suricata
detect-http-uri.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /** \file
19  *
20  * \author Victor Julien <victor@inliniac.net>
21  * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
22  */
23 
24 #include "../suricata-common.h"
25 #include "../app-layer.h"
26 #include "../app-layer-parser.h"
27 #include "../app-layer-htp.h"
28 #include "../util-unittest.h"
29 #include "../util-unittest-helper.h"
30 
31 #include "../flow.h"
32 #include "../flow-util.h"
33 
34 #include "../detect-isdataat.h"
35 
36 /** \test Test a simple uricontent option */
37 static int UriTestSig01(void)
38 {
39  int result = 0;
40  Flow f;
41  HtpState *http_state = NULL;
42  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
43  "User-Agent: Mozilla/1.0\r\n"
44  "Cookie: hellocatch\r\n\r\n";
45  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
46  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
47  "User-Agent: Mozilla/1.0\r\n"
48  "Cookie: hellocatch\r\n\r\n";
49  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
50  TcpSession ssn;
51  Packet *p = NULL;
52  Signature *s = NULL;
53  ThreadVars tv;
54  DetectEngineThreadCtx *det_ctx = NULL;
56 
57  memset(&tv, 0, sizeof(ThreadVars));
58  memset(&f, 0, sizeof(Flow));
59  memset(&ssn, 0, sizeof(TcpSession));
60 
61  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
62 
63  FLOW_INITIALIZE(&f);
64  f.protoctx = (void *)&ssn;
65  f.proto = IPPROTO_TCP;
66  f.flags |= FLOW_IPV4;
67 
68  p->flow = &f;
73 
75 
77  if (de_ctx == NULL) {
78  goto end;
79  }
80  de_ctx->flags |= DE_QUIET;
81 
82  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
83  "(msg:\"Test uricontent option\"; "
84  "uricontent:\"one\"; sid:1;)");
85  if (s == NULL) {
86  goto end;
87  }
88 
89  SigGroupBuild(de_ctx);
90  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
91 
92  FLOWLOCK_WRLOCK(&f);
93  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
94  STREAM_TOSERVER, http_buf1, http_buf1_len);
95  if (r != 0) {
96  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
97  FLOWLOCK_UNLOCK(&f);
98  goto end;
99  }
100  FLOWLOCK_UNLOCK(&f);
101 
102  http_state = f.alstate;
103  if (http_state == NULL) {
104  printf("no http state: ");
105  goto end;
106  }
107 
108  /* do detect */
109  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
110 
111  if (!PacketAlertCheck(p, 1)) {
112  printf("sig 1 alerted, but it should not: ");
113  goto end;
114  }
115 
116  FLOWLOCK_WRLOCK(&f);
117  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
118  STREAM_TOSERVER, http_buf2, http_buf2_len);
119  if (r != 0) {
120  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
121  FLOWLOCK_UNLOCK(&f);
122  goto end;
123  }
124  FLOWLOCK_UNLOCK(&f);
125 
126  http_state = f.alstate;
127  if (http_state == NULL) {
128  printf("no http state: ");
129  goto end;
130  }
131 
132  if (!PacketAlertCheck(p, 1)) {
133  printf("sig 1 alerted, but it should not: ");
134  goto end;
135  }
136 
137  /* do detect */
138  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
139 
140  result = 1;
141 
142 end:
143  if (alp_tctx != NULL)
144  AppLayerParserThreadCtxFree(alp_tctx);
145  if (det_ctx != NULL)
146  DetectEngineThreadCtxDeinit(&tv, det_ctx);
147  if (de_ctx != NULL)
148  SigGroupCleanup(de_ctx);
149  if (de_ctx != NULL)
150  DetectEngineCtxFree(de_ctx);
151 
153  FLOW_DESTROY(&f);
154  UTHFreePacket(p);
155  return result;
156 }
157 
158 /** \test Test the pcre /U option */
159 static int UriTestSig02(void)
160 {
161  int result = 0;
162  Flow f;
163  HtpState *http_state = NULL;
164  uint8_t http_buf1[] = "POST /on HTTP/1.0\r\n"
165  "User-Agent: Mozilla/1.0\r\n"
166  "Cookie: hellocatch\r\n\r\n";
167  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
168  uint8_t http_buf2[] = "POST /one HTTP/1.0\r\n"
169  "User-Agent: Mozilla/1.0\r\n"
170  "Cookie: hellocatch\r\n\r\n";
171  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
172  TcpSession ssn;
173  Packet *p = NULL;
174  Signature *s = NULL;
175  ThreadVars tv;
176  DetectEngineThreadCtx *det_ctx = NULL;
178 
179  memset(&tv, 0, sizeof(ThreadVars));
180  memset(&f, 0, sizeof(Flow));
181  memset(&ssn, 0, sizeof(TcpSession));
182 
183  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
184 
185  FLOW_INITIALIZE(&f);
186  f.protoctx = (void *)&ssn;
187  f.proto = IPPROTO_TCP;
188  f.flags |= FLOW_IPV4;
189 
190  p->flow = &f;
194  f.alproto = ALPROTO_HTTP;
195 
197 
199  if (de_ctx == NULL) {
200  goto end;
201  }
202  de_ctx->flags |= DE_QUIET;
203 
204  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
205  "(msg:\"Test pcre /U option\"; "
206  "pcre:/one/U; sid:1;)");
207  if (s == NULL) {
208  goto end;
209  }
210 
211  SigGroupBuild(de_ctx);
212  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
213 
214  FLOWLOCK_WRLOCK(&f);
215  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
216  STREAM_TOSERVER, http_buf1, http_buf1_len);
217  if (r != 0) {
218  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
219  FLOWLOCK_UNLOCK(&f);
220  goto end;
221  }
222  FLOWLOCK_UNLOCK(&f);
223 
224  http_state = f.alstate;
225  if (http_state == NULL) {
226  printf("no http state: ");
227  goto end;
228  }
229 
230  /* do detect */
231  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
232 
233  if (PacketAlertCheck(p, 1)) {
234  printf("sig 1 alerted with payload2, but it should not: ");
235  goto end;
236  }
237 
238  FLOWLOCK_WRLOCK(&f);
239  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
240  STREAM_TOSERVER, http_buf2, http_buf2_len);
241  if (r != 0) {
242  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
243  FLOWLOCK_UNLOCK(&f);
244  goto end;
245  }
246  FLOWLOCK_UNLOCK(&f);
247 
248  http_state = f.alstate;
249  if (http_state == NULL) {
250  printf("no http state: ");
251  goto end;
252  }
253 
254  /* do detect */
255  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
256 
257  if (!PacketAlertCheck(p, 1)) {
258  printf("sig 1 didnt alert, but it should: ");
259  goto end;
260  }
261 
262  result = 1;
263 
264 end:
265  if (alp_tctx != NULL)
266  AppLayerParserThreadCtxFree(alp_tctx);
267  if (det_ctx != NULL)
268  DetectEngineThreadCtxDeinit(&tv, det_ctx);
269  if (de_ctx != NULL)
270  SigGroupCleanup(de_ctx);
271  if (de_ctx != NULL)
272  DetectEngineCtxFree(de_ctx);
273 
275  FLOW_DESTROY(&f);
276  UTHFreePacket(p);
277  return result;
278 }
279 
280 /** \test Test the pcre /U option */
281 static int UriTestSig03(void)
282 {
283  int result = 0;
284  Flow f;
285  HtpState *http_state = NULL;
286  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
287  "User-Agent: Mozilla/1.0\r\n"
288  "Cookie: hellocatch\r\n\r\n";
289  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
290  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
291  "User-Agent: Mozilla/1.0\r\n"
292  "Cookie: hellocatch\r\n\r\n";
293  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
294  TcpSession ssn;
295  Packet *p = NULL;
296  Signature *s = NULL;
297  ThreadVars tv;
298  DetectEngineThreadCtx *det_ctx = NULL;
300 
301  memset(&tv, 0, sizeof(ThreadVars));
302  memset(&f, 0, sizeof(Flow));
303  memset(&ssn, 0, sizeof(TcpSession));
304 
305  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
306 
307  FLOW_INITIALIZE(&f);
308  f.protoctx = (void *)&ssn;
309  f.proto = IPPROTO_TCP;
310  f.flags |= FLOW_IPV4;
311 
312  p->flow = &f;
316  f.alproto = ALPROTO_HTTP;
317 
319 
321  if (de_ctx == NULL) {
322  goto end;
323  }
324  de_ctx->flags |= DE_QUIET;
325 
326  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
327  "(msg:\"Test pcre /U option\"; "
328  "pcre:/blah/U; sid:1;)");
329  if (s == NULL) {
330  goto end;
331  }
332 
333  SigGroupBuild(de_ctx);
334  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
335 
336  FLOWLOCK_WRLOCK(&f);
337  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
338  STREAM_TOSERVER, http_buf1, http_buf1_len);
339  if (r != 0) {
340  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
341  FLOWLOCK_UNLOCK(&f);
342  goto end;
343  }
344  FLOWLOCK_UNLOCK(&f);
345 
346  http_state = f.alstate;
347  if (http_state == NULL) {
348  printf("no http state: ");
349  goto end;
350  }
351 
352  /* do detect */
353  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
354 
355  if (PacketAlertCheck(p, 1)) {
356  printf("sig 1 alerted, but it should not: ");
357  goto end;
358  }
359 
360  FLOWLOCK_WRLOCK(&f);
361  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
362  STREAM_TOSERVER, http_buf2, http_buf2_len);
363  if (r != 0) {
364  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
365  FLOWLOCK_UNLOCK(&f);
366  goto end;
367  }
368  FLOWLOCK_UNLOCK(&f);
369 
370  http_state = f.alstate;
371  if (http_state == NULL) {
372  printf("no http state: ");
373  goto end;
374  }
375 
376  /* do detect */
377  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
378 
379  if (PacketAlertCheck(p, 1)) {
380  printf("sig 1 alerted, but it should not: ");
381  goto end;
382  }
383 
384  result = 1;
385 
386 end:
387  if (alp_tctx != NULL)
388  AppLayerParserThreadCtxFree(alp_tctx);
389  if (det_ctx != NULL)
390  DetectEngineThreadCtxDeinit(&tv, det_ctx);
391  if (de_ctx != NULL)
392  SigGroupCleanup(de_ctx);
393  if (de_ctx != NULL)
394  DetectEngineCtxFree(de_ctx);
395 
397  FLOW_DESTROY(&f);
398  UTHFreePacket(p);
399  return result;
400 }
401 
402 /** \test Test the urilen option */
403 static int UriTestSig04(void)
404 {
405  int result = 0;
406  Flow f;
407  HtpState *http_state = NULL;
408  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
409  "User-Agent: Mozilla/1.0\r\n"
410  "Cookie: hellocatch\r\n\r\n";
411  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
412  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
413  "User-Agent: Mozilla/1.0\r\n"
414  "Cookie: hellocatch\r\n\r\n";
415  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
416  TcpSession ssn;
417  Packet *p = NULL;
418  Signature *s = NULL;
419  ThreadVars tv;
420  DetectEngineThreadCtx *det_ctx = NULL;
422 
423  memset(&tv, 0, sizeof(ThreadVars));
424  memset(&f, 0, sizeof(Flow));
425  memset(&ssn, 0, sizeof(TcpSession));
426 
427  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
428 
429  FLOW_INITIALIZE(&f);
430  f.protoctx = (void *)&ssn;
431  f.proto = IPPROTO_TCP;
432  f.flags |= FLOW_IPV4;
433 
434  p->flow = &f;
438  f.alproto = ALPROTO_HTTP;
439 
441 
443  if (de_ctx == NULL) {
444  goto end;
445  }
446  de_ctx->flags |= DE_QUIET;
447 
448  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
449  "(msg:\"Test urilen option\"; "
450  "urilen:>20; sid:1;)");
451  if (s == NULL) {
452  goto end;
453  }
454 
455  SigGroupBuild(de_ctx);
456  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
457 
458  FLOWLOCK_WRLOCK(&f);
459  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
460  STREAM_TOSERVER, http_buf1, http_buf1_len);
461  if (r != 0) {
462  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
463  FLOWLOCK_UNLOCK(&f);
464  goto end;
465  }
466  FLOWLOCK_UNLOCK(&f);
467 
468  http_state = f.alstate;
469  if (http_state == NULL) {
470  printf("no http state: ");
471  goto end;
472  }
473 
474  /* do detect */
475  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
476 
477  if (PacketAlertCheck(p, 1)) {
478  printf("sig 1 alerted, but it should not: ");
479  goto end;
480  }
481 
482  FLOWLOCK_WRLOCK(&f);
483  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
484  STREAM_TOSERVER, http_buf2, http_buf2_len);
485  if (r != 0) {
486  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
487  FLOWLOCK_UNLOCK(&f);
488  goto end;
489  }
490  FLOWLOCK_UNLOCK(&f);
491 
492  http_state = f.alstate;
493  if (http_state == NULL) {
494  printf("no http state: ");
495  goto end;
496  }
497 
498  /* do detect */
499  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
500 
501  if (PacketAlertCheck(p, 1)) {
502  printf("sig 1 alerted, but it should not: ");
503  goto end;
504  }
505 
506  result = 1;
507 
508 end:
509  if (alp_tctx != NULL)
510  AppLayerParserThreadCtxFree(alp_tctx);
511  if (det_ctx != NULL)
512  DetectEngineThreadCtxDeinit(&tv, det_ctx);
513  if (de_ctx != NULL)
514  SigGroupCleanup(de_ctx);
515  if (de_ctx != NULL)
516  DetectEngineCtxFree(de_ctx);
517 
519  FLOW_DESTROY(&f);
520  UTHFreePacket(p);
521  return result;
522 }
523 
524 /** \test Test the urilen option */
525 static int UriTestSig05(void)
526 {
527  int result = 0;
528  Flow f;
529  HtpState *http_state = NULL;
530  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
531  "User-Agent: Mozilla/1.0\r\n"
532  "Cookie: hellocatch\r\n\r\n";
533  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
534  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
535  "User-Agent: Mozilla/1.0\r\n"
536  "Cookie: hellocatch\r\n\r\n";
537  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
538  TcpSession ssn;
539  Packet *p = NULL;
540  Signature *s = NULL;
541  ThreadVars tv;
542  DetectEngineThreadCtx *det_ctx = NULL;
544 
545  memset(&tv, 0, sizeof(ThreadVars));
546  memset(&f, 0, sizeof(Flow));
547  memset(&ssn, 0, sizeof(TcpSession));
548 
549  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
550 
551  FLOW_INITIALIZE(&f);
552  f.protoctx = (void *)&ssn;
553  f.proto = IPPROTO_TCP;
554  f.flags |= FLOW_IPV4;
555 
556  p->flow = &f;
560  f.alproto = ALPROTO_HTTP;
561 
563 
565  if (de_ctx == NULL) {
566  goto end;
567  }
568  de_ctx->flags |= DE_QUIET;
569 
570  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
571  "(msg:\"Test urilen option\"; "
572  "urilen:>4; sid:1;)");
573  if (s == NULL) {
574  goto end;
575  }
576 
577  SigGroupBuild(de_ctx);
578  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
579 
580  FLOWLOCK_WRLOCK(&f);
581  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
582  STREAM_TOSERVER, http_buf1, http_buf1_len);
583  if (r != 0) {
584  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
585  FLOWLOCK_UNLOCK(&f);
586  goto end;
587  }
588  FLOWLOCK_UNLOCK(&f);
589 
590  http_state = f.alstate;
591  if (http_state == NULL) {
592  printf("no http state: ");
593  goto end;
594  }
595 
596  /* do detect */
597  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
598 
599  if (PacketAlertCheck(p, 1)) {
600  printf("sig 1 alerted, but it should not: ");
601  goto end;
602  }
603 
604  FLOWLOCK_WRLOCK(&f);
605  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
606  STREAM_TOSERVER, http_buf2, http_buf2_len);
607  if (r != 0) {
608  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
609  FLOWLOCK_UNLOCK(&f);
610  goto end;
611  }
612  FLOWLOCK_UNLOCK(&f);
613 
614  http_state = f.alstate;
615  if (http_state == NULL) {
616  printf("no http state: ");
617  goto end;
618  }
619 
620  /* do detect */
621  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
622 
623  if (!PacketAlertCheck(p, 1)) {
624  printf("sig 1 didnt alert with payload2, but it should: ");
625  goto end;
626  }
627 
628  result = 1;
629 
630 end:
631  if (alp_tctx != NULL)
632  AppLayerParserThreadCtxFree(alp_tctx);
633  if (det_ctx != NULL)
634  DetectEngineThreadCtxDeinit(&tv, det_ctx);
635  if (de_ctx != NULL)
636  SigGroupCleanup(de_ctx);
637  if (de_ctx != NULL)
638  DetectEngineCtxFree(de_ctx);
639 
641  FLOW_DESTROY(&f);
642  UTHFreePacket(p);
643  return result;
644 }
645 
646 /** \test Test the pcre /U option */
647 static int UriTestSig06(void)
648 {
649  int result = 0;
650  Flow f;
651  HtpState *http_state = NULL;
652  uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
653  "User-Agent: Mozilla/1.0\r\n"
654  "Cookie: hellocatch\r\n\r\n";
655  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
656  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
657  "User-Agent: Mozilla/1.0\r\n"
658  "Cookie: hellocatch\r\n\r\n";
659  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
660  TcpSession ssn;
661  Packet *p = NULL;
662  Signature *s = NULL;
663  ThreadVars tv;
664  DetectEngineThreadCtx *det_ctx = NULL;
666 
667  memset(&tv, 0, sizeof(ThreadVars));
668  memset(&f, 0, sizeof(Flow));
669  memset(&ssn, 0, sizeof(TcpSession));
670 
671  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
672 
673  FLOW_INITIALIZE(&f);
674  f.protoctx = (void *)&ssn;
675  f.proto = IPPROTO_TCP;
676  f.flags |= FLOW_IPV4;
677 
678  p->flow = &f;
682  f.alproto = ALPROTO_HTTP;
683 
685 
687  if (de_ctx == NULL) {
688  goto end;
689  }
690  de_ctx->flags |= DE_QUIET;
691 
692  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
693  "(msg:\"Test pcre /U option\"; "
694  "pcre:/(oneself)+/U; sid:1;)");
695  if (s == NULL) {
696  goto end;
697  }
698 
699  SigGroupBuild(de_ctx);
700  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
701 
702  FLOWLOCK_WRLOCK(&f);
703  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
704  STREAM_TOSERVER, http_buf1, http_buf1_len);
705  if (r != 0) {
706  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
707  FLOWLOCK_UNLOCK(&f);
708  goto end;
709  }
710  FLOWLOCK_UNLOCK(&f);
711 
712  http_state = f.alstate;
713  if (http_state == NULL) {
714  printf("no http state: ");
715  goto end;
716  }
717 
718  /* do detect */
719  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
720 
721  if (PacketAlertCheck(p, 1)) {
722  printf("sig 1 alerted, but it should not: ");
723  goto end;
724  }
725 
726  FLOWLOCK_WRLOCK(&f);
727  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
728  STREAM_TOSERVER, http_buf2, http_buf2_len);
729  if (r != 0) {
730  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
731  FLOWLOCK_UNLOCK(&f);
