suricata
detect-http-uri.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /** \file
19  *
20  * \author Victor Julien <victor@inliniac.net>
21  * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
22  */
23 
24 #include "../suricata-common.h"
25 #include "../app-layer.h"
26 #include "../app-layer-parser.h"
27 #include "../app-layer-htp.h"
28 #include "../util-unittest.h"
29 #include "../util-unittest-helper.h"
30 
31 #include "../flow.h"
32 #include "../flow-util.h"
33 
34 #include "../detect-isdataat.h"
35 
36 /** \test Test a simple uricontent option */
37 static int UriTestSig01(void)
38 {
39  int result = 0;
40  Flow f;
41  HtpState *http_state = NULL;
42  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
43  "User-Agent: Mozilla/1.0\r\n"
44  "Cookie: hellocatch\r\n\r\n";
45  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
46  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
47  "User-Agent: Mozilla/1.0\r\n"
48  "Cookie: hellocatch\r\n\r\n";
49  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
50  TcpSession ssn;
51  Packet *p = NULL;
52  Signature *s = NULL;
53  ThreadVars tv;
54  DetectEngineThreadCtx *det_ctx = NULL;
56 
57  memset(&tv, 0, sizeof(ThreadVars));
58  memset(&f, 0, sizeof(Flow));
59  memset(&ssn, 0, sizeof(TcpSession));
60 
61  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
62 
63  FLOW_INITIALIZE(&f);
64  f.protoctx = (void *)&ssn;
65  f.proto = IPPROTO_TCP;
66  f.flags |= FLOW_IPV4;
67 
68  p->flow = &f;
73 
74  StreamTcpInitConfig(true);
75 
77  if (de_ctx == NULL) {
78  goto end;
79  }
80  de_ctx->flags |= DE_QUIET;
81 
82  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
83  "(msg:\"Test uricontent option\"; "
84  "uricontent:\"one\"; sid:1;)");
85  if (s == NULL) {
86  goto end;
87  }
88 
90  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
91 
92  int r = AppLayerParserParse(
93  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
94  if (r != 0) {
95  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
96  goto end;
97  }
98 
99  http_state = f.alstate;
100  if (http_state == NULL) {
101  printf("no http state: ");
102  goto end;
103  }
104 
105  /* do detect */
106  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
107 
108  if (!PacketAlertCheck(p, 1)) {
109  printf("sig 1 alerted, but it should not: ");
110  goto end;
111  }
112 
114  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
115  if (r != 0) {
116  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
117  goto end;
118  }
119 
120  http_state = f.alstate;
121  if (http_state == NULL) {
122  printf("no http state: ");
123  goto end;
124  }
125 
126  if (!PacketAlertCheck(p, 1)) {
127  printf("sig 1 alerted, but it should not: ");
128  goto end;
129  }
130 
131  /* do detect */
132  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
133 
134  result = 1;
135 
136 end:
137  if (alp_tctx != NULL)
139  if (det_ctx != NULL)
140  DetectEngineThreadCtxDeinit(&tv, det_ctx);
141  if (de_ctx != NULL)
143  if (de_ctx != NULL)
145 
146  StreamTcpFreeConfig(true);
147  FLOW_DESTROY(&f);
148  UTHFreePacket(p);
149  return result;
150 }
151 
152 /** \test Test the pcre /U option */
153 static int UriTestSig02(void)
154 {
155  int result = 0;
156  Flow f;
157  HtpState *http_state = NULL;
158  uint8_t http_buf1[] = "POST /on HTTP/1.0\r\n"
159  "User-Agent: Mozilla/1.0\r\n"
160  "Cookie: hellocatch\r\n\r\n";
161  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
162  uint8_t http_buf2[] = "POST /one HTTP/1.0\r\n"
163  "User-Agent: Mozilla/1.0\r\n"
164  "Cookie: hellocatch\r\n\r\n";
165  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
166  TcpSession ssn;
167  Packet *p = NULL;
168  Signature *s = NULL;
169  ThreadVars tv;
170  DetectEngineThreadCtx *det_ctx = NULL;
172 
173  memset(&tv, 0, sizeof(ThreadVars));
174  memset(&f, 0, sizeof(Flow));
175  memset(&ssn, 0, sizeof(TcpSession));
176 
177  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
178 
179  FLOW_INITIALIZE(&f);
180  f.protoctx = (void *)&ssn;
181  f.proto = IPPROTO_TCP;
182  f.flags |= FLOW_IPV4;
183 
184  p->flow = &f;
189 
190  StreamTcpInitConfig(true);
191 
193  if (de_ctx == NULL) {
194  goto end;
195  }
196  de_ctx->flags |= DE_QUIET;
197 
198  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
199  "(msg:\"Test pcre /U option\"; "
200  "pcre:/one/U; sid:1;)");
201  if (s == NULL) {
202  goto end;
203  }
204 
206  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
207 
208  int r = AppLayerParserParse(
209  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
210  if (r != 0) {
211  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
212  goto end;
213  }
214 
215  http_state = f.alstate;
216  if (http_state == NULL) {
217  printf("no http state: ");
218  goto end;
219  }
220 
221  /* do detect */
222  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
223 
224  if (PacketAlertCheck(p, 1)) {
225  printf("sig 1 alerted with payload2, but it should not: ");
226  goto end;
227  }
228 
230  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
231  if (r != 0) {
232  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
233  goto end;
234  }
235 
236  http_state = f.alstate;
237  if (http_state == NULL) {
238  printf("no http state: ");
239  goto end;
240  }
241 
242  /* do detect */
243  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
244 
245  if (!PacketAlertCheck(p, 1)) {
246  printf("sig 1 didnt alert, but it should: ");
247  goto end;
248  }
249 
250  result = 1;
251 
252 end:
253  if (alp_tctx != NULL)
255  if (det_ctx != NULL)
256  DetectEngineThreadCtxDeinit(&tv, det_ctx);
257  if (de_ctx != NULL)
259  if (de_ctx != NULL)
261 
262  StreamTcpFreeConfig(true);
263  FLOW_DESTROY(&f);
264  UTHFreePacket(p);
265  return result;
266 }
267 
268 /** \test Test the pcre /U option */
269 static int UriTestSig03(void)
270 {
271  int result = 0;
272  Flow f;
273  HtpState *http_state = NULL;
274  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
275  "User-Agent: Mozilla/1.0\r\n"
276  "Cookie: hellocatch\r\n\r\n";
277  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
278  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
279  "User-Agent: Mozilla/1.0\r\n"
280  "Cookie: hellocatch\r\n\r\n";
281  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
282  TcpSession ssn;
283  Packet *p = NULL;
284  Signature *s = NULL;
285  ThreadVars tv;
286  DetectEngineThreadCtx *det_ctx = NULL;
288 
289  memset(&tv, 0, sizeof(ThreadVars));
290  memset(&f, 0, sizeof(Flow));
291  memset(&ssn, 0, sizeof(TcpSession));
292 
293  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
294 
295  FLOW_INITIALIZE(&f);
296  f.protoctx = (void *)&ssn;
297  f.proto = IPPROTO_TCP;
298  f.flags |= FLOW_IPV4;
299 
300  p->flow = &f;
305 
306  StreamTcpInitConfig(true);
307 
309  if (de_ctx == NULL) {
310  goto end;
311  }
312  de_ctx->flags |= DE_QUIET;
313 
314  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
315  "(msg:\"Test pcre /U option\"; "
316  "pcre:/blah/U; sid:1;)");
317  if (s == NULL) {
318  goto end;
319  }
320 
322  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
323 
324  int r = AppLayerParserParse(
325  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
326  if (r != 0) {
327  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
328  goto end;
329  }
330 
331  http_state = f.alstate;
332  if (http_state == NULL) {
333  printf("no http state: ");
334  goto end;
335  }
336 
337  /* do detect */
338  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
339 
340  if (PacketAlertCheck(p, 1)) {
341  printf("sig 1 alerted, but it should not: ");
342  goto end;
343  }
344 
346  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
347  if (r != 0) {
348  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
349  goto end;
350  }
351 
352  http_state = f.alstate;
353  if (http_state == NULL) {
354  printf("no http state: ");
355  goto end;
356  }
357 
358  /* do detect */
359  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
360 
361  if (PacketAlertCheck(p, 1)) {
362  printf("sig 1 alerted, but it should not: ");
363  goto end;
364  }
365 
366  result = 1;
367 
368 end:
369  if (alp_tctx != NULL)
371  if (det_ctx != NULL)
372  DetectEngineThreadCtxDeinit(&tv, det_ctx);
373  if (de_ctx != NULL)
375  if (de_ctx != NULL)
377 
378  StreamTcpFreeConfig(true);
379  FLOW_DESTROY(&f);
380  UTHFreePacket(p);
381  return result;
382 }
383 
384 /** \test Test the urilen option */
385 static int UriTestSig04(void)
386 {
387  int result = 0;
388  Flow f;
389  HtpState *http_state = NULL;
390  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
391  "User-Agent: Mozilla/1.0\r\n"
392  "Cookie: hellocatch\r\n\r\n";
393  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
394  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
395  "User-Agent: Mozilla/1.0\r\n"
396  "Cookie: hellocatch\r\n\r\n";
397  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
398  TcpSession ssn;
399  Packet *p = NULL;
400  Signature *s = NULL;
401  ThreadVars tv;
402  DetectEngineThreadCtx *det_ctx = NULL;
404 
405  memset(&tv, 0, sizeof(ThreadVars));
406  memset(&f, 0, sizeof(Flow));
407  memset(&ssn, 0, sizeof(TcpSession));
408 
409  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
410 
411  FLOW_INITIALIZE(&f);
412  f.protoctx = (void *)&ssn;
413  f.proto = IPPROTO_TCP;
414  f.flags |= FLOW_IPV4;
415 
416  p->flow = &f;
421 
422  StreamTcpInitConfig(true);
423 
425  if (de_ctx == NULL) {
426  goto end;
427  }
428  de_ctx->flags |= DE_QUIET;
429 
430  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
431  "(msg:\"Test urilen option\"; "
432  "urilen:>20; sid:1;)");
433  if (s == NULL) {
434  goto end;
435  }
436 
438  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
439 
440  int r = AppLayerParserParse(
441  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
442  if (r != 0) {
443  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
444  goto end;
445  }
446 
447  http_state = f.alstate;
448  if (http_state == NULL) {
449  printf("no http state: ");
450  goto end;
451  }
452 
453  /* do detect */
454  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
455 
456  if (PacketAlertCheck(p, 1)) {
457  printf("sig 1 alerted, but it should not: ");
458  goto end;
459  }
460 
462  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
463  if (r != 0) {
464  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
465  goto end;
466  }
467 
468  http_state = f.alstate;
469  if (http_state == NULL) {
470  printf("no http state: ");
471  goto end;
472  }
473 
474  /* do detect */
475  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
476 
477  if (PacketAlertCheck(p, 1)) {
478  printf("sig 1 alerted, but it should not: ");
479  goto end;
480  }
481 
482  result = 1;
483 
484 end:
485  if (alp_tctx != NULL)
487  if (det_ctx != NULL)
488  DetectEngineThreadCtxDeinit(&tv, det_ctx);
489  if (de_ctx != NULL)
491  if (de_ctx != NULL)
493 
494  StreamTcpFreeConfig(true);
495  FLOW_DESTROY(&f);
496  UTHFreePacket(p);
497  return result;
498 }
499 
500 /** \test Test the urilen option */
501 static int UriTestSig05(void)
502 {
503  int result = 0;
504  Flow f;
505  HtpState *http_state = NULL;
506  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
507  "User-Agent: Mozilla/1.0\r\n"
508  "Cookie: hellocatch\r\n\r\n";
509  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
510  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
511  "User-Agent: Mozilla/1.0\r\n"
512  "Cookie: hellocatch\r\n\r\n";
513  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
514  TcpSession ssn;
515  Packet *p = NULL;
516  Signature *s = NULL;
517  ThreadVars tv;
518  DetectEngineThreadCtx *det_ctx = NULL;
520 
521  memset(&tv, 0, sizeof(ThreadVars));
522  memset(&f, 0, sizeof(Flow));
523  memset(&ssn, 0, sizeof(TcpSession));
524 
525  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
526 
527  FLOW_INITIALIZE(&f);
528  f.protoctx = (void *)&ssn;
529  f.proto = IPPROTO_TCP;
530  f.flags |= FLOW_IPV4;
531 
532  p->flow = &f;
537 
538  StreamTcpInitConfig(true);
539 
541  if (de_ctx == NULL) {
542  goto end;
543  }
544  de_ctx->flags |= DE_QUIET;
545 
546  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
547  "(msg:\"Test urilen option\"; "
548  "urilen:>4; sid:1;)");
549  if (s == NULL) {
550  goto end;
551  }
552 
554  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
555 
556  int r = AppLayerParserParse(
557  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
558  if (r != 0) {
559  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
560  goto end;
561  }
562 
563  http_state = f.alstate;
564  if (http_state == NULL) {
565  printf("no http state: ");
566  goto end;
567  }
568 
569  /* do detect */
570  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
571 
572  if (PacketAlertCheck(p, 1)) {
573  printf("sig 1 alerted, but it should not: ");
574  goto end;
575  }
576 
578  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
579  if (r != 0) {
580  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
581  goto end;
582  }
583 
584  http_state = f.alstate;
585  if (http_state == NULL) {
586  printf("no http state: ");
587  goto end;
588  }
589 
590  /* do detect */
591  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
592 
593  if (!PacketAlertCheck(p, 1)) {
594  printf("sig 1 didnt alert with payload2, but it should: ");
595  goto end;
596  }
597 
598  result = 1;
599 
600 end:
601  if (alp_tctx != NULL)
603  if (det_ctx != NULL)
604  DetectEngineThreadCtxDeinit(&tv, det_ctx);
605  if (de_ctx != NULL)
607  if (de_ctx != NULL)
609 
610  StreamTcpFreeConfig(true);
611  FLOW_DESTROY(&f);
612  UTHFreePacket(p);
613  return result;
614 }
615 
616 /** \test Test the pcre /U option */
617 static int UriTestSig06(void)
618 {
619  int result = 0;
620  Flow f;
621  HtpState *http_state = NULL;
622  uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
623  "User-Agent: Mozilla/1.0\r\n"
624  "Cookie: hellocatch\r\n\r\n";
625  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
626  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
627  "User-Agent: Mozilla/1.0\r\n"
628  "Cookie: hellocatch\r\n\r\n";
629  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
630  TcpSession ssn;
631  Packet *p = NULL;
632  Signature *s = NULL;
633  ThreadVars tv;
634  DetectEngineThreadCtx *det_ctx = NULL;
636 
637  memset(&tv, 0, sizeof(ThreadVars));
638  memset(&f, 0, sizeof(Flow));
639  memset(&ssn, 0, sizeof(TcpSession));
640 
641  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
642 
643  FLOW_INITIALIZE(&f);
644  f.protoctx = (void *)&ssn;
645  f.proto = IPPROTO_TCP;
646  f.flags |= FLOW_IPV4;
647 
648  p->flow = &f;
653 
654  StreamTcpInitConfig(true);
655 
657  if (de_ctx == NULL) {
658  goto end;
659  }
660  de_ctx->flags |= DE_QUIET;
661 
662  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
663  "(msg:\"Test pcre /U option\"; "
664  "pcre:/(oneself)+/U; sid:1;)");
665  if (s == NULL) {
666  goto end;
667  }
668 
670  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
671 
672  int r = AppLayerParserParse(
673  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
674  if (r != 0) {
675  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
676  goto end;
677  }
678 
679  http_state = f.alstate;
680  if (http_state == NULL) {
681  printf("no http state: ");
682  goto end;
683  }
684 
685  /* do detect */
686  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
687 
688  if (PacketAlertCheck(p, 1)) {
689  printf("sig 1 alerted, but it should not: ");
690  goto end;
691  }
692 
694  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
695  if (r != 0) {
696  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
697  goto end;
698  }
699 
700  http_state = f.alstate;
701  if (http_state == NULL) {
702  printf("no http state: ");
703  goto end;
704  }
705 
706  /* do detect */
707  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
708 
709  if (!PacketAlertCheck(p, 1)) {
710  printf("sig 1 didnt alert on payload2, but it should: ");
711  goto end;
712  }
713 
714  result = 1;
715 
716 end:
717  if (alp_tctx != NULL)
719  if (det_ctx != NULL)
720  DetectEngineThreadCtxDeinit(&tv, det_ctx);
721  if (de_ctx != NULL)
723  if (de_ctx != NULL)
725 
726  StreamTcpFreeConfig(true);
727  FLOW_DESTROY(&f);
728  UTHFreePacket(p);
729  return result;
730 }
731 
732 /** \test Test the pcre /U option in combination with urilen */
733 static int UriTestSig07(void)
734 {
735  int result = 0;
736  Flow f;
737  HtpState *http_state = NULL;
738  uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
739  "User-Agent: Mozilla/1.0\r\n"
740  "Cookie: hellocatch\r\n\r\n";
