24 #include "../suricata-common.h"
25 #include "../app-layer.h"
26 #include "../app-layer-parser.h"
27 #include "../app-layer-htp.h"
28 #include "../util-unittest.h"
29 #include "../util-unittest-helper.h"
32 #include "../flow-util.h"
34 #include "../detect-isdataat.h"
35 #include "../detect-engine-build.h"
36 #include "../detect-engine-alert.h"
39 static int UriTestSig01(
void)
44 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
45 "User-Agent: Mozilla/1.0\r\n"
46 "Cookie: hellocatch\r\n\r\n";
47 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
48 uint8_t http_buf2[] =
"POST /oneself HTTP/1.0\r\n"
49 "User-Agent: Mozilla/1.0\r\n"
50 "Cookie: hellocatch\r\n\r\n";
51 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
60 memset(&f, 0,
sizeof(
Flow));
67 f.
proto = IPPROTO_TCP;
85 "(msg:\"Test uricontent option\"; "
86 "uricontent:\"one\"; sid:1;)");
97 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
102 if (http_state == NULL) {
103 printf(
"no http state: ");
111 printf(
"sig 1 alerted, but it should not: ");
118 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
123 if (http_state == NULL) {
124 printf(
"no http state: ");
129 printf(
"sig 1 alerted, but it should not: ");
155 static int UriTestSig02(
void)
160 uint8_t http_buf1[] =
"POST /on HTTP/1.0\r\n"
161 "User-Agent: Mozilla/1.0\r\n"
162 "Cookie: hellocatch\r\n\r\n";
163 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
164 uint8_t http_buf2[] =
"POST /one HTTP/1.0\r\n"
165 "User-Agent: Mozilla/1.0\r\n"
166 "Cookie: hellocatch\r\n\r\n";
167 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
176 memset(&f, 0,
sizeof(
Flow));
183 f.
proto = IPPROTO_TCP;
201 "(msg:\"Test pcre /U option\"; "
202 "pcre:/one/U; sid:1;)");
213 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
218 if (http_state == NULL) {
219 printf(
"no http state: ");
227 printf(
"sig 1 alerted with payload2, but it should not: ");
234 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
239 if (http_state == NULL) {
240 printf(
"no http state: ");
248 printf(
"sig 1 didnt alert, but it should: ");
271 static int UriTestSig03(
void)
276 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
277 "User-Agent: Mozilla/1.0\r\n"
278 "Cookie: hellocatch\r\n\r\n";
279 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
280 uint8_t http_buf2[] =
"POST /oneself HTTP/1.0\r\n"
281 "User-Agent: Mozilla/1.0\r\n"
282 "Cookie: hellocatch\r\n\r\n";
283 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
292 memset(&f, 0,
sizeof(
Flow));
299 f.
proto = IPPROTO_TCP;
317 "(msg:\"Test pcre /U option\"; "
318 "pcre:/blah/U; sid:1;)");
329 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
334 if (http_state == NULL) {
335 printf(
"no http state: ");
343 printf(
"sig 1 alerted, but it should not: ");
350 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
355 if (http_state == NULL) {
356 printf(
"no http state: ");
364 printf(
"sig 1 alerted, but it should not: ");
387 static int UriTestSig04(
void)
392 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
393 "User-Agent: Mozilla/1.0\r\n"
394 "Cookie: hellocatch\r\n\r\n";
395 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
396 uint8_t http_buf2[] =
"POST /oneself HTTP/1.0\r\n"
397 "User-Agent: Mozilla/1.0\r\n"
398 "Cookie: hellocatch\r\n\r\n";
399 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
408 memset(&f, 0,
sizeof(
Flow));
415 f.
proto = IPPROTO_TCP;
433 "(msg:\"Test urilen option\"; "
434 "urilen:>20; sid:1;)");
445 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
450 if (http_state == NULL) {
451 printf(
"no http state: ");
459 printf(
"sig 1 alerted, but it should not: ");
466 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
471 if (http_state == NULL) {
472 printf(
"no http state: ");
480 printf(
"sig 1 alerted, but it should not: ");
503 static int UriTestSig05(
void)
508 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
509 "User-Agent: Mozilla/1.0\r\n"
510 "Cookie: hellocatch\r\n\r\n";
511 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
512 uint8_t http_buf2[] =
"POST /oneself HTTP/1.0\r\n"
513 "User-Agent: Mozilla/1.0\r\n"
514 "Cookie: hellocatch\r\n\r\n";
515 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
524 memset(&f, 0,
sizeof(
Flow));
531 f.
proto = IPPROTO_TCP;
549 "(msg:\"Test urilen option\"; "
550 "urilen:>4; sid:1;)");
561 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
566 if (http_state == NULL) {
567 printf(
"no http state: ");
575 printf(
"sig 1 alerted, but it should not: ");
582 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
587 if (http_state == NULL) {
588 printf(
"no http state: ");
596 printf(
"sig 1 didnt alert with payload2, but it should: ");
619 static int UriTestSig06(
void)
624 uint8_t http_buf1[] =
"POST /oneoneoneone HTTP/1.0\r\n"
625 "User-Agent: Mozilla/1.0\r\n"
626 "Cookie: hellocatch\r\n\r\n";
627 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
628 uint8_t http_buf2[] =
"POST /oneself HTTP/1.0\r\n"
629 "User-Agent: Mozilla/1.0\r\n"
630 "Cookie: hellocatch\r\n\r\n";
631 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
640 memset(&f, 0,
sizeof(
Flow));
647 f.
proto = IPPROTO_TCP;
665 "(msg:\"Test pcre /U option\"; "
666 "pcre:/(oneself)+/U; sid:1;)");
677 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
682 if (http_state == NULL) {
683 printf(
"no http state: ");
691 printf(
"sig 1 alerted, but it should not: ");
698 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
703 if (http_state == NULL) {
704 printf(
"no http state: ");
712 printf(
"sig 1 didnt alert on payload2, but it should: ");
735 static int UriTestSig07(
void)
740 uint8_t http_buf1[] =
"POST /oneoneoneone HTTP/1.0\r\n"
741 "User-Agent: Mozilla/1.0\r\n"
742 "Cookie: hellocatch\r\n\r\n";
743 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
744 uint8_t http_buf2[] =
"POST /oneoneself HTTP/1.0\r\n"
745 "User-Agent: Mozilla/1.0\r\n"
746 "Cookie: hellocatch\r\n\r\n";
747 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
756 memset(&f, 0,
sizeof(
Flow));
763 f.
proto = IPPROTO_TCP;
781 "(msg:\"Test pcre /U option with urilen \"; "
782 "pcre:/(one){2,}(self)?/U; urilen:3<>20; sid:1;)");
793 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
798 if (http_state == NULL) {
799 printf(
"no http state: ");
807 printf(
"sig 1 didnt alert, but it should: ");
814 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
819 if (http_state == NULL) {
820 printf(
"no http state: ");
828 printf(
"sig 1 didnt alert with payload2, but it should: ");
851 static int UriTestSig08(
void)
856 uint8_t http_buf1[] =
"POST /oneoneoneone HTTP/1.0\r\n"
857 "User-Agent: Mozilla/1.0\r\n"
858 "Cookie: hellocatch\r\n\r\n";
859 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
860 uint8_t http_buf2[] =
"POST /oneoneself HTTP/1.0\r\n"
861 "User-Agent: Mozilla/1.0\r\n"
862 "Cookie: hellocatch\r\n\r\n";
863 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
872 memset(&f, 0,
sizeof(
Flow));
879 f.
