  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
696 
697  int r = AppLayerParserParse(
698  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
699  FAIL_IF_NOT(r == 0);
700 
701  HtpState *http_state = f.alstate;
702  FAIL_IF_NULL(http_state);
703 
/* request only: sid 1 must not fire on p1 */
704  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
705  FAIL_IF(PacketAlertCheck(p1, 1));
706 
708  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
709  FAIL_IF_NOT(r == 0);
710 
/* response parsed: the negated content fails, so sid 1 must still not fire */
711  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
712  FAIL_IF(PacketAlertCheck(p2, 1));
713 
/* teardown mirrors setup */
714  UTHFreePackets(&p1, 1);
715  UTHFreePackets(&p2, 1);
716  FLOW_DESTROY(&f);
718  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
720  StreamTcpFreeConfig(true);
721  StatsThreadCleanup(&th_v);
722  PASS;
723 }
724 
/**
 * \test http_stat_msg with two chained contents using depth and within.
 *
 *       Signature: content:"abc"; http_stat_msg; depth:3;
 *                  content:"def"; http_stat_msg; within:3; (sid 1).
 *       The status message is "abcdef": "abc" is within the first 3 bytes and
 *       "def" follows within the next 3, so both contents match. Detection on
 *       p1 (request only) must not alert; detection on p2 after the response
 *       must alert.
 *
 *       NOTE(review): this rendering skips several source lines: de_ctx and
 *       alp_tctx are used without a visible declaration and the TOCLIENT
 *       parse below lacks its "r = AppLayerParserParse(" line. Confirm
 *       against the checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
725 static int DetectEngineHttpStatMsgTest09(void)
726 {
727  TcpSession ssn;
728  ThreadVars th_v;
729  DetectEngineThreadCtx *det_ctx = NULL;
730  Flow f;
731  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
732  "Host: www.openinfosecfoundation.org\r\n"
733  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
734  "Gecko/20091221 Firefox/3.5.7\r\n"
735  "\r\n";
736  uint32_t http_len1 = sizeof(http_buf1) - 1;
737  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
738  "Content-Type: text/html\r\n"
739  "Content-Length: 6\r\n"
740  "\r\n"
741  "abcdef";
742  uint32_t http_len2 = sizeof(http_buf2) - 1;
744 
/* zeroed stack fixtures: thread vars, flow and TCP session */
745  memset(&th_v, 0, sizeof(th_v));
746  memset(&f, 0, sizeof(f));
747  memset(&ssn, 0, sizeof(ssn));
748 
749  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
750  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
751 
752  FLOW_INITIALIZE(&f);
753  f.protoctx = (void *)&ssn;
754  f.proto = IPPROTO_TCP;
755  f.flags |= FLOW_IPV4;
756 
757  p1->flow = &f;
761  p2->flow = &f;
766 
767  StreamTcpInitConfig(true);
768 
771  de_ctx->flags |= DE_QUIET;
772 
/* keyword under test: the second content is relative (within:3) to the first */
773  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
774  "(msg:\"http stat msg test\"; "
775  "content:\"abc\"; http_stat_msg; depth:3; "
776  "content:\"def\"; http_stat_msg; within:3; "
777  "sid:1;)");
778  FAIL_IF_NULL(s);
779 
781  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
782 
783  int r = AppLayerParserParse(
784  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
785  FAIL_IF_NOT(r == 0);
786 
787  HtpState *http_state = f.alstate;
788  FAIL_IF_NULL(http_state);
789 
/* request only: sid 1 must not fire on p1 */
790  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
791  FAIL_IF(PacketAlertCheck(p1, 1));
792 
794  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
795  FAIL_IF_NOT(r == 0);
796 
/* response parsed: both contents match, sid 1 must fire on p2 */
797  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
798  FAIL_IF(!PacketAlertCheck(p2, 1));
799 
/* teardown mirrors setup */
800  UTHFreePackets(&p1, 1);
801  UTHFreePackets(&p2, 1);
802  FLOW_DESTROY(&f);
804  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
806  StreamTcpFreeConfig(true);
807  StatsThreadCleanup(&th_v);
808  PASS;
809 }
810 
/**
 * \test http_stat_msg with a positive content followed by a negated
 *       relative content (within).
 *
 *       Signature: content:"abc"; http_stat_msg; depth:3;
 *                  content:!"xyz"; http_stat_msg; within:3; (sid 1).
 *       The status message is "abcdef": "abc" matches in the first 3 bytes and
 *       "xyz" is absent from the following 3 bytes ("def"), so the negated
 *       content holds. Detection on p1 (request only) must not alert;
 *       detection on p2 after the response must alert.