741  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
742  uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
743  "User-Agent: Mozilla/1.0\r\n"
744  "Cookie: hellocatch\r\n\r\n";
745  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
746  TcpSession ssn;
747  Packet *p = NULL;
748  Signature *s = NULL;
749  ThreadVars tv;
750  DetectEngineThreadCtx *det_ctx = NULL;
752 
753  memset(&tv, 0, sizeof(ThreadVars));
754  memset(&f, 0, sizeof(Flow));
755  memset(&ssn, 0, sizeof(TcpSession));
756 
757  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
758 
759  FLOW_INITIALIZE(&f);
760  f.protoctx = (void *)&ssn;
761  f.proto = IPPROTO_TCP;
762  f.flags |= FLOW_IPV4;
763 
764  p->flow = &f;
769 
770  StreamTcpInitConfig(true);
771 
773  if (de_ctx == NULL) {
774  goto end;
775  }
776  de_ctx->flags |= DE_QUIET;
777 
778  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
779  "(msg:\"Test pcre /U option with urilen \"; "
780  "pcre:/(one){2,}(self)?/U; urilen:3<>20; sid:1;)");
781  if (s == NULL) {
782  goto end;
783  }
784 
786  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
787 
788  int r = AppLayerParserParse(
789  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
790  if (r != 0) {
791  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
792  goto end;
793  }
794 
795  http_state = f.alstate;
796  if (http_state == NULL) {
797  printf("no http state: ");
798  goto end;
799  }
800 
801  /* do detect */
802  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
803 
804  if (!PacketAlertCheck(p, 1)) {
805  printf("sig 1 didnt alert, but it should: ");
806  goto end;
807  }
808 
810  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
811  if (r != 0) {
812  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
813  goto end;
814  }
815 
816  http_state = f.alstate;
817  if (http_state == NULL) {
818  printf("no http state: ");
819  goto end;
820  }
821 
822  /* do detect */
823  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
824 
825  if (!PacketAlertCheck(p, 1)) {
826  printf("sig 1 didnt alert with payload2, but it should: ");
827  goto end;
828  }
829 
830  result = 1;
831 
832 end:
833  if (alp_tctx != NULL)
835  if (det_ctx != NULL)
836  DetectEngineThreadCtxDeinit(&tv, det_ctx);
837  if (de_ctx != NULL)
839  if (de_ctx != NULL)
841 
842  StreamTcpFreeConfig(true);
843  FLOW_DESTROY(&f);
844  UTHFreePacket(p);
845  return result;
846 }
847 
848 /** \test Test the pcre /U option in combination with urilen */
849 static int UriTestSig08(void)
850 {
851  int result = 0;
852  Flow f;
853  HtpState *http_state = NULL;
854  uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
855  "User-Agent: Mozilla/1.0\r\n"
856  "Cookie: hellocatch\r\n\r\n";
857  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
858  uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
859  "User-Agent: Mozilla/1.0\r\n"
860  "Cookie: hellocatch\r\n\r\n";
861  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
862  TcpSession ssn;
863  Packet *p = NULL;
864  Signature *s = NULL;
865  ThreadVars tv;
866  DetectEngineThreadCtx *det_ctx = NULL;
868 
869  memset(&tv, 0, sizeof(ThreadVars));
870  memset(&f, 0, sizeof(Flow));
871  memset(&ssn, 0, sizeof(TcpSession));
872 
873  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
874 
875  FLOW_INITIALIZE(&f);
876  f.protoctx = (void *)&ssn;
877  f.proto = IPPROTO_TCP;
878  f.flags |= FLOW_IPV4;
879 
880  p->flow = &f;
885 
886  StreamTcpInitConfig(true);
887 
889  if (de_ctx == NULL) {
890  goto end;
891  }
892  de_ctx->flags |= DE_QUIET;
893 
894  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
895  "(msg:\"Test pcre /U option with urilen\"; "
896  "pcre:/(blabla){2,}(self)?/U; urilen:3<>20; sid:1;)");
897  if (s == NULL) {
898  goto end;
899  }
900 
902  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
903 
904  int r = AppLayerParserParse(
905  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
906  if (r != 0) {
907  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
908  goto end;
909  }
910 
911  http_state = f.alstate;
912  if (http_state == NULL) {
913  printf("no http state: ");
914  goto end;
915  }
916 
917  /* do detect */
918  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
919 
920  if (PacketAlertCheck(p, 1)) {
921  printf("sig 1 alerted, but it should not: ");
922  goto end;
923  }
924 
926  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
927  if (r != 0) {
928  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
929  goto end;
930  }
931 
932  http_state = f.alstate;
933  if (http_state == NULL) {
934  printf("no http state: ");
935  goto end;
936  }
937 
938  /* do detect */
939  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
940 
941  if (PacketAlertCheck(p, 1)) {
942  printf("sig 1 alerted, but it should not: ");
943  goto end;
944  }
945 
946  result = 1;
947 
948 end:
949  if (alp_tctx != NULL)
951  if (det_ctx != NULL)
952  DetectEngineThreadCtxDeinit(&tv, det_ctx);
953  if (de_ctx != NULL)
955  if (de_ctx != NULL)
957 
958  StreamTcpFreeConfig(true);
959  FLOW_DESTROY(&f);
960  UTHFreePacket(p);
961  return result;
962 }
963 
964 /** \test Test the pcre /U option in combination with urilen */
965 static int UriTestSig09(void)
966 {
967  int result = 0;
968  Flow f;
969  HtpState *http_state = NULL;
970  uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
971  "User-Agent: Mozilla/1.0\r\n"
972  "Cookie: hellocatch\r\n\r\n";
973  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
974  uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
975  "User-Agent: Mozilla/1.0\r\n"
976  "Cookie: hellocatch\r\n\r\n";
977  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
978  TcpSession ssn;
979  Packet *p = NULL;
980  Signature *s = NULL;
981  ThreadVars tv;
982  DetectEngineThreadCtx *det_ctx = NULL;
984 
985  memset(&tv, 0, sizeof(ThreadVars));
986  memset(&f, 0, sizeof(Flow));
987  memset(&ssn, 0, sizeof(TcpSession));
988 
989  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
990 
991  FLOW_INITIALIZE(&f);
992  f.protoctx = (void *)&ssn;
993  f.proto = IPPROTO_TCP;
994  f.flags |= FLOW_IPV4;
995 
996  p->flow = &f;
1000  f.alproto = ALPROTO_HTTP1;
1001 
1002  StreamTcpInitConfig(true);
1003 
1005  if (de_ctx == NULL) {
1006  goto end;
1007  }
1008  de_ctx->flags |= DE_QUIET;
1009 
1010  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1011  "(msg:\"Test pcre /U option with urilen \"; "
1012  "pcre:/(one){2,}(self)?/U; urilen:<2; sid:1;)");
1013  if (s == NULL) {
1014  goto end;
1015  }
1016 
1018  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1019 
1020  int r = AppLayerParserParse(
1021  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
1022  if (r != 0) {
1023  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1024  goto end;
1025  }
1026 
1027  http_state = f.alstate;
1028  if (http_state == NULL) {
1029  printf("no http state: ");
1030  goto end;
1031  }
1032 
1033  /* do detect */
1034  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1035 
1036  if (PacketAlertCheck(p, 1)) {
1037  printf("sig 1 alerted, but it should not: ");
1038  goto end;
1039  }
1040 
1041  r = AppLayerParserParse(
1042  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
1043  if (r != 0) {
1044  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1045  goto end;
1046  }
1047 
1048  http_state = f.alstate;
1049  if (http_state == NULL) {
1050  printf("no http state: ");
1051  goto end;
1052  }
1053 
1054  /* do detect */
1055  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1056 
1057  if (PacketAlertCheck(p, 1)) {
1058  printf("sig 1 alerted, but it should not: ");
1059  goto end;
1060  }
1061 
1062  result = 1;
1063 
1064 end:
1065  if (alp_tctx != NULL)
1067  if (det_ctx != NULL)
1068  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1069  if (de_ctx != NULL)
1071  if (de_ctx != NULL)
1073 
1074  StreamTcpFreeConfig(true);
1075  FLOW_DESTROY(&f);
1076  UTHFreePacket(p);
1077  return result;
1078 }
1079 
1080 /** \test Test uricontent, urilen, pcre /U options */
1081 static int UriTestSig12(void)
1082 {
1083  int result = 0;
1084  Flow f;
1085  HtpState *http_state = NULL;
1086  uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
1087  "User-Agent: Mozilla/1.0\r\n"
1088  "Cookie: hellocatch\r\n\r\n";
1089  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1090  uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
1091  "User-Agent: Mozilla/1.0\r\n"
1092  "Cookie: hellocatch\r\n\r\n";
1093  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1094  TcpSession ssn;
1095  Packet *p = NULL;
1096  Signature *s = NULL;
1097  ThreadVars tv;
1098  DetectEngineThreadCtx *det_ctx = NULL;
1100 
1101  memset(&tv, 0, sizeof(ThreadVars));
1102  memset(&f, 0, sizeof(Flow));
1103  memset(&ssn, 0, sizeof(TcpSession));
1104 
1105  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1106 
1107  FLOW_INITIALIZE(&f);
1108  f.protoctx = (void *)&ssn;
1109  f.proto = IPPROTO_TCP;
1110  f.flags |= FLOW_IPV4;
1111 
1112  p->flow = &f;
1116  f.alproto = ALPROTO_HTTP1;
1117 
1118  StreamTcpInitConfig(true);
1119 
1121  if (de_ctx == NULL) {
1122  goto end;
1123  }
1124  de_ctx->flags |= DE_QUIET;
1125 
1126  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1127  "(msg:\"Test pcre /U, uricontent and urilen option\"; "
1128  "uricontent:\"one\"; "
1129  "pcre:/(one)+self/U; urilen:>2; sid:1;)");
1130  if (s == NULL) {
1131  goto end;
1132  }
1133 
1135  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1136 
1137  int r = AppLayerParserParse(
1138  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
1139  if (r != 0) {
1140  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1141  goto end;
1142  }
1143 
1144  http_state = f.alstate;
1145  if (http_state == NULL) {
1146  printf("no http state: ");
1147  goto end;
1148  }
1149 
1150  /* do detect */
1151  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1152 
1153  if (PacketAlertCheck(p, 1)) {
1154  printf("sig 1 alerted, but it should not: ");
1155  goto end;
1156  }
1157 
1158  r = AppLayerParserParse(
1159  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
1160  if (r != 0) {
1161  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1162  goto end;
1163  }
1164 
1165  http_state = f.alstate;
1166  if (http_state == NULL) {
1167  printf("no http state: ");
1168  goto end;
1169  }
1170 
1171  /* do detect */
1172  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1173 
1174  if (!PacketAlertCheck(p, 1)) {
1175  printf("sig 1 didnt alert with payload2, but it should: ");
1176  goto end;
1177  }
1178 
1179  result = 1;
1180 
1181 end:
1182  if (alp_tctx != NULL)
1184  if (det_ctx != NULL)
1185  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1186  if (de_ctx != NULL)
1188  if (de_ctx != NULL)
1190 
1191  StreamTcpFreeConfig(true);
1192  FLOW_DESTROY(&f);
1193  UTHFreePacket(p);
1194  return result;
1195 }
1196 
1197 /** \test Test uricontent, urilen */
1198 static int UriTestSig13(void)
1199 {
1200  int result = 0;
1201  Flow f;
1202  HtpState *http_state = NULL;
1203  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
1204  "User-Agent: Mozilla/1.0\r\n"
1205  "Cookie: hellocatch\r\n\r\n";
1206  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1207  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
1208  "User-Agent: Mozilla/1.0\r\n"
1209  "Cookie: hellocatch\r\n\r\n";
1210  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1211  TcpSession ssn;
1212  Packet *p = NULL;
1213  Signature *s = NULL;
1214  ThreadVars tv;
1215  DetectEngineThreadCtx *det_ctx = NULL;
1217 
1218  memset(&tv, 0, sizeof(ThreadVars));
1219  memset(&f, 0, sizeof(Flow));
1220  memset(&ssn, 0, sizeof(TcpSession));
1221 
1222  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1223 
1224  FLOW_INITIALIZE(&f);
1225  f.protoctx = (void *)&ssn;
1226  f.proto = IPPROTO_TCP;
1227  f.flags |= FLOW_IPV4;
1228 
1229  p->flow = &f;
1233  f.alproto = ALPROTO_HTTP1;
1234 
1235  StreamTcpInitConfig(true);
1236 
1238  if (de_ctx == NULL) {
1239  goto end;
1240  }
1241  de_ctx->flags |= DE_QUIET;
1242 
1243  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1244  "(msg:\"Test urilen option\"; "
1245  "urilen:>2; uricontent:\"one\"; sid:1;)");
1246  if (s == NULL) {
1247  goto end;
1248  }
1249 
1251  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1252 
1253  int r = AppLayerParserParse(
1254  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
1255  if (r != 0) {
1256  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1257  goto end;
1258  }
1259 
1260  http_state = f.alstate;
1261  if (http_state == NULL) {
1262  printf("no http state: ");
1263  goto end;
1264  }
1265 
1266  /* do detect */
1267  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1268 
1269  if (!PacketAlertCheck(p, 1)) {
1270  printf("sig 1 didnt alert with pkt, but it should: ");
1271  goto end;
1272  }
1273 
1274  r = AppLayerParserParse(
1275  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
1276  if (r != 0) {
1277  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1278  goto end;
1279  }
1280 
1281  http_state = f.alstate;
1282  if (http_state == NULL) {
1283  printf("no http state: ");
1284  goto end;
1285  }
1286 
1287  /* do detect */
1288  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1289 
1290 
1291  if (!PacketAlertCheck(p, 1)) {
1292  printf("sig 1 didnt alert with payload2, but it should: ");
1293  goto end;
1294  }
1295 
1296  result = 1;
1297 
1298 end:
1299  if (alp_tctx != NULL)
1301  if (det_ctx != NULL)
1302  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1303  if (de_ctx != NULL)
1305  if (de_ctx != NULL)
1307 
1308  StreamTcpFreeConfig(true);
1309  FLOW_DESTROY(&f);
1310  UTHFreePacket(p);
1311  return result;
1312 }
1313 
1314 /** \test Test uricontent, pcre /U */
1315 static int UriTestSig14(void)
1316 {
1317  int result = 0;
1318  Flow f;
1319  HtpState *http_state = NULL;
1320  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
1321  "User-Agent: Mozilla/1.0\r\n"
1322  "Cookie: hellocatch\r\n\r\n";
1323  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1324  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
1325  "User-Agent: Mozilla/1.0\r\n"
1326  "Cookie: hellocatch\r\n\r\n";
1327  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1328  TcpSession ssn;
1329  Packet *p = NULL;
1330  Signature *s = NULL;
1331  ThreadVars tv;
1332  DetectEngineThreadCtx *det_ctx = NULL;
1334 
1335  memset(&tv, 0, sizeof(ThreadVars));
1336  memset(&f, 0, sizeof(Flow));
1337  memset(&ssn, 0, sizeof(TcpSession));
1338 
1339  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1340 
1341  FLOW_INITIALIZE(&f);
1342  f.protoctx = (void *)&ssn;
1343  f.proto = IPPROTO_TCP;
1344  f.flags |= FLOW_IPV4;
1345 
1346  p->flow = &f;
1350  f.alproto = ALPROTO_HTTP1;
1351 
1352  StreamTcpInitConfig(true);
1353 
1355  if (de_ctx == NULL) {
1356  goto end;
1357  }
1358  de_ctx->flags |= DE_QUIET;
1359 
1360  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1361  "(msg:\"Test uricontent option\"; "
1362  "uricontent:\"one\"; pcre:/one(self)?/U;sid:1;)");
1363  if (s == NULL) {
1364  goto end;
1365  }
1366 
1368  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1369 
1370  int r = AppLayerParserParse(
1371  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
1372  if (r != 0) {
1373  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1374  goto end;
1375  }
1376 
1377  http_state = f.alstate;
1378  if (http_state == NULL) {
1379  printf("no http state: ");
1380  goto end;
1381  }
1382 
1383  /* do detect */
1384  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1385 
1386  if (!PacketAlertCheck(p, 1)) {
1387  printf("sig 1 didnt alert with pkt, but it should: ");
1388  goto end;
1389  }
1390 
1391  r = AppLayerParserParse(
1392  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
1393  if (r != 0) {
1394  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1395  goto end;
1396  }
1397 
1398  http_state = f.alstate;
1399  if (http_state == NULL) {
1400  printf("no http state: ");
1401  goto end;
1402  }
1403 
1404  /* do detect */
1405  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1406 
1407 
1408  if (!PacketAlertCheck(p, 1)) {
1409  printf("sig 1 didnt alert with payload2, but it should: ");
1410  goto end;
1411  }
1412 
1413  result = 1;
1414 
1415 end:
1416  if (alp_tctx != NULL)
1418  if (det_ctx != NULL)
1419  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1420  if (de_ctx != NULL)
1422  if (de_ctx != NULL)
1424 
1425  StreamTcpFreeConfig(true);
1426  FLOW_DESTROY(&f);
1427  UTHFreePacket(p);
1428  return result;
1429 }
1430 
1431 /** \test Test pcre /U with anchored regex (bug 155) */