proto = IPPROTO_TCP;
897 "(msg:\"Test pcre /U option with urilen\"; "
898 "pcre:/(blabla){2,}(self)?/U; urilen:3<>20; sid:1;)");
909 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
914 if (http_state == NULL) {
915 printf(
"no http state: ");
923 printf(
"sig 1 alerted, but it should not: ");
930 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
935 if (http_state == NULL) {
936 printf(
"no http state: ");
944 printf(
"sig 1 alerted, but it should not: ");
967 static int UriTestSig09(
void)
972 uint8_t http_buf1[] =
"POST /oneoneoneone HTTP/1.0\r\n"
973 "User-Agent: Mozilla/1.0\r\n"
974 "Cookie: hellocatch\r\n\r\n";
975 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
976 uint8_t http_buf2[] =
"POST /oneoneself HTTP/1.0\r\n"
977 "User-Agent: Mozilla/1.0\r\n"
978 "Cookie: hellocatch\r\n\r\n";
979 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
988 memset(&f, 0,
sizeof(
Flow));
995 f.
proto = IPPROTO_TCP;
1013 "(msg:\"Test pcre /U option with urilen \"; "
1014 "pcre:/(one){2,}(self)?/U; urilen:<2; sid:1;)");
1025 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1030 if (http_state == NULL) {
1031 printf(
"no http state: ");
1039 printf(
"sig 1 alerted, but it should not: ");
1046 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1051 if (http_state == NULL) {
1052 printf(
"no http state: ");
1060 printf(
"sig 1 alerted, but it should not: ");
1069 if (det_ctx != NULL)
1083 static int UriTestSig12(
void)
1088 uint8_t http_buf1[] =
"POST /oneoneoneone HTTP/1.0\r\n"
1089 "User-Agent: Mozilla/1.0\r\n"
1090 "Cookie: hellocatch\r\n\r\n";
1091 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
1092 uint8_t http_buf2[] =
"POST /oneoneself HTTP/1.0\r\n"
1093 "User-Agent: Mozilla/1.0\r\n"
1094 "Cookie: hellocatch\r\n\r\n";
1095 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
1104 memset(&f, 0,
sizeof(
Flow));
1111 f.
proto = IPPROTO_TCP;
1129 "(msg:\"Test pcre /U, uricontent and urilen option\"; "
1130 "uricontent:\"one\"; "
1131 "pcre:/(one)+self/U; urilen:>2; sid:1;)");
1142 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1147 if (http_state == NULL) {
1148 printf(
"no http state: ");
1156 printf(
"sig 1 alerted, but it should not: ");
1163 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1168 if (http_state == NULL) {
1169 printf(
"no http state: ");
1177 printf(
"sig 1 didnt alert with payload2, but it should: ");
1186 if (det_ctx != NULL)
1200 static int UriTestSig13(
void)
1205 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
1206 "User-Agent: Mozilla/1.0\r\n"
1207 "Cookie: hellocatch\r\n\r\n";
1208 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
1209 uint8_t http_buf2[] =
"POST /oneself HTTP/1.0\r\n"
1210 "User-Agent: Mozilla/1.0\r\n"
1211 "Cookie: hellocatch\r\n\r\n";
1212 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
1221 memset(&f, 0,
sizeof(
Flow));
1228 f.
proto = IPPROTO_TCP;
1246 "(msg:\"Test urilen option\"; "
1247 "urilen:>2; uricontent:\"one\"; sid:1;)");
1258 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1263 if (http_state == NULL) {
1264 printf(
"no http state: ");
1272 printf(
"sig 1 didnt alert with pkt, but it should: ");
1279 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1284 if (http_state == NULL) {
1285 printf(
"no http state: ");
1294 printf(
"sig 1 didnt alert with payload2, but it should: ");
1303 if (det_ctx != NULL)
1317 static int UriTestSig14(
void)
1322 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
1323 "User-Agent: Mozilla/1.0\r\n"
1324 "Cookie: hellocatch\r\n\r\n";
1325 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
1326 uint8_t http_buf2[] =
"POST /oneself HTTP/1.0\r\n"
1327 "User-Agent: Mozilla/1.0\r\n"
1328 "Cookie: hellocatch\r\n\r\n";
1329 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
1338 memset(&f, 0,
sizeof(
Flow));
1345 f.
proto = IPPROTO_TCP;
1363 "(msg:\"Test uricontent option\"; "
1364 "uricontent:\"one\"; pcre:/one(self)?/U;sid:1;)");
1375 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1380 if (http_state == NULL) {
1381 printf(
"no http state: ");
1389 printf(
"sig 1 didnt alert with pkt, but it should: ");
1396 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1401 if (http_state == NULL) {
1402 printf(
"no http state: ");
1411 printf(
"sig 1 didnt alert with payload2, but it should: ");
1420 if (det_ctx != NULL)
1434 static int UriTestSig15(
void)
1439 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
1440 "User-Agent: Mozilla/1.0\r\n"
1441 "Cookie: hellocatch\r\n\r\n";
1442 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
1443 uint8_t http_buf2[] =
"POST /oneself HTTP/1.0\r\n"
1444 "User-Agent: Mozilla/1.0\r\n"
1445 "Cookie: hellocatch\r\n\r\n";
1446 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
1455 memset(&f, 0,
sizeof(
Flow));
1462 f.
proto = IPPROTO_TCP;
1480 "(msg:\"Test uricontent option\"; "
1481 "uricontent:\"one\"; pcre:/^\\/one(self)?$/U;sid:1;)");
1492 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1497 if (http_state == NULL) {
1498 printf(
"no http state: ");
1506 printf(
"sig 1 didnt alert with pkt, but it should: ");
1513 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1518 if (http_state == NULL) {
1519 printf(
"no http state: ");
1528 printf(
"sig 1 didnt alert with payload2, but it should: ");
1537 if (det_ctx != NULL)
1551 static int UriTestSig16(
void)
1554 uint8_t http_buf1[] =
"POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
1555 "User-Agent: Mozilla/1.0/\r\n"
1556 "Host: 1.2.3.4\r\n\r\n";
1557 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
1558 uint8_t http_buf2[] =
"POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
1559 "User-Agent: Mozilla/1.0\r\n"
1560 "Cookie: hellocatch\r\n\r\n";
1561 uint32_t http_buf2_len =
sizeof(http_buf2) - 1;
1577 f->
proto = IPPROTO_TCP;
1592 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"drop tcp any any -> any any (flow:to_server,established; uricontent:\"/search?q=\"; pcre:\"/^\\/search\\?q=[0-9]{1,3}(&aq=7(\\?[0-9a-f]{8})?)?/U\"; pcre:\"/\\x0d\\x0aHost\\: \\d+\\.\\d+\\.\\d+\\.\\d+\\x0d\\x0a/\"; sid:2009024; rev:9;)");
1641 static int UriTestSig17(
void)
1644 uint8_t *http_buf = (uint8_t *)
"POST /now_this_is_is_big_big_string_now HTTP/1.0\r\n"
1645 "User-Agent: Mozilla/1.0\r\n";
1646 uint32_t http_buf_len = strlen((
char *)http_buf);
1656 memset(&f, 0,
sizeof(
Flow));
1663 f.
proto = IPPROTO_TCP;
1681 "(msg:\"test multiple relative uricontents\"; "
1682 "uricontent:\"this\"; uricontent:\"is\"; within:6; "
1683 "uricontent:\"big\"; within:8; "
1684 "uricontent:\"string\"; within:8; sid:1;)");
1695 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1700 if (http_state == NULL) {
1701 printf(
"no http state: ");
1709 printf(
"sig 1 alerted, but it should not: ");
1718 if (det_ctx != NULL)
1734 static int UriTestSig18(
void)
1737 uint8_t *http_buf = (uint8_t *)
"POST /now_this_is_is_is_big_big_big_string_now HTTP/1.0\r\n"
1738 "User-Agent: Mozilla/1.0\r\n";
1739 uint32_t http_buf_len = strlen((
char *)http_buf);
1749 memset(&f, 0,
sizeof(
Flow));
1756 f.