 *
 *       NOTE(review): this rendering skips several source lines: de_ctx and
 *       alp_tctx are used without a visible declaration and the TOCLIENT
 *       parse below lacks its "r = AppLayerParserParse(" line. Confirm
 *       against the checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
811 static int DetectEngineHttpStatMsgTest10(void)
812 {
813  TcpSession ssn;
814  ThreadVars th_v;
815  DetectEngineThreadCtx *det_ctx = NULL;
816  Flow f;
817  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
818  "Host: www.openinfosecfoundation.org\r\n"
819  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
820  "Gecko/20091221 Firefox/3.5.7\r\n"
821  "\r\n";
822  uint32_t http_len1 = sizeof(http_buf1) - 1;
823  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
824  "Content-Type: text/html\r\n"
825  "Content-Length: 6\r\n"
826  "\r\n"
827  "abcdef";
828  uint32_t http_len2 = sizeof(http_buf2) - 1;
830 
/* zeroed stack fixtures: thread vars, flow and TCP session */
831  memset(&th_v, 0, sizeof(th_v));
832  memset(&f, 0, sizeof(f));
833  memset(&ssn, 0, sizeof(ssn));
834 
835  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
836  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
837 
838  FLOW_INITIALIZE(&f);
839  f.protoctx = (void *)&ssn;
840  f.proto = IPPROTO_TCP;
841  f.flags |= FLOW_IPV4;
842 
843  p1->flow = &f;
847  p2->flow = &f;
852 
853  StreamTcpInitConfig(true);
854 
857  de_ctx->flags |= DE_QUIET;
858 
/* keyword under test: negated relative content; "xyz" is not in "def" */
859  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
860  "(msg:\"http stat msg test\"; "
861  "content:\"abc\"; http_stat_msg; depth:3; "
862  "content:!\"xyz\"; http_stat_msg; within:3; "
863  "sid:1;)");
864  FAIL_IF_NULL(s);
865 
867  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
868 
869  int r = AppLayerParserParse(
870  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
871  FAIL_IF_NOT(r == 0);
872 
873  HtpState *http_state = f.alstate;
874  FAIL_IF_NULL(http_state);
875 
/* request only: sid 1 must not fire on p1 */
876  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
877  FAIL_IF(PacketAlertCheck(p1, 1));
878 
880  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
881  FAIL_IF_NOT(r == 0);
882 
/* response parsed: the negated relative match holds, sid 1 must fire on p2 */
883  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
884  FAIL_IF(!PacketAlertCheck(p2, 1));
885 
/* teardown mirrors setup */
886  UTHFreePackets(&p1, 1);
887  UTHFreePackets(&p2, 1);
888  FLOW_DESTROY(&f);
890  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
892  StreamTcpFreeConfig(true);
893  StatsThreadCleanup(&th_v);
894  PASS;
895 }
896 
/**
 * \test http_stat_msg with a positive relative content that does not match
 *       (negative test).
 *
 *       Signature: content:"abc"; http_stat_msg; depth:3;
 *                  content:"xyz"; http_stat_msg; within:3; (sid 1).
 *       The status message is "abcdef": "abc" matches, but "xyz" is not in the
 *       following 3 bytes ("def"), so the rule as a whole must not match and
 *       sid 1 must not alert on either p1 (request only) or p2 (after the
 *       response).
 *
 *       NOTE(review): this rendering skips several source lines: de_ctx and
 *       alp_tctx are used without a visible declaration and the TOCLIENT
 *       parse below lacks its "r = AppLayerParserParse(" line. Confirm
 *       against the checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
897 static int DetectEngineHttpStatMsgTest11(void)
898 {
899  TcpSession ssn;
900  ThreadVars th_v;
901  DetectEngineThreadCtx *det_ctx = NULL;
902  Flow f;
903  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
904  "Host: www.openinfosecfoundation.org\r\n"
905  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
906  "Gecko/20091221 Firefox/3.5.7\r\n"
907  "\r\n";
908  uint32_t http_len1 = sizeof(http_buf1) - 1;
909  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
910  "Content-Type: text/html\r\n"
911  "Content-Length: 6\r\n"
912  "\r\n"
913  "abcdef";
914  uint32_t http_len2 = sizeof(http_buf2) - 1;
916 
/* zeroed stack fixtures: thread vars, flow and TCP session */
917  memset(&th_v, 0, sizeof(th_v));
918  memset(&f, 0, sizeof(f));
919  memset(&ssn, 0, sizeof(ssn));
920 
921  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
922  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
923 
924  FLOW_INITIALIZE(&f);
925  f.protoctx = (void *)&ssn;
926  f.proto = IPPROTO_TCP;
927  f.flags |= FLOW_IPV4;
928 
929  p1->flow = &f;
933  p2->flow = &f;
938 
939  StreamTcpInitConfig(true);
940 
943  de_ctx->flags |= DE_QUIET;
944 
/* keyword under test: the relative "xyz" is absent, so the rule must not match */
945  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
946  "(msg:\"http stat msg test\"; "
947  "content:\"abc\"; http_stat_msg; depth:3; "
948  "content:\"xyz\"; http_stat_msg; within:3; "
949  "sid:1;)");
950  FAIL_IF_NULL(s);
951 
953  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
954 
955  int r = AppLayerParserParse(
956  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
957  FAIL_IF_NOT(r == 0);
958 
959  HtpState *http_state = f.alstate;
960  FAIL_IF_NULL(http_state);
961 
/* request only: sid 1 must not fire on p1 */
962  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
963  FAIL_IF(PacketAlertCheck(p1, 1));
964 
966  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
967  FAIL_IF_NOT(r == 0);
968 
/* response parsed: second content fails, so sid 1 must still not fire */
969  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
970  FAIL_IF(PacketAlertCheck(p2, 1));
971 
/* teardown mirrors setup */
972  UTHFreePackets(&p1, 1);
973  UTHFreePackets(&p2, 1);
974  FLOW_DESTROY(&f);
976  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
978  StreamTcpFreeConfig(true);
979  StatsThreadCleanup(&th_v);
980  PASS;
981 }
982 
/**
 * \test http_stat_msg with two chained contents using depth and distance.