732  goto end;
733  }
734  FLOWLOCK_UNLOCK(&f);
735 
736  http_state = f.alstate;
737  if (http_state == NULL) {
738  printf("no http state: ");
739  goto end;
740  }
741 
742  /* do detect */
743  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
744 
745  if (!PacketAlertCheck(p, 1)) {
746  printf("sig 1 didnt alert on payload2, but it should: ");
747  goto end;
748  }
749 
750  result = 1;
751 
752 end:
753  if (alp_tctx != NULL)
754  AppLayerParserThreadCtxFree(alp_tctx);
755  if (det_ctx != NULL)
756  DetectEngineThreadCtxDeinit(&tv, det_ctx);
757  if (de_ctx != NULL)
758  SigGroupCleanup(de_ctx);
759  if (de_ctx != NULL)
760  DetectEngineCtxFree(de_ctx);
761 
763  FLOW_DESTROY(&f);
764  UTHFreePacket(p);
765  return result;
766 }
767 
768 /** \test Test the pcre /U option in combination with urilen */
769 static int UriTestSig07(void)
770 {
771  int result = 0;
772  Flow f;
773  HtpState *http_state = NULL;
774  uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
775  "User-Agent: Mozilla/1.0\r\n"
776  "Cookie: hellocatch\r\n\r\n";
777  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
778  uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
779  "User-Agent: Mozilla/1.0\r\n"
780  "Cookie: hellocatch\r\n\r\n";
781  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
782  TcpSession ssn;
783  Packet *p = NULL;
784  Signature *s = NULL;
785  ThreadVars tv;
786  DetectEngineThreadCtx *det_ctx = NULL;
788 
789  memset(&tv, 0, sizeof(ThreadVars));
790  memset(&f, 0, sizeof(Flow));
791  memset(&ssn, 0, sizeof(TcpSession));
792 
793  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
794 
795  FLOW_INITIALIZE(&f);
796  f.protoctx = (void *)&ssn;
797  f.proto = IPPROTO_TCP;
798  f.flags |= FLOW_IPV4;
799 
800  p->flow = &f;
804  f.alproto = ALPROTO_HTTP;
805 
807 
809  if (de_ctx == NULL) {
810  goto end;
811  }
812  de_ctx->flags |= DE_QUIET;
813 
814  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
815  "(msg:\"Test pcre /U option with urilen \"; "
816  "pcre:/(one){2,}(self)?/U; urilen:3<>20; sid:1;)");
817  if (s == NULL) {
818  goto end;
819  }
820 
821  SigGroupBuild(de_ctx);
822  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
823 
824  FLOWLOCK_WRLOCK(&f);
825  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
826  STREAM_TOSERVER, http_buf1, http_buf1_len);
827  if (r != 0) {
828  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
829  FLOWLOCK_UNLOCK(&f);
830  goto end;
831  }
832  FLOWLOCK_UNLOCK(&f);
833 
834  http_state = f.alstate;
835  if (http_state == NULL) {
836  printf("no http state: ");
837  goto end;
838  }
839 
840  /* do detect */
841  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
842 
843  if (!PacketAlertCheck(p, 1)) {
844  printf("sig 1 didnt alert, but it should: ");
845  goto end;
846  }
847 
848  FLOWLOCK_WRLOCK(&f);
849  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
850  STREAM_TOSERVER, http_buf2, http_buf2_len);
851  if (r != 0) {
852  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
853  FLOWLOCK_UNLOCK(&f);
854  goto end;
855  }
856  FLOWLOCK_UNLOCK(&f);
857 
858  http_state = f.alstate;
859  if (http_state == NULL) {
860  printf("no http state: ");
861  goto end;
862  }
863 
864  /* do detect */
865  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
866 
867  if (!PacketAlertCheck(p, 1)) {
868  printf("sig 1 didnt alert with payload2, but it should: ");
869  goto end;
870  }
871 
872  result = 1;
873 
874 end:
875  if (alp_tctx != NULL)
876  AppLayerParserThreadCtxFree(alp_tctx);
877  if (det_ctx != NULL)
878  DetectEngineThreadCtxDeinit(&tv, det_ctx);
879  if (de_ctx != NULL)
880  SigGroupCleanup(de_ctx);
881  if (de_ctx != NULL)
882  DetectEngineCtxFree(de_ctx);
883 
885  FLOW_DESTROY(&f);
886  UTHFreePacket(p);
887  return result;
888 }
889 
890 /** \test Test the pcre /U option in combination with urilen */
891 static int UriTestSig08(void)
892 {
893  int result = 0;
894  Flow f;
895  HtpState *http_state = NULL;
896  uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
897  "User-Agent: Mozilla/1.0\r\n"
898  "Cookie: hellocatch\r\n\r\n";
899  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
900  uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
901  "User-Agent: Mozilla/1.0\r\n"
902  "Cookie: hellocatch\r\n\r\n";
903  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
904  TcpSession ssn;
905  Packet *p = NULL;
906  Signature *s = NULL;
907  ThreadVars tv;
908  DetectEngineThreadCtx *det_ctx = NULL;
910 
911  memset(&tv, 0, sizeof(ThreadVars));
912  memset(&f, 0, sizeof(Flow));
913  memset(&ssn, 0, sizeof(TcpSession));
914 
915  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
916 
917  FLOW_INITIALIZE(&f);
918  f.protoctx = (void *)&ssn;
919  f.proto = IPPROTO_TCP;
920  f.flags |= FLOW_IPV4;
921 
922  p->flow = &f;
926  f.alproto = ALPROTO_HTTP;
927 
929 
931  if (de_ctx == NULL) {
932  goto end;
933  }
934  de_ctx->flags |= DE_QUIET;
935 
936  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
937  "(msg:\"Test pcre /U option with urilen\"; "
938  "pcre:/(blabla){2,}(self)?/U; urilen:3<>20; sid:1;)");
939  if (s == NULL) {
940  goto end;
941  }
942 
943  SigGroupBuild(de_ctx);
944  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
945 
946  FLOWLOCK_WRLOCK(&f);
947  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
948  STREAM_TOSERVER, http_buf1, http_buf1_len);
949  if (r != 0) {
950  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
951  FLOWLOCK_UNLOCK(&f);
952  goto end;
953  }
954  FLOWLOCK_UNLOCK(&f);
955 
956  http_state = f.alstate;
957  if (http_state == NULL) {
958  printf("no http state: ");
959  goto end;
960  }
961 
962  /* do detect */
963  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
964 
965  if (PacketAlertCheck(p, 1)) {
966  printf("sig 1 alerted, but it should not: ");
967  goto end;
968  }
969 
970  FLOWLOCK_WRLOCK(&f);
971  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
972  STREAM_TOSERVER, http_buf2, http_buf2_len);
973  if (r != 0) {
974  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
975  FLOWLOCK_UNLOCK(&f);
976  goto end;
977  }
978  FLOWLOCK_UNLOCK(&f);
979 
980  http_state = f.alstate;
981  if (http_state == NULL) {
982  printf("no http state: ");
983  goto end;
984  }
985 
986  /* do detect */
987  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
988 
989  if (PacketAlertCheck(p, 1)) {
990  printf("sig 1 alerted, but it should not: ");
991  goto end;
992  }
993 
994  result = 1;
995 
996 end:
997  if (alp_tctx != NULL)
998  AppLayerParserThreadCtxFree(alp_tctx);
999  if (det_ctx != NULL)
1000  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1001  if (de_ctx != NULL)
1002  SigGroupCleanup(de_ctx);
1003  if (de_ctx != NULL)
1004  DetectEngineCtxFree(de_ctx);
1005 
1007  FLOW_DESTROY(&f);
1008  UTHFreePacket(p);
1009  return result;
1010 }
1011 
1012 /** \test Test the pcre /U option in combination with urilen */
1013 static int UriTestSig09(void)
1014 {
1015  int result = 0;
1016  Flow f;
1017  HtpState *http_state = NULL;
1018  uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
1019  "User-Agent: Mozilla/1.0\r\n"
1020  "Cookie: hellocatch\r\n\r\n";
1021  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1022  uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
1023  "User-Agent: Mozilla/1.0\r\n"
1024  "Cookie: hellocatch\r\n\r\n";
1025  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1026  TcpSession ssn;
1027  Packet *p = NULL;
1028  Signature *s = NULL;
1029  ThreadVars tv;
1030  DetectEngineThreadCtx *det_ctx = NULL;
1032 
1033  memset(&tv, 0, sizeof(ThreadVars));
1034  memset(&f, 0, sizeof(Flow));
1035  memset(&ssn, 0, sizeof(TcpSession));
1036 
1037  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1038 
1039  FLOW_INITIALIZE(&f);
1040  f.protoctx = (void *)&ssn;
1041  f.proto = IPPROTO_TCP;
1042  f.flags |= FLOW_IPV4;
1043 
1044  p->flow = &f;
1048  f.alproto = ALPROTO_HTTP;
1049 
1051 
1053  if (de_ctx == NULL) {
1054  goto end;
1055  }
1056  de_ctx->flags |= DE_QUIET;
1057 
1058  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1059  "(msg:\"Test pcre /U option with urilen \"; "
1060  "pcre:/(one){2,}(self)?/U; urilen:<2; sid:1;)");
1061  if (s == NULL) {
1062  goto end;
1063  }
1064 
1065  SigGroupBuild(de_ctx);
1066  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1067 
1068  FLOWLOCK_WRLOCK(&f);
1069  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1070  STREAM_TOSERVER, http_buf1, http_buf1_len);
1071  if (r != 0) {
1072  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1073  FLOWLOCK_UNLOCK(&f);
1074  goto end;
1075  }
1076  FLOWLOCK_UNLOCK(&f);
1077 
1078  http_state = f.alstate;
1079  if (http_state == NULL) {
1080  printf("no http state: ");
1081  goto end;
1082  }
1083 
1084  /* do detect */
1085  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1086 
1087  if (PacketAlertCheck(p, 1)) {
1088  printf("sig 1 alerted, but it should not: ");
1089  goto end;
1090  }
1091 
1092  FLOWLOCK_WRLOCK(&f);
1093  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1094  STREAM_TOSERVER, http_buf2, http_buf2_len);
1095  if (r != 0) {
1096  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1097  FLOWLOCK_UNLOCK(&f);
1098  goto end;
1099  }
1100  FLOWLOCK_UNLOCK(&f);
1101 
1102  http_state = f.alstate;
1103  if (http_state == NULL) {
1104  printf("no http state: ");
1105  goto end;
1106  }
1107 
1108  /* do detect */
1109  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1110 
1111  if (PacketAlertCheck(p, 1)) {
1112  printf("sig 1 alerted, but it should not: ");
1113  goto end;
1114  }
1115 
1116  result = 1;
1117 
1118 end:
1119  if (alp_tctx != NULL)
1120  AppLayerParserThreadCtxFree(alp_tctx);
1121  if (det_ctx != NULL)
1122  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1123  if (de_ctx != NULL)
1124  SigGroupCleanup(de_ctx);
1125  if (de_ctx != NULL)
1126  DetectEngineCtxFree(de_ctx);
1127 
1129  FLOW_DESTROY(&f);
1130  UTHFreePacket(p);
1131  return result;
1132 }
1133 
1134 /** \test Test uricontent, urilen, pcre /U options */
1135 static int UriTestSig12(void)
1136 {
1137  int result = 0;
1138  Flow f;
1139  HtpState *http_state = NULL;
1140  uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
1141  "User-Agent: Mozilla/1.0\r\n"
1142  "Cookie: hellocatch\r\n\r\n";
1143  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1144  uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
1145  "User-Agent: Mozilla/1.0\r\n"
1146  "Cookie: hellocatch\r\n\r\n";
1147  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1148  TcpSession ssn;
1149  Packet *p = NULL;
1150  Signature *s = NULL;
1151  ThreadVars tv;
1152  DetectEngineThreadCtx *det_ctx = NULL;
1154 
1155  memset(&tv, 0, sizeof(ThreadVars));
1156  memset(&f, 0, sizeof(Flow));
1157  memset(&ssn, 0, sizeof(TcpSession));
1158 
1159  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1160 
1161  FLOW_INITIALIZE(&f);
1162  f.protoctx = (void *)&ssn;
1163  f.proto = IPPROTO_TCP;
1164  f.flags |= FLOW_IPV4;
1165 
1166  p->flow = &f;
1170  f.alproto = ALPROTO_HTTP;
1171 
1173 
1175  if (de_ctx == NULL) {
1176  goto end;
1177  }
1178  de_ctx->flags |= DE_QUIET;
1179 
1180  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1181  "(msg:\"Test pcre /U, uricontent and urilen option\"; "
1182  "uricontent:\"one\"; "
1183  "pcre:/(one)+self/U; urilen:>2; sid:1;)");
1184  if (s == NULL) {
1185  goto end;
1186  }
1187 
1188  SigGroupBuild(de_ctx);
1189  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1190 
1191  FLOWLOCK_WRLOCK(&f);
1192  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1193  STREAM_TOSERVER, http_buf1, http_buf1_len);
1194  if (r != 0) {
1195  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1196  FLOWLOCK_UNLOCK(&f);
1197  goto end;
1198  }
1199  FLOWLOCK_UNLOCK(&f);
1200 
1201  http_state = f.alstate;
1202  if (http_state == NULL) {
1203  printf("no http state: ");
1204  goto end;
1205  }
1206 
1207  /* do detect */
1208  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1209 
1210  if (PacketAlertCheck(p, 1)) {
1211  printf("sig 1 alerted, but it should not: ");
1212  goto end;
1213  }
1214 
1215  FLOWLOCK_WRLOCK(&f);
1216  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1217  STREAM_TOSERVER, http_buf2, http_buf2_len);
1218  if (r != 0) {
1219  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1220  FLOWLOCK_UNLOCK(&f);
1221  goto end;
1222  }
1223  FLOWLOCK_UNLOCK(&f);
1224 
1225  http_state = f.alstate;
1226  if (http_state == NULL) {
1227  printf("no http state: ");
1228  goto end;
1229  }
1230 
1231  /* do detect */
1232  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1233 
1234  if (!PacketAlertCheck(p, 1)) {
1235  printf("sig 1 didnt alert with payload2, but it should: ");
1236  goto end;
1237  }
1238 
1239  result = 1;
1240 
1241 end:
1242  if (alp_tctx != NULL)
1243  AppLayerParserThreadCtxFree(alp_tctx);
1244  if (det_ctx != NULL)
1245  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1246  if (de_ctx != NULL)
1247  SigGroupCleanup(de_ctx);
1248  if (de_ctx != NULL)
1249  DetectEngineCtxFree(de_ctx);
1250 
1252  FLOW_DESTROY(&f);
1253  UTHFreePacket(p);
1254  return result;
1255 }
1256 
1257 /** \test Test uricontent, urilen */
1258 static int UriTestSig13(void)
1259 {
1260  int result = 0;
1261  Flow f;
1262  HtpState *http_state = NULL;
1263  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
1264  "User-Agent: Mozilla/1.0\r\n"
1265  "Cookie: hellocatch\r\n\r\n";
1266  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1267  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
1268  "User-Agent: Mozilla/1.0\r\n"
1269  "Cookie: hellocatch\r\n\r\n";
1270  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1271  TcpSession ssn;
1272  Packet *p = NULL;
1273  Signature *s = NULL;
1274  ThreadVars tv;
1275  DetectEngineThreadCtx *det_ctx = NULL;
1277 
1278  memset(&tv, 0, sizeof(ThreadVars));
1279  memset(&f, 0, sizeof(Flow));
1280  memset(&ssn, 0, sizeof(TcpSession));
1281 
1282  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1283 
1284  FLOW_INITIALIZE(&f);
1285  f.protoctx = (void *)&ssn;
1286  f.proto = IPPROTO_TCP;
1287  f.flags |= FLOW_IPV4;
1288 
1289  p->flow = &f;
1293  f.alproto = ALPROTO_HTTP;
1294 
1296 
1298  if (de_ctx == NULL) {
1299  goto end;
1300  }
1301  de_ctx->flags |= DE_QUIET;
1302 
1303  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1304  "(msg:\"Test urilen option\"; "
1305  "urilen:>2; uricontent:\"one\"; sid:1;)");
1306  if (s == NULL) {
1307  goto end;
1308  }
1309 
1310  SigGroupBuild(de_ctx);
1311  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1312 
1313  FLOWLOCK_WRLOCK(&f);
1314  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1315  STREAM_TOSERVER, http_buf1, http_buf1_len);
1316  if (r != 0) {
1317  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1318  FLOWLOCK_UNLOCK(&f);
1319  goto end;
1320  }
1321  FLOWLOCK_UNLOCK(&f);
1322 
1323  http_state = f.alstate;
1324  if (http_state == NULL) {
1325  printf("no http state: ");
1326  goto end;
1327  }
1328 
1329  /* do detect */
1330  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1331 
1332  if (!PacketAlertCheck(p, 1)) {
1333  printf("sig 1 didnt alert with pkt, but it should: ");
1334  goto end;
1335  }
1336 
1337  FLOWLOCK_WRLOCK(&f);
1338  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1339  STREAM_TOSERVER, http_buf2, http_buf2_len);
1340  if (r != 0) {
1341  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1342  FLOWLOCK_UNLOCK(&f);
1343  goto end;
1344  }
1345  FLOWLOCK_UNLOCK(&f);
1346 
1347  http_state = f.alstate;
1348  if (http_state == NULL) {
1349  printf("no http state: ");
1350  goto end;
1351  }
1352 
1353  /* do detect */
1354  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1355 
1356 
1357  if (!PacketAlertCheck(p, 1)) {
1358  printf("sig 1 didnt alert with payload2, but it should: ");
1359  goto end;
1360  }
1361 
1362  result = 1;
1363 
1364 end:
1365  if (alp_tctx != NULL)
1366  AppLayerParserThreadCtxFree(alp_tctx);
1367  if (det_ctx != NULL)
1368  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1369  if (de_ctx != NULL)
1370  SigGroupCleanup(de_ctx);
1371  if (de_ctx != NULL)
1372  DetectEngineCtxFree(de_ctx);
1373 
1375  FLOW_DESTROY(&f);
1376  UTHFreePacket(p);
1377  return result;
1378 }
1379 
1380 /** \test Test uricontent, pcre /U */
1381 static int UriTestSig14(void)
1382 {
1383  int result = 0;
1384  Flow f;
1385  HtpState *http_state = NULL;
1386  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
1387  "User-Agent: Mozilla/1.0\r\n"
1388  "Cookie: hellocatch\r\n\r\n";
1389  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1390  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
1391  "User-Agent: Mozilla/1.0\r\n"
1392  "Cookie: hellocatch\r\n\r\n";
1393  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1394  TcpSession ssn;
1395  Packet *p = NULL;
1396  Signature *s = NULL;
1397  ThreadVars tv;
1398  DetectEngineThreadCtx *det_ctx = NULL;
1400 
1401  memset(&tv, 0, sizeof(ThreadVars));
1402  memset(&f, 0, sizeof(Flow));
1403  memset(&ssn, 0, sizeof(TcpSession));
1404 
1405  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1406 
1407  FLOW_INITIALIZE(&f);
1408  f.protoctx = (void *)&ssn;
1409  f.proto = IPPROTO_TCP;
1410  f.flags |= FLOW_IPV4;
1411 
1412  p->flow = &f;
1416  f.alproto = ALPROTO_HTTP;
1417 
1419 
1421  if (de_ctx == NULL) {
1422  goto end;
1423  }
1424  de_ctx->flags |= DE_QUIET;
1425 