proto = IPPROTO_TCP;
1774 "(msg:\"test multiple relative uricontents\"; "
1775 "uricontent:\"this\"; uricontent:\"is\"; within:9; "
1776 "uricontent:\"big\"; within:12; "
1777 "uricontent:\"string\"; within:8; sid:1;)");
1788 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1793 if (http_state == NULL) {
1794 printf(
"no http state: ");
1802 printf(
"sig 1 alerted, but it should not: ");
1811 if (det_ctx != NULL)
1827 static int UriTestSig19(
void)
1830 uint8_t *http_buf = (uint8_t *)
"POST /this_this_now_is_is_____big_string_now HTTP/1.0\r\n"
1831 "User-Agent: Mozilla/1.0\r\n";
1832 uint32_t http_buf_len = strlen((
char *)http_buf);
1842 memset(&f, 0,
sizeof(
Flow));
1849 f.
proto = IPPROTO_TCP;
1867 "(msg:\"test multiple relative uricontents\"; "
1868 "uricontent:\"now\"; uricontent:\"this\"; "
1869 "uricontent:\"is\"; within:12; "
1870 "uricontent:\"big\"; within:8; "
1871 "uricontent:\"string\"; within:8; sid:1;)");
1882 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1887 if (http_state == NULL) {
1888 printf(
"no http state: ");
1896 printf(
"sig 1 alerted, but it should not: ");
1905 if (det_ctx != NULL)
1921 static int UriTestSig20(
void)
1924 uint8_t *http_buf = (uint8_t *)
"POST /_________thus_thus_is_a_big HTTP/1.0\r\n"
1925 "User-Agent: Mozilla/1.0\r\n";
1926 uint32_t http_buf_len = strlen((
char *)http_buf);
1936 memset(&f, 0,
sizeof(
Flow));
1943 f.
proto = IPPROTO_TCP;
1961 "(msg:\"test multiple relative uricontents\"; "
1962 "uricontent:\"thus\"; offset:8; "
1963 "uricontent:\"is\"; within:6; "
1964 "uricontent:\"big\"; within:8; sid:1;)");
1975 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
1980 if (http_state == NULL) {
1981 printf(
"no http state: ");
1989 printf(
"sig 1 alerted, but it should not: ");
1998 if (det_ctx != NULL)
2014 static int UriTestSig21(
void)
2017 uint8_t *http_buf = (uint8_t *)
"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2018 "User-Agent: Mozilla/1.0\r\n";
2019 uint32_t http_buf_len = strlen((
char *)http_buf);
2029 memset(&f, 0,
sizeof(
Flow));
2036 f.
proto = IPPROTO_TCP;
2054 "(msg:\"test multiple relative uricontents\"; "
2055 "uricontent:\"fix\"; uricontent:\"this\"; within:6; "
2056 "uricontent:!\"and\"; distance:0; sid:1;)");
2067 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2072 if (http_state == NULL) {
2073 printf(
"no http state: ");
2081 printf(
"sig 1 alerted, but it should not: ");
2090 if (det_ctx != NULL)
2106 static int UriTestSig22(
void)
2109 uint8_t *http_buf = (uint8_t *)
"POST /this_is_a_super_duper_"
2110 "nova_in_super_nova_now HTTP/1.0\r\n"
2111 "User-Agent: Mozilla/1.0\r\n";
2112 uint32_t http_buf_len = strlen((
char *)http_buf);
2122 memset(&f, 0,
sizeof(
Flow));
2129 f.
proto = IPPROTO_TCP;
2147 "(msg:\"test multiple relative uricontents\"; "
2148 "pcre:/super/U; uricontent:\"nova\"; within:7; sid:1;)");
2159 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2164 if (http_state == NULL) {
2165 printf(
"no http state: ");
2173 printf(
"sig 1 didn't alert, but it should have: ");
2182 if (det_ctx != NULL)
2198 static int UriTestSig23(
void)
2201 uint8_t *http_buf = (uint8_t *)
"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2202 "User-Agent: Mozilla/1.0\r\n";
2203 uint32_t http_buf_len = strlen((
char *)http_buf);
2213 memset(&f, 0,
sizeof(
Flow));
2220 f.
proto = IPPROTO_TCP;
2238 "(msg:\"test multiple relative uricontents\"; "
2239 "uricontent:!\"fix_this_now\"; sid:1;)");
2250 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2255 if (http_state == NULL) {
2256 printf(
"no http state: ");
2264 printf(
"sig 1 alerted, but it should not: ");
2273 if (det_ctx != NULL)
2289 static int UriTestSig24(
void)
2292 uint8_t *http_buf = (uint8_t *)
"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2293 "User-Agent: Mozilla/1.0\r\n";
2294 uint32_t http_buf_len = strlen((
char *)http_buf);
2304 memset(&f, 0,
sizeof(
Flow));
2311 f.
proto = IPPROTO_TCP;
2329 "(msg:\"test multiple relative uricontents\"; "
2330 "uricontent:\"we_need_to\"; uricontent:!\"fix_this_now\"; sid:1;)");
2341 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2346 if (http_state == NULL) {
2347 printf(
"no http state: ");
2355 printf(
"sig 1 alerted, but it should not: ");
2364 if (det_ctx != NULL)
2380 static int UriTestSig25(
void)
2383 uint8_t *http_buf = (uint8_t *)
"POST /normalized%20uri "
2384 "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
2385 uint32_t http_buf_len = strlen((
char *)http_buf);
2395 memset(&f, 0,
sizeof(
Flow));
2402 f.
proto = IPPROTO_TCP;
2420 "(msg:\"test multiple relative uricontents\"; "
2421 "pcre:/normalized/U; uricontent:\"normalized uri\"; sid:1;)");
2432 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2437 if (http_state == NULL) {
2438 printf(
"no http state: ");
2446 printf(
"sig 1 didn't alert, but it should have: ");
2455 if (det_ctx != NULL)
2471 static int UriTestSig26(
void)
2474 uint8_t *http_buf = (uint8_t *)
"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2475 "User-Agent: Mozilla/1.0\r\n";
2476 uint32_t http_buf_len = strlen((
char *)http_buf);
2486 memset(&f, 0,
sizeof(
Flow));
2493 f.
proto = IPPROTO_TCP;
2511 "(msg:\"test multiple relative uricontents\"; "
2512 "uricontent:\"fix_this\"; isdataat:4,relative; sid:1;)");
2523 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2528 if (http_state == NULL) {
2529 printf(
"no http state: ");
2537 printf(
"sig 1 didn't alert, but it should have: ");
2546 if (det_ctx != NULL)
2562 static int UriTestSig27(
void)
2564 uint8_t *http_buf = (uint8_t *)
"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2565 "User-Agent: Mozilla/1.0\r\n";
2566 uint32_t http_buf_len = strlen((
char *)http_buf);
2575 memset(&f, 0,
sizeof(
Flow));
2583 f.
proto = IPPROTO_TCP;
2599 "alert tcp any any -> any any ("
2600 "uricontent:\"fix_this\"; isdataat:!10,relative; sid:1;)");
2626 static int UriTestSig28(
void)
2629 uint8_t *http_buf = (uint8_t *)
"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2630 "User-Agent: Mozilla/1.0\r\n";
2631 uint32_t http_buf_len = strlen((
char *)http_buf);
2641 memset(&f, 0,
sizeof(
Flow));
2648 f.