 *
 *       Signature: content:"ab"; http_stat_msg; depth:2;
 *                  content:"ef"; http_stat_msg; distance:2; (sid 1).
 *       The status message is "abcdef": "ab" is the first 2 bytes and "ef"
 *       starts 2 bytes after it (skipping "cd"), so both contents match.
 *       Detection on p1 (request only) must not alert; detection on p2 after
 *       the response must alert. This test also pins f.alproto to
 *       ALPROTO_HTTP1 before parsing, unlike tests 01-11.
 *
 *       NOTE(review): this rendering skips several source lines; de_ctx and
 *       alp_tctx are used without a visible declaration. Confirm against the
 *       checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
983 static int DetectEngineHttpStatMsgTest12(void)
984 {
985  TcpSession ssn;
986  ThreadVars th_v;
987  DetectEngineThreadCtx *det_ctx = NULL;
988  Flow f;
989  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
990  "Host: www.openinfosecfoundation.org\r\n"
991  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
992  "Gecko/20091221 Firefox/3.5.7\r\n"
993  "\r\n";
994  uint32_t http_len1 = sizeof(http_buf1) - 1;
995  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
996  "Content-Type: text/html\r\n"
997  "Content-Length: 6\r\n"
998  "\r\n"
999  "abcdef";
1000  uint32_t http_len2 = sizeof(http_buf2) - 1;
1002 
/* zeroed stack fixtures: thread vars, flow and TCP session */
1003  memset(&th_v, 0, sizeof(th_v));
1004  memset(&f, 0, sizeof(f));
1005  memset(&ssn, 0, sizeof(ssn));
1006 
1007  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1008  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1009 
1010  FLOW_INITIALIZE(&f);
1011  f.protoctx = (void *)&ssn;
1012  f.proto = IPPROTO_TCP;
1013  f.flags |= FLOW_IPV4;
1014 
1015  p1->flow = &f;
1019  p2->flow = &f;
/* app-layer protocol is fixed up front rather than left to detection */
1023  f.alproto = ALPROTO_HTTP1;
1024 
1025  StreamTcpInitConfig(true);
1026 
1029  de_ctx->flags |= DE_QUIET;
1030 
/* keyword under test: distance:2 skips "cd" between the two contents */
1031  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1032  "(msg:\"http stat msg test\"; "
1033  "content:\"ab\"; http_stat_msg; depth:2; "
1034  "content:\"ef\"; http_stat_msg; distance:2; "
1035  "sid:1;)");
1036  FAIL_IF_NULL(s);
1037 
1039  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1040 
1041  int r = AppLayerParserParse(
1042  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1043  FAIL_IF_NOT(r == 0);
1044 
1045  HtpState *http_state = f.alstate;
1046  FAIL_IF_NULL(http_state);
1047 
/* request only: sid 1 must not fire on p1 */
1048  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1049  FAIL_IF(PacketAlertCheck(p1, 1));
1050 
1051  r = AppLayerParserParse(
1052  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1053  FAIL_IF_NOT(r == 0);
1054 
1055  /* do detect: response parsed, both contents match, sid 1 must fire on p2 */
1056  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1057  FAIL_IF(!PacketAlertCheck(p2, 1));
1058 
/* teardown mirrors setup */
1059  UTHFreePackets(&p1, 1);
1060  UTHFreePackets(&p2, 1);
1061  FLOW_DESTROY(&f);
1063  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1065  StreamTcpFreeConfig(true);
1066  StatsThreadCleanup(&th_v);
1067  PASS;
1068 }
1069 
/**
 * \test http_stat_msg with a positive content followed by a negated
 *       relative content (distance).
 *
 *       Signature: content:"ab"; http_stat_msg; depth:3;
 *                  content:!"yz"; http_stat_msg; distance:2; (sid 1).
 *       The status message is "abcdef": "ab" matches in the first 3 bytes and
 *       "yz" does not occur 2 bytes past it, so the negated content holds.
 *       Detection on p1 (request only) must not alert; detection on p2 after
 *       the response must alert. f.alproto is pinned to ALPROTO_HTTP1 before
 *       parsing.