1432 static int UriTestSig15(void)
1433 {
1434  int result = 0;
1435  Flow f;
1436  HtpState *http_state = NULL;
1437  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
1438  "User-Agent: Mozilla/1.0\r\n"
1439  "Cookie: hellocatch\r\n\r\n";
1440  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1441  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
1442  "User-Agent: Mozilla/1.0\r\n"
1443  "Cookie: hellocatch\r\n\r\n";
1444  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1445  TcpSession ssn;
1446  Packet *p = NULL;
1447  Signature *s = NULL;
1448  ThreadVars tv;
1449  DetectEngineThreadCtx *det_ctx = NULL;
1451 
1452  memset(&tv, 0, sizeof(ThreadVars));
1453  memset(&f, 0, sizeof(Flow));
1454  memset(&ssn, 0, sizeof(TcpSession));
1455 
1456  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1457 
1458  FLOW_INITIALIZE(&f);
1459  f.protoctx = (void *)&ssn;
1460  f.proto = IPPROTO_TCP;
1461  f.flags |= FLOW_IPV4;
1462 
1463  p->flow = &f;
1467  f.alproto = ALPROTO_HTTP1;
1468 
1469  StreamTcpInitConfig(true);
1470 
1472  if (de_ctx == NULL) {
1473  goto end;
1474  }
1475  de_ctx->flags |= DE_QUIET;
1476 
1477  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1478  "(msg:\"Test uricontent option\"; "
1479  "uricontent:\"one\"; pcre:/^\\/one(self)?$/U;sid:1;)");
1480  if (s == NULL) {
1481  goto end;
1482  }
1483 
1485  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1486 
1487  int r = AppLayerParserParse(
1488  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
1489  if (r != 0) {
1490  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1491  goto end;
1492  }
1493 
1494  http_state = f.alstate;
1495  if (http_state == NULL) {
1496  printf("no http state: ");
1497  goto end;
1498  }
1499 
1500  /* do detect */
1501  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1502 
1503  if (!PacketAlertCheck(p, 1)) {
1504  printf("sig 1 didnt alert with pkt, but it should: ");
1505  goto end;
1506  }
1507 
1508  r = AppLayerParserParse(
1509  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
1510  if (r != 0) {
1511  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1512  goto end;
1513  }
1514 
1515  http_state = f.alstate;
1516  if (http_state == NULL) {
1517  printf("no http state: ");
1518  goto end;
1519  }
1520 
1521  /* do detect */
1522  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1523 
1524 
1525  if (!PacketAlertCheck(p, 1)) {
1526  printf("sig 1 didnt alert with payload2, but it should: ");
1527  goto end;
1528  }
1529 
1530  result = 1;
1531 
1532 end:
1533  if (alp_tctx != NULL)
1535  if (det_ctx != NULL)
1536  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1537  if (de_ctx != NULL)
1539  if (de_ctx != NULL)
1541 
1542  StreamTcpFreeConfig(true);
1543  FLOW_DESTROY(&f);
1544  UTHFreePacket(p);
1545  return result;
1546 }
1547 
1548 /** \test Test pcre /U with anchored regex (bug 155) */
1549 static int UriTestSig16(void)
1550 {
1551  HtpState *http_state = NULL;
1552  uint8_t http_buf1[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
1553  "User-Agent: Mozilla/1.0/\r\n"
1554  "Host: 1.2.3.4\r\n\r\n";
1555  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1556  uint8_t http_buf2[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
1557  "User-Agent: Mozilla/1.0\r\n"
1558  "Cookie: hellocatch\r\n\r\n";
1559  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1560  TcpSession ssn;
1561  Signature *s = NULL;
1562  ThreadVars tv;
1563  DetectEngineThreadCtx *det_ctx = NULL;
1565 
1566  memset(&tv, 0, sizeof(ThreadVars));
1567  memset(&ssn, 0, sizeof(TcpSession));
1568  StreamTcpInitConfig(true);
1569 
1570  Packet *p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1571  FAIL_IF_NULL(p);
1572  p->tcph->th_seq = htonl(1000);
1573  Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
1574  FAIL_IF_NULL(f);
1575  f->proto = IPPROTO_TCP;
1576 
1577  UTHAddSessionToFlow(f, 1000, 1000);
1578  UTHAddStreamToFlow(f, 0, http_buf1, http_buf1_len);
1579 
1580  p->flow = f;
1584  f->alproto = ALPROTO_HTTP1;
1585 
1588  de_ctx->flags |= DE_QUIET;
1589 
1590  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any any (flow:to_server,established; uricontent:\"/search?q=\"; pcre:\"/^\\/search\\?q=[0-9]{1,3}(&aq=7(\\?[0-9a-f]{8})?)?/U\"; pcre:\"/\\x0d\\x0aHost\\: \\d+\\.\\d+\\.\\d+\\.\\d+\\x0d\\x0a/\"; sid:2009024; rev:9;)");
1591  FAIL_IF_NULL(s);
1592 
1594  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1595 
1596  UTHAddStreamToFlow(f, 0, http_buf2, http_buf2_len);
1597 
1598  int r = AppLayerParserParse(
1599  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
1600  FAIL_IF(r != 0);
1601 
1602  http_state = f->alstate;
1603  FAIL_IF_NULL(http_state);
1604 
1605  /* do detect */
1606  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1607  FAIL_IF(!PacketAlertCheck(p, 2009024));
1608  p->alerts.cnt = 0;
1609 
1610  p->payload = http_buf2;
1611  p->payload_len = http_buf2_len;
1612 
1613  r = AppLayerParserParse(
1614  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
1615  FAIL_IF(r != 0);
1616 
1617  http_state = f->alstate;
1618  FAIL_IF_NULL(http_state);
1619 
1620  /* do detect */
1621  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1622  FAIL_IF(PacketAlertCheck(p, 2009024));
1623 
1625  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1627 
1629  UTHFreeFlow(f);
1630 
1631  StreamTcpFreeConfig(true);
1632  UTHFreePacket(p);
1633  PASS;
1634 }
1635 
1636 /**
1637  * \test Test multiple relative contents
1638  */
1639 static int UriTestSig17(void)
1640 {
1641  int result = 0;
1642  uint8_t *http_buf = (uint8_t *)"POST /now_this_is_is_big_big_string_now HTTP/1.0\r\n"
1643  "User-Agent: Mozilla/1.0\r\n";
1644  uint32_t http_buf_len = strlen((char *)http_buf);
1645  Flow f;
1646  TcpSession ssn;
1647  HtpState *http_state = NULL;
1648  Packet *p = NULL;
1649  ThreadVars tv;
1650  DetectEngineThreadCtx *det_ctx = NULL;
1652 
1653  memset(&tv, 0, sizeof(ThreadVars));
1654  memset(&f, 0, sizeof(Flow));
1655  memset(&ssn, 0, sizeof(TcpSession));
1656 
1657  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
1658 
1659  FLOW_INITIALIZE(&f);
1660  f.protoctx = (void *)&ssn;
1661  f.proto = IPPROTO_TCP;
1662  f.flags |= FLOW_IPV4;
1663 
1664  p->flow = &f;
1668  f.alproto = ALPROTO_HTTP1;
1669 
1670  StreamTcpInitConfig(true);
1671 
1673  if (de_ctx == NULL) {
1674  goto end;
1675  }
1676  de_ctx->flags |= DE_QUIET;
1677 
1678  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1679  "(msg:\"test multiple relative uricontents\"; "
1680  "uricontent:\"this\"; uricontent:\"is\"; within:6; "
1681  "uricontent:\"big\"; within:8; "
1682  "uricontent:\"string\"; within:8; sid:1;)");
1683  if (de_ctx->sig_list == NULL) {
1684  goto end;
1685  }
1686 
1688  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1689 
1690  int r = AppLayerParserParse(
1691  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
1692  if (r != 0) {
1693  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1694  goto end;
1695  }
1696 
1697  http_state = f.alstate;
1698  if (http_state == NULL) {
1699  printf("no http state: ");
1700  goto end;
1701  }
1702 
1703  /* do detect */
1704  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1705 
1706  if (!PacketAlertCheck(p, 1)) {
1707  printf("sig 1 alerted, but it should not: ");
1708  goto end;
1709  }
1710 
1711  result = 1;
1712 
1713 end:
1714  if (alp_tctx != NULL)
1716  if (det_ctx != NULL)
1717  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1718  if (de_ctx != NULL)
1720  if (de_ctx != NULL)
1722 
1723  StreamTcpFreeConfig(true);
1724  FLOW_DESTROY(&f);
1725  UTHFreePacket(p);
1726  return result;
1727 }
1728 
1729 /**
1730  * \test Test multiple relative contents
1731  */
1732 static int UriTestSig18(void)
1733 {
1734  int result = 0;
1735  uint8_t *http_buf = (uint8_t *)"POST /now_this_is_is_is_big_big_big_string_now HTTP/1.0\r\n"
1736  "User-Agent: Mozilla/1.0\r\n";
1737  uint32_t http_buf_len = strlen((char *)http_buf);
1738  Flow f;
1739  TcpSession ssn;
1740  HtpState *http_state = NULL;
1741  Packet *p = NULL;
1742  ThreadVars tv;
1743  DetectEngineThreadCtx *det_ctx = NULL;
1745 
1746  memset(&tv, 0, sizeof(ThreadVars));
1747  memset(&f, 0, sizeof(Flow));
1748  memset(&ssn, 0, sizeof(TcpSession));
1749 
1750  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
1751 
1752  FLOW_INITIALIZE(&f);
1753  f.protoctx = (void *)&ssn;
1754  f.proto = IPPROTO_TCP;
1755  f.flags |= FLOW_IPV4;
1756 
1757  p->flow = &f;
1761  f.alproto = ALPROTO_HTTP1;
1762 
1763  StreamTcpInitConfig(true);
1764 
1766  if (de_ctx == NULL) {
1767  goto end;
1768  }
1769  de_ctx->flags |= DE_QUIET;
1770 
1771  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1772  "(msg:\"test multiple relative uricontents\"; "
1773  "uricontent:\"this\"; uricontent:\"is\"; within:9; "
1774  "uricontent:\"big\"; within:12; "
1775  "uricontent:\"string\"; within:8; sid:1;)");
1776  if (de_ctx->sig_list == NULL) {
1777  goto end;
1778  }
1779 
1781  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1782 
1783  int r = AppLayerParserParse(
1784  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
1785  if (r != 0) {
1786  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1787  goto end;
1788  }
1789 
1790  http_state = f.alstate;
1791  if (http_state == NULL) {
1792  printf("no http state: ");
1793  goto end;
1794  }
1795 
1796  /* do detect */
1797  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1798 
1799  if (!PacketAlertCheck(p, 1)) {
1800  printf("sig 1 alerted, but it should not: ");
1801  goto end;
1802  }
1803 
1804  result = 1;
1805 
1806 end:
1807  if (alp_tctx != NULL)
1809  if (det_ctx != NULL)
1810  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1811  if (de_ctx != NULL)
1813  if (de_ctx != NULL)
1815 
1816  StreamTcpFreeConfig(true);
1817  FLOW_DESTROY(&f);
1818  UTHFreePacket(p);
1819  return result;
1820 }
1821 
1822 /**
1823  * \test Test multiple relative contents
1824  */
1825 static int UriTestSig19(void)
1826 {
1827  int result = 0;
1828  uint8_t *http_buf = (uint8_t *)"POST /this_this_now_is_is_____big_string_now HTTP/1.0\r\n"
1829  "User-Agent: Mozilla/1.0\r\n";
1830  uint32_t http_buf_len = strlen((char *)http_buf);
1831  Flow f;
1832  TcpSession ssn;
1833  HtpState *http_state = NULL;
1834  Packet *p = NULL;
1835  ThreadVars tv;
1836  DetectEngineThreadCtx *det_ctx = NULL;
1838 
1839  memset(&tv, 0, sizeof(ThreadVars));
1840  memset(&f, 0, sizeof(Flow));
1841  memset(&ssn, 0, sizeof(TcpSession));
1842 
1843  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
1844 
1845  FLOW_INITIALIZE(&f);
1846  f.protoctx = (void *)&ssn;
1847  f.proto = IPPROTO_TCP;
1848  f.flags |= FLOW_IPV4;
1849 
1850  p->flow = &f;
1854  f.alproto = ALPROTO_HTTP1;
1855 
1856  StreamTcpInitConfig(true);
1857 
1859  if (de_ctx == NULL) {
1860  goto end;
1861  }
1862  de_ctx->flags |= DE_QUIET;
1863 
1864  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1865  "(msg:\"test multiple relative uricontents\"; "
1866  "uricontent:\"now\"; uricontent:\"this\"; "
1867  "uricontent:\"is\"; within:12; "
1868  "uricontent:\"big\"; within:8; "
1869  "uricontent:\"string\"; within:8; sid:1;)");
1870  if (de_ctx->sig_list == NULL) {
1871  goto end;
1872  }
1873 
1875  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1876 
1877  int r = AppLayerParserParse(
1878  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
1879  if (r != 0) {
1880  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1881  goto end;
1882  }
1883 
1884  http_state = f.alstate;
1885  if (http_state == NULL) {
1886  printf("no http state: ");
1887  goto end;
1888  }
1889 
1890  /* do detect */
1891  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1892 
1893  if (!PacketAlertCheck(p, 1)) {
1894  printf("sig 1 alerted, but it should not: ");
1895  goto end;
1896  }
1897 
1898  result = 1;
1899 
1900 end:
1901  if (alp_tctx != NULL)
1903  if (det_ctx != NULL)
1904  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1905  if (de_ctx != NULL)
1907  if (de_ctx != NULL)
1909 
1910  StreamTcpFreeConfig(true);
1911  FLOW_DESTROY(&f);
1912  UTHFreePacket(p);
1913  return result;
1914 }
1915 
1916 /**
1917  * \test Test multiple relative contents with offset
1918  */
1919 static int UriTestSig20(void)
1920 {
1921  int result = 0;
1922  uint8_t *http_buf = (uint8_t *)"POST /_________thus_thus_is_a_big HTTP/1.0\r\n"
1923  "User-Agent: Mozilla/1.0\r\n";
1924  uint32_t http_buf_len = strlen((char *)http_buf);
1925  Flow f;
1926  TcpSession ssn;
1927  HtpState *http_state = NULL;
1928  Packet *p = NULL;
1929  ThreadVars tv;
1930  DetectEngineThreadCtx *det_ctx = NULL;
1932 
1933  memset(&tv, 0, sizeof(ThreadVars));
1934  memset(&f, 0, sizeof(Flow));
1935  memset(&ssn, 0, sizeof(TcpSession));
1936 
1937  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
1938 
1939  FLOW_INITIALIZE(&f);
1940  f.protoctx = (void *)&ssn;
1941  f.proto = IPPROTO_TCP;
1942  f.flags |= FLOW_IPV4;
1943 
1944  p->flow = &f;
1948  f.alproto = ALPROTO_HTTP1;
1949 
1950  StreamTcpInitConfig(true);
1951 
1953  if (de_ctx == NULL) {
1954  goto end;
1955  }
1956  de_ctx->flags |= DE_QUIET;
1957 
1958  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1959  "(msg:\"test multiple relative uricontents\"; "
1960  "uricontent:\"thus\"; offset:8; "
1961  "uricontent:\"is\"; within:6; "
1962  "uricontent:\"big\"; within:8; sid:1;)");
1963  if (de_ctx->sig_list == NULL) {
1964  goto end;
1965  }
1966 
1968  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1969 
1970  int r = AppLayerParserParse(
1971  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
1972  if (r != 0) {
1973  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1974  goto end;
1975  }
1976 
1977  http_state = f.alstate;
1978  if (http_state == NULL) {
1979  printf("no http state: ");
1980  goto end;
1981  }
1982 
1983  /* do detect */
1984  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1985 
1986  if (!PacketAlertCheck(p, 1)) {
1987  printf("sig 1 alerted, but it should not: ");
1988  goto end;
1989  }
1990 
1991  result = 1;
1992 
1993 end:
1994  if (alp_tctx != NULL)
1996  if (det_ctx != NULL)
1997  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1998  if (de_ctx != NULL)
2000  if (de_ctx != NULL)
2002 
2003  StreamTcpFreeConfig(true);
2004  FLOW_DESTROY(&f);
2005  UTHFreePacket(p);
2006  return result;
2007 }
2008 
2009 /**
2010  * \test Test multiple relative contents with a negated content.
2011  */
2012 static int UriTestSig21(void)
2013 {
2014  int result = 0;
2015  uint8_t *http_buf = (uint8_t *)"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2016  "User-Agent: Mozilla/1.0\r\n";
2017  uint32_t http_buf_len = strlen((char *)http_buf);
2018  Flow f;
2019  TcpSession ssn;
2020  HtpState *http_state = NULL;
2021  Packet *p = NULL;
2022  ThreadVars tv;
2023  DetectEngineThreadCtx *det_ctx = NULL;
2025 
2026  memset(&tv, 0, sizeof(ThreadVars));
2027  memset(&f, 0, sizeof(Flow));
2028  memset(&ssn, 0, sizeof(TcpSession));
2029 
2030  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2031 
2032  FLOW_INITIALIZE(&f);
2033  f.protoctx = (void *)&ssn;
2034  f.proto = IPPROTO_TCP;
2035  f.flags |= FLOW_IPV4;
2036 
2037  p->flow = &f;
2041  f.alproto = ALPROTO_HTTP1;
2042 
2043  StreamTcpInitConfig(true);
2044 
2046  if (de_ctx == NULL) {
2047  goto end;
2048  }
2049  de_ctx->flags |= DE_QUIET;
2050 
2051  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2052  "(msg:\"test multiple relative uricontents\"; "
2053  "uricontent:\"fix\"; uricontent:\"this\"; within:6; "
2054  "uricontent:!\"and\"; distance:0; sid:1;)");
2055  if (de_ctx->sig_list == NULL) {
2056  goto end;
2057  }
2058 
2060  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2061 
2062  int r = AppLayerParserParse(
2063  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
2064  if (r != 0) {
2065  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2066  goto end;
2067  }
2068 
2069  http_state = f.alstate;
2070  if (http_state == NULL) {
2071  printf("no http state: ");
2072  goto end;
2073  }
2074 
2075  /* do detect */
2076  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2077 
2078  if (!PacketAlertCheck(p, 1)) {
2079  printf("sig 1 alerted, but it should not: ");
2080  goto end;
2081  }
2082 
2083  result = 1;
2084 
2085 end:
2086  if (alp_tctx != NULL)
2088  if (det_ctx != NULL)
2089  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2090  if (de_ctx != NULL)
2092  if (de_ctx != NULL)
2094 
2095  StreamTcpFreeConfig(true);
2096  FLOW_DESTROY(&f);
2097  UTHFreePacket(p);
2098  return result;
2099 }
2100 
2101 /**
2102  * \test Test relative pcre.