proto = IPPROTO_TCP;
2666 "alert tcp any any -> any any (msg:\"dummy\"; "
2667 "uricontent:\"this\"; "
2668 "byte_extract:1,2,one,string,dec,relative; "
2669 "uricontent:\"ring\"; distance:one; sid:1;)");
2680 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2685 if (http_state == NULL) {
2686 printf(
"no http state: ");
2694 printf(
"sig 1 didn't alert, but should have: ");
2703 if (det_ctx != NULL)
2716 static int UriTestSig29(
void)
2719 uint8_t *http_buf = (uint8_t *)
"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2720 "User-Agent: Mozilla/1.0\r\n";
2721 uint32_t http_buf_len = strlen((
char *)http_buf);
2731 memset(&f, 0,
sizeof(
Flow));
2738 f.
proto = IPPROTO_TCP;
2756 "alert tcp any any -> any any (msg:\"dummy\"; "
2757 "uricontent:\"this\"; "
2758 "byte_extract:1,2,one,string,dec,relative; "
2759 "uricontent:\"ring\"; distance:one; sid:1;)");
2770 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2775 if (http_state == NULL) {
2776 printf(
"no http state: ");
2784 printf(
"sig 1 didn't alert, but should have: ");
2793 if (det_ctx != NULL)
2806 static int UriTestSig30(
void)
2809 uint8_t *http_buf = (uint8_t *)
"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2810 "User-Agent: Mozilla/1.0\r\n";
2811 uint32_t http_buf_len = strlen((
char *)http_buf);
2821 memset(&f, 0,
sizeof(
Flow));
2828 f.
proto = IPPROTO_TCP;
2846 "alert tcp any any -> any any (msg:\"dummy\"; "
2847 "uricontent:\"this\"; "
2848 "byte_extract:1,2,one,string,dec,relative; "
2849 "uricontent:\"_b5ig\"; offset:one; sid:1;)");
2860 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2865 if (http_state == NULL) {
2866 printf(
"no http state: ");
2874 printf(
"sig 1 didn't alert, but should have: ");
2883 if (det_ctx != NULL)
2896 static int UriTestSig31(
void)
2899 uint8_t *http_buf = (uint8_t *)
"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2900 "User-Agent: Mozilla/1.0\r\n";
2901 uint32_t http_buf_len = strlen((
char *)http_buf);
2911 memset(&f, 0,
sizeof(
Flow));
2918 f.
proto = IPPROTO_TCP;
2936 "alert tcp any any -> any any (msg:\"dummy\"; "
2937 "uricontent:\"this\"; "
2938 "byte_extract:1,2,one,string,dec,relative; "
2939 "uricontent:\"his\"; depth:one; sid:1;)");
2950 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
2955 if (http_state == NULL) {
2956 printf(
"no http state: ");
2964 printf(
"sig 1 didn't alert, but should have: ");
2973 if (det_ctx != NULL)
2986 static int UriTestSig32(
void)
2989 uint8_t *http_buf = (uint8_t *)
"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2990 "User-Agent: Mozilla/1.0\r\n";
2991 uint32_t http_buf_len = strlen((
char *)http_buf);
3001 memset(&f, 0,
sizeof(
Flow));
3008 f.
proto = IPPROTO_TCP;
3026 "alert tcp any any -> any any (msg:\"dummy\"; "
3027 "uricontent:\"this\"; "
3028 "byte_extract:1,2,one,string,dec,relative; "
3029 "uricontent:\"g_st\"; within:one; sid:1;)");
3040 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3045 if (http_state == NULL) {
3046 printf(
"no http state: ");
3054 printf(
"sig 1 didn't alert, but should have: ");
3063 if (det_ctx != NULL)
3076 static int UriTestSig33(
void)
3079 uint8_t *http_buf = (uint8_t *)
"POST /normalized%20uri "
3080 "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3081 uint32_t http_buf_len = strlen((
char *)http_buf);
3091 memset(&f, 0,
sizeof(
Flow));
3098 f.
proto = IPPROTO_TCP;
3116 "(msg:\"test multiple relative uricontents\"; "
3117 "urilen:15; sid:1;)");
3128 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3133 if (http_state == NULL) {
3134 printf(
"no http state: ");
3142 printf(
"sig 1 didn't alert, but it should have: ");
3151 if (det_ctx != NULL)
3164 static int UriTestSig34(
void)
3167 uint8_t *http_buf = (uint8_t *)
"POST /normalized%20uri "
3168 "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3169 uint32_t http_buf_len = strlen((
char *)http_buf);
3179 memset(&f, 0,
sizeof(
Flow));
3186 f.
proto = IPPROTO_TCP;
3204 "(msg:\"test multiple relative uricontents\"; "
3205 "urilen:15, norm; sid:1;)");
3216 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3221 if (http_state == NULL) {
3222 printf(
"no http state: ");
3230 printf(
"sig 1 didn't alert, but it should have: ");
3239 if (det_ctx != NULL)
3252 static int UriTestSig35(
void)
3255 uint8_t *http_buf = (uint8_t *)
"POST /normalized%20uri "
3256 "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3257 uint32_t http_buf_len = strlen((
char *)http_buf);
3267 memset(&f, 0,
sizeof(
Flow));
3274 f.
proto = IPPROTO_TCP;
3292 "(msg:\"test multiple relative uricontents\"; "
3293 "urilen:16; sid:1;)");
3304 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3309 if (http_state == NULL) {
3310 printf(
"no http state: ");
3318 printf(
"sig 1 alerted, but it shouldn't have: ");
3327 if (det_ctx != NULL)
3340 static int UriTestSig36(
void)
3343 uint8_t *http_buf = (uint8_t *)
"POST /normalized%20uri "
3344 "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3345 uint32_t http_buf_len = strlen((
char *)http_buf);
3355 memset(&f, 0,
sizeof(
Flow));
3362 f.
proto = IPPROTO_TCP;
3380 "(msg:\"test multiple relative uricontents\"; "
3381 "urilen:16, norm; sid:1;)");
3392 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3397 if (http_state == NULL) {
3398 printf(
"no http state: ");
3406 printf(
"sig 1 alerted, but it shouldn't have: ");
3415 if (det_ctx != NULL)
3428 static int UriTestSig37(
void)
3431 uint8_t *http_buf = (uint8_t *)
"POST /normalized%20uri "
3432 "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3433 uint32_t http_buf_len = strlen((
char *)http_buf);
3443 memset(&f, 0,
sizeof(
Flow));
3450 f.
proto = IPPROTO_TCP;
3468 "(msg:\"test multiple relative uricontents\"; "
3469 "urilen:17, raw; sid:1;)");
3480 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3485 if (http_state == NULL) {
3486 printf(
"no http state: ");
3494 printf(
"sig 1 didn't alert, but it should have: ");
3503 if (det_ctx != NULL)
3516 static int UriTestSig38(
void)
3519 uint8_t *http_buf = (uint8_t *)
"POST /normalized%20uri "
3520 "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3521 uint32_t http_buf_len = strlen((
char *)http_buf);
3531 memset(&f, 0,
sizeof(
Flow));
3538 f.
proto = IPPROTO_TCP;
3556 "(msg:\"test multiple relative uricontents\"; "
3557 "urilen:18, raw; sid:1;)");
3568 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3573 if (http_state == NULL) {
3574 printf(
"no http state: ");
3582 printf(
"sig 1 alerted, but it shouldn't have: ");
3591 if (det_ctx != NULL)
3604 static int DetectHttpUriIsdataatParseTest(
void)
3611 "content:\"one\"; http_uri; "
3612 "isdataat:!4,relative; sid:1;)");
3628 static int DetectEngineHttpRawUriTest01(
void)
3638 uint8_t http1_buf[] =
3640 uint8_t http2_buf[] =
3641 "/./d.html HTTP/1.1\r\n"
3642 "Host: www.openinfosecfoundation.org\r\n"
3643 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3644 "Content-Type: text/html\r\n"
3645 "Content-Length: 46\r\n"
3647 "This is dummy body1"
3648 "This is dummy message body2";
3649 uint32_t http1_len =
sizeof(http1_buf) - 1;
3650 uint32_t http2_len =
sizeof(http2_buf) - 1;
3654 memset(&th_v, 0,
sizeof(th_v));
3655 memset(&f, 0,
sizeof(f));
3656 memset(&ssn, 0,
sizeof(ssn));
3663 f.