1426  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1427  "(msg:\"Test uricontent option\"; "
1428  "uricontent:\"one\"; pcre:/one(self)?/U;sid:1;)");
1429  if (s == NULL) {
1430  goto end;
1431  }
1432 
1433  SigGroupBuild(de_ctx);
1434  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1435 
1436  FLOWLOCK_WRLOCK(&f);
1437  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1438  STREAM_TOSERVER, http_buf1, http_buf1_len);
1439  if (r != 0) {
1440  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1441  FLOWLOCK_UNLOCK(&f);
1442  goto end;
1443  }
1444  FLOWLOCK_UNLOCK(&f);
1445 
1446  http_state = f.alstate;
1447  if (http_state == NULL) {
1448  printf("no http state: ");
1449  goto end;
1450  }
1451 
1452  /* do detect */
1453  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1454 
1455  if (!PacketAlertCheck(p, 1)) {
1456  printf("sig 1 didnt alert with pkt, but it should: ");
1457  goto end;
1458  }
1459 
1460  FLOWLOCK_WRLOCK(&f);
1461  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1462  STREAM_TOSERVER, http_buf2, http_buf2_len);
1463  if (r != 0) {
1464  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1465  FLOWLOCK_UNLOCK(&f);
1466  goto end;
1467  }
1468  FLOWLOCK_UNLOCK(&f);
1469 
1470  http_state = f.alstate;
1471  if (http_state == NULL) {
1472  printf("no http state: ");
1473  goto end;
1474  }
1475 
1476  /* do detect */
1477  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1478 
1479 
1480  if (!PacketAlertCheck(p, 1)) {
1481  printf("sig 1 didnt alert with payload2, but it should: ");
1482  goto end;
1483  }
1484 
1485  result = 1;
1486 
1487 end:
1488  if (alp_tctx != NULL)
1489  AppLayerParserThreadCtxFree(alp_tctx);
1490  if (det_ctx != NULL)
1491  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1492  if (de_ctx != NULL)
1493  SigGroupCleanup(de_ctx);
1494  if (de_ctx != NULL)
1495  DetectEngineCtxFree(de_ctx);
1496 
1498  FLOW_DESTROY(&f);
1499  UTHFreePacket(p);
1500  return result;
1501 }
1502 
1503 /** \test Test pcre /U with anchored regex (bug 155) */
1504 static int UriTestSig15(void)
1505 {
1506  int result = 0;
1507  Flow f;
1508  HtpState *http_state = NULL;
1509  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
1510  "User-Agent: Mozilla/1.0\r\n"
1511  "Cookie: hellocatch\r\n\r\n";
1512  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1513  uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
1514  "User-Agent: Mozilla/1.0\r\n"
1515  "Cookie: hellocatch\r\n\r\n";
1516  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1517  TcpSession ssn;
1518  Packet *p = NULL;
1519  Signature *s = NULL;
1520  ThreadVars tv;
1521  DetectEngineThreadCtx *det_ctx = NULL;
1523 
1524  memset(&tv, 0, sizeof(ThreadVars));
1525  memset(&f, 0, sizeof(Flow));
1526  memset(&ssn, 0, sizeof(TcpSession));
1527 
1528  p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1529 
1530  FLOW_INITIALIZE(&f);
1531  f.protoctx = (void *)&ssn;
1532  f.proto = IPPROTO_TCP;
1533  f.flags |= FLOW_IPV4;
1534 
1535  p->flow = &f;
1539  f.alproto = ALPROTO_HTTP;
1540 
1542 
1544  if (de_ctx == NULL) {
1545  goto end;
1546  }
1547  de_ctx->flags |= DE_QUIET;
1548 
1549  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1550  "(msg:\"Test uricontent option\"; "
1551  "uricontent:\"one\"; pcre:/^\\/one(self)?$/U;sid:1;)");
1552  if (s == NULL) {
1553  goto end;
1554  }
1555 
1556  SigGroupBuild(de_ctx);
1557  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1558 
1559  FLOWLOCK_WRLOCK(&f);
1560  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1561  STREAM_TOSERVER, http_buf1, http_buf1_len);
1562  if (r != 0) {
1563  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1564  FLOWLOCK_UNLOCK(&f);
1565  goto end;
1566  }
1567  FLOWLOCK_UNLOCK(&f);
1568 
1569  http_state = f.alstate;
1570  if (http_state == NULL) {
1571  printf("no http state: ");
1572  goto end;
1573  }
1574 
1575  /* do detect */
1576  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1577 
1578  if (!PacketAlertCheck(p, 1)) {
1579  printf("sig 1 didnt alert with pkt, but it should: ");
1580  goto end;
1581  }
1582 
1583  FLOWLOCK_WRLOCK(&f);
1584  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1585  STREAM_TOSERVER, http_buf2, http_buf2_len);
1586  if (r != 0) {
1587  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1588  FLOWLOCK_UNLOCK(&f);
1589  goto end;
1590  }
1591  FLOWLOCK_UNLOCK(&f);
1592 
1593  http_state = f.alstate;
1594  if (http_state == NULL) {
1595  printf("no http state: ");
1596  goto end;
1597  }
1598 
1599  /* do detect */
1600  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1601 
1602 
1603  if (!PacketAlertCheck(p, 1)) {
1604  printf("sig 1 didnt alert with payload2, but it should: ");
1605  goto end;
1606  }
1607 
1608  result = 1;
1609 
1610 end:
1611  if (alp_tctx != NULL)
1612  AppLayerParserThreadCtxFree(alp_tctx);
1613  if (det_ctx != NULL)
1614  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1615  if (de_ctx != NULL)
1616  SigGroupCleanup(de_ctx);
1617  if (de_ctx != NULL)
1618  DetectEngineCtxFree(de_ctx);
1619 
1621  FLOW_DESTROY(&f);
1622  UTHFreePacket(p);
1623  return result;
1624 }
1625 
1626 /** \test Test pcre /U with anchored regex (bug 155) */
1627 static int UriTestSig16(void)
1628 {
1629  HtpState *http_state = NULL;
1630  uint8_t http_buf1[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
1631  "User-Agent: Mozilla/1.0/\r\n"
1632  "Host: 1.2.3.4\r\n\r\n";
1633  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1634  uint8_t http_buf2[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
1635  "User-Agent: Mozilla/1.0\r\n"
1636  "Cookie: hellocatch\r\n\r\n";
1637  uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1638  TcpSession ssn;
1639  Signature *s = NULL;
1640  ThreadVars tv;
1641  DetectEngineThreadCtx *det_ctx = NULL;
1643 
1644  memset(&tv, 0, sizeof(ThreadVars));
1645  memset(&ssn, 0, sizeof(TcpSession));
1647 
1648  Packet *p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1649  FAIL_IF_NULL(p);
1650  p->tcph->th_seq = htonl(1000);
1651  Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
1652  FAIL_IF_NULL(f);
1653  f->proto = IPPROTO_TCP;
1654 
1655  UTHAddSessionToFlow(f, 1000, 1000);
1656  UTHAddStreamToFlow(f, 0, http_buf1, http_buf1_len);
1657 
1658  p->flow = f;
1662  f->alproto = ALPROTO_HTTP;
1663 
1665  FAIL_IF_NULL(de_ctx);
1666  de_ctx->flags |= DE_QUIET;
1667 
1668  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any any (flow:to_server,established; uricontent:\"/search?q=\"; pcre:\"/^\\/search\\?q=[0-9]{1,3}(&aq=7(\\?[0-9a-f]{8})?)?/U\"; pcre:\"/\\x0d\\x0aHost\\: \\d+\\.\\d+\\.\\d+\\.\\d+\\x0d\\x0a/\"; sid:2009024; rev:9;)");
1669  FAIL_IF_NULL(s);
1670 
1671  SigGroupBuild(de_ctx);
1672  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1673 
1674  UTHAddStreamToFlow(f, 0, http_buf2, http_buf2_len);
1675 
1676  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
1677  STREAM_TOSERVER, http_buf1, http_buf1_len);
1678  FAIL_IF(r != 0);
1679 
1680  http_state = f->alstate;
1681  FAIL_IF_NULL(http_state);
1682 
1683  /* do detect */
1684  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1685  FAIL_IF(!PacketAlertCheck(p, 2009024));
1686  p->alerts.cnt = 0;
1687 
1688  p->payload = http_buf2;
1689  p->payload_len = http_buf2_len;
1690 
1691  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
1692  STREAM_TOSERVER, http_buf2, http_buf2_len);
1693  FAIL_IF(r != 0);
1694 
1695  http_state = f->alstate;
1696  FAIL_IF_NULL(http_state);
1697 
1698  /* do detect */
1699  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1700  FAIL_IF(PacketAlertCheck(p, 2009024));
1701 
1702  AppLayerParserThreadCtxFree(alp_tctx);
1703  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1704  DetectEngineCtxFree(de_ctx);
1705 
1707  UTHFreeFlow(f);
1708 
1710  UTHFreePacket(p);
1711  PASS;
1712 }
1713 
1714 /**
1715  * \test Test multiple relative contents
1716  */
1717 static int UriTestSig17(void)
1718 {
1719  int result = 0;
1720  uint8_t *http_buf = (uint8_t *)"POST /now_this_is_is_big_big_string_now HTTP/1.0\r\n"
1721  "User-Agent: Mozilla/1.0\r\n";
1722  uint32_t http_buf_len = strlen((char *)http_buf);
1723  Flow f;
1724  TcpSession ssn;
1725  HtpState *http_state = NULL;
1726  Packet *p = NULL;
1727  ThreadVars tv;
1728  DetectEngineThreadCtx *det_ctx = NULL;
1730 
1731  memset(&tv, 0, sizeof(ThreadVars));
1732  memset(&f, 0, sizeof(Flow));
1733  memset(&ssn, 0, sizeof(TcpSession));
1734 
1735  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
1736 
1737  FLOW_INITIALIZE(&f);
1738  f.protoctx = (void *)&ssn;
1739  f.proto = IPPROTO_TCP;
1740  f.flags |= FLOW_IPV4;
1741 
1742  p->flow = &f;
1746  f.alproto = ALPROTO_HTTP;
1747 
1749 
1751  if (de_ctx == NULL) {
1752  goto end;
1753  }
1754  de_ctx->flags |= DE_QUIET;
1755 
1756  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1757  "(msg:\"test multiple relative uricontents\"; "
1758  "uricontent:\"this\"; uricontent:\"is\"; within:6; "
1759  "uricontent:\"big\"; within:8; "
1760  "uricontent:\"string\"; within:8; sid:1;)");
1761  if (de_ctx->sig_list == NULL) {
1762  goto end;
1763  }
1764 
1765  SigGroupBuild(de_ctx);
1766  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1767 
1768  FLOWLOCK_WRLOCK(&f);
1769  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1770  STREAM_TOSERVER, http_buf, http_buf_len);
1771  if (r != 0) {
1772  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1773  FLOWLOCK_UNLOCK(&f);
1774  goto end;
1775  }
1776  FLOWLOCK_UNLOCK(&f);
1777 
1778  http_state = f.alstate;
1779  if (http_state == NULL) {
1780  printf("no http state: ");
1781  goto end;
1782  }
1783 
1784  /* do detect */
1785  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1786 
1787  if (!PacketAlertCheck(p, 1)) {
1788  printf("sig 1 alerted, but it should not: ");
1789  goto end;
1790  }
1791 
1792  result = 1;
1793 
1794 end:
1795  if (alp_tctx != NULL)
1796  AppLayerParserThreadCtxFree(alp_tctx);
1797  if (det_ctx != NULL)
1798  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1799  if (de_ctx != NULL)
1800  SigGroupCleanup(de_ctx);
1801  if (de_ctx != NULL)
1802  DetectEngineCtxFree(de_ctx);
1803 
1805  FLOW_DESTROY(&f);
1806  UTHFreePacket(p);
1807  return result;
1808 }
1809 
1810 /**
1811  * \test Test multiple relative contents
1812  */
1813 static int UriTestSig18(void)
1814 {
1815  int result = 0;
1816  uint8_t *http_buf = (uint8_t *)"POST /now_this_is_is_is_big_big_big_string_now HTTP/1.0\r\n"
1817  "User-Agent: Mozilla/1.0\r\n";
1818  uint32_t http_buf_len = strlen((char *)http_buf);
1819  Flow f;
1820  TcpSession ssn;
1821  HtpState *http_state = NULL;
1822  Packet *p = NULL;
1823  ThreadVars tv;
1824  DetectEngineThreadCtx *det_ctx = NULL;
1826 
1827  memset(&tv, 0, sizeof(ThreadVars));
1828  memset(&f, 0, sizeof(Flow));
1829  memset(&ssn, 0, sizeof(TcpSession));
1830 
1831  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
1832 
1833  FLOW_INITIALIZE(&f);
1834  f.protoctx = (void *)&ssn;
1835  f.proto = IPPROTO_TCP;
1836  f.flags |= FLOW_IPV4;
1837 
1838  p->flow = &f;
1842  f.alproto = ALPROTO_HTTP;
1843 
1845 
1847  if (de_ctx == NULL) {
1848  goto end;
1849  }
1850  de_ctx->flags |= DE_QUIET;
1851 
1852  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1853  "(msg:\"test multiple relative uricontents\"; "
1854  "uricontent:\"this\"; uricontent:\"is\"; within:9; "
1855  "uricontent:\"big\"; within:12; "
1856  "uricontent:\"string\"; within:8; sid:1;)");
1857  if (de_ctx->sig_list == NULL) {
1858  goto end;
1859  }
1860 
1861  SigGroupBuild(de_ctx);
1862  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1863 
1864  FLOWLOCK_WRLOCK(&f);
1865  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1866  STREAM_TOSERVER, http_buf, http_buf_len);
1867  if (r != 0) {
1868  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1869  FLOWLOCK_UNLOCK(&f);
1870  goto end;
1871  }
1872  FLOWLOCK_UNLOCK(&f);
1873 
1874  http_state = f.alstate;
1875  if (http_state == NULL) {
1876  printf("no http state: ");
1877  goto end;
1878  }
1879 
1880  /* do detect */
1881  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1882 
1883  if (!PacketAlertCheck(p, 1)) {
1884  printf("sig 1 alerted, but it should not: ");
1885  goto end;
1886  }
1887 
1888  result = 1;
1889 
1890 end:
1891  if (alp_tctx != NULL)
1892  AppLayerParserThreadCtxFree(alp_tctx);
1893  if (det_ctx != NULL)
1894  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1895  if (de_ctx != NULL)
1896  SigGroupCleanup(de_ctx);
1897  if (de_ctx != NULL)
1898  DetectEngineCtxFree(de_ctx);
1899 
1901  FLOW_DESTROY(&f);
1902  UTHFreePacket(p);
1903  return result;
1904 }
1905 
1906 /**
1907  * \test Test multiple relative contents
1908  */
1909 static int UriTestSig19(void)
1910 {
1911  int result = 0;
1912  uint8_t *http_buf = (uint8_t *)"POST /this_this_now_is_is_____big_string_now HTTP/1.0\r\n"
1913  "User-Agent: Mozilla/1.0\r\n";
1914  uint32_t http_buf_len = strlen((char *)http_buf);
1915  Flow f;
1916  TcpSession ssn;
1917  HtpState *http_state = NULL;
1918  Packet *p = NULL;
1919  ThreadVars tv;
1920  DetectEngineThreadCtx *det_ctx = NULL;
1922 
1923  memset(&tv, 0, sizeof(ThreadVars));
1924  memset(&f, 0, sizeof(Flow));
1925  memset(&ssn, 0, sizeof(TcpSession));
1926 
1927  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
1928 
1929  FLOW_INITIALIZE(&f);
1930  f.protoctx = (void *)&ssn;
1931  f.proto = IPPROTO_TCP;
1932  f.flags |= FLOW_IPV4;
1933 
1934  p->flow = &f;
1938  f.alproto = ALPROTO_HTTP;
1939 
1941 
1943  if (de_ctx == NULL) {
1944  goto end;
1945  }
1946  de_ctx->flags |= DE_QUIET;
1947 
1948  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1949  "(msg:\"test multiple relative uricontents\"; "
1950  "uricontent:\"now\"; uricontent:\"this\"; "
1951  "uricontent:\"is\"; within:12; "
1952  "uricontent:\"big\"; within:8; "
1953  "uricontent:\"string\"; within:8; sid:1;)");
1954  if (de_ctx->sig_list == NULL) {
1955  goto end;
1956  }
1957 
1958  SigGroupBuild(de_ctx);
1959  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1960 
1961  FLOWLOCK_WRLOCK(&f);
1962  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
1963  STREAM_TOSERVER, http_buf, http_buf_len);
1964  if (r != 0) {
1965  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1966  FLOWLOCK_UNLOCK(&f);
1967  goto end;
1968  }
1969  FLOWLOCK_UNLOCK(&f);
1970 
1971  http_state = f.alstate;
1972  if (http_state == NULL) {
1973  printf("no http state: ");
1974  goto end;
1975  }
1976 
1977  /* do detect */
1978  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1979 
1980  if (!PacketAlertCheck(p, 1)) {
1981  printf("sig 1 alerted, but it should not: ");
1982  goto end;
1983  }
1984 
1985  result = 1;
1986 
1987 end:
1988  if (alp_tctx != NULL)
1989  AppLayerParserThreadCtxFree(alp_tctx);
1990  if (det_ctx != NULL)
1991  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1992  if (de_ctx != NULL)
1993  SigGroupCleanup(de_ctx);
1994  if (de_ctx != NULL)
1995  DetectEngineCtxFree(de_ctx);
1996 
1998  FLOW_DESTROY(&f);
1999  UTHFreePacket(p);
2000  return result;
2001 }
2002 
2003 /**
2004  * \test Test multiple relative contents with offset
2005  */
2006 static int UriTestSig20(void)
2007 {
2008  int result = 0;
2009  uint8_t *http_buf = (uint8_t *)"POST /_________thus_thus_is_a_big HTTP/1.0\r\n"
2010  "User-Agent: Mozilla/1.0\r\n";
2011  uint32_t http_buf_len = strlen((char *)http_buf);
2012  Flow f;
2013  TcpSession ssn;
2014  HtpState *http_state = NULL;
2015  Packet *p = NULL;
2016  ThreadVars tv;
2017  DetectEngineThreadCtx *det_ctx = NULL;
2019 
2020  memset(&tv, 0, sizeof(ThreadVars));
2021  memset(&f, 0, sizeof(Flow));
2022  memset(&ssn, 0, sizeof(TcpSession));
2023 
2024  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2025 
2026  FLOW_INITIALIZE(&f);
2027  f.protoctx = (void *)&ssn;
2028  f.proto = IPPROTO_TCP;
2029  f.flags |= FLOW_IPV4;
2030 
2031  p->flow = &f;
2035  f.alproto = ALPROTO_HTTP;
2036 
2038 
2040  if (de_ctx == NULL) {
2041  goto end;
2042  }
2043  de_ctx->flags |= DE_QUIET;
2044 
2045  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2046  "(msg:\"test multiple relative uricontents\"; "
2047  "uricontent:\"thus\"; offset:8; "
2048  "uricontent:\"is\"; within:6; "
2049  "uricontent:\"big\"; within:8; sid:1;)");
2050  if (de_ctx->sig_list == NULL) {
2051  goto end;
2052  }
2053 
2054  SigGroupBuild(de_ctx);
2055  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2056 
2057  FLOWLOCK_WRLOCK(&f);
2058  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2059  STREAM_TOSERVER, http_buf, http_buf_len);
2060  if (r != 0) {
2061  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2062  FLOWLOCK_UNLOCK(&f);
2063  goto end;
2064  }
2065  FLOWLOCK_UNLOCK(&f);
2066 
2067  http_state = f.alstate;
2068  if (http_state == NULL) {
2069  printf("no http state: ");
2070  goto end;
2071  }
2072 
2073  /* do detect */
2074  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2075 
2076  if (!PacketAlertCheck(p, 1)) {
2077  printf("sig 1 alerted, but it should not: ");
2078  goto end;
2079  }
2080 
2081  result = 1;
2082 
2083 end:
2084  if (alp_tctx != NULL)
2085  AppLayerParserThreadCtxFree(alp_tctx);
2086  if (det_ctx != NULL)
2087  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2088  if (de_ctx != NULL)
2089  SigGroupCleanup(de_ctx);
2090  if (de_ctx != NULL)
2091  DetectEngineCtxFree(de_ctx);
2092 
2094  FLOW_DESTROY(&f);
2095  UTHFreePacket(p);
2096  return result;
2097 }
2098 
2099 /**
2100  * \test Test multiple relative contents with a negated content.