2103  */
2104 static int UriTestSig22(void)
2105 {
2106  int result = 0;
2107  uint8_t *http_buf = (uint8_t *)"POST /this_is_a_super_duper_"
2108  "nova_in_super_nova_now HTTP/1.0\r\n"
2109  "User-Agent: Mozilla/1.0\r\n";
2110  uint32_t http_buf_len = strlen((char *)http_buf);
2111  Flow f;
2112  TcpSession ssn;
2113  HtpState *http_state = NULL;
2114  Packet *p = NULL;
2115  ThreadVars tv;
2116  DetectEngineThreadCtx *det_ctx = NULL;
2118 
2119  memset(&tv, 0, sizeof(ThreadVars));
2120  memset(&f, 0, sizeof(Flow));
2121  memset(&ssn, 0, sizeof(TcpSession));
2122 
2123  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2124 
2125  FLOW_INITIALIZE(&f);
2126  f.protoctx = (void *)&ssn;
2127  f.proto = IPPROTO_TCP;
2128  f.flags |= FLOW_IPV4;
2129 
2130  p->flow = &f;
2134  f.alproto = ALPROTO_HTTP1;
2135 
2136  StreamTcpInitConfig(true);
2137 
2139  if (de_ctx == NULL) {
2140  goto end;
2141  }
2142  de_ctx->flags |= DE_QUIET;
2143 
2144  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2145  "(msg:\"test multiple relative uricontents\"; "
2146  "pcre:/super/U; uricontent:\"nova\"; within:7; sid:1;)");
2147  if (de_ctx->sig_list == NULL) {
2148  goto end;
2149  }
2150 
2152  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2153 
2154  int r = AppLayerParserParse(
2155  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
2156  if (r != 0) {
2157  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2158  goto end;
2159  }
2160 
2161  http_state = f.alstate;
2162  if (http_state == NULL) {
2163  printf("no http state: ");
2164  goto end;
2165  }
2166 
2167  /* do detect */
2168  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2169 
2170  if (!PacketAlertCheck(p, 1)) {
2171  printf("sig 1 didn't alert, but it should have: ");
2172  goto end;
2173  }
2174 
2175  result = 1;
2176 
2177 end:
2178  if (alp_tctx != NULL)
2180  if (det_ctx != NULL)
2181  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2182  if (de_ctx != NULL)
2184  if (de_ctx != NULL)
2186 
2187  StreamTcpFreeConfig(true);
2188  FLOW_DESTROY(&f);
2189  UTHFreePacket(p);
2190  return result;
2191 }
2192 
2193 /**
2194  * \test Test multiple relative contents with a negated content.
2195  */
2196 static int UriTestSig23(void)
2197 {
2198  int result = 0;
2199  uint8_t *http_buf = (uint8_t *)"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2200  "User-Agent: Mozilla/1.0\r\n";
2201  uint32_t http_buf_len = strlen((char *)http_buf);
2202  Flow f;
2203  TcpSession ssn;
2204  HtpState *http_state = NULL;
2205  Packet *p = NULL;
2206  ThreadVars tv;
2207  DetectEngineThreadCtx *det_ctx = NULL;
2209 
2210  memset(&tv, 0, sizeof(ThreadVars));
2211  memset(&f, 0, sizeof(Flow));
2212  memset(&ssn, 0, sizeof(TcpSession));
2213 
2214  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2215 
2216  FLOW_INITIALIZE(&f);
2217  f.protoctx = (void *)&ssn;
2218  f.proto = IPPROTO_TCP;
2219  f.flags |= FLOW_IPV4;
2220 
2221  p->flow = &f;
2225  f.alproto = ALPROTO_HTTP1;
2226 
2227  StreamTcpInitConfig(true);
2228 
2230  if (de_ctx == NULL) {
2231  goto end;
2232  }
2233  de_ctx->flags |= DE_QUIET;
2234 
2235  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2236  "(msg:\"test multiple relative uricontents\"; "
2237  "uricontent:!\"fix_this_now\"; sid:1;)");
2238  if (de_ctx->sig_list == NULL) {
2239  goto end;
2240  }
2241 
2243  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2244 
2245  int r = AppLayerParserParse(
2246  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
2247  if (r != 0) {
2248  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2249  goto end;
2250  }
2251 
2252  http_state = f.alstate;
2253  if (http_state == NULL) {
2254  printf("no http state: ");
2255  goto end;
2256  }
2257 
2258  /* do detect */
2259  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2260 
2261  if (PacketAlertCheck(p, 1)) {
2262  printf("sig 1 alerted, but it should not: ");
2263  goto end;
2264  }
2265 
2266  result = 1;
2267 
2268 end:
2269  if (alp_tctx != NULL)
2271  if (det_ctx != NULL)
2272  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2273  if (de_ctx != NULL)
2275  if (de_ctx != NULL)
2277 
2278  StreamTcpFreeConfig(true);
2279  FLOW_DESTROY(&f);
2280  UTHFreePacket(p);
2281  return result;
2282 }
2283 
2284 /**
2285  * \test Test multiple relative contents with a negated content.
2286  */
2287 static int UriTestSig24(void)
2288 {
2289  int result = 0;
2290  uint8_t *http_buf = (uint8_t *)"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2291  "User-Agent: Mozilla/1.0\r\n";
2292  uint32_t http_buf_len = strlen((char *)http_buf);
2293  Flow f;
2294  TcpSession ssn;
2295  HtpState *http_state = NULL;
2296  Packet *p = NULL;
2297  ThreadVars tv;
2298  DetectEngineThreadCtx *det_ctx = NULL;
2300 
2301  memset(&tv, 0, sizeof(ThreadVars));
2302  memset(&f, 0, sizeof(Flow));
2303  memset(&ssn, 0, sizeof(TcpSession));
2304 
2305  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2306 
2307  FLOW_INITIALIZE(&f);
2308  f.protoctx = (void *)&ssn;
2309  f.proto = IPPROTO_TCP;
2310  f.flags |= FLOW_IPV4;
2311 
2312  p->flow = &f;
2316  f.alproto = ALPROTO_HTTP1;
2317 
2318  StreamTcpInitConfig(true);
2319 
2321  if (de_ctx == NULL) {
2322  goto end;
2323  }
2324  de_ctx->flags |= DE_QUIET;
2325 
2326  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2327  "(msg:\"test multiple relative uricontents\"; "
2328  "uricontent:\"we_need_to\"; uricontent:!\"fix_this_now\"; sid:1;)");
2329  if (de_ctx->sig_list == NULL) {
2330  goto end;
2331  }
2332 
2334  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2335 
2336  int r = AppLayerParserParse(
2337  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
2338  if (r != 0) {
2339  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2340  goto end;
2341  }
2342 
2343  http_state = f.alstate;
2344  if (http_state == NULL) {
2345  printf("no http state: ");
2346  goto end;
2347  }
2348 
2349  /* do detect */
2350  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2351 
2352  if (PacketAlertCheck(p, 1)) {
2353  printf("sig 1 alerted, but it should not: ");
2354  goto end;
2355  }
2356 
2357  result = 1;
2358 
2359 end:
2360  if (alp_tctx != NULL)
2362  if (det_ctx != NULL)
2363  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2364  if (de_ctx != NULL)
2366  if (de_ctx != NULL)
2368 
2369  StreamTcpFreeConfig(true);
2370  FLOW_DESTROY(&f);
2371  UTHFreePacket(p);
2372  return result;
2373 }
2374 
2375 /**
2376  * \test Test normalized uricontents.
2377  */
2378 static int UriTestSig25(void)
2379 {
2380  int result = 0;
2381  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
2382  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
2383  uint32_t http_buf_len = strlen((char *)http_buf);
2384  Flow f;
2385  TcpSession ssn;
2386  HtpState *http_state = NULL;
2387  Packet *p = NULL;
2388  ThreadVars tv;
2389  DetectEngineThreadCtx *det_ctx = NULL;
2391 
2392  memset(&tv, 0, sizeof(ThreadVars));
2393  memset(&f, 0, sizeof(Flow));
2394  memset(&ssn, 0, sizeof(TcpSession));
2395 
2396  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2397 
2398  FLOW_INITIALIZE(&f);
2399  f.protoctx = (void *)&ssn;
2400  f.proto = IPPROTO_TCP;
2401  f.flags |= FLOW_IPV4;
2402 
2403  p->flow = &f;
2406  f.alproto = ALPROTO_HTTP1;
2408 
2409  StreamTcpInitConfig(true);
2410 
2412  if (de_ctx == NULL) {
2413  goto end;
2414  }
2415  de_ctx->flags |= DE_QUIET;
2416 
2417  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2418  "(msg:\"test multiple relative uricontents\"; "
2419  "pcre:/normalized/U; uricontent:\"normalized uri\"; sid:1;)");
2420  if (de_ctx->sig_list == NULL) {
2421  goto end;
2422  }
2423 
2425  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2426 
2427  int r = AppLayerParserParse(
2428  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
2429  if (r != 0) {
2430  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2431  goto end;
2432  }
2433 
2434  http_state = f.alstate;
2435  if (http_state == NULL) {
2436  printf("no http state: ");
2437  goto end;
2438  }
2439 
2440  /* do detect */
2441  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2442 
2443  if (!PacketAlertCheck(p, 1)) {
2444  printf("sig 1 didn't alert, but it should have: ");
2445  goto end;
2446  }
2447 
2448  result = 1;
2449 
2450 end:
2451  if (alp_tctx != NULL)
2453  if (det_ctx != NULL)
2454  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2455  if (de_ctx != NULL)
2457  if (de_ctx != NULL)
2459 
2460  StreamTcpFreeConfig(true);
2461  FLOW_DESTROY(&f);
2462  UTHFreePacket(p);
2463  return result;
2464 }
2465 
2466 /**
2467  * \test Test multiple relative contents with a negated content.
2468  */
2469 static int UriTestSig26(void)
2470 {
2471  int result = 0;
2472  uint8_t *http_buf = (uint8_t *)"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2473  "User-Agent: Mozilla/1.0\r\n";
2474  uint32_t http_buf_len = strlen((char *)http_buf);
2475  Flow f;
2476  TcpSession ssn;
2477  HtpState *http_state = NULL;
2478  Packet *p = NULL;
2479  ThreadVars tv;
2480  DetectEngineThreadCtx *det_ctx = NULL;
2482 
2483  memset(&tv, 0, sizeof(ThreadVars));
2484  memset(&f, 0, sizeof(Flow));
2485  memset(&ssn, 0, sizeof(TcpSession));
2486 
2487  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2488 
2489  FLOW_INITIALIZE(&f);
2490  f.protoctx = (void *)&ssn;
2491  f.proto = IPPROTO_TCP;
2492  f.flags |= FLOW_IPV4;
2493 
2494  p->flow = &f;
2498  f.alproto = ALPROTO_HTTP1;
2499 
2500  StreamTcpInitConfig(true);
2501 
2503  if (de_ctx == NULL) {
2504  goto end;
2505  }
2506  de_ctx->flags |= DE_QUIET;
2507 
2508  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2509  "(msg:\"test multiple relative uricontents\"; "
2510  "uricontent:\"fix_this\"; isdataat:4,relative; sid:1;)");
2511  if (de_ctx->sig_list == NULL) {
2512  goto end;
2513  }
2514 
2516  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2517 
2518  int r = AppLayerParserParse(
2519  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
2520  if (r != 0) {
2521  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2522  goto end;
2523  }
2524 
2525  http_state = f.alstate;
2526  if (http_state == NULL) {
2527  printf("no http state: ");
2528  goto end;
2529  }
2530 
2531  /* do detect */
2532  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2533 
2534  if (!PacketAlertCheck(p, 1)) {
2535  printf("sig 1 didn't alert, but it should have: ");
2536  goto end;
2537  }
2538 
2539  result = 1;
2540 
2541 end:
2542  if (alp_tctx != NULL)
2544  if (det_ctx != NULL)
2545  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2546  if (de_ctx != NULL)
2548  if (de_ctx != NULL)
2550 
2551  StreamTcpFreeConfig(true);
2552  FLOW_DESTROY(&f);
2553  UTHFreePacket(p);
2554  return result;
2555 }
2556 
2557 /**
2558  * \test Test multiple relative contents with a negated content.
2559  */
2560 static int UriTestSig27(void)
2561 {
2562  int result = 0;
2563  uint8_t *http_buf = (uint8_t *)"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2564  "User-Agent: Mozilla/1.0\r\n";
2565  uint32_t http_buf_len = strlen((char *)http_buf);
2566  Flow f;
2567  TcpSession ssn;
2568  HtpState *http_state = NULL;
2569  Packet *p = NULL;
2570  ThreadVars tv;
2571  DetectEngineThreadCtx *det_ctx = NULL;
2573 
2574  memset(&tv, 0, sizeof(ThreadVars));
2575  memset(&f, 0, sizeof(Flow));
2576  memset(&ssn, 0, sizeof(TcpSession));
2577 
2578  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2579 
2580  FLOW_INITIALIZE(&f);
2581  f.protoctx = (void *)&ssn;
2582  f.proto = IPPROTO_TCP;
2583  f.flags |= FLOW_IPV4;
2584 
2585  p->flow = &f;
2589  f.alproto = ALPROTO_HTTP1;
2590 
2591  StreamTcpInitConfig(true);
2592 
2594  if (de_ctx == NULL) {
2595  goto end;
2596  }
2597  de_ctx->flags |= DE_QUIET;
2598 
2599  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2600  "(msg:\"test multiple relative uricontents\"; "
2601  "uricontent:\"fix_this\"; isdataat:!10,relative; sid:1;)");
2602  if (de_ctx->sig_list == NULL) {
2603  goto end;
2604  }
2605 
2607  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2608 
2609  int r = AppLayerParserParse(
2610  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
2611  if (r != 0) {
2612  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2613  goto end;
2614  }
2615 
2616  http_state = f.alstate;
2617  if (http_state == NULL) {
2618  printf("no http state: ");
2619  goto end;
2620  }
2621 
2622  /* do detect */
2623  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2624 
2625  if (!PacketAlertCheck(p, 1)) {
2626  printf("sig 1 didn't alert, but it should have: ");
2627  goto end;
2628  }
2629 
2630  result = 1;
2631 
2632 end:
2633  if (alp_tctx != NULL)
2635  if (det_ctx != NULL)
2636  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2637  if (de_ctx != NULL)
2639  if (de_ctx != NULL)
2641 
2642  StreamTcpFreeConfig(true);
2643  FLOW_DESTROY(&f);
2644  UTHFreePacket(p);
2645  return result;
2646 }
2647 
2648 
2649 
2650 
2651 
2652 
2653 
2654 
2655 
2656 
2657 
2658 
2659 
2660 
2661 
2662 
2663 
2664 
2665 
2666 
2667 
2668 
2669 
2670 
2671 
2672 
2673 
2674 
2675 
2676 
2677 
2678 
2679 
2680 
2681 
2682 
2683 static int UriTestSig28(void)
2684 {
2685  int result = 0;
2686  uint8_t *http_buf = (uint8_t *)"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2687  "User-Agent: Mozilla/1.0\r\n";
2688  uint32_t http_buf_len = strlen((char *)http_buf);
2689  Flow f;
2690  TcpSession ssn;
2691  HtpState *http_state = NULL;
2692  Packet *p = NULL;
2693  ThreadVars tv;
2694  DetectEngineThreadCtx *det_ctx = NULL;
2696 
2697  memset(&tv, 0, sizeof(ThreadVars));
2698  memset(&f, 0, sizeof(Flow));
2699  memset(&ssn, 0, sizeof(TcpSession));
2700 
2701  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2702 
2703  FLOW_INITIALIZE(&f);
2704  f.protoctx = (void *)&ssn;
2705  f.proto = IPPROTO_TCP;
2706  f.flags |= FLOW_IPV4;
2707 
2708  p->flow = &f;
2712  f.alproto = ALPROTO_HTTP1;
2713 
2714  StreamTcpInitConfig(true);
2715 
2717  if (de_ctx == NULL) {
2718  goto end;
2719  }
2720  de_ctx->flags |= DE_QUIET;
2721 
2723  "alert tcp any any -> any any (msg:\"dummy\"; "
2724  "uricontent:\"this\"; "
2725  "byte_extract:1,2,one,string,dec,relative; "
2726  "uricontent:\"ring\"; distance:one; sid:1;)");
2727  if (de_ctx->sig_list == NULL) {
2728  goto end;
2729  }
2730 
2732  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2733 
2734  int r = AppLayerParserParse(
2735  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
2736  if (r != 0) {
2737  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2738  goto end;
2739  }
2740 
2741  http_state = f.alstate;
2742  if (http_state == NULL) {
2743  printf("no http state: ");
2744  goto end;
2745  }
2746 
2747  /* do detect */
2748  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2749 
2750  if (!PacketAlertCheck(p, 1)) {
2751  printf("sig 1 didn't alert, but should have: ");
2752  goto end;
2753  }
2754 
2755  result = 1;
2756 
2757 end:
2758  if (alp_tctx != NULL)
2760  if (det_ctx != NULL)
2761  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2762  if (de_ctx != NULL)
2764  if (de_ctx != NULL)
2766 
2767  StreamTcpFreeConfig(true);
2768  FLOW_DESTROY(&f);
2769  UTHFreePacket(p);
2770  return result;
2771 }
2772 
2773 static int UriTestSig29(void)
2774 {
2775  int result = 0;
2776  uint8_t *http_buf = (uint8_t *)"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2777  "User-Agent: Mozilla/1.0\r\n";
2778  uint32_t http_buf_len = strlen((char *)http_buf);
2779  Flow f;
2780  TcpSession ssn;
2781  HtpState *http_state = NULL;
2782  Packet *p = NULL;
2783  ThreadVars tv;
2784  DetectEngineThreadCtx *det_ctx = NULL;
2786 
2787  memset(&tv, 0, sizeof(ThreadVars));
2788  memset(&f, 0, sizeof(Flow));
2789  memset(&ssn, 0, sizeof(TcpSession));
2790 
2791  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2792 
2793  FLOW_INITIALIZE(&f);
2794  f.protoctx = (void *)&ssn;
2795  f.proto = IPPROTO_TCP;
2796  f.flags |= FLOW_IPV4;
2797 
2798  p->flow = &f;
2802  f.alproto = ALPROTO_HTTP1;
2803 
2804  StreamTcpInitConfig(true);
2805 
2807  if (de_ctx == NULL) {
2808  goto end;
2809  }
2810  de_ctx->flags |= DE_QUIET;
2811 
2813  "alert tcp any any -> any any (msg:\"dummy\"; "
2814  "uricontent:\"this\"; "
2815  "byte_extract:1,2,one,string,dec,relative; "
2816  "uricontent:\"ring\"; distance:one; sid:1;)");
2817  if (de_ctx->sig_list == NULL) {
2818  goto end;
2819  }
2820 
2822  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2823 
2824  int r = AppLayerParserParse(
2825  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
2826  if (r != 0) {
2827  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2828  goto end;
2829  }
2830 
2831  http_state = f.alstate;
2832  if (http_state == NULL) {
2833  printf("no http state: ");
2834  goto end;
2835  }