proto = IPPROTO_TCP;
3685 "(msg:\"http raw uri test\"; "
3686 "content:\"../c/./d\"; http_raw_uri; "
3697 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3703 if (http_state == NULL) {
3704 printf(
"no http state: \n");
3713 printf(
"sid 1 matched but shouldn't have\n");
3720 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
3729 printf(
"sid 1 didn't match but should have");
3752 static int DetectEngineHttpRawUriTest02(
void)
3762 uint8_t http1_buf[] =
3763 "GET /../a/b/../c/./d.html HTTP/1.0\r\n"
3764 "Host: www.openinfosecfoundation.org\r\n"
3765 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3766 "Content-Type: text/html\r\n"
3767 "Content-Length: 19\r\n"
3769 "This is dummy body1";
3770 uint32_t http1_len =
sizeof(http1_buf) - 1;
3774 memset(&th_v, 0,
sizeof(th_v));
3775 memset(&f, 0,
sizeof(f));
3776 memset(&ssn, 0,
sizeof(ssn));
3783 f.
proto = IPPROTO_TCP;
3805 "(msg:\"http raw uri test\"; "
3806 "content:\"/c/./d\"; http_raw_uri; offset:5; "
3817 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3823 if (http_state == NULL) {
3824 printf(
"no http state: \n");
3833 printf(
"sid 1 didn't match but should have\n");
3856 static int DetectEngineHttpRawUriTest03(
void)
3866 uint8_t http1_buf[] =
3868 uint8_t http2_buf[] =
3869 "c/./d.html HTTP/1.0\r\n"
3870 "Host: www.openinfosecfoundation.org\r\n"
3871 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3872 "Content-Type: text/html\r\n"
3873 "Content-Length: 46\r\n"
3875 "This is dummy body1"
3876 "This is dummy message body2";
3877 uint32_t http1_len =
sizeof(http1_buf) - 1;
3878 uint32_t http2_len =
sizeof(http2_buf) - 1;
3882 memset(&th_v, 0,
sizeof(th_v));
3883 memset(&f, 0,
sizeof(f));
3884 memset(&ssn, 0,
sizeof(ssn));
3891 f.
proto = IPPROTO_TCP;
3913 "(msg:\"http raw uri test\"; "
3914 "content:\"/a/b\"; http_raw_uri; offset:10; "
3925 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3931 if (http_state == NULL) {
3932 printf(
"no http state: \n");
3941 printf(
"sid 1 matched but shouldn't have\n");
3948 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
3957 printf(
"sid 1 didn't match but should have");
3980 static int DetectEngineHttpRawUriTest04(
void)
3990 uint8_t http1_buf[] =
3992 uint8_t http2_buf[] =
3993 "c/./d.html HTTP/1.0\r\n"
3994 "Host: www.openinfosecfoundation.org\r\n"
3995 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3996 "Content-Type: text/html\r\n"
3997 "Content-Length: 46\r\n"
3999 "This is dummy body1"
4000 "This is dummy message body2";
4001 uint32_t http1_len =
sizeof(http1_buf) - 1;
4002 uint32_t http2_len =
sizeof(http2_buf) - 1;
4006 memset(&th_v, 0,
sizeof(th_v));
4007 memset(&f, 0,
sizeof(f));
4008 memset(&ssn, 0,
sizeof(ssn));
4015 f.
proto = IPPROTO_TCP;
4037 "(msg:\"http raw uri test\"; "
4038 "content:!\"/a/b\"; http_raw_uri; offset:10; "
4049 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4055 if (http_state == NULL) {
4056 printf(
"no http state: \n");
4065 printf(
"sid 1 matched but shouldn't have\n");
4072 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
4081 printf(
"sid 1 didn't match but should have");
4104 static int DetectEngineHttpRawUriTest05(
void)
4114 uint8_t http1_buf[] =
4116 uint8_t http2_buf[] =
4117 "../c/./d.html HTTP/1.0\r\n"
4118 "Host: www.openinfosecfoundation.org\r\n"
4119 "Content-Type: text/html\r\n"
4120 "Content-Length: 46\r\n"
4122 "This is dummy body1"
4123 "This is dummy message body2";
4124 uint32_t http1_len =
sizeof(http1_buf) - 1;
4125 uint32_t http2_len =
sizeof(http2_buf) - 1;
4129 memset(&th_v, 0,
sizeof(th_v));
4130 memset(&f, 0,
sizeof(f));
4131 memset(&ssn, 0,
sizeof(ssn));
4138 f.
proto = IPPROTO_TCP;
4160 "(msg:\"http raw uri test\"; "
4161 "content:\"a/b\"; http_raw_uri; depth:10; "
4172 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4178 if (http_state == NULL) {
4179 printf(
"no http state: \n");
4188 printf(
"sid 1 matched but shouldn't have\n");
4195 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
4204 printf(
"sid 1 didn't match but should have");
4227 static int DetectEngineHttpRawUriTest06(
void)
4237 uint8_t http1_buf[] =
4239 uint8_t http2_buf[] =
4240 "../c/./d.html HTTP/1.0\r\n"
4241 "Host: www.openinfosecfoundation.org\r\n"
4242 "Content-Type: text/html\r\n"
4243 "Content-Length: 46\r\n"
4245 "This is dummy body1"
4246 "This is dummy message body2";
4247 uint32_t http1_len =
sizeof(http1_buf) - 1;
4248 uint32_t http2_len =
sizeof(http2_buf) - 1;
4252 memset(&th_v, 0,
sizeof(th_v));
4253 memset(&f, 0,
sizeof(f));
4254 memset(&ssn, 0,
sizeof(ssn));
4261 f.
proto = IPPROTO_TCP;
4283 "(msg:\"http raw uri test\"; "
4284 "content:!\"/a/b\"; http_raw_uri; depth:25; "
4295 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4301 if (http_state == NULL) {
4302 printf(
"no http state: \n");
4311 printf(
"sid 1 matched but shouldn't have\n");
4318 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
4327 printf(
"sid 1 matched but shouldn't have");
4350 static int DetectEngineHttpRawUriTest07(
void)
4360 uint8_t http1_buf[] =
4362 uint8_t http2_buf[] =
4363 "../c/./d.html HTTP/1.0\r\n"
4364 "Host: www.openinfosecfoundation.org\r\n"
4365 "Content-Type: text/html\r\n"
4366 "Content-Length: 46\r\n"
4368 "This is dummy body1"
4369 "This is dummy message body2";
4370 uint32_t http1_len =
sizeof(http1_buf) - 1;
4371 uint32_t http2_len =
sizeof(http2_buf) - 1;
4375 memset(&th_v, 0,
sizeof(th_v));
4376 memset(&f, 0,
sizeof(f));
4377 memset(&ssn, 0,
sizeof(ssn));
4384 f.