 *
 *       NOTE(review): this rendering skips several source lines; de_ctx and
 *       alp_tctx are used without a visible declaration. Confirm against the
 *       checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
1070 static int DetectEngineHttpStatMsgTest13(void)
1071 {
1072  TcpSession ssn;
1073  ThreadVars th_v;
1074  DetectEngineThreadCtx *det_ctx = NULL;
1075  Flow f;
1076  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
1077  "Host: www.openinfosecfoundation.org\r\n"
1078  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1079  "Gecko/20091221 Firefox/3.5.7\r\n"
1080  "\r\n";
1081  uint32_t http_len1 = sizeof(http_buf1) - 1;
1082  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
1083  "Content-Type: text/html\r\n"
1084  "Content-Length: 6\r\n"
1085  "\r\n"
1086  "abcdef";
1087  uint32_t http_len2 = sizeof(http_buf2) - 1;
1089 
/* zeroed stack fixtures: thread vars, flow and TCP session */
1090  memset(&th_v, 0, sizeof(th_v));
1091  memset(&f, 0, sizeof(f));
1092  memset(&ssn, 0, sizeof(ssn));
1093 
1094  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1095  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1096 
1097  FLOW_INITIALIZE(&f);
1098  f.protoctx = (void *)&ssn;
1099  f.proto = IPPROTO_TCP;
1100  f.flags |= FLOW_IPV4;
1101 
1102  p1->flow = &f;
1106  p2->flow = &f;
/* app-layer protocol is fixed up front rather than left to detection */
1110  f.alproto = ALPROTO_HTTP1;
1111 
1112  StreamTcpInitConfig(true);
1113 
1116  de_ctx->flags |= DE_QUIET;
1117 
/* keyword under test: negated relative content at distance 2 from "ab" */
1118  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1119  "(msg:\"http stat msg test\"; "
1120  "content:\"ab\"; http_stat_msg; depth:3; "
1121  "content:!\"yz\"; http_stat_msg; distance:2; "
1122  "sid:1;)");
1123  FAIL_IF_NULL(s);
1124 
1126  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1127 
1128  int r = AppLayerParserParse(
1129  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1130  FAIL_IF_NOT(r == 0);
1131 
1132  HtpState *http_state = f.alstate;
1133  FAIL_IF_NULL(http_state);
1134 
/* request only: sid 1 must not fire on p1 */
1135  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1136  FAIL_IF(PacketAlertCheck(p1, 1));
1137 
1138  r = AppLayerParserParse(
1139  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1140  FAIL_IF_NOT(r == 0);
1141 
/* response parsed: the negated relative match holds, sid 1 must fire on p2 */
1142  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1143  FAIL_IF(!PacketAlertCheck(p2, 1));
1144 
/* teardown mirrors setup */
1145  UTHFreePackets(&p1, 1);
1146  UTHFreePackets(&p2, 1);
1147  FLOW_DESTROY(&f);
1149  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1151  StreamTcpFreeConfig(true);
1152  StatsThreadCleanup(&th_v);
1153  PASS;
1154 }
1155 
/**
 * \test http_stat_msg content placed relative to a pcre anchored on the
 *       status message.
 *
 *       Signature: pcre:/ab/Y; content:"ef"; http_stat_msg; distance:2;
 *       (sid 1). The status message is "abcdef": the pcre (Y selects the
 *       status-message buffer) matches "ab", and "ef" begins 2 bytes after
 *       that match, so the rule matches. Detection on p1 (request only) must
 *       not alert; detection on p2 after the response must alert. f.alproto
 *       is pinned to ALPROTO_HTTP1 before parsing.
 *
 *       NOTE(review): this rendering skips several source lines; de_ctx and
 *       alp_tctx are used without a visible declaration. Confirm against the
 *       checked-in source.
 *
 *       The outcome is reported through the PASS / FAIL_IF* unittest macros.