2836 
2837  /* do detect */
2838  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2839 
2840  if (!PacketAlertCheck(p, 1)) {
2841  printf("sig 1 didn't alert, but should have: ");
2842  goto end;
2843  }
2844 
2845  result = 1;
2846 
2847 end:
2848  if (alp_tctx != NULL)
2850  if (det_ctx != NULL)
2851  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2852  if (de_ctx != NULL)
2854  if (de_ctx != NULL)
2856 
2857  StreamTcpFreeConfig(true);
2858  FLOW_DESTROY(&f);
2859  UTHFreePacket(p);
2860  return result;
2861 }
2862 
2863 static int UriTestSig30(void)
2864 {
2865  int result = 0;
2866  uint8_t *http_buf = (uint8_t *)"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2867  "User-Agent: Mozilla/1.0\r\n";
2868  uint32_t http_buf_len = strlen((char *)http_buf);
2869  Flow f;
2870  TcpSession ssn;
2871  HtpState *http_state = NULL;
2872  Packet *p = NULL;
2873  ThreadVars tv;
2874  DetectEngineThreadCtx *det_ctx = NULL;
2876 
2877  memset(&tv, 0, sizeof(ThreadVars));
2878  memset(&f, 0, sizeof(Flow));
2879  memset(&ssn, 0, sizeof(TcpSession));
2880 
2881  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2882 
2883  FLOW_INITIALIZE(&f);
2884  f.protoctx = (void *)&ssn;
2885  f.proto = IPPROTO_TCP;
2886  f.flags |= FLOW_IPV4;
2887 
2888  p->flow = &f;
2892  f.alproto = ALPROTO_HTTP1;
2893 
2894  StreamTcpInitConfig(true);
2895 
2897  if (de_ctx == NULL) {
2898  goto end;
2899  }
2900  de_ctx->flags |= DE_QUIET;
2901 
2903  "alert tcp any any -> any any (msg:\"dummy\"; "
2904  "uricontent:\"this\"; "
2905  "byte_extract:1,2,one,string,dec,relative; "
2906  "uricontent:\"_b5ig\"; offset:one; sid:1;)");
2907  if (de_ctx->sig_list == NULL) {
2908  goto end;
2909  }
2910 
2912  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2913 
2914  int r = AppLayerParserParse(
2915  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
2916  if (r != 0) {
2917  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2918  goto end;
2919  }
2920 
2921  http_state = f.alstate;
2922  if (http_state == NULL) {
2923  printf("no http state: ");
2924  goto end;
2925  }
2926 
2927  /* do detect */
2928  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2929 
2930  if (!PacketAlertCheck(p, 1)) {
2931  printf("sig 1 didn't alert, but should have: ");
2932  goto end;
2933  }
2934 
2935  result = 1;
2936 
2937 end:
2938  if (alp_tctx != NULL)
2940  if (det_ctx != NULL)
2941  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2942  if (de_ctx != NULL)
2944  if (de_ctx != NULL)
2946 
2947  StreamTcpFreeConfig(true);
2948  FLOW_DESTROY(&f);
2949  UTHFreePacket(p);
2950  return result;
2951 }
2952 
2953 static int UriTestSig31(void)
2954 {
2955  int result = 0;
2956  uint8_t *http_buf = (uint8_t *)"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2957  "User-Agent: Mozilla/1.0\r\n";
2958  uint32_t http_buf_len = strlen((char *)http_buf);
2959  Flow f;
2960  TcpSession ssn;
2961  HtpState *http_state = NULL;
2962  Packet *p = NULL;
2963  ThreadVars tv;
2964  DetectEngineThreadCtx *det_ctx = NULL;
2966 
2967  memset(&tv, 0, sizeof(ThreadVars));
2968  memset(&f, 0, sizeof(Flow));
2969  memset(&ssn, 0, sizeof(TcpSession));
2970 
2971  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2972 
2973  FLOW_INITIALIZE(&f);
2974  f.protoctx = (void *)&ssn;
2975  f.proto = IPPROTO_TCP;
2976  f.flags |= FLOW_IPV4;
2977 
2978  p->flow = &f;
2982  f.alproto = ALPROTO_HTTP1;
2983 
2984  StreamTcpInitConfig(true);
2985 
2987  if (de_ctx == NULL) {
2988  goto end;
2989  }
2990  de_ctx->flags |= DE_QUIET;
2991 
2993  "alert tcp any any -> any any (msg:\"dummy\"; "
2994  "uricontent:\"this\"; "
2995  "byte_extract:1,2,one,string,dec,relative; "
2996  "uricontent:\"his\"; depth:one; sid:1;)");
2997  if (de_ctx->sig_list == NULL) {
2998  goto end;
2999  }
3000 
3002  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3003 
3004  int r = AppLayerParserParse(
3005  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
3006  if (r != 0) {
3007  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3008  goto end;
3009  }
3010 
3011  http_state = f.alstate;
3012  if (http_state == NULL) {
3013  printf("no http state: ");
3014  goto end;
3015  }
3016 
3017  /* do detect */
3018  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3019 
3020  if (!PacketAlertCheck(p, 1)) {
3021  printf("sig 1 didn't alert, but should have: ");
3022  goto end;
3023  }
3024 
3025  result = 1;
3026 
3027 end:
3028  if (alp_tctx != NULL)
3030  if (det_ctx != NULL)
3031  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3032  if (de_ctx != NULL)
3034  if (de_ctx != NULL)
3036 
3037  StreamTcpFreeConfig(true);
3038  FLOW_DESTROY(&f);
3039  UTHFreePacket(p);
3040  return result;
3041 }
3042 
3043 static int UriTestSig32(void)
3044 {
3045  int result = 0;
3046  uint8_t *http_buf = (uint8_t *)"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
3047  "User-Agent: Mozilla/1.0\r\n";
3048  uint32_t http_buf_len = strlen((char *)http_buf);
3049  Flow f;
3050  TcpSession ssn;
3051  HtpState *http_state = NULL;
3052  Packet *p = NULL;
3053  ThreadVars tv;
3054  DetectEngineThreadCtx *det_ctx = NULL;
3056 
3057  memset(&tv, 0, sizeof(ThreadVars));
3058  memset(&f, 0, sizeof(Flow));
3059  memset(&ssn, 0, sizeof(TcpSession));
3060 
3061  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3062 
3063  FLOW_INITIALIZE(&f);
3064  f.protoctx = (void *)&ssn;
3065  f.proto = IPPROTO_TCP;
3066  f.flags |= FLOW_IPV4;
3067 
3068  p->flow = &f;
3072  f.alproto = ALPROTO_HTTP1;
3073 
3074  StreamTcpInitConfig(true);
3075 
3077  if (de_ctx == NULL) {
3078  goto end;
3079  }
3080  de_ctx->flags |= DE_QUIET;
3081 
3083  "alert tcp any any -> any any (msg:\"dummy\"; "
3084  "uricontent:\"this\"; "
3085  "byte_extract:1,2,one,string,dec,relative; "
3086  "uricontent:\"g_st\"; within:one; sid:1;)");
3087  if (de_ctx->sig_list == NULL) {
3088  goto end;
3089  }
3090 
3092  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3093 
3094  int r = AppLayerParserParse(
3095  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
3096  if (r != 0) {
3097  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3098  goto end;
3099  }
3100 
3101  http_state = f.alstate;
3102  if (http_state == NULL) {
3103  printf("no http state: ");
3104  goto end;
3105  }
3106 
3107  /* do detect */
3108  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3109 
3110  if (!PacketAlertCheck(p, 1)) {
3111  printf("sig 1 didn't alert, but should have: ");
3112  goto end;
3113  }
3114 
3115  result = 1;
3116 
3117 end:
3118  if (alp_tctx != NULL)
3120  if (det_ctx != NULL)
3121  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3122  if (de_ctx != NULL)
3124  if (de_ctx != NULL)
3126 
3127  StreamTcpFreeConfig(true);
3128  FLOW_DESTROY(&f);
3129  UTHFreePacket(p);
3130  return result;
3131 }
3132 
3133 static int UriTestSig33(void)
3134 {
3135  int result = 0;
3136  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3137  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3138  uint32_t http_buf_len = strlen((char *)http_buf);
3139  Flow f;
3140  TcpSession ssn;
3141  HtpState *http_state = NULL;
3142  Packet *p = NULL;
3143  ThreadVars tv;
3144  DetectEngineThreadCtx *det_ctx = NULL;
3146 
3147  memset(&tv, 0, sizeof(ThreadVars));
3148  memset(&f, 0, sizeof(Flow));
3149  memset(&ssn, 0, sizeof(TcpSession));
3150 
3151  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3152 
3153  FLOW_INITIALIZE(&f);
3154  f.protoctx = (void *)&ssn;
3155  f.proto = IPPROTO_TCP;
3156  f.flags |= FLOW_IPV4;
3157 
3158  p->flow = &f;
3161  f.alproto = ALPROTO_HTTP1;
3163 
3164  StreamTcpInitConfig(true);
3165 
3167  if (de_ctx == NULL) {
3168  goto end;
3169  }
3170  de_ctx->flags |= DE_QUIET;
3171 
3172  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3173  "(msg:\"test multiple relative uricontents\"; "
3174  "urilen:15; sid:1;)");
3175  if (de_ctx->sig_list == NULL) {
3176  goto end;
3177  }
3178 
3180  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3181 
3182  int r = AppLayerParserParse(
3183  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
3184  if (r != 0) {
3185  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3186  goto end;
3187  }
3188 
3189  http_state = f.alstate;
3190  if (http_state == NULL) {
3191  printf("no http state: ");
3192  goto end;
3193  }
3194 
3195  /* do detect */
3196  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3197 
3198  if (!PacketAlertCheck(p, 1)) {
3199  printf("sig 1 didn't alert, but it should have: ");
3200  goto end;
3201  }
3202 
3203  result = 1;
3204 
3205 end:
3206  if (alp_tctx != NULL)
3208  if (det_ctx != NULL)
3209  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3210  if (de_ctx != NULL)
3212  if (de_ctx != NULL)
3214 
3215  StreamTcpFreeConfig(true);
3216  FLOW_DESTROY(&f);
3217  UTHFreePacket(p);
3218  return result;
3219 }
3220 
3221 static int UriTestSig34(void)
3222 {
3223  int result = 0;
3224  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3225  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3226  uint32_t http_buf_len = strlen((char *)http_buf);
3227  Flow f;
3228  TcpSession ssn;
3229  HtpState *http_state = NULL;
3230  Packet *p = NULL;
3231  ThreadVars tv;
3232  DetectEngineThreadCtx *det_ctx = NULL;
3234 
3235  memset(&tv, 0, sizeof(ThreadVars));
3236  memset(&f, 0, sizeof(Flow));
3237  memset(&ssn, 0, sizeof(TcpSession));
3238 
3239  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3240 
3241  FLOW_INITIALIZE(&f);
3242  f.protoctx = (void *)&ssn;
3243  f.proto = IPPROTO_TCP;
3244  f.flags |= FLOW_IPV4;
3245 
3246  p->flow = &f;
3249  f.alproto = ALPROTO_HTTP1;
3251 
3252  StreamTcpInitConfig(true);
3253 
3255  if (de_ctx == NULL) {
3256  goto end;
3257  }
3258  de_ctx->flags |= DE_QUIET;
3259 
3260  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3261  "(msg:\"test multiple relative uricontents\"; "
3262  "urilen:15, norm; sid:1;)");
3263  if (de_ctx->sig_list == NULL) {
3264  goto end;
3265  }
3266 
3268  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3269 
3270  int r = AppLayerParserParse(
3271  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
3272  if (r != 0) {
3273  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3274  goto end;
3275  }
3276 
3277  http_state = f.alstate;
3278  if (http_state == NULL) {
3279  printf("no http state: ");
3280  goto end;
3281  }
3282 
3283  /* do detect */
3284  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3285 
3286  if (!PacketAlertCheck(p, 1)) {
3287  printf("sig 1 didn't alert, but it should have: ");
3288  goto end;
3289  }
3290 
3291  result = 1;
3292 
3293 end:
3294  if (alp_tctx != NULL)
3296  if (det_ctx != NULL)
3297  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3298  if (de_ctx != NULL)
3300  if (de_ctx != NULL)
3302 
3303  StreamTcpFreeConfig(true);
3304  FLOW_DESTROY(&f);
3305  UTHFreePacket(p);
3306  return result;
3307 }
3308 
3309 static int UriTestSig35(void)
3310 {
3311  int result = 0;
3312  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3313  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3314  uint32_t http_buf_len = strlen((char *)http_buf);
3315  Flow f;
3316  TcpSession ssn;
3317  HtpState *http_state = NULL;
3318  Packet *p = NULL;
3319  ThreadVars tv;
3320  DetectEngineThreadCtx *det_ctx = NULL;
3322 
3323  memset(&tv, 0, sizeof(ThreadVars));
3324  memset(&f, 0, sizeof(Flow));
3325  memset(&ssn, 0, sizeof(TcpSession));
3326 
3327  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3328 
3329  FLOW_INITIALIZE(&f);
3330  f.protoctx = (void *)&ssn;
3331  f.proto = IPPROTO_TCP;
3332  f.flags |= FLOW_IPV4;
3333 
3334  p->flow = &f;
3337  f.alproto = ALPROTO_HTTP1;
3339 
3340  StreamTcpInitConfig(true);
3341 
3343  if (de_ctx == NULL) {
3344  goto end;
3345  }
3346  de_ctx->flags |= DE_QUIET;
3347 
3348  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3349  "(msg:\"test multiple relative uricontents\"; "
3350  "urilen:16; sid:1;)");
3351  if (de_ctx->sig_list == NULL) {
3352  goto end;
3353  }
3354 
3356  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3357 
3358  int r = AppLayerParserParse(
3359  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
3360  if (r != 0) {
3361  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3362  goto end;
3363  }
3364 
3365  http_state = f.alstate;
3366  if (http_state == NULL) {
3367  printf("no http state: ");
3368  goto end;
3369  }
3370 
3371  /* do detect */
3372  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3373 
3374  if (PacketAlertCheck(p, 1)) {
3375  printf("sig 1 alerted, but it shouldn't have: ");
3376  goto end;
3377  }
3378 
3379  result = 1;
3380 
3381 end:
3382  if (alp_tctx != NULL)
3384  if (det_ctx != NULL)
3385  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3386  if (de_ctx != NULL)
3388  if (de_ctx != NULL)
3390 
3391  StreamTcpFreeConfig(true);
3392  FLOW_DESTROY(&f);
3393  UTHFreePacket(p);
3394  return result;
3395 }
3396 
3397 static int UriTestSig36(void)
3398 {
3399  int result = 0;
3400  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3401  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3402  uint32_t http_buf_len = strlen((char *)http_buf);
3403  Flow f;
3404  TcpSession ssn;
3405  HtpState *http_state = NULL;
3406  Packet *p = NULL;
3407  ThreadVars tv;
3408  DetectEngineThreadCtx *det_ctx = NULL;
3410 
3411  memset(&tv, 0, sizeof(ThreadVars));
3412  memset(&f, 0, sizeof(Flow));
3413  memset(&ssn, 0, sizeof(TcpSession));
3414 
3415  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3416 
3417  FLOW_INITIALIZE(&f);
3418  f.protoctx = (void *)&ssn;
3419  f.proto = IPPROTO_TCP;
3420  f.flags |= FLOW_IPV4;
3421 
3422  p->flow = &f;
3425  f.alproto = ALPROTO_HTTP1;
3427 
3428  StreamTcpInitConfig(true);
3429 
3431  if (de_ctx == NULL) {
3432  goto end;
3433  }
3434  de_ctx->flags |= DE_QUIET;
3435 
3436  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3437  "(msg:\"test multiple relative uricontents\"; "
3438  "urilen:16, norm; sid:1;)");
3439  if (de_ctx->sig_list == NULL) {
3440  goto end;
3441  }
3442 
3444  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3445 
3446  int r = AppLayerParserParse(
3447  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
3448  if (r != 0) {
3449  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3450  goto end;
3451  }
3452 
3453  http_state = f.alstate;
3454  if (http_state == NULL) {
3455  printf("no http state: ");
3456  goto end;
3457  }
3458 
3459  /* do detect */
3460  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3461 
3462  if (PacketAlertCheck(p, 1)) {
3463  printf("sig 1 alerted, but it shouldn't have: ");
3464  goto end;
3465  }
3466 
3467  result = 1;
3468 
3469 end:
3470  if (alp_tctx != NULL)
3472  if (det_ctx != NULL)
3473  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3474  if (de_ctx != NULL)
3476  if (de_ctx != NULL)
3478 
3479  StreamTcpFreeConfig(true);
3480  FLOW_DESTROY(&f);
3481  UTHFreePacket(p);
3482  return result;
3483 }
3484 
3485 static int UriTestSig37(void)
3486 {
3487  int result = 0;
3488  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3489  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3490  uint32_t http_buf_len = strlen((char *)http_buf);
3491  Flow f;
3492  TcpSession ssn;
3493  HtpState *http_state = NULL;
3494  Packet *p = NULL;
3495  ThreadVars tv;
3496  DetectEngineThreadCtx *det_ctx = NULL;
3498 
3499  memset(&tv, 0, sizeof(ThreadVars));
3500  memset(&f, 0, sizeof(Flow));
3501  memset(&ssn, 0, sizeof(TcpSession));
3502 
3503  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3504 
3505  FLOW_INITIALIZE(&f);
3506  f.protoctx = (void *)&ssn;
3507  f.proto = IPPROTO_TCP;
3508  f.flags |= FLOW_IPV4;
3509 
3510  p->flow = &f;
3513  f.alproto = ALPROTO_HTTP1;
3515 
3516  StreamTcpInitConfig(true);
3517 
3519  if (de_ctx == NULL) {
3520  goto end;
3521  }
3522  de_ctx->flags |= DE_QUIET;
3523 
3524  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3525  "(msg:\"test multiple relative uricontents\"; "
3526  "urilen:17, raw; sid:1;)");
3527  if (de_ctx->sig_list == NULL) {
3528  goto end;
3529  }
3530 
3532  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3533 
3534  int r = AppLayerParserParse(
3535  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
3536  if (r != 0) {
3537  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3538  goto end;
3539  }
3540 
3541  http_state = f.alstate;
3542  if (http_state == NULL) {
3543  printf("no http state: ");
3544  goto end;
3545  }
3546 
3547  /* do detect */
3548  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3549 
3550  if (!PacketAlertCheck(p, 1)) {
3551  printf("sig 1 didn't alert, but it should have: ");
3552  goto end;
3553  }
3554 
3555  result = 1;
3556 
3557 end:
3558  if (alp_tctx != NULL)
3560  if (det_ctx != NULL)