proto = IPPROTO_TCP;
4406 "(msg:\"http raw uri test\"; "
4407 "content:!\"/c/./d\"; http_raw_uri; depth:12; "
4418 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4424 if (http_state == NULL) {
4425 printf(
"no http state: \n");
4434 printf(
"sid 1 matched but shouldn't have\n");
4441 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
4450 printf(
"sid 1 didn't match but should have");
4473 static int DetectEngineHttpRawUriTest08(
void)
4483 uint8_t http1_buf[] =
4485 uint8_t http2_buf[] =
4486 "b/../c/./d.html HTTP/1.0\r\n"
4487 "Host: www.openinfosecfoundation.org\r\n"
4488 "Content-Type: text/html\r\n"
4489 "Content-Length: 46\r\n"
4491 "This is dummy body1"
4492 "This is dummy message body2";
4493 uint32_t http1_len =
sizeof(http1_buf) - 1;
4494 uint32_t http2_len =
sizeof(http2_buf) - 1;
4498 memset(&th_v, 0,
sizeof(th_v));
4499 memset(&f, 0,
sizeof(f));
4500 memset(&ssn, 0,
sizeof(ssn));
4507 f.
proto = IPPROTO_TCP;
4529 "(msg:\"http raw uri test\"; "
4530 "content:!\"/c/./d\"; http_raw_uri; depth:18; "
4541 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4547 if (http_state == NULL) {
4548 printf(
"no http state: \n");
4557 printf(
"sid 1 matched but shouldn't have\n");
4564 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
4573 printf(
"sid 1 matched but shouldn't have");
4596 static int DetectEngineHttpRawUriTest09(
void)
4606 uint8_t http1_buf[] =
4608 uint8_t http2_buf[] =
4609 "/b/../c/./d.html HTTP/1.0\r\n"
4610 "Host: www.openinfosecfoundation.org\r\n"
4611 "Content-Type: text/html\r\n"
4612 "Content-Length: 46\r\n"
4614 "This is dummy body1"
4615 "This is dummy message body2";
4616 uint32_t http1_len =
sizeof(http1_buf) - 1;
4617 uint32_t http2_len =
sizeof(http2_buf) - 1;
4621 memset(&th_v, 0,
sizeof(th_v));
4622 memset(&f, 0,
sizeof(f));
4623 memset(&ssn, 0,
sizeof(ssn));
4630 f.
proto = IPPROTO_TCP;
4652 "(msg:\"http raw uri test\"; "
4653 "content:\"/a\"; http_raw_uri; "
4654 "content:\"./c/.\"; http_raw_uri; within:9; "
4665 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4671 if (http_state == NULL) {
4672 printf(
"no http state: \n");
4681 printf(
"sid 1 matched but shouldn't have\n");
4688 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
4697 printf(
"sid 1 didn't match but should have");
4720 static int DetectEngineHttpRawUriTest10(
void)
4730 uint8_t http1_buf[] =
4732 uint8_t http2_buf[] =
4733 "/b/../c/./d.html HTTP/1.0\r\n"
4734 "Host: www.openinfosecfoundation.org\r\n"
4735 "Content-Type: text/html\r\n"
4736 "Content-Length: 46\r\n"
4738 "This is dummy body1"
4739 "This is dummy message body2";
4740 uint32_t http1_len =
sizeof(http1_buf) - 1;
4741 uint32_t http2_len =
sizeof(http2_buf) - 1;
4745 memset(&th_v, 0,
sizeof(th_v));
4746 memset(&f, 0,
sizeof(f));
4747 memset(&ssn, 0,
sizeof(ssn));
4754 f.
proto = IPPROTO_TCP;
4776 "(msg:\"http raw uri test\"; "
4777 "content:\"/a\"; http_raw_uri; "
4778 "content:!\"boom\"; http_raw_uri; within:5; "
4789 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4795 if (http_state == NULL) {
4796 printf(
"no http state: \n");
4805 printf(
"sid 1 matched but shouldn't have\n");
4812 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
4821 printf(
"sid 1 didn't match but should have");
4844 static int DetectEngineHttpRawUriTest11(
void)
4854 uint8_t http1_buf[] =
4856 uint8_t http2_buf[] =
4857 "/b/../c/./d.html HTTP/1.0\r\n"
4858 "Host: www.openinfosecfoundation.org\r\n"
4859 "Content-Type: text/html\r\n"
4860 "Content-Length: 46\r\n"
4862 "This is dummy body1"
4863 "This is dummy message body2";
4864 uint32_t http1_len =
sizeof(http1_buf) - 1;
4865 uint32_t http2_len =
sizeof(http2_buf) - 1;
4869 memset(&th_v, 0,
sizeof(th_v));
4870 memset(&f, 0,
sizeof(f));
4871 memset(&ssn, 0,
sizeof(ssn));
4878 f.
proto = IPPROTO_TCP;
4900 "(msg:\"http raw uri test\"; "
4901 "content:\"./a\"; http_raw_uri; "
4902 "content:\"boom\"; http_raw_uri; within:5; "
4913 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4919 if (http_state == NULL) {
4920 printf(
"no http state: \n");
4929 printf(
"sid 1 matched but shouldn't have\n");
4936 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
4945 printf(
"sid 1 matched but shouldn't have");
4968 static int DetectEngineHttpRawUriTest12(
void)
4978 uint8_t http1_buf[] =
4980 uint8_t http2_buf[] =
4981 "/b/../c/./d.html HTTP/1.0\r\n"
4982 "Host: www.openinfosecfoundation.org\r\n"
4983 "Content-Type: text/html\r\n"
4984 "Content-Length: 46\r\n"
4986 "This is dummy body1"
4987 "This is dummy message body2";
4988 uint32_t http1_len =
sizeof(http1_buf) - 1;
4989 uint32_t http2_len =
sizeof(http2_buf) - 1;
4993 memset(&th_v, 0,
sizeof(th_v));
4994 memset(&f, 0,
sizeof(f));
4995 memset(&ssn, 0,
sizeof(ssn));
5002 f.
proto = IPPROTO_TCP;
5024 "(msg:\"http raw uri test\"; "
5025 "content:\"./a\"; http_raw_uri; "
5026 "content:!\"/b/..\"; http_raw_uri; within:5; "
5037 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5043 if (http_state == NULL) {
5044 printf(
"no http state: \n");
5053 printf(
"sid 1 matched but shouldn't have\n");
5060 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
5069 printf(
"sid 1 matched but shouldn't have");
5092 static int DetectEngineHttpRawUriTest13(
void)
5102 uint8_t http1_buf[] =
5104 uint8_t http2_buf[] =
5105 "/b/../c/./d.html HTTP/1.0\r\n"
5106 "Host: www.openinfosecfoundation.org\r\n"
5107 "Content-Type: text/html\r\n"
5108 "Content-Length: 46\r\n"
5110 "This is dummy body1"
5111 "This is dummy message body2";
5112 uint32_t http1_len =
sizeof(http1_buf) - 1;
5113 uint32_t http2_len =
sizeof(http2_buf) - 1;
5117 memset(&th_v, 0,
sizeof(th_v));
5118 memset(&f, 0,
sizeof(f));
5119 memset(&ssn, 0,
sizeof(ssn));
5126 f.
proto = IPPROTO_TCP;
5148 "(msg:\"http raw uri test\"; "
5149 "content:\"./a\"; http_raw_uri; "
5150 "content:\"/c/.\"; http_raw_uri; distance:5; "
5161 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5167 if (http_state == NULL) {
5168 printf(
"no http state: \n");
5177 printf(
"sid 1 matched but shouldn't have\n");
5184 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
5193 printf(
"sid 1 didn't match but should have");
5216 static int DetectEngineHttpRawUriTest14(
void)
5226 uint8_t http1_buf[] =
5228 uint8_t http2_buf[] =
5229 "/b/../c/./d.html HTTP/1.0\r\n"
5230 "Host: www.openinfosecfoundation.org\r\n"
5231 "Content-Type: text/html\r\n"
5232 "Content-Length: 46\r\n"
5234 "This is dummy body1"
5235 "This is dummy message body2";
5236 uint32_t http1_len =
sizeof(http1_buf) - 1;
5237 uint32_t http2_len =
sizeof(http2_buf) - 1;
5241 memset(&th_v, 0,
sizeof(th_v));
5242 memset(&f, 0,
sizeof(f));
5243 memset(&ssn, 0,
sizeof(ssn));
5250 f.