 */
1156 static int DetectEngineHttpStatMsgTest14(void)
1157 {
1158  TcpSession ssn;
1159  ThreadVars th_v;
1160  DetectEngineThreadCtx *det_ctx = NULL;
1161  Flow f;
1162  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
1163  "Host: www.openinfosecfoundation.org\r\n"
1164  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1165  "Gecko/20091221 Firefox/3.5.7\r\n"
1166  "\r\n";
1167  uint32_t http_len1 = sizeof(http_buf1) - 1;
1168  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n"
1169  "Content-Type: text/html\r\n"
1170  "Content-Length: 6\r\n"
1171  "\r\n"
1172  "abcdef";
1173  uint32_t http_len2 = sizeof(http_buf2) - 1;
1175 
/* zeroed stack fixtures: thread vars, flow and TCP session */
1176  memset(&th_v, 0, sizeof(th_v));
1177  memset(&f, 0, sizeof(f));
1178  memset(&ssn, 0, sizeof(ssn));
1179 
1180  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1181  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1182 
1183  FLOW_INITIALIZE(&f);
1184  f.protoctx = (void *)&ssn;
1185  f.proto = IPPROTO_TCP;
1186  f.flags |= FLOW_IPV4;
1187 
1188  p1->flow = &f;
1192  p2->flow = &f;
/* app-layer protocol is fixed up front rather than left to detection */
1196  f.alproto = ALPROTO_HTTP1;
1197 
1198  StreamTcpInitConfig(true);
1199 
1202  de_ctx->flags |= DE_QUIET;
1203 
/* keyword under test: content relative (distance:2) to a pcre on the status message */
1204  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1205  "(msg:\"http stat msg test\"; "
1206  "pcre:/ab/Y; "
1207  "content:\"ef\"; http_stat_msg; distance:2; "
1208  "sid:1;)");
1209  FAIL_IF_NULL(s);
1210 
1212  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1213 
1214  int r = AppLayerParserParse(
1215  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1216  FAIL_IF_NOT(r == 0);
1217 
1218  HtpState *http_state = f.alstate;
1219  FAIL_IF_NULL(http_state);
1220 
/* request only: sid 1 must not fire on p1 */
1221  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1222  FAIL_IF(PacketAlertCheck(p1, 1));
1223 
1224  r = AppLayerParserParse(
1225  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1226  FAIL_IF_NOT(r == 0);
1227 
/* response parsed: pcre and relative content both match, sid 1 must fire on p2 */
1228  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1229  FAIL_IF(!PacketAlertCheck(p2, 1));
1230 
/* teardown mirrors setup */
1231  UTHFreePackets(&p1, 1);
1232  UTHFreePackets(&p2, 1);
1233  FLOW_DESTROY(&f);
1235  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1237  StreamTcpFreeConfig(true);
1238  StatsThreadCleanup(&th_v);
1239  PASS;
1240 }
1241 
/**
 * \test http_stat_msg reached through a pcre anchored on the status message
 *       (/abc/Y) and followed by a negated content positioned relative to
 *       that match (distance:0; within:3). The response status message is
 *       "abcdef": sid 1 must not fire on the request packet p1 and must
 *       fire on the response packet p2.
 *
 * NOTE(review): this rendering omits file lines 1260, 1275-1277, 1279-1281,
 * 1286-1287, 1298, 1321 and 1323. Presumably those allocate alp_tctx and
 * de_ctx, set the packet direction/flow flags, build the signature groups
 * and release alp_tctx / de_ctx -- confirm against the source file.
 */
1242 static int DetectEngineHttpStatMsgTest15(void)
1243 {
1244  TcpSession ssn;
1245  ThreadVars th_v;
1246  DetectEngineThreadCtx *det_ctx = NULL;
1247  Flow f;
1248  uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
1249  "Host: www.openinfosecfoundation.org\r\n"
1250  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1251  "Gecko/20091221 Firefox/3.5.7\r\n"
1252  "\r\n";
1253  uint32_t http_len1 = sizeof(http_buf1) - 1; /* minus the \0 */
1254  uint8_t http_buf2[] = "HTTP/1.0 200 abcdef\r\n" /* "abcdef" is the status message under test */
1255  "Content-Type: text/html\r\n"
1256  "Content-Length: 6\r\n"
1257  "\r\n"
1258  "abcdef";
1259  uint32_t http_len2 = sizeof(http_buf2) - 1; /* minus the \0 */
1261 
     /* Stack-allocated state: clear it before handing it to the engine. */
1262  memset(&th_v, 0, sizeof(th_v));
1263  memset(&f, 0, sizeof(f));
1264  memset(&ssn, 0, sizeof(ssn));
1265 
1266  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); /* matched after the request */
1267  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); /* matched after the response */
1268 
     /* Fake an IPv4/TCP flow backed by the zeroed TCP session. */
1269  FLOW_INITIALIZE(&f);
1270  f.protoctx = (void *)&ssn;
1271  f.proto = IPPROTO_TCP;
1272  f.flags |= FLOW_IPV4;
1273 
     /* Both packets share the flow. The omitted lines 1275-1277 and
      * 1279-1281 presumably set each packet's direction/flow flags. */
1274  p1->flow = &f;
1278  p2->flow = &f;
1282  f.alproto = ALPROTO_HTTP1; /* skip protocol detection: force HTTP/1 */
1283 
1284  StreamTcpInitConfig(true); /* quiet init; released by StreamTcpFreeConfig(true) below */
1285 
     /* de_ctx is created on the omitted lines 1286-1287 (presumably
      * DetectEngineCtxInit() plus a NULL check). */
1288  de_ctx->flags |= DE_QUIET;
1289 
     /* /abc/Y anchors the pcre on the status-message buffer; the negated
      * content then requires that "xyz" does NOT appear in the 3 bytes
      * immediately after that match. With "abcdef" those bytes are "def",
      * so the rule is expected to match on the response. */
1290  Signature *s =
1291  DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1292  "(msg:\"http stat msg test\"; "
1293  "pcre:/abc/Y; "
1294  "content:!\"xyz\"; http_stat_msg; distance:0; within:3; "
1295  "sid:1;)");
1296  FAIL_IF_NULL(s); /* fail if the rule did not parse */
1297 
     /* Line 1298 (omitted in this rendering) presumably calls SigGroupBuild(de_ctx). */
1299  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1300 
     /* Feed the request first; alp_tctx's allocation is not shown in this rendering. */
1301  int r = AppLayerParserParse(
1302  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1303  FAIL_IF_NOT(r == 0);
1304 
1305  HtpState *http_state = f.alstate;
1306  FAIL_IF_NULL(http_state); /* the HTTP parser must have created state on the flow */
1307 
1308  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1309  FAIL_IF(PacketAlertCheck(p1, 1)); /* no status message seen yet: must not alert */
1310 
1311  r = AppLayerParserParse(
1312  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1313  FAIL_IF_NOT(r == 0);
1314 
1315  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1316  FAIL_IF(!PacketAlertCheck(p2, 1)); /* response carries "abcdef": must alert */
1317 
     /* Teardown. The FAIL_IF* macros above presumably return early, so
      * none of this runs when a check fails (resources leak only in the
      * failing-test case). */
1318  UTHFreePackets(&p1, 1);
1319  UTHFreePackets(&p2, 1);
1320  FLOW_DESTROY(&f);
     /* Lines 1321 and 1323 (omitted) presumably free alp_tctx and de_ctx. */
1322  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1324  StreamTcpFreeConfig(true);
1325  StatsThreadCleanup(&th_v);
1326  PASS;
1327 }
1328 
1329 /** \test Check that a signature alerts when http_stat_msg matches: an
 *        exact-case content ("OK", sid 1) and a nocase content ("ok", sid 2)
 *        are run against the response "HTTP/1.0 200 OK"; both must fire.