3561  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3562  if (de_ctx != NULL)
3564  if (de_ctx != NULL)
3566 
3567  StreamTcpFreeConfig(true);
3568  FLOW_DESTROY(&f);
3569  UTHFreePacket(p);
3570  return result;
3571 }
3572 
3573 static int UriTestSig38(void)
3574 {
3575  int result = 0;
3576  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3577  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3578  uint32_t http_buf_len = strlen((char *)http_buf);
3579  Flow f;
3580  TcpSession ssn;
3581  HtpState *http_state = NULL;
3582  Packet *p = NULL;
3583  ThreadVars tv;
3584  DetectEngineThreadCtx *det_ctx = NULL;
3586 
3587  memset(&tv, 0, sizeof(ThreadVars));
3588  memset(&f, 0, sizeof(Flow));
3589  memset(&ssn, 0, sizeof(TcpSession));
3590 
3591  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3592 
3593  FLOW_INITIALIZE(&f);
3594  f.protoctx = (void *)&ssn;
3595  f.proto = IPPROTO_TCP;
3596  f.flags |= FLOW_IPV4;
3597 
3598  p->flow = &f;
3601  f.alproto = ALPROTO_HTTP1;
3603 
3604  StreamTcpInitConfig(true);
3605 
3607  if (de_ctx == NULL) {
3608  goto end;
3609  }
3610  de_ctx->flags |= DE_QUIET;
3611 
3612  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3613  "(msg:\"test multiple relative uricontents\"; "
3614  "urilen:18, raw; sid:1;)");
3615  if (de_ctx->sig_list == NULL) {
3616  goto end;
3617  }
3618 
3620  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3621 
3622  int r = AppLayerParserParse(
3623  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_buf_len);
3624  if (r != 0) {
3625  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3626  goto end;
3627  }
3628 
3629  http_state = f.alstate;
3630  if (http_state == NULL) {
3631  printf("no http state: ");
3632  goto end;
3633  }
3634 
3635  /* do detect */
3636  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3637 
3638  if (PacketAlertCheck(p, 1)) {
3639  printf("sig 1 alerted, but it shouldn't have: ");
3640  goto end;
3641  }
3642 
3643  result = 1;
3644 
3645 end:
3646  if (alp_tctx != NULL)
3648  if (det_ctx != NULL)
3649  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3650  if (de_ctx != NULL)
3652  if (de_ctx != NULL)
3654 
3655  StreamTcpFreeConfig(true);
3656  FLOW_DESTROY(&f);
3657  UTHFreePacket(p);
3658  return result;
3659 }
3660 
3661 /**
3662  * \test Checks if a http_uri is registered in a Signature, if content is not
3663  * specified in the signature
3664  */
3665 static int DetectHttpUriTest01(void)
3666 {
3667  DetectEngineCtx *de_ctx = NULL;
3668  int result = 0;
3669 
3670  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3671  goto end;
3672 
3673  de_ctx->flags |= DE_QUIET;
3674  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3675  "(msg:\"Testing http_uri\"; http_uri;sid:1;)");
3676  if (de_ctx->sig_list == NULL)
3677  result = 1;
3678 
3679 end:
3680  if (de_ctx != NULL)
3682  return result;
3683 }
3684 
3685 /**
3686  * \test Checks if a http_uri is registered in a Signature, if some parameter
3687  * is specified with http_uri in the signature
3688  */
3689 static int DetectHttpUriTest02(void)
3690 {
3691  DetectEngineCtx *de_ctx = NULL;
3692  int result = 0;
3693 
3694  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3695  goto end;
3696 
3697  de_ctx->flags |= DE_QUIET;
3698  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3699  "(msg:\"Testing http_uri\"; content:\"one\"; "
3700  "http_cookie:wrong; sid:1;)");
3701  if (de_ctx->sig_list == NULL)
3702  result = 1;
3703 
3704 end:
3705  if (de_ctx != NULL)
3707  return result;
3708 }
3709 
3710 /**
3711  * \test Checks if a http_uri is registered in a Signature
3712  */
3713 static int DetectHttpUriTest03(void)
3714 {
3715  SigMatch *sm = NULL;
3716  DetectEngineCtx *de_ctx = NULL;
3717  int result = 0;
3718 
3719  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3720  goto end;
3721 
3722  de_ctx->flags |= DE_QUIET;
3723  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3724  "(msg:\"Testing http_uri\"; content:\"one\"; "
3725  "http_uri; content:\"two\"; http_uri; "
3726  "content:\"three\"; http_uri; "
3727  "sid:1;)");
3728 
3729  if (de_ctx->sig_list == NULL) {
3730  printf("sig parse failed: ");
3731  goto end;
3732  }
3733 
3734  sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
3735  if (sm == NULL) {
3736  printf("no sigmatch(es): ");
3737  goto end;
3738  }
3739 
3740  while (sm != NULL) {
3741  if (sm->type == DETECT_CONTENT) {
3742  result = 1;
3743  } else {
3744  printf("expected DETECT_AL_HTTP_URI, got %d: ", sm->type);
3745  goto end;
3746  }
3747  sm = sm->next;
3748  }
3749 
3750 end:
3751  if (de_ctx != NULL)
3753  return result;
3754 }
3755 
3756 /**
3757  * \test Checks if a http_uri is registered in a Signature, when rawbytes is
3758  * also specified in the signature
3759  */
3760 static int DetectHttpUriTest04(void)
3761 {
3762  DetectEngineCtx *de_ctx = NULL;
3763  int result = 0;
3764 
3765  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3766  goto end;
3767 
3768  de_ctx->flags |= DE_QUIET;
3769  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3770  "(msg:\"Testing http_uri\"; content:\"one\"; "
3771  "rawbytes; http_uri; sid:1;)");
3772  if (de_ctx->sig_list == NULL)
3773  result = 1;
3774 
3775  end:
3776  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
3777  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
3778  return result;
3779 }
3780 
3781 /**
3782  * \test Checks if a http_uri is successfully converted to a uricontent
3783  *
3784  */
3785 static int DetectHttpUriTest05(void)
3786 {
3787  DetectEngineCtx *de_ctx = NULL;
3788  Signature *s = NULL;
3789  int result = 0;
3790 
3791  if ((de_ctx = DetectEngineCtxInit()) == NULL)
3792  goto end;
3793 
3794  s = SigInit(de_ctx, "alert tcp any any -> any any "
3795  "(msg:\"Testing http_uri\"; "
3796  "content:\"we are testing http_uri keyword\"; "
3797  "http_uri; sid:1;)");
3798  if (s == NULL) {
3799  printf("sig failed to parse\n");
3800  goto end;
3801  }
3802  if (s->sm_lists[g_http_uri_buffer_id] == NULL)
3803  goto end;
3804  if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) {
3805  printf("wrong type\n");
3806  goto end;
3807  }
3808 
3809  const char *str = "we are testing http_uri keyword";
3810  int uricomp = memcmp((const char *)((DetectContentData*) s->sm_lists[g_http_uri_buffer_id]->ctx)->content, str, strlen(str)-1);
3811  int urilen = ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->content_len;
3812  if (uricomp != 0 ||
3813  urilen != strlen("we are testing http_uri keyword")) {
3814  printf("sig failed to parse, content not setup properly\n");
3815  goto end;
3816  }
3817  result = 1;
3818 
3819 end:
3820  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
3821  if (de_ctx != NULL) SigGroupCleanup(de_ctx);
3822  return result;
3823 }
3824 
3825 static int DetectHttpUriTest12(void)
3826 {
3827  DetectEngineCtx *de_ctx = NULL;
3828  int result = 0;
3829 
3830  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3831  goto end;
3832 
3833  de_ctx->flags |= DE_QUIET;
3834  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
3835  "(content:\"one\"; http_uri; "
3836  "content:\"two\"; distance:0; http_uri; sid:1;)");
3837  if (de_ctx->sig_list == NULL) {
3838  printf("de_ctx->sig_list == NULL\n");
3839  goto end;
3840  }
3841 
3842  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
3843  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
3844  goto end;
3845  }
3846 
3847  if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
3848  printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
3849  goto end;
3850  }
3851 
3852  DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
3853  DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
3854  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
3855  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
3856  ud2->flags != DETECT_CONTENT_DISTANCE ||
3857  memcmp(ud2->content, "two", ud1->content_len) != 0) {
3858  goto end;
3859  }
3860 
3861  result = 1;
3862 
3863  end:
3866  return result;
3867 }
3868 
3869 static int DetectHttpUriTest13(void)
3870 {
3871  DetectEngineCtx *de_ctx = NULL;
3872  int result = 0;
3873 
3874  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3875  goto end;
3876 
3877  de_ctx->flags |= DE_QUIET;
3878  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
3879  "(content:\"one\"; http_uri; "
3880  "content:\"two\"; within:5; http_uri; sid:1;)");
3881  if (de_ctx->sig_list == NULL) {
3882  printf("de_ctx->sig_list == NULL\n");
3883  goto end;
3884  }
3885 
3886  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
3887  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
3888  goto end;
3889  }
3890 
3891  if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
3892  printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
3893  goto end;
3894  }
3895 
3896  DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
3897  DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
3898  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
3899  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
3900  ud2->flags != DETECT_CONTENT_WITHIN ||
3901  memcmp(ud2->content, "two", ud1->content_len) != 0) {
3902  goto end;
3903  }
3904 
3905  result = 1;
3906 
3907  end:
3910  return result;
3911 }
3912 
3913 static int DetectHttpUriTest14(void)
3914 {
3915  DetectEngineCtx *de_ctx = NULL;
3916  int result = 0;
3917 
3918  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3919  goto end;
3920 
3921  de_ctx->flags |= DE_QUIET;
3922  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
3923  "(content:\"one\"; within:5; http_uri; sid:1;)");
3924  if (de_ctx->sig_list == NULL) {
3925  printf("de_ctx->sig_list == NULL\n");
3926  goto end;
3927  }
3928 
3929  result = 1;
3930 
3931  end:
3934  return result;
3935 }
3936 
3937 static int DetectHttpUriTest15(void)
3938 {
3939  DetectEngineCtx *de_ctx = NULL;
3940  int result = 0;
3941 
3942  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3943  goto end;
3944 
3945  de_ctx->flags |= DE_QUIET;
3946  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
3947  "(content:\"one\"; http_uri; within:5; sid:1;)");
3948  if (de_ctx->sig_list == NULL) {
3949  printf("de_ctx->sig_list == NULL\n");
3950  goto end;
3951  }
3952 
3953  if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
3954  printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
3955  goto end;
3956  }
3957 
3958  DetectContentData *cd = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
3959  if (memcmp(cd->content, "one", cd->content_len) != 0 ||
3960  cd->flags != DETECT_CONTENT_WITHIN) {
3961  goto end;
3962  }
3963 
3964  result = 1;
3965 
3966  end:
3969  return result;
3970 }
3971 
3972 static int DetectHttpUriTest16(void)
3973 {
3974  DetectEngineCtx *de_ctx = NULL;
3975  int result = 0;
3976 
3977  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3978  goto end;
3979 
3980  de_ctx->flags |= DE_QUIET;
3981  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
3982  "(content:\"one\"; within:5; sid:1;)");
3983  if (de_ctx->sig_list == NULL) {
3984  printf("de_ctx->sig_list == NULL\n");
3985  goto end;
3986  }
3987 
3988  result = 1;
3989 
3990  end:
3993  return result;
3994 }
3995 
3996 static int DetectHttpUriTest17(void)
3997 {
3998  DetectEngineCtx *de_ctx = NULL;
3999  int result = 0;
4000 
4001  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4002  goto end;
4003 
4004  de_ctx->flags |= DE_QUIET;
4005  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4006  "(uricontent:\"one\"; "
4007  "content:\"two\"; distance:0; http_uri; sid:1;)");
4008  if (de_ctx->sig_list == NULL) {
4009  printf("de_ctx->sig_list == NULL\n");
4010  goto end;
4011  }
4012 
4013  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4014  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4015  goto end;
4016  }
4017 
4018  if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
4019  printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
4020  goto end;
4021  }
4022 
4023  DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
4024  DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
4025  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4026  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4027  ud2->flags != DETECT_CONTENT_DISTANCE ||
4028  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4029  goto end;
4030  }
4031 
4032  result = 1;
4033 
4034  end:
4037  return result;
4038 }
4039 
4040 static int DetectHttpUriTest18(void)
4041 {
4042  DetectEngineCtx *de_ctx = NULL;
4043  int result = 0;
4044 
4045  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4046  goto end;
4047 
4048  de_ctx->flags |= DE_QUIET;
4049  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4050  "(uricontent:\"one\"; "
4051  "content:\"two\"; within:5; http_uri; sid:1;)");
4052  if (de_ctx->sig_list == NULL) {
4053  printf("de_ctx->sig_list == NULL\n");
4054  goto end;
4055  }
4056 
4057  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4058  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4059  goto end;
4060  }
4061 
4062  if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
4063  printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
4064  goto end;
4065  }
4066 
4067  DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
4068  DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
4069  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4070  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4071  ud2->flags != DETECT_CONTENT_WITHIN ||
4072  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4073  goto end;
4074  }
4075 
4076  result = 1;
4077 
4078  end:
4081  return result;
4082 }
4083 
4084 static int DetectHttpUriIsdataatParseTest(void)
4085 {
4088  de_ctx->flags |= DE_QUIET;
4089 
4091  "alert tcp any any -> any any ("
4092  "content:\"one\"; http_uri; "
4093  "isdataat:!4,relative; sid:1;)");
4094  FAIL_IF_NULL(s);
4095 
4096  SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id];
4097  FAIL_IF_NULL(sm);
4099 
4100  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
4103  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
4104 
4106  PASS;
4107 }
4108 
4109 /**
4110  * \test Checks if a http_raw_uri is registered in a Signature, if content is not
4111  * specified in the signature.
4112  */
4113 static int DetectHttpRawUriTest01(void)
4114 {
4115  DetectEngineCtx *de_ctx = NULL;
4116  int result = 0;
4117 
4118  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4119  goto end;
4120 
4121  de_ctx->flags |= DE_QUIET;
4122  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4123  "(msg:\"Testing http_raw_uri\"; http_raw_uri; sid:1;)");
4124  if (de_ctx->sig_list == NULL)
4125  result = 1;
4126 
4127 end:
4128  if (de_ctx != NULL)
4130  return result;
4131 }
4132 
4133 /**
4134  * \test Checks if a http_raw_uri is registered in a Signature, if some parameter
4135  * is specified with http_raw_uri in the signature.
4136  */
4137 static int DetectHttpRawUriTest02(void)
4138 {
4139  DetectEngineCtx *de_ctx = NULL;
4140  int result = 0;
4141 
4142  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4143  goto end;
4144 
4145  de_ctx->flags |= DE_QUIET;
4146  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4147  "(msg:\"Testing http_raw_uri\"; content:\"one\"; "
4148  "http_raw_uri:wrong; sid:1;)");
4149  if (de_ctx->sig_list == NULL)
4150  result = 1;
4151 
4152 end:
4153  if (de_ctx != NULL)
4155  return result;
4156 }
4157 
4158 /**
4159  * \test Checks if a http_raw_uri is registered in a Signature.
4160  */
4161 static int DetectHttpRawUriTest03(void)
4162 {
4163  SigMatch *sm = NULL;
4164  DetectEngineCtx *de_ctx = NULL;
4165  int result = 0;
4166 
4167  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4168  goto end;
4169 
4170  de_ctx->flags |= DE_QUIET;
4171  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4172  "(msg:\"Testing http_raw_uri\"; "
4173  "content:\"one\"; http_raw_uri; "
4174  "content:\"two\"; http_raw_uri; "
4175  "content:\"three\"; http_raw_uri; "
4176  "sid:1;)");
4177  if (de_ctx->sig_list == NULL) {
4178  printf("sig parse failed: ");
4179  goto end;
4180  }
4181 
4182  sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
4183  if (sm == NULL) {
4184  printf("no sigmatch(es): ");
4185  goto end;
4186  }
4187 
4188  while (sm != NULL) {
4189  if (sm->type == DETECT_CONTENT) {
4190  result = 1;
4191  } else {
4192  printf("expected DETECT_CONTENT for http_raw_uri(%d), got %d: ",
4193  DETECT_CONTENT, sm->type);
4194  goto end;
4195  }
4196  sm = sm->next;
4197  }
4198 
4199 end:
4200  if (de_ctx != NULL)
4202  return result;
4203 }
4204 
4205 /**
4206  * \test Checks if a http_raw_uri is registered in a Signature, when rawbytes is
4207  * also specified in the signature.