proto = IPPROTO_TCP;
5272 "(msg:\"http raw uri test\"; "
5273 "content:\"./a\"; http_raw_uri; "
5274 "content:!\"b/..\"; http_raw_uri; distance:5; "
5285 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5291 if (http_state == NULL) {
5292 printf(
"no http state: \n");
5301 printf(
"sid 1 matched but shouldn't have\n");
5308 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
5317 printf(
"sid 1 didn't match but should have");
5340 static int DetectEngineHttpRawUriTest15(
void)
5350 uint8_t http1_buf[] =
5352 uint8_t http2_buf[] =
5353 "/b/../c/./d.html HTTP/1.0\r\n"
5354 "Host: www.openinfosecfoundation.org\r\n"
5355 "Content-Type: text/html\r\n"
5356 "Content-Length: 46\r\n"
5358 "This is dummy body1"
5359 "This is dummy message body2";
5360 uint32_t http1_len =
sizeof(http1_buf) - 1;
5361 uint32_t http2_len =
sizeof(http2_buf) - 1;
5365 memset(&th_v, 0,
sizeof(th_v));
5366 memset(&f, 0,
sizeof(f));
5367 memset(&ssn, 0,
sizeof(ssn));
5374 f.
proto = IPPROTO_TCP;
5396 "(msg:\"http raw uri test\"; "
5397 "content:\"./a\"; http_raw_uri; "
5398 "content:\"/c/\"; http_raw_uri; distance:7; "
5409 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5415 if (http_state == NULL) {
5416 printf(
"no http state: \n");
5425 printf(
"sid 1 matched but shouldn't have\n");
5432 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
5441 printf(
"sid 1 matched but shouldn't have");
5464 static int DetectEngineHttpRawUriTest16(
void)
5474 uint8_t http1_buf[] =
5476 uint8_t http2_buf[] =
5477 "/b/../c/./d.html HTTP/1.0\r\n"
5478 "Host: www.openinfosecfoundation.org\r\n"
5479 "Content-Type: text/html\r\n"
5480 "Content-Length: 46\r\n"
5482 "This is dummy body1"
5483 "This is dummy message body2";
5484 uint32_t http1_len =
sizeof(http1_buf) - 1;
5485 uint32_t http2_len =
sizeof(http2_buf) - 1;
5489 memset(&th_v, 0,
sizeof(th_v));
5490 memset(&f, 0,
sizeof(f));
5491 memset(&ssn, 0,
sizeof(ssn));
5498 f.
proto = IPPROTO_TCP;
5520 "(msg:\"http raw uri test\"; "
5521 "content:\"./a\"; http_raw_uri; "
5522 "content:!\"/c/\"; http_raw_uri; distance:4; "
5533 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5539 if (http_state == NULL) {
5540 printf(
"no http state: \n");
5549 printf(
"sid 1 matched but shouldn't have\n");
5556 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
5565 printf(
"sid 1 matched but shouldn't have");
5588 static int DetectEngineHttpRawUriTest21(
void)
5598 uint8_t http1_buf[] =
5600 uint8_t http2_buf[] =
5601 "/b/../c/./d.html HTTP/1.0\r\n"
5602 "Host: www.openinfosecfoundation.org\r\n"
5603 "Content-Type: text/html\r\n"
5604 "Content-Length: 46\r\n"
5606 "This is dummy body1"
5607 "This is dummy message body2";
5608 uint32_t http1_len =
sizeof(http1_buf) - 1;
5609 uint32_t http2_len =
sizeof(http2_buf) - 1;
5613 memset(&th_v, 0,
sizeof(th_v));
5614 memset(&f, 0,
sizeof(f));
5615 memset(&ssn, 0,
sizeof(ssn));
5622 f.
proto = IPPROTO_TCP;
5644 "(msg:\"http raw uri test\"; "
5646 "content:!\"/c/\"; http_raw_uri; within:5; "
5657 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5663 if (http_state == NULL) {
5664 printf(
"no http state: \n");
5673 printf(
"sid 1 matched but shouldn't have\n");
5680 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
5689 printf(
"sid 1 didn't match but shouldn't have");
5712 static int DetectEngineHttpRawUriTest22(
void)
5722 uint8_t http1_buf[] =
5724 uint8_t http2_buf[] =
5725 "/b/../c/./d.html HTTP/1.0\r\n"
5726 "Host: www.openinfosecfoundation.org\r\n"
5727 "Content-Type: text/html\r\n"
5728 "Content-Length: 46\r\n"
5730 "This is dummy body1"
5731 "This is dummy message body2";
5732 uint32_t http1_len =
sizeof(http1_buf) - 1;
5733 uint32_t http2_len =
sizeof(http2_buf) - 1;
5737 memset(&th_v, 0,
sizeof(th_v));
5738 memset(&f, 0,
sizeof(f));
5739 memset(&ssn, 0,
sizeof(ssn));
5746 f.
proto = IPPROTO_TCP;
5768 "(msg:\"http raw uri test\"; "
5770 "content:!\"/c/\"; within:5; http_raw_uri; "
5781 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5787 if (http_state == NULL) {
5788 printf(
"no http state: \n");
5797 printf(
"sid 1 matched but shouldn't have\n");
5804 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
5813 printf(
"sid 1 didn't match but shouldn't have");
5836 static int DetectEngineHttpRawUriTest23(
void)
5846 uint8_t http1_buf[] =
5848 uint8_t http2_buf[] =
5849 "/b/../c/./d.html HTTP/1.0\r\n"
5850 "Host: www.openinfosecfoundation.org\r\n"
5851 "Content-Type: text/html\r\n"
5852 "Content-Length: 46\r\n"
5854 "This is dummy body1"
5855 "This is dummy message body2";
5856 uint32_t http1_len =
sizeof(http1_buf) - 1;
5857 uint32_t http2_len =
sizeof(http2_buf) - 1;
5861 memset(&th_v, 0,
sizeof(th_v));
5862 memset(&f, 0,
sizeof(f));
5863 memset(&ssn, 0,
sizeof(ssn));
5870 f.
proto = IPPROTO_TCP;
5892 "(msg:\"http raw uri test\"; "
5894 "content:!\"/c/\"; distance:3; http_raw_uri; "
5905 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
5911 if (http_state == NULL) {
5912 printf(
"no http state: \n");
5921 printf(
"sid 1 matched but shouldn't have\n");
5928 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
5937 printf(
"sid 1 matched but shouldn't have");
5960 static int DetectEngineHttpRawUriTest24(
void)
5970 uint8_t http1_buf[] =
5972 uint8_t http2_buf[] =
5973 "/b/../c/./d.html HTTP/1.0\r\n"
5974 "Host: www.openinfosecfoundation.org\r\n"
5975 "Content-Type: text/html\r\n"
5976 "Content-Length: 46\r\n"
5978 "This is dummy body1"
5979 "This is dummy message body2";
5980 uint32_t http1_len =
sizeof(http1_buf) - 1;
5981 uint32_t http2_len =
sizeof(http2_buf) - 1;
5985 memset(&th_v, 0,
sizeof(th_v));
5986 memset(&f, 0,
sizeof(f));
5987 memset(&ssn, 0,
sizeof(ssn));
5994 f.