 *
 * NOTE(review): this rendering omits file lines 1340, 1354-1356, 1361-1362,
 * 1375, 1394 and 1396. Presumably those allocate alp_tctx and de_ctx, set
 * the packet flags, build the signature groups and release alp_tctx /
 * de_ctx -- confirm against the source file. */
1330 static int DetectHttpStatMsgSigTest01(void)
1331 {
1332  Flow f;
1333  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1334  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1335  uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n"; /* status message "OK" */
1336  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1337  TcpSession ssn;
1338  ThreadVars th_v;
1339  DetectEngineThreadCtx *det_ctx = NULL;
1341 
     /* Stack-allocated state: clear it before handing it to the engine. */
1342  memset(&th_v, 0, sizeof(th_v));
1343  memset(&f, 0, sizeof(f));
1344  memset(&ssn, 0, sizeof(ssn));
1345 
     /* A single packet is used; it is matched once, after both directions
      * have been parsed. */
1346  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1347 
     /* Fake an IPv4/TCP flow backed by the zeroed TCP session. */
1348  FLOW_INITIALIZE(&f);
1349  f.protoctx = (void *)&ssn;
1350  f.proto = IPPROTO_TCP;
1351  f.flags |= FLOW_IPV4;
1352 
     /* Omitted lines 1354-1356 presumably set the packet's direction/flow flags. */
1353  p->flow = &f;
1357  f.alproto = ALPROTO_HTTP1; /* skip protocol detection: force HTTP/1 */
1358 
1359  StreamTcpInitConfig(true); /* quiet init; released by StreamTcpFreeConfig(true) below */
1360 
     /* de_ctx is created on the omitted lines 1361-1362 (presumably
      * DetectEngineCtxInit() plus a NULL check). */
1363  de_ctx->flags |= DE_QUIET;
1364 
     /* sid 1: case-sensitive "OK" on the status message. */
1365  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1366  "\"HTTP status message\"; content:\"OK\"; "
1367  "http_stat_msg; sid:1;)");
1368  FAIL_IF_NULL(s); /* fail if the rule did not parse */
1369 
     /* sid 2: "ok" with nocase, so it must also match "OK". */
1370  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"HTTP "
1371  "Status message nocase\"; content:\"ok\"; nocase; "
1372  "http_stat_msg; sid:2;)");
1373  FAIL_IF_NULL(s);
1374 
     /* Line 1375 (omitted in this rendering) presumably calls SigGroupBuild(de_ctx). */
1376  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1377 
     /* Request, then response; alp_tctx's allocation is not shown in this rendering. */
1378  int r = AppLayerParserParse(
1379  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1380  FAIL_IF_NOT(r == 0);
1381 
1382  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
1383  FAIL_IF_NOT(r == 0);
1384 
1385  HtpState *http_state = f.alstate;
1386  FAIL_IF_NULL(http_state); /* the HTTP parser must have created state on the flow */
1387 
1388  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1389  FAIL_IF(!(PacketAlertCheck(p, 1))); /* exact-case match */
1390  FAIL_IF(!(PacketAlertCheck(p, 2))); /* nocase match */
1391 
     /* Teardown. The FAIL_IF* macros above presumably return early, so
      * none of this runs when a check fails. */
1392  UTHFreePackets(&p, 1);
1393  FLOW_DESTROY(&f);
     /* Lines 1394 and 1396 (omitted) presumably free alp_tctx and de_ctx. */
1395  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1397  StreamTcpFreeConfig(true);
1398  StatsThreadCleanup(&th_v);
1399  PASS;
1400 }
1401 
1402 /** \test Check that a signature does not alert when http_stat_msg does
 *        not match: content "no" is run against the response
 *        "HTTP/1.0 200 OK", whose status message is "OK"; sid 1 must not
 *        fire.