4208  */
4209 static int DetectHttpRawUriTest04(void)
4210 {
4211  DetectEngineCtx *de_ctx = NULL;
4212  int result = 0;
4213 
4214  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4215  goto end;
4216 
4217  de_ctx->flags |= DE_QUIET;
4218  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4219  "(msg:\"Testing http_raw_uri\"; "
4220  "content:\"one\"; rawbytes; http_raw_uri; "
4221  "sid:1;)");
4222  if (de_ctx->sig_list == NULL)
4223  result = 1;
4224 
4225  end:
4226  if (de_ctx != NULL)
4228  return result;
4229 }
4230 
4231 /**
4232  * \test Checks if a http_raw_uri is successfully converted to a rawuricontent.
4233  *
4234  */
4235 static int DetectHttpRawUriTest05(void)
4236 {
4237  DetectEngineCtx *de_ctx = NULL;
4238  Signature *s = NULL;
4239  int result = 0;
4240 
4241  if ((de_ctx = DetectEngineCtxInit()) == NULL)
4242  goto end;
4243 
4244  s = SigInit(de_ctx, "alert tcp any any -> any any "
4245  "(msg:\"Testing http_raw_uri\"; "
4246  "content:\"we are testing http_raw_uri keyword\"; http_raw_uri; "
4247  "sid:1;)");
4248  if (s == NULL) {
4249  printf("sig failed to parse\n");
4250  goto end;
4251  }
4252  if (s->sm_lists[g_http_raw_uri_buffer_id] == NULL)
4253  goto end;
4254  if (s->sm_lists[g_http_raw_uri_buffer_id]->type != DETECT_CONTENT) {
4255  printf("wrong type\n");
4256  goto end;
4257  }
4258 
4259  const char *str = "we are testing http_raw_uri keyword";
4260  int uricomp = memcmp((const char *)
4261  ((DetectContentData*)s->sm_lists[g_http_raw_uri_buffer_id]->ctx)->content,
4262  str,
4263  strlen(str) - 1);
4264  int urilen = ((DetectContentData*)s->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx)->content_len;
4265  if (uricomp != 0 ||
4266  urilen != strlen("we are testing http_raw_uri keyword")) {
4267  printf("sig failed to parse, content not setup properly\n");
4268  goto end;
4269  }
4270  result = 1;
4271 
4272 end:
4273  if (de_ctx != NULL)
4275  return result;
4276 }
4277 
4278 static int DetectHttpRawUriTest12(void)
4279 {
4280  DetectEngineCtx *de_ctx = NULL;
4281  int result = 0;
4282 
4283  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4284  goto end;
4285 
4286  de_ctx->flags |= DE_QUIET;
4287  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4288  "(content:\"one\"; http_raw_uri; "
4289  "content:\"two\"; distance:0; http_raw_uri; sid:1;)");
4290  if (de_ctx->sig_list == NULL) {
4291  printf("de_ctx->sig_list == NULL\n");
4292  goto end;
4293  }
4294 
4295  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4296  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4297  goto end;
4298  }
4299 
4300  if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
4301  printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
4302  goto end;
4303  }
4304 
4305  DetectContentData *ud1 =
4306  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
4307  DetectContentData *ud2 =
4308  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
4309  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4310  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4311  ud2->flags != DETECT_CONTENT_DISTANCE ||
4312  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4313  /* inside body */
4314  goto end;
4315  }
4316 
4317  result = 1;
4318 
4319  end:
4321  return result;
4322 }
4323 
4324 static int DetectHttpRawUriTest13(void)
4325 {
4326  DetectEngineCtx *de_ctx = NULL;
4327  int result = 0;
4328 
4329  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4330  goto end;
4331 
4332  de_ctx->flags |= DE_QUIET;
4333  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4334  "(content:\"one\"; http_raw_uri; "
4335  "content:\"two\"; within:5; http_raw_uri; sid:1;)");
4336  if (de_ctx->sig_list == NULL) {
4337  printf("de_ctx->sig_list == NULL\n");
4338  goto end;
4339  }
4340 
4341  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4342  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4343  goto end;
4344  }
4345 
4346  if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
4347  printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
4348  goto end;
4349  }
4350 
4351  DetectContentData *ud1 =
4352  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
4353  DetectContentData *ud2 =
4354  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
4355  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4356  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4357  ud2->flags != DETECT_CONTENT_WITHIN ||
4358  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4359  /* inside the body */
4360  goto end;
4361  }
4362 
4363  result = 1;
4364 
4365  end:
4367  return result;
4368 }
4369 
4370 static int DetectHttpRawUriTest14(void)
4371 {
4372  DetectEngineCtx *de_ctx = NULL;
4373  int result = 0;
4374 
4375  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4376  goto end;
4377 
4378  de_ctx->flags |= DE_QUIET;
4379  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4380  "(content:\"one\"; within:5; http_raw_uri; sid:1;)");
4381  if (de_ctx->sig_list == NULL) {
4382  printf("de_ctx->sig_list == NULL\n");
4383  goto end;
4384  }
4385 
4386  result = 1;
4387 
4388  end:
4390  return result;
4391 }
4392 
4393 static int DetectHttpRawUriTest15(void)
4394 {
4395  DetectEngineCtx *de_ctx = NULL;
4396  int result = 0;
4397 
4398  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4399  goto end;
4400 
4401  de_ctx->flags |= DE_QUIET;
4402  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4403  "(content:\"one\"; http_raw_uri; within:5; sid:1;)");
4404  if (de_ctx->sig_list == NULL) {
4405  printf("de_ctx->sig_list == NULL\n");
4406  goto end;
4407  }
4408 
4409  result = 1;
4410 
4411  end:
4413  return result;
4414 }
4415 
4416 static int DetectHttpRawUriTest16(void)
4417 {
4418  DetectEngineCtx *de_ctx = NULL;
4419  int result = 0;
4420 
4421  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4422  goto end;
4423 
4424  de_ctx->flags |= DE_QUIET;
4425  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4426  "(content:\"one\"; within:5; sid:1;)");
4427  if (de_ctx->sig_list == NULL) {
4428  printf("de_ctx->sig_list == NULL\n");
4429  goto end;
4430  }
4431 
4432  result = 1;
4433 
4434  end:
4436  return result;
4437 }
4438 
4439 static int DetectHttpRawUriTest17(void)
4440 {
4441  DetectEngineCtx *de_ctx = NULL;
4442  int result = 0;
4443 
4444  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4445  goto end;
4446 
4447  de_ctx->flags |= DE_QUIET;
4448  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4449  "(content:\"one\"; http_raw_uri; "
4450  "content:\"two\"; distance:0; http_raw_uri; sid:1;)");
4451  if (de_ctx->sig_list == NULL) {
4452  printf("de_ctx->sig_list == NULL\n");
4453  goto end;
4454  }
4455 
4456  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4457  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4458  goto end;
4459  }
4460 
4461  if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
4462  printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
4463  goto end;
4464  }
4465 
4466  DetectContentData *ud1 =
4467  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
4468  DetectContentData *ud2 =
4469  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
4470  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4471  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4472  ud2->flags != DETECT_CONTENT_DISTANCE ||
4473  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4474  /* inside body */
4475  goto end;
4476  }
4477 
4478  result = 1;
4479 
4480  end:
4482  return result;
4483 }
4484 
4485 static int DetectHttpRawUriTest18(void)
4486 {
4487  DetectEngineCtx *de_ctx = NULL;
4488  int result = 0;
4489 
4490  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4491  goto end;
4492 
4493  de_ctx->flags |= DE_QUIET;
4494  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4495  "(content:\"one\"; http_raw_uri; "
4496  "content:\"two\"; within:5; http_raw_uri; "
4497  "sid:1;)");
4498  if (de_ctx->sig_list == NULL) {
4499  printf("de_ctx->sig_list == NULL\n");
4500  goto end;
4501  }
4502 
4503  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4504  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4505  goto end;
4506  }
4507 
4508  if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
4509  printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
4510  goto end;
4511  }
4512 
4513  DetectContentData *ud1 =
4514  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
4515  DetectContentData *ud2 =
4516  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
4517  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4518  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4519  ud2->flags != DETECT_CONTENT_WITHIN ||
4520  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4521  /* inside body */
4522  goto end;
4523  }
4524 
4525  result = 1;
4526 
4527  end:
4529  return result;
4530 }
4531 
4532 static int DetectEngineHttpRawUriTest01(void)
4533 {
4534  TcpSession ssn;
4535  Packet *p1 = NULL;
4536  Packet *p2 = NULL;
4537  ThreadVars th_v;
4538  DetectEngineCtx *de_ctx = NULL;
4539  DetectEngineThreadCtx *det_ctx = NULL;
4540  HtpState *http_state = NULL;
4541  Flow f;
4542  uint8_t http1_buf[] =
4543  "GET /../a/b/../c";
4544  uint8_t http2_buf[] =
4545  "/./d.html HTTP/1.1\r\n"
4546  "Host: www.openinfosecfoundation.org\r\n"
4547  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4548  "Content-Type: text/html\r\n"
4549  "Content-Length: 46\r\n"
4550  "\r\n"
4551  "This is dummy body1"
4552  "This is dummy message body2";
4553  uint32_t http1_len = sizeof(http1_buf) - 1;
4554  uint32_t http2_len = sizeof(http2_buf) - 1;
4555  int result = 0;
4557 
4558  memset(&th_v, 0, sizeof(th_v));
4559  memset(&f, 0, sizeof(f));
4560  memset(&ssn, 0, sizeof(ssn));
4561 
4562  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4563  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4564 
4565  FLOW_INITIALIZE(&f);
4566  f.protoctx = (void *)&ssn;
4567  f.proto = IPPROTO_TCP;
4568  f.flags |= FLOW_IPV4;
4569 
4570  p1->flow = &f;
4574  p2->flow = &f;
4578  f.alproto = ALPROTO_HTTP1;
4579 
4580  StreamTcpInitConfig(true);
4581 
4583  if (de_ctx == NULL)
4584  goto end;
4585 
4586  de_ctx->flags |= DE_QUIET;
4587 
4588  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4589  "(msg:\"http raw uri test\"; "
4590  "content:\"../c/./d\"; http_raw_uri; "
4591  "sid:1;)");
4592  if (de_ctx->sig_list == NULL)
4593  goto end;
4594 
4596  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4597 
4598  int r = AppLayerParserParse(
4599  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4600  if (r != 0) {
4601  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4602  result = 0;
4603  goto end;
4604  }
4605 
4606  http_state = f.alstate;
4607  if (http_state == NULL) {
4608  printf("no http state: \n");
4609  result = 0;
4610  goto end;
4611  }
4612 
4613  /* do detect */
4614  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4615 
4616  if ((PacketAlertCheck(p1, 1))) {
4617  printf("sid 1 matched but shouldn't have\n");
4618  goto end;
4619  }
4620 
4621  r = AppLayerParserParse(
4622  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4623  if (r != 0) {
4624  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4625  result = 0;
4626  goto end;
4627  }
4628 
4629  /* do detect */
4630  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4631 
4632  if (!(PacketAlertCheck(p2, 1))) {
4633  printf("sid 1 didn't match but should have");
4634  goto end;
4635  }
4636 
4637  result = 1;
4638 
4639 end:
4640  if (alp_tctx != NULL)
4642  if (de_ctx != NULL)
4644  if (de_ctx != NULL)
4646  if (de_ctx != NULL)
4648 
4649  StreamTcpFreeConfig(true);
4650  FLOW_DESTROY(&f);
4651  UTHFreePackets(&p1, 1);
4652  UTHFreePackets(&p2, 1);
4653  return result;
4654 }
4655 
4656 static int DetectEngineHttpRawUriTest02(void)
4657 {
4658  TcpSession ssn;
4659  Packet *p1 = NULL;
4660  Packet *p2 = NULL;
4661  ThreadVars th_v;
4662  DetectEngineCtx *de_ctx = NULL;
4663  DetectEngineThreadCtx *det_ctx = NULL;
4664  HtpState *http_state = NULL;
4665  Flow f;
4666  uint8_t http1_buf[] =
4667  "GET /../a/b/../c/./d.html HTTP/1.0\r\n"
4668  "Host: www.openinfosecfoundation.org\r\n"
4669  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4670  "Content-Type: text/html\r\n"
4671  "Content-Length: 19\r\n"
4672  "\r\n"
4673  "This is dummy body1";
4674  uint32_t http1_len = sizeof(http1_buf) - 1;
4675  int result = 0;
4677 
4678  memset(&th_v, 0, sizeof(th_v));
4679  memset(&f, 0, sizeof(f));
4680  memset(&ssn, 0, sizeof(ssn));
4681 
4682  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4683  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4684 
4685  FLOW_INITIALIZE(&f);
4686  f.protoctx = (void *)&ssn;
4687  f.proto = IPPROTO_TCP;
4688  f.flags |= FLOW_IPV4;
4689 
4690  p1->flow = &f;
4694  p2->flow = &f;
4698  f.alproto = ALPROTO_HTTP1;
4699 
4700  StreamTcpInitConfig(true);
4701 
4703  if (de_ctx == NULL)
4704  goto end;
4705 
4706  de_ctx->flags |= DE_QUIET;
4707 
4708  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4709  "(msg:\"http raw uri test\"; "
4710  "content:\"/c/./d\"; http_raw_uri; offset:5; "
4711  "sid:1;)");
4712  if (de_ctx->sig_list == NULL)
4713  goto end;
4714 
4716  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4717 
4718  int r = AppLayerParserParse(
4719  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4720  if (r != 0) {
4721  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4722  result = 0;
4723  goto end;
4724  }
4725 
4726  http_state = f.alstate;
4727  if (http_state == NULL) {
4728  printf("no http state: \n");
4729  result = 0;
4730  goto end;
4731  }
4732 
4733  /* do detect */
4734  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4735 
4736  if (!(PacketAlertCheck(p1, 1))) {
4737  printf("sid 1 didn't match but should have\n");
4738  goto end;
4739  }
4740 
4741  result = 1;
4742 
4743 end:
4744  if (alp_tctx != NULL)
4746  if (de_ctx != NULL)
4748  if (de_ctx != NULL)
4750  if (de_ctx != NULL)
4752 
4753  StreamTcpFreeConfig(true);
4754  FLOW_DESTROY(&f);
4755  UTHFreePackets(&p1, 1);
4756  UTHFreePackets(&p2, 1);
4757  return result;
4758 }
4759 
4760 static int DetectEngineHttpRawUriTest03(void)
4761 {
4762  TcpSession ssn;
4763  Packet *p1 = NULL;
4764  Packet *p2 = NULL;
4765  ThreadVars th_v;
4766  DetectEngineCtx *de_ctx = NULL;
4767  DetectEngineThreadCtx *det_ctx = NULL;
4768  HtpState *http_state = NULL;
4769  Flow f;
4770  uint8_t http1_buf[] =
4771  "GET /../a/b/../";
4772  uint8_t http2_buf[] =
4773  "c/./d.html HTTP/1.0\r\n"
4774  "Host: www.openinfosecfoundation.org\r\n"
4775  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4776  "Content-Type: text/html\r\n"
4777  "Content-Length: 46\r\n"
4778  "\r\n"
4779  "This is dummy body1"
4780  "This is dummy message body2";
4781  uint32_t http1_len = sizeof(http1_buf) - 1;
4782  uint32_t http2_len = sizeof(http2_buf) - 1;
4783  int result = 0;
4785 
4786  memset(&th_v, 0, sizeof(th_v));
4787  memset(&f, 0, sizeof(f));
4788  memset(&ssn, 0, sizeof(ssn));
4789 
4790  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4791  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4792 
4793  FLOW_INITIALIZE(&f);
4794  f.protoctx = (void *)&ssn;
4795  f.proto = IPPROTO_TCP;
4796  f.flags |= FLOW_IPV4;
4797 
4798  p1->flow = &f;
4802  p2->flow = &f;
4806  f.alproto = ALPROTO_HTTP1;
4807 
4808  StreamTcpInitConfig(true);
4809 
4811  if (de_ctx == NULL)
4812  goto end;
4813 
4814  de_ctx->flags |= DE_QUIET;
4815 
4816  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4817  "(msg:\"http raw uri test\"; "
4818  "content:\"/a/b\"; http_raw_uri; offset:10; "
4819  "sid:1;)");
4820  if (de_ctx->sig_list == NULL)
4821  goto end;
4822 
4824  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4825 
4826  int r = AppLayerParserParse(
4827  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4828  if (r != 0) {
4829  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4830  result = 0;
4831  goto end;
4832  }
4833 
4834  http_state = f.alstate;
4835  if (http_state == NULL) {
4836  printf("no http state: \n");
4837  result = 0;
4838  goto end;
4839  }
4840 
4841  /* do detect */
4842  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4843 
4844  if (PacketAlertCheck(p1, 1)) {
4845  printf("sid 1 matched but shouldn't have\n");
4846  goto end;
4847  }
4848 
4849  r = AppLayerParserParse(