proto = IPPROTO_TCP;
6016 "(msg:\"http raw uri test\"; "
6018 "content:!\"/c/\"; distance:10; http_raw_uri; "
6029 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6035 if (http_state == NULL) {
6036 printf(
"no http state: \n");
6045 printf(
"sid 1 matched but shouldn't have\n");
6052 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
6061 printf(
"sid 1 didn't match but should have");
6084 static int DetectEngineHttpRawUriTest25(
void)
6094 uint8_t http1_buf[] =
6096 uint8_t http2_buf[] =
6097 "/b/../c/./d.html HTTP/1.0\r\n"
6098 "Host: www.openinfosecfoundation.org\r\n"
6099 "Content-Type: text/html\r\n"
6100 "Content-Length: 46\r\n"
6102 "This is dummy body1"
6103 "This is dummy message body2";
6104 uint32_t http1_len =
sizeof(http1_buf) - 1;
6105 uint32_t http2_len =
sizeof(http2_buf) - 1;
6109 memset(&th_v, 0,
sizeof(th_v));
6110 memset(&f, 0,
sizeof(f));
6111 memset(&ssn, 0,
sizeof(ssn));
6118 f.
proto = IPPROTO_TCP;
6140 "(msg:\"http raw uri test\"; "
6142 "content:\"/c/\"; within:10; http_raw_uri; "
6153 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6159 if (http_state == NULL) {
6160 printf(
"no http state: \n");
6169 printf(
"sid 1 matched but shouldn't have\n");
6176 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
6185 printf(
"sid 1 didn't match but should have");
6208 static int DetectEngineHttpRawUriTest26(
void)
6218 uint8_t http1_buf[] =
6220 uint8_t http2_buf[] =
6221 "/b/../c/./d.html HTTP/1.0\r\n"
6222 "Host: www.openinfosecfoundation.org\r\n"
6223 "Content-Type: text/html\r\n"
6224 "Content-Length: 46\r\n"
6226 "This is dummy body1"
6227 "This is dummy message body2";
6228 uint32_t http1_len =
sizeof(http1_buf) - 1;
6229 uint32_t http2_len =
sizeof(http2_buf) - 1;
6233 memset(&th_v, 0,
sizeof(th_v));
6234 memset(&f, 0,
sizeof(f));
6235 memset(&ssn, 0,
sizeof(ssn));
6242 f.
proto = IPPROTO_TCP;
6264 "(msg:\"http raw uri test\"; "
6266 "content:\"/c/\"; within:5; http_raw_uri; "
6277 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6283 if (http_state == NULL) {
6284 printf(
"no http state: \n");
6293 printf(
"sid 1 matched but shouldn't have\n");
6300 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
6309 printf(
"sid 1 matched but shouldn't have");
6332 static int DetectEngineHttpRawUriTest27(
void)
6342 uint8_t http1_buf[] =
6344 uint8_t http2_buf[] =
6345 "/b/../c/./d.html HTTP/1.0\r\n"
6346 "Host: www.openinfosecfoundation.org\r\n"
6347 "Content-Type: text/html\r\n"
6348 "Content-Length: 46\r\n"
6350 "This is dummy body1"
6351 "This is dummy message body2";
6352 uint32_t http1_len =
sizeof(http1_buf) - 1;
6353 uint32_t http2_len =
sizeof(http2_buf) - 1;
6357 memset(&th_v, 0,
sizeof(th_v));
6358 memset(&f, 0,
sizeof(f));
6359 memset(&ssn, 0,
sizeof(ssn));
6366 f.
proto = IPPROTO_TCP;
6388 "(msg:\"http raw uri test\"; "
6390 "content:\"/c/\"; distance:5; http_raw_uri; "
6401 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6407 if (http_state == NULL) {
6408 printf(
"no http state: \n");
6417 printf(
"sid 1 matched but shouldn't have\n");
6424 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
6433 printf(
"sid 1 didn't match but should have");
6456 static int DetectEngineHttpRawUriTest28(
void)
6466 uint8_t http1_buf[] =
6468 uint8_t http2_buf[] =
6469 "/b/../c/./d.html HTTP/1.0\r\n"
6470 "Host: www.openinfosecfoundation.org\r\n"
6471 "Content-Type: text/html\r\n"
6472 "Content-Length: 46\r\n"
6474 "This is dummy body1"
6475 "This is dummy message body2";
6476 uint32_t http1_len =
sizeof(http1_buf) - 1;
6477 uint32_t http2_len =
sizeof(http2_buf) - 1;
6481 memset(&th_v, 0,
sizeof(th_v));
6482 memset(&f, 0,
sizeof(f));
6483 memset(&ssn, 0,
sizeof(ssn));
6490 f.
proto = IPPROTO_TCP;
6512 "(msg:\"http raw uri test\"; "
6514 "content:\"/c/\"; distance:10; http_raw_uri; "
6525 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6531 if (http_state == NULL) {
6532 printf(
"no http state: \n");
6541 printf(
"sid 1 matched but shouldn't have\n");
6548 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: \n", r);
6557 printf(
"sid 1 matched but shouldn't have");
6583 static int DetectEngineHttpRawUriTest29(
void)
6586 uint8_t *http_buf = (uint8_t *)
"POST /../a/b/../c/./d.html HTTP/1.0\r\n"
6587 "User-Agent: Mozilla/1.0\r\n";
6588 uint32_t http_buf_len = strlen((
char *)http_buf);
6598 memset(&f, 0,
sizeof(
Flow));
6605 f.
proto = IPPROTO_TCP;
6623 "(msg:\"test multiple relative raw uri contents\"; "
6624 "content:\"/c/\"; http_raw_uri; "
6625 "isdataat:4,relative; sid:1;)");
6636 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6641 if (http_state == NULL) {
6642 printf(
"no http state: ");
6650 printf(
"sig 1 didn't alert, but it should have: ");
6659 if (det_ctx != NULL)
6675 static int DetectEngineHttpRawUriTest30(
void)
6678 uint8_t *http_buf = (uint8_t *)
"POST /../a/b/../c/./d.html HTTP/1.0\r\n"
6679 "User-Agent: Mozilla/1.0\r\n";
6680 uint32_t http_buf_len = strlen((
char *)http_buf);
6690 memset(&f, 0,
sizeof(
Flow));
6697 f.
proto = IPPROTO_TCP;
6715 "(msg:\"test multiple relative raw uri contents\"; "
6716 "uricontent:\"/c/\"; isdataat:!10,relative; sid:1;)");
6727 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
6732 if (http_state == NULL) {
6733 printf(
"no http state: ");
6741 printf(
"sig 1 didn't alert, but it should have: ");
6750 if (det_ctx != NULL)
6766 static void DetectHttpUriRegisterTests (
void)
6807 DetectHttpUriIsdataatParseTest);
6810 DetectEngineHttpRawUriTest01);
6812 DetectEngineHttpRawUriTest02);
6814 DetectEngineHttpRawUriTest03);
6816 DetectEngineHttpRawUriTest04);
6818 DetectEngineHttpRawUriTest05);
6820 DetectEngineHttpRawUriTest06);
6822 DetectEngineHttpRawUriTest07);
6824 DetectEngineHttpRawUriTest08);
6826 DetectEngineHttpRawUriTest09);
6828 DetectEngineHttpRawUriTest10);
6830 DetectEngineHttpRawUriTest11);
6832 DetectEngineHttpRawUriTest12);
6834 DetectEngineHttpRawUriTest13);
6836 DetectEngineHttpRawUriTest14);
6838 DetectEngineHttpRawUriTest15);
6840 DetectEngineHttpRawUriTest16);
6842 DetectEngineHttpRawUriTest21);
6844 DetectEngineHttpRawUriTest22);
6846 DetectEngineHttpRawUriTest23);
6848 DetectEngineHttpRawUriTest24);
6850 DetectEngineHttpRawUriTest25);
6852 DetectEngineHttpRawUriTest26);
6854 DetectEngineHttpRawUriTest27);
6856 DetectEngineHttpRawUriTest28);
6858 DetectEngineHttpRawUriTest29);
6860 DetectEngineHttpRawUriTest30);
1.8.18