2101  */
2102 static int UriTestSig21(void)
2103 {
2104  int result = 0;
2105  uint8_t *http_buf = (uint8_t *)"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2106  "User-Agent: Mozilla/1.0\r\n";
2107  uint32_t http_buf_len = strlen((char *)http_buf);
2108  Flow f;
2109  TcpSession ssn;
2110  HtpState *http_state = NULL;
2111  Packet *p = NULL;
2112  ThreadVars tv;
2113  DetectEngineThreadCtx *det_ctx = NULL;
2115 
2116  memset(&tv, 0, sizeof(ThreadVars));
2117  memset(&f, 0, sizeof(Flow));
2118  memset(&ssn, 0, sizeof(TcpSession));
2119 
2120  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2121 
2122  FLOW_INITIALIZE(&f);
2123  f.protoctx = (void *)&ssn;
2124  f.proto = IPPROTO_TCP;
2125  f.flags |= FLOW_IPV4;
2126 
2127  p->flow = &f;
2131  f.alproto = ALPROTO_HTTP;
2132 
2134 
2136  if (de_ctx == NULL) {
2137  goto end;
2138  }
2139  de_ctx->flags |= DE_QUIET;
2140 
2141  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2142  "(msg:\"test multiple relative uricontents\"; "
2143  "uricontent:\"fix\"; uricontent:\"this\"; within:6; "
2144  "uricontent:!\"and\"; distance:0; sid:1;)");
2145  if (de_ctx->sig_list == NULL) {
2146  goto end;
2147  }
2148 
2149  SigGroupBuild(de_ctx);
2150  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2151 
2152  FLOWLOCK_WRLOCK(&f);
2153  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2154  STREAM_TOSERVER, http_buf, http_buf_len);
2155  if (r != 0) {
2156  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2157  FLOWLOCK_UNLOCK(&f);
2158  goto end;
2159  }
2160  FLOWLOCK_UNLOCK(&f);
2161 
2162  http_state = f.alstate;
2163  if (http_state == NULL) {
2164  printf("no http state: ");
2165  goto end;
2166  }
2167 
2168  /* do detect */
2169  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2170 
2171  if (!PacketAlertCheck(p, 1)) {
2172  printf("sig 1 alerted, but it should not: ");
2173  goto end;
2174  }
2175 
2176  result = 1;
2177 
2178 end:
2179  if (alp_tctx != NULL)
2180  AppLayerParserThreadCtxFree(alp_tctx);
2181  if (det_ctx != NULL)
2182  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2183  if (de_ctx != NULL)
2184  SigGroupCleanup(de_ctx);
2185  if (de_ctx != NULL)
2186  DetectEngineCtxFree(de_ctx);
2187 
2189  FLOW_DESTROY(&f);
2190  UTHFreePacket(p);
2191  return result;
2192 }
2193 
2194 /**
2195  * \test Test relative pcre.
2196  */
2197 static int UriTestSig22(void)
2198 {
2199  int result = 0;
2200  uint8_t *http_buf = (uint8_t *)"POST /this_is_a_super_duper_"
2201  "nova_in_super_nova_now HTTP/1.0\r\n"
2202  "User-Agent: Mozilla/1.0\r\n";
2203  uint32_t http_buf_len = strlen((char *)http_buf);
2204  Flow f;
2205  TcpSession ssn;
2206  HtpState *http_state = NULL;
2207  Packet *p = NULL;
2208  ThreadVars tv;
2209  DetectEngineThreadCtx *det_ctx = NULL;
2211 
2212  memset(&tv, 0, sizeof(ThreadVars));
2213  memset(&f, 0, sizeof(Flow));
2214  memset(&ssn, 0, sizeof(TcpSession));
2215 
2216  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2217 
2218  FLOW_INITIALIZE(&f);
2219  f.protoctx = (void *)&ssn;
2220  f.proto = IPPROTO_TCP;
2221  f.flags |= FLOW_IPV4;
2222 
2223  p->flow = &f;
2227  f.alproto = ALPROTO_HTTP;
2228 
2230 
2232  if (de_ctx == NULL) {
2233  goto end;
2234  }
2235  de_ctx->flags |= DE_QUIET;
2236 
2237  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2238  "(msg:\"test multiple relative uricontents\"; "
2239  "pcre:/super/U; uricontent:\"nova\"; within:7; sid:1;)");
2240  if (de_ctx->sig_list == NULL) {
2241  goto end;
2242  }
2243 
2244  SigGroupBuild(de_ctx);
2245  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2246 
2247  FLOWLOCK_WRLOCK(&f);
2248  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2249  STREAM_TOSERVER, http_buf, http_buf_len);
2250  if (r != 0) {
2251  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2252  FLOWLOCK_UNLOCK(&f);
2253  goto end;
2254  }
2255  FLOWLOCK_UNLOCK(&f);
2256 
2257  http_state = f.alstate;
2258  if (http_state == NULL) {
2259  printf("no http state: ");
2260  goto end;
2261  }
2262 
2263  /* do detect */
2264  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2265 
2266  if (!PacketAlertCheck(p, 1)) {
2267  printf("sig 1 didn't alert, but it should have: ");
2268  goto end;
2269  }
2270 
2271  result = 1;
2272 
2273 end:
2274  if (alp_tctx != NULL)
2275  AppLayerParserThreadCtxFree(alp_tctx);
2276  if (det_ctx != NULL)
2277  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2278  if (de_ctx != NULL)
2279  SigGroupCleanup(de_ctx);
2280  if (de_ctx != NULL)
2281  DetectEngineCtxFree(de_ctx);
2282 
2284  FLOW_DESTROY(&f);
2285  UTHFreePacket(p);
2286  return result;
2287 }
2288 
2289 /**
2290  * \test Test multiple relative contents with a negated content.
2291  */
2292 static int UriTestSig23(void)
2293 {
2294  int result = 0;
2295  uint8_t *http_buf = (uint8_t *)"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2296  "User-Agent: Mozilla/1.0\r\n";
2297  uint32_t http_buf_len = strlen((char *)http_buf);
2298  Flow f;
2299  TcpSession ssn;
2300  HtpState *http_state = NULL;
2301  Packet *p = NULL;
2302  ThreadVars tv;
2303  DetectEngineThreadCtx *det_ctx = NULL;
2305 
2306  memset(&tv, 0, sizeof(ThreadVars));
2307  memset(&f, 0, sizeof(Flow));
2308  memset(&ssn, 0, sizeof(TcpSession));
2309 
2310  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2311 
2312  FLOW_INITIALIZE(&f);
2313  f.protoctx = (void *)&ssn;
2314  f.proto = IPPROTO_TCP;
2315  f.flags |= FLOW_IPV4;
2316 
2317  p->flow = &f;
2321  f.alproto = ALPROTO_HTTP;
2322 
2324 
2326  if (de_ctx == NULL) {
2327  goto end;
2328  }
2329  de_ctx->flags |= DE_QUIET;
2330 
2331  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2332  "(msg:\"test multiple relative uricontents\"; "
2333  "uricontent:!\"fix_this_now\"; sid:1;)");
2334  if (de_ctx->sig_list == NULL) {
2335  goto end;
2336  }
2337 
2338  SigGroupBuild(de_ctx);
2339  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2340 
2341  FLOWLOCK_WRLOCK(&f);
2342  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2343  STREAM_TOSERVER, http_buf, http_buf_len);
2344  if (r != 0) {
2345  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2346  FLOWLOCK_UNLOCK(&f);
2347  goto end;
2348  }
2349  FLOWLOCK_UNLOCK(&f);
2350 
2351  http_state = f.alstate;
2352  if (http_state == NULL) {
2353  printf("no http state: ");
2354  goto end;
2355  }
2356 
2357  /* do detect */
2358  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2359 
2360  if (PacketAlertCheck(p, 1)) {
2361  printf("sig 1 alerted, but it should not: ");
2362  goto end;
2363  }
2364 
2365  result = 1;
2366 
2367 end:
2368  if (alp_tctx != NULL)
2369  AppLayerParserThreadCtxFree(alp_tctx);
2370  if (det_ctx != NULL)
2371  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2372  if (de_ctx != NULL)
2373  SigGroupCleanup(de_ctx);
2374  if (de_ctx != NULL)
2375  DetectEngineCtxFree(de_ctx);
2376 
2378  FLOW_DESTROY(&f);
2379  UTHFreePacket(p);
2380  return result;
2381 }
2382 
2383 /**
2384  * \test Test multiple relative contents with a negated content.
2385  */
2386 static int UriTestSig24(void)
2387 {
2388  int result = 0;
2389  uint8_t *http_buf = (uint8_t *)"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2390  "User-Agent: Mozilla/1.0\r\n";
2391  uint32_t http_buf_len = strlen((char *)http_buf);
2392  Flow f;
2393  TcpSession ssn;
2394  HtpState *http_state = NULL;
2395  Packet *p = NULL;
2396  ThreadVars tv;
2397  DetectEngineThreadCtx *det_ctx = NULL;
2399 
2400  memset(&tv, 0, sizeof(ThreadVars));
2401  memset(&f, 0, sizeof(Flow));
2402  memset(&ssn, 0, sizeof(TcpSession));
2403 
2404  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2405 
2406  FLOW_INITIALIZE(&f);
2407  f.protoctx = (void *)&ssn;
2408  f.proto = IPPROTO_TCP;
2409  f.flags |= FLOW_IPV4;
2410 
2411  p->flow = &f;
2415  f.alproto = ALPROTO_HTTP;
2416 
2418 
2420  if (de_ctx == NULL) {
2421  goto end;
2422  }
2423  de_ctx->flags |= DE_QUIET;
2424 
2425  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2426  "(msg:\"test multiple relative uricontents\"; "
2427  "uricontent:\"we_need_to\"; uricontent:!\"fix_this_now\"; sid:1;)");
2428  if (de_ctx->sig_list == NULL) {
2429  goto end;
2430  }
2431 
2432  SigGroupBuild(de_ctx);
2433  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2434 
2435  FLOWLOCK_WRLOCK(&f);
2436  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2437  STREAM_TOSERVER, http_buf, http_buf_len);
2438  if (r != 0) {
2439  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2440  FLOWLOCK_UNLOCK(&f);
2441  goto end;
2442  }
2443  FLOWLOCK_UNLOCK(&f);
2444 
2445  http_state = f.alstate;
2446  if (http_state == NULL) {
2447  printf("no http state: ");
2448  goto end;
2449  }
2450 
2451  /* do detect */
2452  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2453 
2454  if (PacketAlertCheck(p, 1)) {
2455  printf("sig 1 alerted, but it should not: ");
2456  goto end;
2457  }
2458 
2459  result = 1;
2460 
2461 end:
2462  if (alp_tctx != NULL)
2463  AppLayerParserThreadCtxFree(alp_tctx);
2464  if (det_ctx != NULL)
2465  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2466  if (de_ctx != NULL)
2467  SigGroupCleanup(de_ctx);
2468  if (de_ctx != NULL)
2469  DetectEngineCtxFree(de_ctx);
2470 
2472  FLOW_DESTROY(&f);
2473  UTHFreePacket(p);
2474  return result;
2475 }
2476 
2477 /**
2478  * \test Test normalized uricontents.
2479  */
2480 static int UriTestSig25(void)
2481 {
2482  int result = 0;
2483  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
2484  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
2485  uint32_t http_buf_len = strlen((char *)http_buf);
2486  Flow f;
2487  TcpSession ssn;
2488  HtpState *http_state = NULL;
2489  Packet *p = NULL;
2490  ThreadVars tv;
2491  DetectEngineThreadCtx *det_ctx = NULL;
2493 
2494  memset(&tv, 0, sizeof(ThreadVars));
2495  memset(&f, 0, sizeof(Flow));
2496  memset(&ssn, 0, sizeof(TcpSession));
2497 
2498  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2499 
2500  FLOW_INITIALIZE(&f);
2501  f.protoctx = (void *)&ssn;
2502  f.proto = IPPROTO_TCP;
2503  f.flags |= FLOW_IPV4;
2504 
2505  p->flow = &f;
2508  f.alproto = ALPROTO_HTTP;
2510 
2512 
2514  if (de_ctx == NULL) {
2515  goto end;
2516  }
2517  de_ctx->flags |= DE_QUIET;
2518 
2519  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2520  "(msg:\"test multiple relative uricontents\"; "
2521  "pcre:/normalized/U; uricontent:\"normalized uri\"; sid:1;)");
2522  if (de_ctx->sig_list == NULL) {
2523  goto end;
2524  }
2525 
2526  SigGroupBuild(de_ctx);
2527  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2528 
2529  FLOWLOCK_WRLOCK(&f);
2530  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2531  STREAM_TOSERVER, http_buf, http_buf_len);
2532  if (r != 0) {
2533  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2534  FLOWLOCK_UNLOCK(&f);
2535  goto end;
2536  }
2537  FLOWLOCK_UNLOCK(&f);
2538 
2539  http_state = f.alstate;
2540  if (http_state == NULL) {
2541  printf("no http state: ");
2542  goto end;
2543  }
2544 
2545  /* do detect */
2546  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2547 
2548  if (!PacketAlertCheck(p, 1)) {
2549  printf("sig 1 didn't alert, but it should have: ");
2550  goto end;
2551  }
2552 
2553  result = 1;
2554 
2555 end:
2556  if (alp_tctx != NULL)
2557  AppLayerParserThreadCtxFree(alp_tctx);
2558  if (det_ctx != NULL)
2559  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2560  if (de_ctx != NULL)
2561  SigGroupCleanup(de_ctx);
2562  if (de_ctx != NULL)
2563  DetectEngineCtxFree(de_ctx);
2564 
2566  FLOW_DESTROY(&f);
2567  UTHFreePacket(p);
2568  return result;
2569 }
2570 
2571 /**
2572  * \test Test multiple relative contents with a negated content.