4850  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4851  if (r != 0) {
4852  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4853  result = 0;
4854  goto end;
4855  }
4856 
4857  /* do detect */
4858  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4859 
4860  if (PacketAlertCheck(p2, 1)) {
4861  printf("sid 1 didn't match but should have");
4862  goto end;
4863  }
4864 
4865  result = 1;
4866 
4867 end:
4868  if (alp_tctx != NULL)
4870  if (de_ctx != NULL)
4872  if (de_ctx != NULL)
4874  if (de_ctx != NULL)
4876 
4877  StreamTcpFreeConfig(true);
4878  FLOW_DESTROY(&f);
4879  UTHFreePackets(&p1, 1);
4880  UTHFreePackets(&p2, 1);
4881  return result;
4882 }
4883 
4884 static int DetectEngineHttpRawUriTest04(void)
4885 {
4886  TcpSession ssn;
4887  Packet *p1 = NULL;
4888  Packet *p2 = NULL;
4889  ThreadVars th_v;
4890  DetectEngineCtx *de_ctx = NULL;
4891  DetectEngineThreadCtx *det_ctx = NULL;
4892  HtpState *http_state = NULL;
4893  Flow f;
4894  uint8_t http1_buf[] =
4895  "GET /../a/b/../";
4896  uint8_t http2_buf[] =
4897  "c/./d.html HTTP/1.0\r\n"
4898  "Host: www.openinfosecfoundation.org\r\n"
4899  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4900  "Content-Type: text/html\r\n"
4901  "Content-Length: 46\r\n"
4902  "\r\n"
4903  "This is dummy body1"
4904  "This is dummy message body2";
4905  uint32_t http1_len = sizeof(http1_buf) - 1;
4906  uint32_t http2_len = sizeof(http2_buf) - 1;
4907  int result = 0;
4909 
4910  memset(&th_v, 0, sizeof(th_v));
4911  memset(&f, 0, sizeof(f));
4912  memset(&ssn, 0, sizeof(ssn));
4913 
4914  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4915  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4916 
4917  FLOW_INITIALIZE(&f);
4918  f.protoctx = (void *)&ssn;
4919  f.proto = IPPROTO_TCP;
4920  f.flags |= FLOW_IPV4;
4921 
4922  p1->flow = &f;
4926  p2->flow = &f;
4930  f.alproto = ALPROTO_HTTP1;
4931 
4932  StreamTcpInitConfig(true);
4933 
4935  if (de_ctx == NULL)
4936  goto end;
4937 
4938  de_ctx->flags |= DE_QUIET;
4939 
4940  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4941  "(msg:\"http raw uri test\"; "
4942  "content:!\"/a/b\"; http_raw_uri; offset:10; "
4943  "sid:1;)");
4944  if (de_ctx->sig_list == NULL)
4945  goto end;
4946 
4948  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4949 
4950  int r = AppLayerParserParse(
4951  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4952  if (r != 0) {
4953  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4954  result = 0;
4955  goto end;
4956  }
4957 
4958  http_state = f.alstate;
4959  if (http_state == NULL) {
4960  printf("no http state: \n");
4961  result = 0;
4962  goto end;
4963  }
4964 
4965  /* do detect */
4966  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4967 
4968  if (PacketAlertCheck(p1, 1)) {
4969  printf("sid 1 matched but shouldn't have\n");
4970  goto end;
4971  }
4972 
4973  r = AppLayerParserParse(
4974  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4975  if (r != 0) {
4976  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4977  result = 0;
4978  goto end;
4979  }
4980 
4981  /* do detect */
4982  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4983 
4984  if (!PacketAlertCheck(p2, 1)) {
4985  printf("sid 1 didn't match but should have");
4986  goto end;
4987  }
4988 
4989  result = 1;
4990 
4991 end:
4992  if (alp_tctx != NULL)
4994  if (de_ctx != NULL)
4996  if (de_ctx != NULL)
4998  if (de_ctx != NULL)
5000 
5001  StreamTcpFreeConfig(true);
5002  FLOW_DESTROY(&f);
5003  UTHFreePackets(&p1, 1);
5004  UTHFreePackets(&p2, 1);
5005  return result;
5006 }
5007 
5008 static int DetectEngineHttpRawUriTest05(void)
5009 {
5010  TcpSession ssn;
5011  Packet *p1 = NULL;
5012  Packet *p2 = NULL;
5013  ThreadVars th_v;
5014  DetectEngineCtx *de_ctx = NULL;
5015  DetectEngineThreadCtx *det_ctx = NULL;
5016  HtpState *http_state = NULL;
5017  Flow f;
5018  uint8_t http1_buf[] =
5019  "GET /../a/b/";
5020  uint8_t http2_buf[] =
5021  "../c/./d.html HTTP/1.0\r\n"
5022  "Host: www.openinfosecfoundation.org\r\n"
5023  "Content-Type: text/html\r\n"
5024  "Content-Length: 46\r\n"
5025  "\r\n"
5026  "This is dummy body1"
5027  "This is dummy message body2";
5028  uint32_t http1_len = sizeof(http1_buf) - 1;
5029  uint32_t http2_len = sizeof(http2_buf) - 1;
5030  int result = 0;
5032 
5033  memset(&th_v, 0, sizeof(th_v));
5034  memset(&f, 0, sizeof(f));
5035  memset(&ssn, 0, sizeof(ssn));
5036 
5037  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5038  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5039 
5040  FLOW_INITIALIZE(&f);
5041  f.protoctx = (void *)&ssn;
5042  f.proto = IPPROTO_TCP;
5043  f.flags |= FLOW_IPV4;
5044 
5045  p1->flow = &f;
5049  p2->flow = &f;
5053  f.alproto = ALPROTO_HTTP1;
5054 
5055  StreamTcpInitConfig(true);
5056 
5058  if (de_ctx == NULL)
5059  goto end;
5060 
5061  de_ctx->flags |= DE_QUIET;
5062 
5063  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5064  "(msg:\"http raw uri test\"; "
5065  "content:\"a/b\"; http_raw_uri; depth:10; "
5066  "sid:1;)");
5067  if (de_ctx->sig_list == NULL)
5068  goto end;
5069 
5071  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5072 
5073  int r = AppLayerParserParse(
5074  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
5075  if (r != 0) {
5076  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5077  result = 0;
5078  goto end;
5079  }
5080 
5081  http_state = f.alstate;
5082  if (http_state == NULL) {
5083  printf("no http state: \n");
5084  result = 0;
5085  goto end;
5086  }
5087 
5088  /* do detect */
5089  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5090 
5091  if (PacketAlertCheck(p1, 1)) {
5092  printf("sid 1 matched but shouldn't have\n");
5093  goto end;
5094  }
5095 
5096  r = AppLayerParserParse(
5097  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
5098  if (r != 0) {
5099  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5100  result = 0;
5101  goto end;
5102  }
5103 
5104  /* do detect */
5105  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5106 
5107  if (!PacketAlertCheck(p2, 1)) {
5108  printf("sid 1 didn't match but should have");
5109  goto end;
5110  }
5111 
5112  result = 1;
5113 
5114 end:
5115  if (alp_tctx != NULL)
5117  if (de_ctx != NULL)
5119  if (de_ctx != NULL)
5121  if (de_ctx != NULL)
5123 
5124  StreamTcpFreeConfig(true);
5125  FLOW_DESTROY(&f);
5126  UTHFreePackets(&p1, 1);
5127  UTHFreePackets(&p2, 1);
5128  return result;
5129 }
5130 
5131 static int DetectEngineHttpRawUriTest06(void)
5132 {
5133  TcpSession ssn;
5134  Packet *p1 = NULL;
5135  Packet *p2 = NULL;
5136  ThreadVars th_v;
5137  DetectEngineCtx *de_ctx = NULL;
5138  DetectEngineThreadCtx *det_ctx = NULL;
5139  HtpState *http_state = NULL;
5140  Flow f;
5141  uint8_t http1_buf[] =
5142  "GET /../a/b/";
5143  uint8_t http2_buf[] =
5144  "../c/./d.html HTTP/1.0\r\n"
5145  "Host: www.openinfosecfoundation.org\r\n"
5146  "Content-Type: text/html\r\n"
5147  "Content-Length: 46\r\n"
5148  "\r\n"
5149  "This is dummy body1"
5150  "This is dummy message body2";
5151  uint32_t http1_len = sizeof(http1_buf) - 1;
5152  uint32_t http2_len = sizeof(http2_buf) - 1;
5153  int result = 0;
5155 
5156  memset(&th_v, 0, sizeof(th_v));
5157  memset(&f, 0, sizeof(f));
5158  memset(&ssn, 0, sizeof(ssn));
5159 
5160  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5161  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5162 
5163  FLOW_INITIALIZE(&f);
5164  f.protoctx = (void *)&ssn;
5165  f.proto = IPPROTO_TCP;
5166  f.flags |= FLOW_IPV4;
5167 
5168  p1->flow = &f;
5172  p2->flow = &f;
5176  f.alproto = ALPROTO_HTTP1;
5177 
5178  StreamTcpInitConfig(true);
5179 
5181  if (de_ctx == NULL)
5182  goto end;
5183 
5184  de_ctx->flags |= DE_QUIET;
5185 
5186  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5187  "(msg:\"http raw uri test\"; "
5188  "content:!\"/a/b\"; http_raw_uri; depth:25; "
5189  "sid:1;)");
5190  if (de_ctx->sig_list == NULL)
5191  goto end;
5192 
5194  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5195 
5196  int r = AppLayerParserParse(
5197  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
5198  if (r != 0) {
5199  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5200  result = 0;
5201  goto end;
5202  }
5203 
5204  http_state = f.alstate;
5205  if (http_state == NULL) {
5206  printf("no http state: \n");
5207  result = 0;
5208  goto end;
5209  }
5210 
5211  /* do detect */
5212  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5213 
5214  if (PacketAlertCheck(p1, 1)) {
5215  printf("sid 1 matched but shouldn't have\n");
5216  goto end;
5217  }
5218 
5219  r = AppLayerParserParse(
5220  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
5221  if (r != 0) {
5222  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5223  result = 0;
5224  goto end;
5225  }
5226 
5227  /* do detect */
5228  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5229 
5230  if (PacketAlertCheck(p2, 1)) {
5231  printf("sid 1 matched but shouldn't have");
5232  goto end;
5233  }
5234 
5235  result = 1;
5236 
5237 end:
5238  if (alp_tctx != NULL)
5240  if (de_ctx != NULL)
5242  if (de_ctx != NULL)
5244  if (de_ctx != NULL)
5246 
5247  StreamTcpFreeConfig(true);
5248  FLOW_DESTROY(&f);
5249  UTHFreePackets(&p1, 1);
5250  UTHFreePackets(&p2, 1);
5251  return result;
5252 }
5253 
5254 static int DetectEngineHttpRawUriTest07(void)
5255 {
5256  TcpSession ssn;
5257  Packet *p1 = NULL;
5258  Packet *p2 = NULL;
5259  ThreadVars th_v;
5260  DetectEngineCtx *de_ctx = NULL;
5261  DetectEngineThreadCtx *det_ctx = NULL;
5262  HtpState *http_state = NULL;
5263  Flow f;
5264  uint8_t http1_buf[] =
5265  "GET /../a/b/";
5266  uint8_t http2_buf[] =
5267  "../c/./d.html HTTP/1.0\r\n"
5268  "Host: www.openinfosecfoundation.org\r\n"
5269  "Content-Type: text/html\r\n"
5270  "Content-Length: 46\r\n"
5271  "\r\n"
5272  "This is dummy body1"
5273  "This is dummy message body2";
5274  uint32_t http1_len = sizeof(http1_buf) - 1;
5275  uint32_t http2_len = sizeof(http2_buf) - 1;
5276  int result = 0;
5278 
5279  memset(&th_v, 0, sizeof(th_v));
5280  memset(&f, 0, sizeof(f));
5281  memset(&ssn, 0, sizeof(ssn));
5282 
5283  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5284  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5285 
5286  FLOW_INITIALIZE(&f);
5287  f.protoctx = (void *)&ssn;
5288  f.proto = IPPROTO_TCP;
5289  f.flags |= FLOW_IPV4;
5290 
5291  p1->flow = &f;
5295  p2->flow = &f;
5299  f.alproto = ALPROTO_HTTP1;
5300 
5301  StreamTcpInitConfig(true);
5302 
5304  if (de_ctx == NULL)
5305  goto end;
5306 
5307  de_ctx->flags |= DE_QUIET;
5308 
5309  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5310  "(msg:\"http raw uri test\"; "
5311  "content:!\"/c/./d\"; http_raw_uri; depth:12; "
5312  "sid:1;)");
5313  if (de_ctx->sig_list == NULL)
5314  goto end;
5315 
5317  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5318 
5319  int r = AppLayerParserParse(
5320  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
5321  if (r != 0) {
5322  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5323  result = 0;
5324  goto end;
5325  }
5326 
5327  http_state = f.alstate;
5328  if (http_state == NULL) {
5329  printf("no http state: \n");
5330  result = 0;
5331  goto end;
5332  }
5333 
5334  /* do detect */
5335  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5336 
5337  if (PacketAlertCheck(p1, 1)) {
5338  printf("sid 1 matched but shouldn't have\n");
5339  goto end;
5340  }
5341 
5342  r = AppLayerParserParse(
5343  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
5344  if (r != 0) {
5345  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5346  result = 0;
5347  goto end;
5348  }
5349 
5350  /* do detect */
5351  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5352 
5353  if (!PacketAlertCheck(p2, 1)) {
5354  printf("sid 1 didn't match but should have");
5355  goto end;
5356  }
5357 
5358  result = 1;
5359 
5360 end:
5361  if (alp_tctx != NULL)
5363  if (de_ctx != NULL)
5365  if (de_ctx != NULL)
5367  if (de_ctx != NULL)
5369 
5370  StreamTcpFreeConfig(true);
5371  FLOW_DESTROY(&f);
5372  UTHFreePackets(&p1, 1);
5373  UTHFreePackets(&p2, 1);
5374  return result;
5375 }
5376 
5377 static int DetectEngineHttpRawUriTest08(void)
5378 {
5379  TcpSession ssn;
5380  Packet *p1 = NULL;
5381  Packet *p2 = NULL;
5382  ThreadVars th_v;
5383  DetectEngineCtx *de_ctx = NULL;
5384  DetectEngineThreadCtx *det_ctx = NULL;
5385  HtpState *http_state = NULL;
5386  Flow f;
5387  uint8_t http1_buf[] =
5388  "GET /../a/";
5389  uint8_t http2_buf[] =
5390  "b/../c/./d.html HTTP/1.0\r\n"
5391  "Host: www.openinfosecfoundation.org\r\n"
5392  "Content-Type: text/html\r\n"
5393  "Content-Length: 46\r\n"
5394  "\r\n"
5395  "This is dummy body1"
5396  "This is dummy message body2";
5397  uint32_t http1_len = sizeof(http1_buf) - 1;
5398  uint32_t http2_len = sizeof(http2_buf) - 1;
5399  int result = 0;
5401 
5402  memset(&th_v, 0, sizeof(th_v));
5403  memset(&f, 0, sizeof(f));
5404  memset(&ssn, 0, sizeof(ssn));
5405 
5406  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5407  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5408 
5409  FLOW_INITIALIZE(&f);
5410  f.protoctx = (void *)&ssn;
5411  f.proto = IPPROTO_TCP;
5412  f.flags |= FLOW_IPV4;
5413 
5414  p1->flow = &f;
5418  p2->flow = &f;
5422  f.alproto = ALPROTO_HTTP1;
5423 
5424  StreamTcpInitConfig(true);
5425 
5427  if (de_ctx == NULL)
5428  goto end;
5429 
5430  de_ctx->flags |= DE_QUIET;
5431 
5432  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5433  "(msg:\"http raw uri test\"; "
5434  "content:!\"/c/./d\"; http_raw_uri; depth:18; "
5435  "sid:1;)");
5436  if (de_ctx->sig_list == NULL)
5437  goto end;
5438 
5440  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5441 
5442  int r = AppLayerParserParse(
5443  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
5444  if (r != 0) {
5445  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5446  result = 0;
5447  goto end;
5448  }
5449 
5450  http_state = f.alstate;
5451  if (http_state == NULL) {
5452  printf("no http state: \n");
5453  result = 0;
5454  goto end;
5455  }
5456 
5457  /* do detect */
5458  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5459 
5460  if (PacketAlertCheck(p1, 1)) {
5461  printf("sid 1 matched but shouldn't have\n");
5462  goto end;
5463  }
5464 
5465  r = AppLayerParserParse(
5466  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
5467  if (r != 0) {
5468  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5469  result = 0;
5470  goto end;
5471  }
5472 
5473  /* do detect */
5474  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5475 
5476  if (PacketAlertCheck(p2, 1)) {
5477  printf("sid 1 matched but shouldn't have");
5478  goto end;
5479  }
5480 
5481  result = 1;
5482 
5483 end:
5484  if (alp_tctx != NULL)
5486  if (de_ctx != NULL)
5488  if (de_ctx != NULL)
5490  if (de_ctx != NULL)
5492 
5493  StreamTcpFreeConfig(true);
5494  FLOW_DESTROY(&f);
5495  UTHFreePackets(&p1, 1);
5496  UTHFreePackets(&p2, 1);
5497  return result;
5498 }
5499 
5500 static int DetectEngineHttpRawUriTest09(void)
5501 {
5502  TcpSession ssn;
5503  Packet *p1 = NULL;
5504  Packet *p2 = NULL;
5505  ThreadVars th_v;
5506  DetectEngineCtx *de_ctx = NULL;
5507  DetectEngineThreadCtx *det_ctx = NULL;
5508  HtpState *http_state = NULL;
5509  Flow f;
5510  uint8_t http1_buf[] =
5511  "GET /../a";
5512  uint8_t http2_buf[] =
5513  "/b/../c/./d.html HTTP/1.0\r\n"
5514  "Host: www.openinfosecfoundation.org\r\n"
5515  "Content-Type: text/html\r\n"
5516  "Content-Length: 46\r\n"
5517  "\r\n"
5518  "This is dummy body1"
5519  "This is dummy message body2";
5520  uint32_t http1_len = sizeof(http1_buf) - 1;
5521  uint32_t http2_len = sizeof(http2_buf) - 1;
5522  int result = 0;
5524 
5525  memset(&th_v, 0, sizeof(th_v));
5526  memset(&f, 0, sizeof(f));
5527  memset(&ssn, 0, sizeof(ssn));
5528 
5529  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5530  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5531 
5532  FLOW_INITIALIZE(&f);
5533  f.protoctx = (void *)&ssn;
5534  f.proto = IPPROTO_TCP;
5535  f.flags |= FLOW_IPV4;
5536 
5537  p1->flow = &f;
5541  p2->flow = &f;
5545  f.alproto = ALPROTO_HTTP1;
5546 
5547  StreamTcpInitConfig(true);
5548 
5550  if (de_ctx == NULL)
5551  goto end;
5552 
5553  de_ctx->flags |= DE_QUIET;
5554 
5555  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any &qu