 *
 * NOTE(review): this rendering omits file lines 1413, 1427-1429, 1434-1435,
 * 1443, 1461 and 1463. Presumably those allocate alp_tctx and de_ctx, set
 * the packet flags, build the signature groups and release alp_tctx /
 * de_ctx -- confirm against the source file. */
1403 static int DetectHttpStatMsgSigTest02(void)
1404 {
1405  Flow f;
1406  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1407  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1408  uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n"; /* status message "OK" */
1409  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1410  TcpSession ssn;
1411  ThreadVars th_v;
1412  DetectEngineThreadCtx *det_ctx = NULL;
1414 
     /* Stack-allocated state: clear it before handing it to the engine. */
1415  memset(&th_v, 0, sizeof(th_v));
1416  memset(&f, 0, sizeof(f));
1417  memset(&ssn, 0, sizeof(ssn));
1418 
     /* A single packet is used; it is matched once, after both directions
      * have been parsed. */
1419  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1420 
     /* Fake an IPv4/TCP flow backed by the zeroed TCP session. */
1421  FLOW_INITIALIZE(&f);
1422  f.protoctx = (void *)&ssn;
1423  f.proto = IPPROTO_TCP;
1424  f.flags |= FLOW_IPV4;
1425 
     /* Omitted lines 1427-1429 presumably set the packet's direction/flow flags. */
1426  p->flow = &f;
1430  f.alproto = ALPROTO_HTTP1; /* skip protocol detection: force HTTP/1 */
1431 
1432  StreamTcpInitConfig(true); /* quiet init; released by StreamTcpFreeConfig(true) below */
1433 
     /* de_ctx is created on the omitted lines 1434-1435 (presumably
      * DetectEngineCtxInit() plus a NULL check). */
1436  de_ctx->flags |= DE_QUIET;
1437 
     /* "no" is not a substring of "OK", so this rule must stay silent. */
1438  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1439  "\"HTTP status message\"; content:\"no\"; "
1440  "http_stat_msg; sid:1;)");
1441  FAIL_IF_NULL(s); /* fail if the rule did not parse */
1442 
     /* Line 1443 (omitted in this rendering) presumably calls SigGroupBuild(de_ctx). */
1444  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1445 
     /* Request, then response; alp_tctx's allocation is not shown in this rendering. */
1446  int r = AppLayerParserParse(
1447  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1448  FAIL_IF_NOT(r == 0);
1449 
1450  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
1451  FAIL_IF_NOT(r == 0);
1452 
1453  HtpState *http_state = f.alstate;
1454  FAIL_IF_NULL(http_state); /* the HTTP parser must have created state on the flow */
1455 
1456  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1457  FAIL_IF(PacketAlertCheck(p, 1)); /* negative case: an alert here is a false positive */
1458 
     /* Teardown. The FAIL_IF* macros above presumably return early, so
      * none of this runs when a check fails. */
1459  UTHFreePackets(&p, 1);
1460  FLOW_DESTROY(&f);
     /* Lines 1461 and 1463 (omitted) presumably free alp_tctx and de_ctx. */
1462  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1464  StreamTcpFreeConfig(true);
1465  StatsThreadCleanup(&th_v);
1466  PASS;
1467 }
1468 
1469 /** \test Check that http_stat_msg works with negated content: sid 1 uses
1470  *        a nocase "ok" and sid 2 a negated "Not", both against the response
 *        "HTTP/1.0 200 OK". "Not" is absent from "OK", so the negation is
 *        satisfied and both sids must fire.