2573  */
2574 static int UriTestSig26(void)
2575 {
2576  int result = 0;
2577  uint8_t *http_buf = (uint8_t *)"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2578  "User-Agent: Mozilla/1.0\r\n";
2579  uint32_t http_buf_len = strlen((char *)http_buf);
2580  Flow f;
2581  TcpSession ssn;
2582  HtpState *http_state = NULL;
2583  Packet *p = NULL;
2584  ThreadVars tv;
2585  DetectEngineThreadCtx *det_ctx = NULL;
2587 
2588  memset(&tv, 0, sizeof(ThreadVars));
2589  memset(&f, 0, sizeof(Flow));
2590  memset(&ssn, 0, sizeof(TcpSession));
2591 
2592  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2593 
2594  FLOW_INITIALIZE(&f);
2595  f.protoctx = (void *)&ssn;
2596  f.proto = IPPROTO_TCP;
2597  f.flags |= FLOW_IPV4;
2598 
2599  p->flow = &f;
2603  f.alproto = ALPROTO_HTTP;
2604 
2606 
2608  if (de_ctx == NULL) {
2609  goto end;
2610  }
2611  de_ctx->flags |= DE_QUIET;
2612 
2613  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2614  "(msg:\"test multiple relative uricontents\"; "
2615  "uricontent:\"fix_this\"; isdataat:4,relative; sid:1;)");
2616  if (de_ctx->sig_list == NULL) {
2617  goto end;
2618  }
2619 
2620  SigGroupBuild(de_ctx);
2621  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2622 
2623  FLOWLOCK_WRLOCK(&f);
2624  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2625  STREAM_TOSERVER, http_buf, http_buf_len);
2626  if (r != 0) {
2627  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2628  FLOWLOCK_UNLOCK(&f);
2629  goto end;
2630  }
2631  FLOWLOCK_UNLOCK(&f);
2632 
2633  http_state = f.alstate;
2634  if (http_state == NULL) {
2635  printf("no http state: ");
2636  goto end;
2637  }
2638 
2639  /* do detect */
2640  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2641 
2642  if (!PacketAlertCheck(p, 1)) {
2643  printf("sig 1 didn't alert, but it should have: ");
2644  goto end;
2645  }
2646 
2647  result = 1;
2648 
2649 end:
2650  if (alp_tctx != NULL)
2651  AppLayerParserThreadCtxFree(alp_tctx);
2652  if (det_ctx != NULL)
2653  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2654  if (de_ctx != NULL)
2655  SigGroupCleanup(de_ctx);
2656  if (de_ctx != NULL)
2657  DetectEngineCtxFree(de_ctx);
2658 
2660  FLOW_DESTROY(&f);
2661  UTHFreePacket(p);
2662  return result;
2663 }
2664 
2665 /**
2666  * \test Test multiple relative contents with a negated content.
2667  */
2668 static int UriTestSig27(void)
2669 {
2670  int result = 0;
2671  uint8_t *http_buf = (uint8_t *)"POST /we_need_to_fix_this_and_yes_fix_this_now HTTP/1.0\r\n"
2672  "User-Agent: Mozilla/1.0\r\n";
2673  uint32_t http_buf_len = strlen((char *)http_buf);
2674  Flow f;
2675  TcpSession ssn;
2676  HtpState *http_state = NULL;
2677  Packet *p = NULL;
2678  ThreadVars tv;
2679  DetectEngineThreadCtx *det_ctx = NULL;
2681 
2682  memset(&tv, 0, sizeof(ThreadVars));
2683  memset(&f, 0, sizeof(Flow));
2684  memset(&ssn, 0, sizeof(TcpSession));
2685 
2686  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2687 
2688  FLOW_INITIALIZE(&f);
2689  f.protoctx = (void *)&ssn;
2690  f.proto = IPPROTO_TCP;
2691  f.flags |= FLOW_IPV4;
2692 
2693  p->flow = &f;
2697  f.alproto = ALPROTO_HTTP;
2698 
2700 
2702  if (de_ctx == NULL) {
2703  goto end;
2704  }
2705  de_ctx->flags |= DE_QUIET;
2706 
2707  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2708  "(msg:\"test multiple relative uricontents\"; "
2709  "uricontent:\"fix_this\"; isdataat:!10,relative; sid:1;)");
2710  if (de_ctx->sig_list == NULL) {
2711  goto end;
2712  }
2713 
2714  SigGroupBuild(de_ctx);
2715  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2716 
2717  FLOWLOCK_WRLOCK(&f);
2718  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2719  STREAM_TOSERVER, http_buf, http_buf_len);
2720  if (r != 0) {
2721  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2722  FLOWLOCK_UNLOCK(&f);
2723  goto end;
2724  }
2725  FLOWLOCK_UNLOCK(&f);
2726 
2727  http_state = f.alstate;
2728  if (http_state == NULL) {
2729  printf("no http state: ");
2730  goto end;
2731  }
2732 
2733  /* do detect */
2734  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2735 
2736  if (!PacketAlertCheck(p, 1)) {
2737  printf("sig 1 didn't alert, but it should have: ");
2738  goto end;
2739  }
2740 
2741  result = 1;
2742 
2743 end:
2744  if (alp_tctx != NULL)
2745  AppLayerParserThreadCtxFree(alp_tctx);
2746  if (det_ctx != NULL)
2747  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2748  if (de_ctx != NULL)
2749  SigGroupCleanup(de_ctx);
2750  if (de_ctx != NULL)
2751  DetectEngineCtxFree(de_ctx);
2752 
2754  FLOW_DESTROY(&f);
2755  UTHFreePacket(p);
2756  return result;
2757 }
2758 
2759 
2760 
2761 
2762 
2763 
2764 
2765 
2766 
2767 
2768 
2769 
2770 
2771 
2772 
2773 
2774 
2775 
2776 
2777 
2778 
2779 
2780 
2781 
2782 
2783 
2784 
2785 
2786 
2787 
2788 
2789 
2790 
2791 
2792 
2793 
2794 static int UriTestSig28(void)
2795 {
2796  int result = 0;
2797  uint8_t *http_buf = (uint8_t *)"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2798  "User-Agent: Mozilla/1.0\r\n";
2799  uint32_t http_buf_len = strlen((char *)http_buf);
2800  Flow f;
2801  TcpSession ssn;
2802  HtpState *http_state = NULL;
2803  Packet *p = NULL;
2804  ThreadVars tv;
2805  DetectEngineThreadCtx *det_ctx = NULL;
2807 
2808  memset(&tv, 0, sizeof(ThreadVars));
2809  memset(&f, 0, sizeof(Flow));
2810  memset(&ssn, 0, sizeof(TcpSession));
2811 
2812  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2813 
2814  FLOW_INITIALIZE(&f);
2815  f.protoctx = (void *)&ssn;
2816  f.proto = IPPROTO_TCP;
2817  f.flags |= FLOW_IPV4;
2818 
2819  p->flow = &f;
2823  f.alproto = ALPROTO_HTTP;
2824 
2826 
2828  if (de_ctx == NULL) {
2829  goto end;
2830  }
2831  de_ctx->flags |= DE_QUIET;
2832 
2833  de_ctx->sig_list = SigInit(de_ctx,
2834  "alert tcp any any -> any any (msg:\"dummy\"; "
2835  "uricontent:\"this\"; "
2836  "byte_extract:1,2,one,string,dec,relative; "
2837  "uricontent:\"ring\"; distance:one; sid:1;)");
2838  if (de_ctx->sig_list == NULL) {
2839  goto end;
2840  }
2841 
2842  SigGroupBuild(de_ctx);
2843  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2844 
2845  FLOWLOCK_WRLOCK(&f);
2846  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2847  STREAM_TOSERVER, http_buf, http_buf_len);
2848  if (r != 0) {
2849  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2850  FLOWLOCK_UNLOCK(&f);
2851  goto end;
2852  }
2853  FLOWLOCK_UNLOCK(&f);
2854 
2855  http_state = f.alstate;
2856  if (http_state == NULL) {
2857  printf("no http state: ");
2858  goto end;
2859  }
2860 
2861  /* do detect */
2862  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2863 
2864  if (!PacketAlertCheck(p, 1)) {
2865  printf("sig 1 didn't alert, but should have: ");
2866  goto end;
2867  }
2868 
2869  result = 1;
2870 
2871 end:
2872  if (alp_tctx != NULL)
2873  AppLayerParserThreadCtxFree(alp_tctx);
2874  if (det_ctx != NULL)
2875  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2876  if (de_ctx != NULL)
2877  SigGroupCleanup(de_ctx);
2878  if (de_ctx != NULL)
2879  DetectEngineCtxFree(de_ctx);
2880 
2882  FLOW_DESTROY(&f);
2883  UTHFreePacket(p);
2884  return result;
2885 }
2886 
2887 static int UriTestSig29(void)
2888 {
2889  int result = 0;
2890  uint8_t *http_buf = (uint8_t *)"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2891  "User-Agent: Mozilla/1.0\r\n";
2892  uint32_t http_buf_len = strlen((char *)http_buf);
2893  Flow f;
2894  TcpSession ssn;
2895  HtpState *http_state = NULL;
2896  Packet *p = NULL;
2897  ThreadVars tv;
2898  DetectEngineThreadCtx *det_ctx = NULL;
2900 
2901  memset(&tv, 0, sizeof(ThreadVars));
2902  memset(&f, 0, sizeof(Flow));
2903  memset(&ssn, 0, sizeof(TcpSession));
2904 
2905  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2906 
2907  FLOW_INITIALIZE(&f);
2908  f.protoctx = (void *)&ssn;
2909  f.proto = IPPROTO_TCP;
2910  f.flags |= FLOW_IPV4;
2911 
2912  p->flow = &f;
2916  f.alproto = ALPROTO_HTTP;
2917 
2919 
2921  if (de_ctx == NULL) {
2922  goto end;
2923  }
2924  de_ctx->flags |= DE_QUIET;
2925 
2926  de_ctx->sig_list = SigInit(de_ctx,
2927  "alert tcp any any -> any any (msg:\"dummy\"; "
2928  "uricontent:\"this\"; "
2929  "byte_extract:1,2,one,string,dec,relative; "
2930  "uricontent:\"ring\"; distance:one; sid:1;)");
2931  if (de_ctx->sig_list == NULL) {
2932  goto end;
2933  }
2934 
2935  SigGroupBuild(de_ctx);
2936  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
2937 
2938  FLOWLOCK_WRLOCK(&f);
2939  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
2940  STREAM_TOSERVER, http_buf, http_buf_len);
2941  if (r != 0) {
2942  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2943  FLOWLOCK_UNLOCK(&f);
2944  goto end;
2945  }
2946  FLOWLOCK_UNLOCK(&f);
2947 
2948  http_state = f.alstate;
2949  if (http_state == NULL) {
2950  printf("no http state: ");
2951  goto end;
2952  }
2953 
2954  /* do detect */
2955  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
2956 
2957  if (!PacketAlertCheck(p, 1)) {
2958  printf("sig 1 didn't alert, but should have: ");
2959  goto end;
2960  }
2961 
2962  result = 1;
2963 
2964 end:
2965  if (alp_tctx != NULL)
2966  AppLayerParserThreadCtxFree(alp_tctx);
2967  if (det_ctx != NULL)
2968  DetectEngineThreadCtxDeinit(&tv, det_ctx);
2969  if (de_ctx != NULL)
2970  SigGroupCleanup(de_ctx);
2971  if (de_ctx != NULL)
2972  DetectEngineCtxFree(de_ctx);
2973 
2975  FLOW_DESTROY(&f);
2976  UTHFreePacket(p);
2977  return result;
2978 }
2979 
2980 static int UriTestSig30(void)
2981 {
2982  int result = 0;
2983  uint8_t *http_buf = (uint8_t *)"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
2984  "User-Agent: Mozilla/1.0\r\n";
2985  uint32_t http_buf_len = strlen((char *)http_buf);
2986  Flow f;
2987  TcpSession ssn;
2988  HtpState *http_state = NULL;
2989  Packet *p = NULL;
2990  ThreadVars tv;
2991  DetectEngineThreadCtx *det_ctx = NULL;
2993 
2994  memset(&tv, 0, sizeof(ThreadVars));
2995  memset(&f, 0, sizeof(Flow));
2996  memset(&ssn, 0, sizeof(TcpSession));
2997 
2998  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
2999 
3000  FLOW_INITIALIZE(&f);
3001  f.protoctx = (void *)&ssn;
3002  f.proto = IPPROTO_TCP;
3003  f.flags |= FLOW_IPV4;
3004 
3005  p->flow = &f;
3009  f.alproto = ALPROTO_HTTP;
3010 
3012 
3014  if (de_ctx == NULL) {
3015  goto end;
3016  }
3017  de_ctx->flags |= DE_QUIET;
3018 
3019  de_ctx->sig_list = SigInit(de_ctx,
3020  "alert tcp any any -> any any (msg:\"dummy\"; "
3021  "uricontent:\"this\"; "
3022  "byte_extract:1,2,one,string,dec,relative; "
3023  "uricontent:\"_b5ig\"; offset:one; sid:1;)");
3024  if (de_ctx->sig_list == NULL) {
3025  goto end;
3026  }
3027 
3028  SigGroupBuild(de_ctx);
3029  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3030 
3031  FLOWLOCK_WRLOCK(&f);
3032  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3033  STREAM_TOSERVER, http_buf, http_buf_len);
3034  if (r != 0) {
3035  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3036  FLOWLOCK_UNLOCK(&f);
3037  goto end;
3038  }
3039  FLOWLOCK_UNLOCK(&f);
3040 
3041  http_state = f.alstate;
3042  if (http_state == NULL) {
3043  printf("no http state: ");
3044  goto end;
3045  }
3046 
3047  /* do detect */
3048  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3049 
3050  if (!PacketAlertCheck(p, 1)) {
3051  printf("sig 1 didn't alert, but should have: ");
3052  goto end;
3053  }
3054 
3055  result = 1;
3056 
3057 end:
3058  if (alp_tctx != NULL)
3059  AppLayerParserThreadCtxFree(alp_tctx);
3060  if (det_ctx != NULL)
3061  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3062  if (de_ctx != NULL)
3063  SigGroupCleanup(de_ctx);
3064  if (de_ctx != NULL)
3065  DetectEngineCtxFree(de_ctx);
3066 
3068  FLOW_DESTROY(&f);
3069  UTHFreePacket(p);
3070  return result;
3071 }
3072 
3073 static int UriTestSig31(void)
3074 {
3075  int result = 0;
3076  uint8_t *http_buf = (uint8_t *)"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
3077  "User-Agent: Mozilla/1.0\r\n";
3078  uint32_t http_buf_len = strlen((char *)http_buf);
3079  Flow f;
3080  TcpSession ssn;
3081  HtpState *http_state = NULL;
3082  Packet *p = NULL;
3083  ThreadVars tv;
3084  DetectEngineThreadCtx *det_ctx = NULL;
3086 
3087  memset(&tv, 0, sizeof(ThreadVars));
3088  memset(&f, 0, sizeof(Flow));
3089  memset(&ssn, 0, sizeof(TcpSession));
3090 
3091  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3092 
3093  FLOW_INITIALIZE(&f);
3094  f.protoctx = (void *)&ssn;
3095  f.proto = IPPROTO_TCP;
3096  f.flags |= FLOW_IPV4;
3097 
3098  p->flow = &f;
3102  f.alproto = ALPROTO_HTTP;
3103 
3105 
3107  if (de_ctx == NULL) {
3108  goto end;
3109  }
3110  de_ctx->flags |= DE_QUIET;
3111 
3112  de_ctx->sig_list = SigInit(de_ctx,
3113  "alert tcp any any -> any any (msg:\"dummy\"; "
3114  "uricontent:\"this\"; "
3115  "byte_extract:1,2,one,string,dec,relative; "
3116  "uricontent:\"his\"; depth:one; sid:1;)");
3117  if (de_ctx->sig_list == NULL) {
3118  goto end;
3119  }
3120 
3121  SigGroupBuild(de_ctx);
3122  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3123 
3124  FLOWLOCK_WRLOCK(&f);
3125  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3126  STREAM_TOSERVER, http_buf, http_buf_len);
3127  if (r != 0) {
3128  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3129  FLOWLOCK_UNLOCK(&f);
3130  goto end;
3131  }
3132  FLOWLOCK_UNLOCK(&f);
3133 
3134  http_state = f.alstate;
3135  if (http_state == NULL) {
3136  printf("no http state: ");
3137  goto end;
3138  }
3139 
3140  /* do detect */
3141  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3142 
3143  if (!PacketAlertCheck(p, 1)) {
3144  printf("sig 1 didn't alert, but should have: ");
3145  goto end;
3146  }
3147 
3148  result = 1;
3149 
3150 end:
3151  if (alp_tctx != NULL)
3152  AppLayerParserThreadCtxFree(alp_tctx);
3153  if (det_ctx != NULL)
3154  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3155  if (de_ctx != NULL)
3156  SigGroupCleanup(de_ctx);
3157  if (de_ctx != NULL)
3158  DetectEngineCtxFree(de_ctx);
3159 
3161  FLOW_DESTROY(&f);
3162  UTHFreePacket(p);
3163  return result;
3164 }
3165 
3166 static int UriTestSig32(void)
3167 {
3168  int result = 0;
3169  uint8_t *http_buf = (uint8_t *)"POST /this_b5ig_string_now_in_http HTTP/1.0\r\n"
3170  "User-Agent: Mozilla/1.0\r\n";
3171  uint32_t http_buf_len = strlen((char *)http_buf);
3172  Flow f;
3173  TcpSession ssn;
3174  HtpState *http_state = NULL;
3175  Packet *p = NULL;
3176  ThreadVars tv;
3177  DetectEngineThreadCtx *det_ctx = NULL;
3179 
3180  memset(&tv, 0, sizeof(ThreadVars));
3181  memset(&f, 0, sizeof(Flow));
3182  memset(&ssn, 0, sizeof(TcpSession));
3183 
3184  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3185 
3186  FLOW_INITIALIZE(&f);
3187  f.protoctx = (void *)&ssn;
3188  f.proto = IPPROTO_TCP;
3189  f.flags |= FLOW_IPV4;
3190 
3191  p->flow = &f;
3195  f.alproto = ALPROTO_HTTP;
3196 
3198 
3200  if (de_ctx == NULL) {
3201  goto end;
3202  }
3203  de_ctx->flags |= DE_QUIET;
3204 
3205  de_ctx->sig_list = SigInit(de_ctx,
3206  "alert tcp any any -> any any (msg:\"dummy\"; "
3207  "uricontent:\"this\"; "
3208  "byte_extract:1,2,one,string,dec,relative; "
3209  "uricontent:\"g_st\"; within:one; sid:1;)");
3210  if (de_ctx->sig_list == NULL) {
3211  goto end;
3212  }