 *
 * NOTE(review): this rendering omits file lines 1481, 1495-1497, 1502-1503,
 * 1516, 1536 and 1538. Presumably those allocate alp_tctx and de_ctx, set
 * the packet flags, build the signature groups and release alp_tctx /
 * de_ctx -- confirm against the source file. */
1471 static int DetectHttpStatMsgSigTest03(void)
1472 {
1473  Flow f;
1474  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1475  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1476  uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n"; /* status message "OK" */
1477  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1478  TcpSession ssn;
1479  ThreadVars th_v;
1480  DetectEngineThreadCtx *det_ctx = NULL;
1482 
     /* Stack-allocated state: clear it before handing it to the engine. */
1483  memset(&th_v, 0, sizeof(th_v));
1484  memset(&f, 0, sizeof(f));
1485  memset(&ssn, 0, sizeof(ssn));
1486 
     /* A single packet is used; it is matched once, after both directions
      * have been parsed. */
1487  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1488 
     /* Fake an IPv4/TCP flow backed by the zeroed TCP session. */
1489  FLOW_INITIALIZE(&f);
1490  f.protoctx = (void *)&ssn;
1491  f.proto = IPPROTO_TCP;
1492  f.flags |= FLOW_IPV4;
1493 
     /* Omitted lines 1495-1497 presumably set the packet's direction/flow flags. */
1494  p->flow = &f;
1498  f.alproto = ALPROTO_HTTP1; /* skip protocol detection: force HTTP/1 */
1499 
1500  StreamTcpInitConfig(true); /* quiet init; released by StreamTcpFreeConfig(true) below */
1501 
     /* de_ctx is created on the omitted lines 1502-1503 (presumably
      * DetectEngineCtxInit() plus a NULL check). */
1504  de_ctx->flags |= DE_QUIET;
1505 
     /* sid 1: "ok" with nocase must match "OK". */
1506  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:"
1507  "\"HTTP status message\"; content:\"ok\"; "
1508  "nocase; http_stat_msg; sid:1;)");
1509  FAIL_IF_NULL(s); /* fail if the rule did not parse */
1510 
     /* sid 2: negated content; it matches because "Not" is absent from "OK". */
1511  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"HTTP "
1512  "Status message nocase\"; content:!\"Not\"; "
1513  "http_stat_msg; sid:2;)");
1514  FAIL_IF_NULL(s);
1515 
     /* Line 1516 (omitted in this rendering) presumably calls SigGroupBuild(de_ctx). */
1517  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1518 
     /* Request, then response; alp_tctx's allocation is not shown in this rendering. */
1519  int r = AppLayerParserParse(
1520  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1521  FAIL_IF_NOT(r == 0);
1522 
1523  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
1524  FAIL_IF_NOT(r == 0);
1525 
1526  HtpState *http_state = f.alstate;
1527  FAIL_IF_NULL(http_state); /* the HTTP parser must have created state on the flow */
1528 
1529  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1530 
1531  FAIL_IF(!PacketAlertCheck(p, 1)); /* nocase match */
1532  FAIL_IF(!PacketAlertCheck(p, 2)); /* negated content satisfied */
1533 
     /* Teardown. The FAIL_IF* macros above presumably return early, so
      * none of this runs when a check fails. */
1534  UTHFreePackets(&p, 1);
1535  FLOW_DESTROY(&f);
     /* Lines 1536 and 1538 (omitted) presumably free alp_tctx and de_ctx. */
1537  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1539  StreamTcpFreeConfig(true);
1540  StatsThreadCleanup(&th_v);
1541  PASS;
1542 }
1543 
1544 /**
1545  * \brief Register the UNITTESTS for the http_stat_msg keyword
 *
 * Registers the three DetectHttpStatMsgSigTest* cases and the fifteen
 * DetectEngineHttpStatMsgTest* cases (01-14 are defined earlier in this
 * file, 15 just above). The test name passed to UtRegisterTest is the
 * string used to select the test from the command line, so it must stay
 * in sync with the function name.
 *
 * NOTE(review): the function's signature line (file line 1547) is not
 * reproduced in this rendering; it is `void DetectHttpStatMsgRegisterTests(void)`.
1546  */
1548 {
1549  UtRegisterTest("DetectHttpStatMsgSigTest01", DetectHttpStatMsgSigTest01);
1550  UtRegisterTest("DetectHttpStatMsgSigTest02", DetectHttpStatMsgSigTest02);
1551  UtRegisterTest("DetectHttpStatMsgSigTest03", DetectHttpStatMsgSigTest03);
1552 
1553  UtRegisterTest("DetectEngineHttpStatMsgTest01", DetectEngineHttpStatMsgTest01);
1554  UtRegisterTest("DetectEngineHttpStatMsgTest02", DetectEngineHttpStatMsgTest02);
1555  UtRegisterTest("DetectEngineHttpStatMsgTest03", DetectEngineHttpStatMsgTest03);
1556  UtRegisterTest("DetectEngineHttpStatMsgTest04", DetectEngineHttpStatMsgTest04);
1557  UtRegisterTest("DetectEngineHttpStatMsgTest05", DetectEngineHttpStatMsgTest05);
1558  UtRegisterTest("DetectEngineHttpStatMsgTest06", DetectEngineHttpStatMsgTest06);
1559  UtRegisterTest("DetectEngineHttpStatMsgTest07", DetectEngineHttpStatMsgTest07);
1560  UtRegisterTest("DetectEngineHttpStatMsgTest08", DetectEngineHttpStatMsgTest08);
1561  UtRegisterTest("DetectEngineHttpStatMsgTest09", DetectEngineHttpStatMsgTest09);
1562  UtRegisterTest("DetectEngineHttpStatMsgTest10", DetectEngineHttpStatMsgTest10);
1563  UtRegisterTest("DetectEngineHttpStatMsgTest11", DetectEngineHttpStatMsgTest11);
1564  UtRegisterTest("DetectEngineHttpStatMsgTest12", DetectEngineHttpStatMsgTest12);
1565  UtRegisterTest("DetectEngineHttpStatMsgTest13", DetectEngineHttpStatMsgTest13);
1566  UtRegisterTest("DetectEngineHttpStatMsgTest14", DetectEngineHttpStatMsgTest14);
1567  UtRegisterTest("DetectEngineHttpStatMsgTest15", DetectEngineHttpStatMsgTest15);
1568 }
1569 
1570 /**
1571  * @}
1572  */