3213 
3214  SigGroupBuild(de_ctx);
3215  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3216 
3217  FLOWLOCK_WRLOCK(&f);
3218  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3219  STREAM_TOSERVER, http_buf, http_buf_len);
3220  if (r != 0) {
3221  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3222  FLOWLOCK_UNLOCK(&f);
3223  goto end;
3224  }
3225  FLOWLOCK_UNLOCK(&f);
3226 
3227  http_state = f.alstate;
3228  if (http_state == NULL) {
3229  printf("no http state: ");
3230  goto end;
3231  }
3232 
3233  /* do detect */
3234  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3235 
3236  if (!PacketAlertCheck(p, 1)) {
3237  printf("sig 1 didn't alert, but should have: ");
3238  goto end;
3239  }
3240 
3241  result = 1;
3242 
3243 end:
3244  if (alp_tctx != NULL)
3245  AppLayerParserThreadCtxFree(alp_tctx);
3246  if (det_ctx != NULL)
3247  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3248  if (de_ctx != NULL)
3249  SigGroupCleanup(de_ctx);
3250  if (de_ctx != NULL)
3251  DetectEngineCtxFree(de_ctx);
3252 
3254  FLOW_DESTROY(&f);
3255  UTHFreePacket(p);
3256  return result;
3257 }
3258 
3259 static int UriTestSig33(void)
3260 {
3261  int result = 0;
3262  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3263  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3264  uint32_t http_buf_len = strlen((char *)http_buf);
3265  Flow f;
3266  TcpSession ssn;
3267  HtpState *http_state = NULL;
3268  Packet *p = NULL;
3269  ThreadVars tv;
3270  DetectEngineThreadCtx *det_ctx = NULL;
3272 
3273  memset(&tv, 0, sizeof(ThreadVars));
3274  memset(&f, 0, sizeof(Flow));
3275  memset(&ssn, 0, sizeof(TcpSession));
3276 
3277  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3278 
3279  FLOW_INITIALIZE(&f);
3280  f.protoctx = (void *)&ssn;
3281  f.proto = IPPROTO_TCP;
3282  f.flags |= FLOW_IPV4;
3283 
3284  p->flow = &f;
3287  f.alproto = ALPROTO_HTTP;
3289 
3291 
3293  if (de_ctx == NULL) {
3294  goto end;
3295  }
3296  de_ctx->flags |= DE_QUIET;
3297 
3298  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3299  "(msg:\"test multiple relative uricontents\"; "
3300  "urilen:15; sid:1;)");
3301  if (de_ctx->sig_list == NULL) {
3302  goto end;
3303  }
3304 
3305  SigGroupBuild(de_ctx);
3306  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3307 
3308  FLOWLOCK_WRLOCK(&f);
3309  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3310  STREAM_TOSERVER, http_buf, http_buf_len);
3311  if (r != 0) {
3312  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3313  FLOWLOCK_UNLOCK(&f);
3314  goto end;
3315  }
3316  FLOWLOCK_UNLOCK(&f);
3317 
3318  http_state = f.alstate;
3319  if (http_state == NULL) {
3320  printf("no http state: ");
3321  goto end;
3322  }
3323 
3324  /* do detect */
3325  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3326 
3327  if (!PacketAlertCheck(p, 1)) {
3328  printf("sig 1 didn't alert, but it should have: ");
3329  goto end;
3330  }
3331 
3332  result = 1;
3333 
3334 end:
3335  if (alp_tctx != NULL)
3336  AppLayerParserThreadCtxFree(alp_tctx);
3337  if (det_ctx != NULL)
3338  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3339  if (de_ctx != NULL)
3340  SigGroupCleanup(de_ctx);
3341  if (de_ctx != NULL)
3342  DetectEngineCtxFree(de_ctx);
3343 
3345  FLOW_DESTROY(&f);
3346  UTHFreePacket(p);
3347  return result;
3348 }
3349 
3350 static int UriTestSig34(void)
3351 {
3352  int result = 0;
3353  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3354  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3355  uint32_t http_buf_len = strlen((char *)http_buf);
3356  Flow f;
3357  TcpSession ssn;
3358  HtpState *http_state = NULL;
3359  Packet *p = NULL;
3360  ThreadVars tv;
3361  DetectEngineThreadCtx *det_ctx = NULL;
3363 
3364  memset(&tv, 0, sizeof(ThreadVars));
3365  memset(&f, 0, sizeof(Flow));
3366  memset(&ssn, 0, sizeof(TcpSession));
3367 
3368  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3369 
3370  FLOW_INITIALIZE(&f);
3371  f.protoctx = (void *)&ssn;
3372  f.proto = IPPROTO_TCP;
3373  f.flags |= FLOW_IPV4;
3374 
3375  p->flow = &f;
3378  f.alproto = ALPROTO_HTTP;
3380 
3382 
3384  if (de_ctx == NULL) {
3385  goto end;
3386  }
3387  de_ctx->flags |= DE_QUIET;
3388 
3389  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3390  "(msg:\"test multiple relative uricontents\"; "
3391  "urilen:15, norm; sid:1;)");
3392  if (de_ctx->sig_list == NULL) {
3393  goto end;
3394  }
3395 
3396  SigGroupBuild(de_ctx);
3397  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3398 
3399  FLOWLOCK_WRLOCK(&f);
3400  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3401  STREAM_TOSERVER, http_buf, http_buf_len);
3402  if (r != 0) {
3403  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3404  FLOWLOCK_UNLOCK(&f);
3405  goto end;
3406  }
3407  FLOWLOCK_UNLOCK(&f);
3408 
3409  http_state = f.alstate;
3410  if (http_state == NULL) {
3411  printf("no http state: ");
3412  goto end;
3413  }
3414 
3415  /* do detect */
3416  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3417 
3418  if (!PacketAlertCheck(p, 1)) {
3419  printf("sig 1 didn't alert, but it should have: ");
3420  goto end;
3421  }
3422 
3423  result = 1;
3424 
3425 end:
3426  if (alp_tctx != NULL)
3427  AppLayerParserThreadCtxFree(alp_tctx);
3428  if (det_ctx != NULL)
3429  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3430  if (de_ctx != NULL)
3431  SigGroupCleanup(de_ctx);
3432  if (de_ctx != NULL)
3433  DetectEngineCtxFree(de_ctx);
3434 
3436  FLOW_DESTROY(&f);
3437  UTHFreePacket(p);
3438  return result;
3439 }
3440 
3441 static int UriTestSig35(void)
3442 {
3443  int result = 0;
3444  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3445  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3446  uint32_t http_buf_len = strlen((char *)http_buf);
3447  Flow f;
3448  TcpSession ssn;
3449  HtpState *http_state = NULL;
3450  Packet *p = NULL;
3451  ThreadVars tv;
3452  DetectEngineThreadCtx *det_ctx = NULL;
3454 
3455  memset(&tv, 0, sizeof(ThreadVars));
3456  memset(&f, 0, sizeof(Flow));
3457  memset(&ssn, 0, sizeof(TcpSession));
3458 
3459  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3460 
3461  FLOW_INITIALIZE(&f);
3462  f.protoctx = (void *)&ssn;
3463  f.proto = IPPROTO_TCP;
3464  f.flags |= FLOW_IPV4;
3465 
3466  p->flow = &f;
3469  f.alproto = ALPROTO_HTTP;
3471 
3473 
3475  if (de_ctx == NULL) {
3476  goto end;
3477  }
3478  de_ctx->flags |= DE_QUIET;
3479 
3480  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3481  "(msg:\"test multiple relative uricontents\"; "
3482  "urilen:16; sid:1;)");
3483  if (de_ctx->sig_list == NULL) {
3484  goto end;
3485  }
3486 
3487  SigGroupBuild(de_ctx);
3488  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3489 
3490  FLOWLOCK_WRLOCK(&f);
3491  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3492  STREAM_TOSERVER, http_buf, http_buf_len);
3493  if (r != 0) {
3494  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3495  FLOWLOCK_UNLOCK(&f);
3496  goto end;
3497  }
3498  FLOWLOCK_UNLOCK(&f);
3499 
3500  http_state = f.alstate;
3501  if (http_state == NULL) {
3502  printf("no http state: ");
3503  goto end;
3504  }
3505 
3506  /* do detect */
3507  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3508 
3509  if (PacketAlertCheck(p, 1)) {
3510  printf("sig 1 alerted, but it shouldn't have: ");
3511  goto end;
3512  }
3513 
3514  result = 1;
3515 
3516 end:
3517  if (alp_tctx != NULL)
3518  AppLayerParserThreadCtxFree(alp_tctx);
3519  if (det_ctx != NULL)
3520  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3521  if (de_ctx != NULL)
3522  SigGroupCleanup(de_ctx);
3523  if (de_ctx != NULL)
3524  DetectEngineCtxFree(de_ctx);
3525 
3527  FLOW_DESTROY(&f);
3528  UTHFreePacket(p);
3529  return result;
3530 }
3531 
3532 static int UriTestSig36(void)
3533 {
3534  int result = 0;
3535  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3536  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3537  uint32_t http_buf_len = strlen((char *)http_buf);
3538  Flow f;
3539  TcpSession ssn;
3540  HtpState *http_state = NULL;
3541  Packet *p = NULL;
3542  ThreadVars tv;
3543  DetectEngineThreadCtx *det_ctx = NULL;
3545 
3546  memset(&tv, 0, sizeof(ThreadVars));
3547  memset(&f, 0, sizeof(Flow));
3548  memset(&ssn, 0, sizeof(TcpSession));
3549 
3550  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3551 
3552  FLOW_INITIALIZE(&f);
3553  f.protoctx = (void *)&ssn;
3554  f.proto = IPPROTO_TCP;
3555  f.flags |= FLOW_IPV4;
3556 
3557  p->flow = &f;
3560  f.alproto = ALPROTO_HTTP;
3562 
3564 
3566  if (de_ctx == NULL) {
3567  goto end;
3568  }
3569  de_ctx->flags |= DE_QUIET;
3570 
3571  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3572  "(msg:\"test multiple relative uricontents\"; "
3573  "urilen:16, norm; sid:1;)");
3574  if (de_ctx->sig_list == NULL) {
3575  goto end;
3576  }
3577 
3578  SigGroupBuild(de_ctx);
3579  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3580 
3581  FLOWLOCK_WRLOCK(&f);
3582  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3583  STREAM_TOSERVER, http_buf, http_buf_len);
3584  if (r != 0) {
3585  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3586  FLOWLOCK_UNLOCK(&f);
3587  goto end;
3588  }
3589  FLOWLOCK_UNLOCK(&f);
3590 
3591  http_state = f.alstate;
3592  if (http_state == NULL) {
3593  printf("no http state: ");
3594  goto end;
3595  }
3596 
3597  /* do detect */
3598  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3599 
3600  if (PacketAlertCheck(p, 1)) {
3601  printf("sig 1 alerted, but it shouldn't have: ");
3602  goto end;
3603  }
3604 
3605  result = 1;
3606 
3607 end:
3608  if (alp_tctx != NULL)
3609  AppLayerParserThreadCtxFree(alp_tctx);
3610  if (det_ctx != NULL)
3611  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3612  if (de_ctx != NULL)
3613  SigGroupCleanup(de_ctx);
3614  if (de_ctx != NULL)
3615  DetectEngineCtxFree(de_ctx);
3616 
3618  FLOW_DESTROY(&f);
3619  UTHFreePacket(p);
3620  return result;
3621 }
3622 
3623 static int UriTestSig37(void)
3624 {
3625  int result = 0;
3626  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3627  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3628  uint32_t http_buf_len = strlen((char *)http_buf);
3629  Flow f;
3630  TcpSession ssn;
3631  HtpState *http_state = NULL;
3632  Packet *p = NULL;
3633  ThreadVars tv;
3634  DetectEngineThreadCtx *det_ctx = NULL;
3636 
3637  memset(&tv, 0, sizeof(ThreadVars));
3638  memset(&f, 0, sizeof(Flow));
3639  memset(&ssn, 0, sizeof(TcpSession));
3640 
3641  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3642 
3643  FLOW_INITIALIZE(&f);
3644  f.protoctx = (void *)&ssn;
3645  f.proto = IPPROTO_TCP;
3646  f.flags |= FLOW_IPV4;
3647 
3648  p->flow = &f;
3651  f.alproto = ALPROTO_HTTP;
3653 
3655 
3657  if (de_ctx == NULL) {
3658  goto end;
3659  }
3660  de_ctx->flags |= DE_QUIET;
3661 
3662  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3663  "(msg:\"test multiple relative uricontents\"; "
3664  "urilen:17, raw; sid:1;)");
3665  if (de_ctx->sig_list == NULL) {
3666  goto end;
3667  }
3668 
3669  SigGroupBuild(de_ctx);
3670  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3671 
3672  FLOWLOCK_WRLOCK(&f);
3673  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3674  STREAM_TOSERVER, http_buf, http_buf_len);
3675  if (r != 0) {
3676  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3677  FLOWLOCK_UNLOCK(&f);
3678  goto end;
3679  }
3680  FLOWLOCK_UNLOCK(&f);
3681 
3682  http_state = f.alstate;
3683  if (http_state == NULL) {
3684  printf("no http state: ");
3685  goto end;
3686  }
3687 
3688  /* do detect */
3689  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3690 
3691  if (!PacketAlertCheck(p, 1)) {
3692  printf("sig 1 didn't alert, but it should have: ");
3693  goto end;
3694  }
3695 
3696  result = 1;
3697 
3698 end:
3699  if (alp_tctx != NULL)
3700  AppLayerParserThreadCtxFree(alp_tctx);
3701  if (det_ctx != NULL)
3702  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3703  if (de_ctx != NULL)
3704  SigGroupCleanup(de_ctx);
3705  if (de_ctx != NULL)
3706  DetectEngineCtxFree(de_ctx);
3707 
3709  FLOW_DESTROY(&f);
3710  UTHFreePacket(p);
3711  return result;
3712 }
3713 
3714 static int UriTestSig38(void)
3715 {
3716  int result = 0;
3717  uint8_t *http_buf = (uint8_t *)"POST /normalized%20uri "
3718  "HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n";
3719  uint32_t http_buf_len = strlen((char *)http_buf);
3720  Flow f;
3721  TcpSession ssn;
3722  HtpState *http_state = NULL;
3723  Packet *p = NULL;
3724  ThreadVars tv;
3725  DetectEngineThreadCtx *det_ctx = NULL;
3727 
3728  memset(&tv, 0, sizeof(ThreadVars));
3729  memset(&f, 0, sizeof(Flow));
3730  memset(&ssn, 0, sizeof(TcpSession));
3731 
3732  p = UTHBuildPacket(http_buf, http_buf_len, IPPROTO_TCP);
3733 
3734  FLOW_INITIALIZE(&f);
3735  f.protoctx = (void *)&ssn;
3736  f.proto = IPPROTO_TCP;
3737  f.flags |= FLOW_IPV4;
3738 
3739  p->flow = &f;
3742  f.alproto = ALPROTO_HTTP;
3744 
3746 
3748  if (de_ctx == NULL) {
3749  goto end;
3750  }
3751  de_ctx->flags |= DE_QUIET;
3752 
3753  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3754  "(msg:\"test multiple relative uricontents\"; "
3755  "urilen:18, raw; sid:1;)");
3756  if (de_ctx->sig_list == NULL) {
3757  goto end;
3758  }
3759 
3760  SigGroupBuild(de_ctx);
3761  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3762 
3763  FLOWLOCK_WRLOCK(&f);
3764  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
3765  STREAM_TOSERVER, http_buf, http_buf_len);
3766  if (r != 0) {
3767  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3768  FLOWLOCK_UNLOCK(&f);
3769  goto end;
3770  }
3771  FLOWLOCK_UNLOCK(&f);
3772 
3773  http_state = f.alstate;
3774  if (http_state == NULL) {
3775  printf("no http state: ");
3776  goto end;
3777  }
3778 
3779  /* do detect */
3780  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3781 
3782  if (PacketAlertCheck(p, 1)) {
3783  printf("sig 1 alerted, but it shouldn't have: ");
3784  goto end;
3785  }
3786 
3787  result = 1;
3788 
3789 end:
3790  if (alp_tctx != NULL)
3791  AppLayerParserThreadCtxFree(alp_tctx);
3792  if (det_ctx != NULL)
3793  DetectEngineThreadCtxDeinit(&tv, det_ctx);
3794  if (de_ctx != NULL)
3795  SigGroupCleanup(de_ctx);
3796  if (de_ctx != NULL)
3797  DetectEngineCtxFree(de_ctx);
3798 
3800  FLOW_DESTROY(&f);
3801  UTHFreePacket(p);
3802  return result;
3803 }
3804 
3805 /**
3806  * \test Checks if a http_uri is registered in a Signature, if content is not
3807  * specified in the signature
3808  */
3809 static int DetectHttpUriTest01(void)
3810 {
3811  DetectEngineCtx *de_ctx = NULL;
3812  int result = 0;
3813 
3814  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3815  goto end;
3816 
3817  de_ctx->flags |= DE_QUIET;
3818  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3819  "(msg:\"Testing http_uri\"; http_uri;sid:1;)");
3820  if (de_ctx->sig_list == NULL)
3821  result = 1;
3822 
3823 end:
3824  if (de_ctx != NULL)
3825  DetectEngineCtxFree(de_ctx);
3826  return result;
3827 }
3828 
3829 /**
3830  * \test Checks if a http_uri is registered in a Signature, if some parameter
3831  * is specified with http_uri in the signature
3832  */
3833 static int DetectHttpUriTest02(void)
3834 {
3835  DetectEngineCtx *de_ctx = NULL;
3836  int result = 0;
3837 
3838  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3839  goto end;
3840 
3841  de_ctx->flags |= DE_QUIET;
3842  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3843  "(msg:\"Testing http_uri\"; content:\"one\"; "
3844  "http_cookie:wrong; sid:1;)");
3845  if (de_ctx->sig_list == NULL)
3846  result = 1;
3847 
3848 end:
3849  if (de_ctx != NULL)
3850  DetectEngineCtxFree(de_ctx);
3851  return result;
3852 }
3853 
3854 /**
3855  * \test Checks if a http_uri is registered in a Signature
3856  */
3857 static int DetectHttpUriTest03(void)
3858 {
3859  SigMatch *sm = NULL;
3860  DetectEngineCtx *de_ctx = NULL;
3861  int result = 0;
3862 
3863  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3864  goto end;
3865 
3866  de_ctx->flags |= DE_QUIET;
3867  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3868  "(msg:\"Testing http_uri\"; content:\"one\"; "
3869  "http_uri; content:\"two\"; http_uri; "
3870  "content:\"three\"; http_uri; "
3871  "sid:1;)");
3872 
3873  if (de_ctx->sig_list == NULL) {
3874  printf("sig parse failed: ");
3875  goto end;
3876  }
3877 
3878  sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
3879  if (sm == NULL) {
3880  printf("no sigmatch(es): ");
3881  goto end;
3882  }
3883 
3884  while (sm != NULL) {
3885  if (sm->type == DETECT_CONTENT) {
3886  result = 1;
3887  } else {
3888  printf("expected DETECT_AL_HTTP_URI, got %d: ", sm->type);
3889  goto end;
3890  }
3891  sm = sm->next;
3892  }
3893 
3894 end:
3895  if (de_ctx != NULL)
3896  DetectEngineCtxFree(de_ctx);
3897  return result;
3898 }
3899 
3900 /**
3901  * \test Checks if a http_uri is registered in a Signature, when rawbytes is
3902  * also specified in the signature
3903  */
3904 static int DetectHttpUriTest04(void)
3905 {
3906  DetectEngineCtx *de_ctx = NULL;
3907  int result = 0;
3908 
3909  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3910  goto end;
3911 
3912  de_ctx->flags |= DE_QUIET;
3913  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3914  "(msg:\"Testing http_uri\"; content:\"one\"; "
3915  "rawbytes; http_uri; sid:1;)");
3916  if (de_ctx->sig_list == NULL)
3917  result = 1;
3918 
3919  end:
3920  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
3921  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
3922  return result;
3923 }
3924 
3925 /**
3926  * \test Checks if a http_uri is successfully converted to a uricontent
3927  *
3928  */
3929 static int DetectHttpUriTest05(void)
3930 {
3931  DetectEngineCtx *de_ctx = NULL;
3932  Signature *s = NULL;
3933  int result = 0;
3934 
3935  if ((de_ctx = DetectEngineCtxInit()) == NULL)
3936  goto end;
3937 
3938  s = SigInit(de_ctx, "alert tcp any any -> any any "
3939  "(msg:\"Testing http_uri\"; "
3940  "content:\"we are testing http_uri keyword\"; "
3941  "http_uri; sid:1;)");
3942  if (s == NULL) {
3943  printf("sig failed to parse\n");
3944  goto end;
3945  }
3946  if (s->sm_lists[g_http_uri_buffer_id] == NULL)
3947  goto end;
3948  if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) {
3949  printf("wrong type\n");
3950  goto end;
3951  }
3952 
3953  const char *str = "we are testing http_uri keyword";
3954  int uricomp = memcmp((const char *)((DetectContentData*) s->sm_lists[g_http_uri_buffer_id]->ctx)->content, str, strlen(str)-1);
3955  int urilen = ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->content_len;
3956  if (uricomp != 0 ||
3957  urilen != strlen("we are testing http_uri keyword")) {
3958  printf("sig failed to parse, content not setup properly\n");
3959  goto end;
3960  }
3961  result = 1;
3962 
3963 end:
3964  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
3965  if (de_ctx != NULL) SigGroupCleanup(de_ctx);
3966  return result;
3967 }
3968 
3969 static int DetectHttpUriTest12(void)
3970 {
3971  DetectEngineCtx *de_ctx = NULL;
3972  int result = 0;
3973 
3974  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
3975  goto end;
3976 
3977  de_ctx->flags |= DE_QUIET;
3978  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
3979  "(content:\"one\"; http_uri; "
3980  "content:\"two\"; distance:0; http_uri; sid:1;)");
3981  if (de_ctx->sig_list == NULL) {
3982  printf("de_ctx->sig_list == NULL\n");
3983  goto end;
3984  }
3985 
3986  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
3987  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
3988  goto end;
3989  }
3990 
3991  if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
3992  printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
3993  goto end;
3994  }
3995 
3996  DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
3997  DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
3998  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
3999  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4000  ud2->flags != DETECT_CONTENT_DISTANCE ||
4001  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4002  goto end;
4003  }
4004 
4005  result = 1;
4006 
4007  end:
4008  SigCleanSignatures(de_ctx);
4009  DetectEngineCtxFree(de_ctx);
4010  return result;
4011 }
4012 
4013 static int DetectHttpUriTest13(void)
4014 {
4015  DetectEngineCtx *de_ctx = NULL;
4016  int result = 0;
4017 
4018  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4019  goto end;
4020 
4021  de_ctx->flags |= DE_QUIET;
4022  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4023  "(content:\"one\"; http_uri; "
4024  "content:\"two\"; within:5; http_uri; sid:1;)");
4025  if (de_ctx->sig_list == NULL) {
4026  printf("de_ctx->sig_list == NULL\n");
4027  goto end;
4028  }
4029 
4030  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4031  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4032  goto end;
4033  }
4034 
4035  if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
4036  printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
4037  goto end;
4038  }
4039 
4040  DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
4041  DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
4042  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4043  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4044  ud2->flags != DETECT_CONTENT_WITHIN ||
4045  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4046  goto end;
4047  }
4048 
4049  result = 1;
4050 
4051  end:
4052  SigCleanSignatures(de_ctx);
4053  DetectEngineCtxFree(de_ctx);
4054  return result;
4055 }
4056 
4057 static int DetectHttpUriTest14(void)
4058 {
4059  DetectEngineCtx *de_ctx = NULL;
4060  int result = 0;
4061 
4062  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4063  goto end;
4064 
4065  de_ctx->flags |= DE_QUIET;
4066  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4067  "(content:\"one\"; within:5; http_uri; sid:1;)");
4068  if (de_ctx->sig_list == NULL) {
4069  printf("de_ctx->sig_list == NULL\n");
4070  goto end;
4071  }
4072 
4073  result = 1;
4074 
4075  end:
4076  SigCleanSignatures(de_ctx);
4077  DetectEngineCtxFree(de_ctx);
4078  return result;
4079 }
4080 
4081 static int DetectHttpUriTest15(void)
4082 {
4083  DetectEngineCtx *de_ctx = NULL;
4084  int result = 0;
4085 
4086  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4087  goto end;
4088 
4089  de_ctx->flags |= DE_QUIET;
4090  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4091  "(content:\"one\"; http_uri; within:5; sid:1;)");
4092  if (de_ctx->sig_list == NULL) {
4093  printf("de_ctx->sig_list == NULL\n");
4094  goto end;
4095  }
4096 
4097  if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
4098  printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
4099  goto end;
4100  }
4101 
4102  DetectContentData *cd = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
4103  if (memcmp(cd->content, "one", cd->content_len) != 0 ||
4104  cd->flags != DETECT_CONTENT_WITHIN) {
4105  goto end;
4106  }
4107 
4108  result = 1;
4109 
4110  end:
4111  SigCleanSignatures(de_ctx);
4112  DetectEngineCtxFree(de_ctx);
4113  return result;
4114 }
4115 
4116 static int DetectHttpUriTest16(void)
4117 {
4118  DetectEngineCtx *de_ctx = NULL;
4119  int result = 0;
4120 
4121  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4122  goto end;
4123 
4124  de_ctx->flags |= DE_QUIET;
4125  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4126  "(content:\"one\"; within:5; sid:1;)");
4127  if (de_ctx->sig_list == NULL) {
4128  printf("de_ctx->sig_list == NULL\n");
4129  goto end;
4130  }
4131 
4132  result = 1;
4133 
4134  end:
4135  SigCleanSignatures(de_ctx);
4136  DetectEngineCtxFree(de_ctx);
4137  return result;
4138 }
4139 
4140 static int DetectHttpUriTest17(void)
4141 {
4142  DetectEngineCtx *de_ctx = NULL;
4143  int result = 0;
4144 
4145  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4146  goto end;
4147 
4148  de_ctx->flags |= DE_QUIET;
4149  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4150  "(uricontent:\"one\"; "
4151  "content:\"two\"; distance:0; http_uri; sid:1;)");
4152  if (de_ctx->sig_list == NULL) {
4153  printf("de_ctx->sig_list == NULL\n");
4154  goto end;
4155  }
4156 
4157  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4158  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4159  goto end;
4160  }
4161 
4162  if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
4163  printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
4164  goto end;
4165  }
4166 
4167  DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
4168  DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
4169  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4170  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4171  ud2->flags != DETECT_CONTENT_DISTANCE ||
4172  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4173  goto end;
4174  }
4175 
4176  result = 1;
4177 
4178  end:
4179  SigCleanSignatures(de_ctx);
4180  DetectEngineCtxFree(de_ctx);
4181  return result;
4182 }
4183 
4184 static int DetectHttpUriTest18(void)
4185 {
4186  DetectEngineCtx *de_ctx = NULL;
4187  int result = 0;
4188 
4189  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4190  goto end;
4191 
4192  de_ctx->flags |= DE_QUIET;
4193  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4194  "(uricontent:\"one\"; "
4195  "content:\"two\"; within:5; http_uri; sid:1;)");
4196  if (de_ctx->sig_list == NULL) {
4197  printf("de_ctx->sig_list == NULL\n");
4198  goto end;
4199  }
4200 
4201  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4202  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4203  goto end;
4204  }
4205 
4206  if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
4207  printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
4208  goto end;
4209  }
4210 
4211  DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
4212  DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
4213  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4214  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4215  ud2->flags != DETECT_CONTENT_WITHIN ||
4216  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4217  goto end;
4218  }
4219 
4220  result = 1;
4221 
4222  end:
4223  SigCleanSignatures(de_ctx);
4224  DetectEngineCtxFree(de_ctx);
4225  return result;
4226 }
4227 
4228 static int DetectHttpUriIsdataatParseTest(void)
4229 {
4231  FAIL_IF_NULL(de_ctx);
4232  de_ctx->flags |= DE_QUIET;
4233 
4234  Signature *s = DetectEngineAppendSig(de_ctx,
4235  "alert tcp any any -> any any ("
4236  "content:\"one\"; http_uri; "
4237  "isdataat:!4,relative; sid:1;)");
4238  FAIL_IF_NULL(s);
4239 
4240  SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id];
4241  FAIL_IF_NULL(sm);
4243 
4244  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
4247  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
4248 
4249  DetectEngineCtxFree(de_ctx);
4250  PASS;
4251 }
4252 
4253 /**
4254  * \test Checks if a http_raw_uri is registered in a Signature, if content is not
4255  * specified in the signature.
4256  */
4257 static int DetectHttpRawUriTest01(void)
4258 {
4259  DetectEngineCtx *de_ctx = NULL;
4260  int result = 0;
4261 
4262  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4263  goto end;
4264 
4265  de_ctx->flags |= DE_QUIET;
4266  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4267  "(msg:\"Testing http_raw_uri\"; http_raw_uri; sid:1;)");
4268  if (de_ctx->sig_list == NULL)
4269  result = 1;
4270 
4271 end:
4272  if (de_ctx != NULL)
4273  DetectEngineCtxFree(de_ctx);
4274  return result;
4275 }
4276 
4277 /**
4278  * \test Checks if a http_raw_uri is registered in a Signature, if some parameter
4279  * is specified with http_raw_uri in the signature.
4280  */
4281 static int DetectHttpRawUriTest02(void)
4282 {
4283  DetectEngineCtx *de_ctx = NULL;
4284  int result = 0;
4285 
4286  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4287  goto end;
4288 
4289  de_ctx->flags |= DE_QUIET;
4290  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4291  "(msg:\"Testing http_raw_uri\"; content:\"one\"; "
4292  "http_raw_uri:wrong; sid:1;)");
4293  if (de_ctx->sig_list == NULL)
4294  result = 1;
4295 
4296 end:
4297  if (de_ctx != NULL)
4298  DetectEngineCtxFree(de_ctx);
4299  return result;
4300 }
4301 
4302 /**
4303  * \test Checks if a http_raw_uri is registered in a Signature.
4304  */
4305 static int DetectHttpRawUriTest03(void)
4306 {
4307  SigMatch *sm = NULL;
4308  DetectEngineCtx *de_ctx = NULL;
4309  int result = 0;
4310 
4311  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4312  goto end;
4313 
4314  de_ctx->flags |= DE_QUIET;
4315  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4316  "(msg:\"Testing http_raw_uri\"; "
4317  "content:\"one\"; http_raw_uri; "
4318  "content:\"two\"; http_raw_uri; "
4319  "content:\"three\"; http_raw_uri; "
4320  "sid:1;)");
4321  if (de_ctx->sig_list == NULL) {
4322  printf("sig parse failed: ");
4323  goto end;
4324  }
4325 
4326  sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
4327  if (sm == NULL) {
4328  printf("no sigmatch(es): ");
4329  goto end;
4330  }
4331 
4332  while (sm != NULL) {
4333  if (sm->type == DETECT_CONTENT) {
4334  result = 1;
4335  } else {
4336  printf("expected DETECT_CONTENT for http_raw_uri(%d), got %d: ",
4337  DETECT_CONTENT, sm->type);
4338  goto end;
4339  }
4340  sm = sm->next;
4341  }
4342 
4343 end:
4344  if (de_ctx != NULL)
4345  DetectEngineCtxFree(de_ctx);
4346  return result;
4347 }
4348 
4349 /**
4350  * \test Checks if a http_raw_uri is registered in a Signature, when rawbytes is
4351  * also specified in the signature.
4352  */
4353 static int DetectHttpRawUriTest04(void)
4354 {
4355  DetectEngineCtx *de_ctx = NULL;
4356  int result = 0;
4357 
4358  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4359  goto end;
4360 
4361  de_ctx->flags |= DE_QUIET;
4362  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4363  "(msg:\"Testing http_raw_uri\"; "
4364  "content:\"one\"; rawbytes; http_raw_uri; "
4365  "sid:1;)");
4366  if (de_ctx->sig_list == NULL)
4367  result = 1;
4368 
4369  end:
4370  if (de_ctx != NULL)
4371  DetectEngineCtxFree(de_ctx);
4372  return result;
4373 }
4374 
4375 /**
4376  * \test Checks if a http_raw_uri is successfully converted to a rawuricontent.
4377  *
4378  */
4379 static int DetectHttpRawUriTest05(void)
4380 {
4381  DetectEngineCtx *de_ctx = NULL;
4382  Signature *s = NULL;
4383  int result = 0;
4384 
4385  if ((de_ctx = DetectEngineCtxInit()) == NULL)
4386  goto end;
4387 
4388  s = SigInit(de_ctx, "alert tcp any any -> any any "
4389  "(msg:\"Testing http_raw_uri\"; "
4390  "content:\"we are testing http_raw_uri keyword\"; http_raw_uri; "
4391  "sid:1;)");
4392  if (s == NULL) {
4393  printf("sig failed to parse\n");
4394  goto end;
4395  }
4396  if (s->sm_lists[g_http_raw_uri_buffer_id] == NULL)
4397  goto end;
4398  if (s->sm_lists[g_http_raw_uri_buffer_id]->type != DETECT_CONTENT) {
4399  printf("wrong type\n");
4400  goto end;
4401  }
4402 
4403  const char *str = "we are testing http_raw_uri keyword";
4404  int uricomp = memcmp((const char *)
4405  ((DetectContentData*)s->sm_lists[g_http_raw_uri_buffer_id]->ctx)->content,
4406  str,
4407  strlen(str) - 1);
4408  int urilen = ((DetectContentData*)s->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx)->content_len;
4409  if (uricomp != 0 ||
4410  urilen != strlen("we are testing http_raw_uri keyword")) {
4411  printf("sig failed to parse, content not setup properly\n");
4412  goto end;
4413  }
4414  result = 1;
4415 
4416 end:
4417  if (de_ctx != NULL)
4418  SigGroupCleanup(de_ctx);
4419  return result;
4420 }
4421 
4422 static int DetectHttpRawUriTest12(void)
4423 {
4424  DetectEngineCtx *de_ctx = NULL;
4425  int result = 0;
4426 
4427  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4428  goto end;
4429 
4430  de_ctx->flags |= DE_QUIET;
4431  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4432  "(content:\"one\"; http_raw_uri; "
4433  "content:\"two\"; distance:0; http_raw_uri; sid:1;)");
4434  if (de_ctx->sig_list == NULL) {
4435  printf("de_ctx->sig_list == NULL\n");
4436  goto end;
4437  }
4438 
4439  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4440  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4441  goto end;
4442  }
4443 
4444  if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
4445  printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
4446  goto end;
4447  }
4448 
4449  DetectContentData *ud1 =
4450  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
4451  DetectContentData *ud2 =
4452  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
4453  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4454  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4455  ud2->flags != DETECT_CONTENT_DISTANCE ||
4456  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4457  /* inside body */
4458  goto end;
4459  }
4460 
4461  result = 1;
4462 
4463  end:
4464  DetectEngineCtxFree(de_ctx);
4465  return result;
4466 }
4467 
4468 static int DetectHttpRawUriTest13(void)
4469 {
4470  DetectEngineCtx *de_ctx = NULL;
4471  int result = 0;
4472 
4473  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4474  goto end;
4475 
4476  de_ctx->flags |= DE_QUIET;
4477  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4478  "(content:\"one\"; http_raw_uri; "
4479  "content:\"two\"; within:5; http_raw_uri; sid:1;)");
4480  if (de_ctx->sig_list == NULL) {
4481  printf("de_ctx->sig_list == NULL\n");
4482  goto end;
4483  }
4484 
4485  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4486  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4487  goto end;
4488  }
4489 
4490  if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
4491  printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
4492  goto end;
4493  }
4494 
4495  DetectContentData *ud1 =
4496  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
4497  DetectContentData *ud2 =
4498  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
4499  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4500  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4501  ud2->flags != DETECT_CONTENT_WITHIN ||
4502  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4503  /* inside the body */
4504  goto end;
4505  }
4506 
4507  result = 1;
4508 
4509  end:
4510  DetectEngineCtxFree(de_ctx);
4511  return result;
4512 }
4513 
4514 static int DetectHttpRawUriTest14(void)
4515 {
4516  DetectEngineCtx *de_ctx = NULL;
4517  int result = 0;
4518 
4519  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4520  goto end;
4521 
4522  de_ctx->flags |= DE_QUIET;
4523  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4524  "(content:\"one\"; within:5; http_raw_uri; sid:1;)");
4525  if (de_ctx->sig_list == NULL) {
4526  printf("de_ctx->sig_list == NULL\n");
4527  goto end;
4528  }
4529 
4530  result = 1;
4531 
4532  end:
4533  DetectEngineCtxFree(de_ctx);
4534  return result;
4535 }
4536 
4537 static int DetectHttpRawUriTest15(void)
4538 {
4539  DetectEngineCtx *de_ctx = NULL;
4540  int result = 0;
4541 
4542  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4543  goto end;
4544 
4545  de_ctx->flags |= DE_QUIET;
4546  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4547  "(content:\"one\"; http_raw_uri; within:5; sid:1;)");
4548  if (de_ctx->sig_list == NULL) {
4549  printf("de_ctx->sig_list == NULL\n");
4550  goto end;
4551  }
4552 
4553  result = 1;
4554 
4555  end:
4556  DetectEngineCtxFree(de_ctx);
4557  return result;
4558 }
4559 
4560 static int DetectHttpRawUriTest16(void)
4561 {
4562  DetectEngineCtx *de_ctx = NULL;
4563  int result = 0;
4564 
4565  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4566  goto end;
4567 
4568  de_ctx->flags |= DE_QUIET;
4569  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4570  "(content:\"one\"; within:5; sid:1;)");
4571  if (de_ctx->sig_list == NULL) {
4572  printf("de_ctx->sig_list == NULL\n");
4573  goto end;
4574  }
4575 
4576  result = 1;
4577 
4578  end:
4579  DetectEngineCtxFree(de_ctx);
4580  return result;
4581 }
4582 
4583 static int DetectHttpRawUriTest17(void)
4584 {
4585  DetectEngineCtx *de_ctx = NULL;
4586  int result = 0;
4587 
4588  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4589  goto end;
4590 
4591  de_ctx->flags |= DE_QUIET;
4592  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4593  "(content:\"one\"; http_raw_uri; "
4594  "content:\"two\"; distance:0; http_raw_uri; sid:1;)");
4595  if (de_ctx->sig_list == NULL) {
4596  printf("de_ctx->sig_list == NULL\n");
4597  goto end;
4598  }
4599 
4600  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4601  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4602  goto end;
4603  }
4604 
4605  if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
4606  printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
4607  goto end;
4608  }
4609 
4610  DetectContentData *ud1 =
4611  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
4612  DetectContentData *ud2 =
4613  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
4614  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4615  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4616  ud2->flags != DETECT_CONTENT_DISTANCE ||
4617  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4618  /* inside body */
4619  goto end;
4620  }
4621 
4622  result = 1;
4623 
4624  end:
4625  DetectEngineCtxFree(de_ctx);
4626  return result;
4627 }
4628 
4629 static int DetectHttpRawUriTest18(void)
4630 {
4631  DetectEngineCtx *de_ctx = NULL;
4632  int result = 0;
4633 
4634  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
4635  goto end;
4636 
4637  de_ctx->flags |= DE_QUIET;
4638  de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
4639  "(content:\"one\"; http_raw_uri; "
4640  "content:\"two\"; within:5; http_raw_uri; "
4641  "sid:1;)");
4642  if (de_ctx->sig_list == NULL) {
4643  printf("de_ctx->sig_list == NULL\n");
4644  goto end;
4645  }
4646 
4647  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
4648  printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
4649  goto end;
4650  }
4651 
4652  if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
4653  printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
4654  goto end;
4655  }
4656 
4657  DetectContentData *ud1 =
4658  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
4659  DetectContentData *ud2 =
4660  (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
4661  if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4662  memcmp(ud1->content, "one", ud1->content_len) != 0 ||
4663  ud2->flags != DETECT_CONTENT_WITHIN ||
4664  memcmp(ud2->content, "two", ud1->content_len) != 0) {
4665  /* inside body */
4666  goto end;
4667  }
4668 
4669  result = 1;
4670 
4671  end:
4672  DetectEngineCtxFree(de_ctx);
4673  return result;
4674 }
4675 
4676 static int DetectEngineHttpRawUriTest01(void)
4677 {
4678  TcpSession ssn;
4679  Packet *p1 = NULL;
4680  Packet *p2 = NULL;
4681  ThreadVars th_v;
4682  DetectEngineCtx *de_ctx = NULL;
4683  DetectEngineThreadCtx *det_ctx = NULL;
4684  HtpState *http_state = NULL;
4685  Flow f;
4686  uint8_t http1_buf[] =
4687  "GET /../a/b/../c";
4688  uint8_t http2_buf[] =
4689  "/./d.html HTTP/1.1\r\n"
4690  "Host: www.openinfosecfoundation.org\r\n"
4691  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4692  "Content-Type: text/html\r\n"
4693  "Content-Length: 46\r\n"
4694  "\r\n"
4695  "This is dummy body1"
4696  "This is dummy message body2";
4697  uint32_t http1_len = sizeof(http1_buf) - 1;
4698  uint32_t http2_len = sizeof(http2_buf) - 1;
4699  int result = 0;
4701 
4702  memset(&th_v, 0, sizeof(th_v));
4703  memset(&f, 0, sizeof(f));
4704  memset(&ssn, 0, sizeof(ssn));
4705 
4706  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4707  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4708 
4709  FLOW_INITIALIZE(&f);
4710  f.protoctx = (void *)&ssn;
4711  f.proto = IPPROTO_TCP;
4712  f.flags |= FLOW_IPV4;
4713 
4714  p1->flow = &f;
4718  p2->flow = &f;
4722  f.alproto = ALPROTO_HTTP;
4723 
4725 
4726  de_ctx = DetectEngineCtxInit();
4727  if (de_ctx == NULL)
4728  goto end;
4729 
4730  de_ctx->flags |= DE_QUIET;
4731 
4732  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4733  "(msg:\"http raw uri test\"; "
4734  "content:\"../c/./d\"; http_raw_uri; "
4735  "sid:1;)");
4736  if (de_ctx->sig_list == NULL)
4737  goto end;
4738 
4739  SigGroupBuild(de_ctx);
4740  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4741 
4742  FLOWLOCK_WRLOCK(&f);
4743  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4744  STREAM_TOSERVER, http1_buf, http1_len);
4745  if (r != 0) {
4746  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4747  result = 0;
4748  FLOWLOCK_UNLOCK(&f);
4749  goto end;
4750  }
4751  FLOWLOCK_UNLOCK(&f);
4752 
4753  http_state = f.alstate;
4754  if (http_state == NULL) {
4755  printf("no http state: \n");
4756  result = 0;
4757  goto end;
4758  }
4759 
4760  /* do detect */
4761  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4762 
4763  if ((PacketAlertCheck(p1, 1))) {
4764  printf("sid 1 matched but shouldn't have\n");
4765  goto end;
4766  }
4767 
4768  FLOWLOCK_WRLOCK(&f);
4769  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4770  STREAM_TOSERVER, http2_buf, http2_len);
4771  if (r != 0) {
4772  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4773  result = 0;
4774  FLOWLOCK_UNLOCK(&f);
4775  goto end;
4776  }
4777  FLOWLOCK_UNLOCK(&f);
4778 
4779  /* do detect */
4780  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4781 
4782  if (!(PacketAlertCheck(p2, 1))) {
4783  printf("sid 1 didn't match but should have");
4784  goto end;
4785  }
4786 
4787  result = 1;
4788 
4789 end:
4790  if (alp_tctx != NULL)
4791  AppLayerParserThreadCtxFree(alp_tctx);
4792  if (de_ctx != NULL)
4793  SigGroupCleanup(de_ctx);
4794  if (de_ctx != NULL)
4795  SigCleanSignatures(de_ctx);
4796  if (de_ctx != NULL)
4797  DetectEngineCtxFree(de_ctx);
4798 
4800  FLOW_DESTROY(&f);
4801  UTHFreePackets(&p1, 1);
4802  UTHFreePackets(&p2, 1);
4803  return result;
4804 }
4805 
4806 static int DetectEngineHttpRawUriTest02(void)
4807 {
4808  TcpSession ssn;
4809  Packet *p1 = NULL;
4810  Packet *p2 = NULL;
4811  ThreadVars th_v;
4812  DetectEngineCtx *de_ctx = NULL;
4813  DetectEngineThreadCtx *det_ctx = NULL;
4814  HtpState *http_state = NULL;
4815  Flow f;
4816  uint8_t http1_buf[] =
4817  "GET /../a/b/../c/./d.html HTTP/1.0\r\n"
4818  "Host: www.openinfosecfoundation.org\r\n"
4819  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4820  "Content-Type: text/html\r\n"
4821  "Content-Length: 19\r\n"
4822  "\r\n"
4823  "This is dummy body1";
4824  uint32_t http1_len = sizeof(http1_buf) - 1;
4825  int result = 0;
4827 
4828  memset(&th_v, 0, sizeof(th_v));
4829  memset(&f, 0, sizeof(f));
4830  memset(&ssn, 0, sizeof(ssn));
4831 
4832  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4833  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4834 
4835  FLOW_INITIALIZE(&f);
4836  f.protoctx = (void *)&ssn;
4837  f.proto = IPPROTO_TCP;
4838  f.flags |= FLOW_IPV4;
4839 
4840  p1->flow = &f;
4844  p2->flow = &f;
4848  f.alproto = ALPROTO_HTTP;
4849 
4851 
4852  de_ctx = DetectEngineCtxInit();
4853  if (de_ctx == NULL)
4854  goto end;
4855 
4856  de_ctx->flags |= DE_QUIET;
4857 
4858  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4859  "(msg:\"http raw uri test\"; "
4860  "content:\"/c/./d\"; http_raw_uri; offset:5; "
4861  "sid:1;)");
4862  if (de_ctx->sig_list == NULL)
4863  goto end;
4864 
4865  SigGroupBuild(de_ctx);
4866  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4867 
4868  FLOWLOCK_WRLOCK(&f);
4869  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4870  STREAM_TOSERVER, http1_buf, http1_len);
4871  if (r != 0) {
4872  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4873  result = 0;
4874  FLOWLOCK_UNLOCK(&f);
4875  goto end;
4876  }
4877  FLOWLOCK_UNLOCK(&f);
4878 
4879  http_state = f.alstate;
4880  if (http_state == NULL) {
4881  printf("no http state: \n");
4882  result = 0;
4883  goto end;
4884  }
4885 
4886  /* do detect */
4887  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4888 
4889  if (!(PacketAlertCheck(p1, 1))) {
4890  printf("sid 1 didn't match but should have\n");
4891  goto end;
4892  }
4893 
4894  result = 1;
4895 
4896 end:
4897  if (alp_tctx != NULL)
4898  AppLayerParserThreadCtxFree(alp_tctx);
4899  if (de_ctx != NULL)
4900  SigGroupCleanup(de_ctx);
4901  if (de_ctx != NULL)
4902  SigCleanSignatures(de_ctx);
4903  if (de_ctx != NULL)
4904  DetectEngineCtxFree(de_ctx);
4905 
4907  FLOW_DESTROY(&f);
4908  UTHFreePackets(&p1, 1);
4909  UTHFreePackets(&p2, 1);
4910  return result;
4911 }
4912 
4913 static int DetectEngineHttpRawUriTest03(void)
4914 {
4915  TcpSession ssn;
4916  Packet *p1 = NULL;
4917  Packet *p2 = NULL;
4918  ThreadVars th_v;
4919  DetectEngineCtx *de_ctx = NULL;
4920  DetectEngineThreadCtx *det_ctx = NULL;
4921  HtpState *http_state = NULL;
4922  Flow f;
4923  uint8_t http1_buf[] =
4924  "GET /../a/b/../";
4925  uint8_t http2_buf[] =
4926  "c/./d.html HTTP/1.0\r\n"
4927  "Host: www.openinfosecfoundation.org\r\n"
4928  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
4929  "Content-Type: text/html\r\n"
4930  "Content-Length: 46\r\n"
4931  "\r\n"
4932  "This is dummy body1"
4933  "This is dummy message body2";
4934  uint32_t http1_len = sizeof(http1_buf) - 1;
4935  uint32_t http2_len = sizeof(http2_buf) - 1;
4936  int result = 0;
4938 
4939  memset(&th_v, 0, sizeof(th_v));
4940  memset(&f, 0, sizeof(f));
4941  memset(&ssn, 0, sizeof(ssn));
4942 
4943  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4944  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4945 
4946  FLOW_INITIALIZE(&f);
4947  f.protoctx = (void *)&ssn;
4948  f.proto = IPPROTO_TCP;
4949  f.flags |= FLOW_IPV4;
4950 
4951  p1->flow = &f;
4955  p2->flow = &f;
4959  f.alproto = ALPROTO_HTTP;
4960 
4962 
4963  de_ctx = DetectEngineCtxInit();
4964  if (de_ctx == NULL)
4965  goto end;
4966 
4967  de_ctx->flags |= DE_QUIET;
4968 
4969  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4970  "(msg:\"http raw uri test\"; "
4971  "content:\"/a/b\"; http_raw_uri; offset:10; "
4972  "sid:1;)");
4973  if (de_ctx->sig_list == NULL)
4974  goto end;
4975 
4976  SigGroupBuild(de_ctx);
4977  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4978 
4979  FLOWLOCK_WRLOCK(&f);
4980  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4981  STREAM_TOSERVER, http1_buf, http1_len);
4982  if (r != 0) {
4983  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4984  result = 0;
4985  FLOWLOCK_UNLOCK(&f);
4986  goto end;
4987  }
4988  FLOWLOCK_UNLOCK(&f);
4989 
4990  http_state = f.alstate;
4991  if (http_state == NULL) {
4992  printf("no http state: \n");
4993  result = 0;
4994  goto end;
4995  }
4996 
4997  /* do detect */
4998  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4999 
5000  if (PacketAlertCheck(p1, 1)) {
5001  printf("sid 1 matched but shouldn't have\n");
5002  goto end;
5003  }
5004 
5005  FLOWLOCK_WRLOCK(&f);
5006  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5007  STREAM_TOSERVER, http2_buf, http2_len);
5008  if (r != 0) {
5009  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5010  result = 0;
5011  FLOWLOCK_UNLOCK(&f);
5012  goto end;
5013  }
5014  FLOWLOCK_UNLOCK(&f);
5015 
5016  /* do detect */
5017  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5018 
5019  if (PacketAlertCheck(p2, 1)) {
5020  printf("sid 1 didn't match but should have");
5021  goto end;
5022  }
5023 
5024  result = 1;
5025 
5026 end:
5027  if (alp_tctx != NULL)
5028  AppLayerParserThreadCtxFree(alp_tctx);
5029  if (de_ctx != NULL)
5030  SigGroupCleanup(de_ctx);
5031  if (de_ctx != NULL)
5032  SigCleanSignatures(de_ctx);
5033  if (de_ctx != NULL)
5034  DetectEngineCtxFree(de_ctx);
5035 
5037  FLOW_DESTROY(&f);
5038  UTHFreePackets(&p1, 1);
5039  UTHFreePackets(&p2, 1);
5040  return result;
5041 }
5042 
5043 static int DetectEngineHttpRawUriTest04(void)
5044 {
5045  TcpSession ssn;
5046  Packet *p1 = NULL;
5047  Packet *p2 = NULL;
5048  ThreadVars th_v;
5049  DetectEngineCtx *de_ctx = NULL;
5050  DetectEngineThreadCtx *det_ctx = NULL;
5051  HtpState *http_state = NULL;
5052  Flow f;
5053  uint8_t http1_buf[] =
5054  "GET /../a/b/../";
5055  uint8_t http2_buf[] =
5056  "c/./d.html HTTP/1.0\r\n"
5057  "Host: www.openinfosecfoundation.org\r\n"
5058  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
5059  "Content-Type: text/html\r\n"
5060  "Content-Length: 46\r\n"
5061  "\r\n"
5062  "This is dummy body1"
5063  "This is dummy message body2";
5064  uint32_t http1_len = sizeof(http1_buf) - 1;
5065  uint32_t http2_len = sizeof(http2_buf) - 1;
5066  int result = 0;
5068 
5069  memset(&th_v, 0, sizeof(th_v));
5070  memset(&f, 0, sizeof(f));
5071  memset(&ssn, 0, sizeof(ssn));
5072 
5073  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5074  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5075 
5076  FLOW_INITIALIZE(&f);
5077  f.protoctx = (void *)&ssn;
5078  f.proto = IPPROTO_TCP;
5079  f.flags |= FLOW_IPV4;
5080 
5081  p1->flow = &f;
5085  p2->flow = &f;
5089  f.alproto = ALPROTO_HTTP;
5090 
5092 
5093  de_ctx = DetectEngineCtxInit();
5094  if (de_ctx == NULL)
5095  goto end;
5096 
5097  de_ctx->flags |= DE_QUIET;
5098 
5099  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5100  "(msg:\"http raw uri test\"; "
5101  "content:!\"/a/b\"; http_raw_uri; offset:10; "
5102  "sid:1;)");
5103  if (de_ctx->sig_list == NULL)
5104  goto end;
5105 
5106  SigGroupBuild(de_ctx);
5107  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5108 
5109  FLOWLOCK_WRLOCK(&f);
5110  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5111  STREAM_TOSERVER, http1_buf, http1_len);
5112  if (r != 0) {
5113  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5114  result = 0;
5115  FLOWLOCK_UNLOCK(&f);
5116  goto end;
5117  }
5118  FLOWLOCK_UNLOCK(&f);
5119 
5120  http_state = f.alstate;
5121  if (http_state == NULL) {
5122  printf("no http state: \n");
5123  result = 0;
5124  goto end;
5125  }
5126 
5127  /* do detect */
5128  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5129 
5130  if (PacketAlertCheck(p1, 1)) {
5131  printf("sid 1 matched but shouldn't have\n");
5132  goto end;
5133  }
5134 
5135  FLOWLOCK_WRLOCK(&f);
5136  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5137  STREAM_TOSERVER, http2_buf, http2_len);
5138  if (r != 0) {
5139  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5140  result = 0;
5141  FLOWLOCK_UNLOCK(&f);
5142  goto end;
5143  }
5144  FLOWLOCK_UNLOCK(&f);
5145 
5146  /* do detect */
5147  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5148 
5149  if (!PacketAlertCheck(p2, 1)) {
5150  printf("sid 1 didn't match but should have");
5151  goto end;
5152  }
5153 
5154  result = 1;
5155 
5156 end:
5157  if (alp_tctx != NULL)
5158  AppLayerParserThreadCtxFree(alp_tctx);
5159  if (de_ctx != NULL)
5160  SigGroupCleanup(de_ctx);
5161  if (de_ctx != NULL)
5162  SigCleanSignatures(de_ctx);
5163  if (de_ctx != NULL)
5164  DetectEngineCtxFree(de_ctx);
5165 
5167  FLOW_DESTROY(&f);
5168  UTHFreePackets(&p1, 1);
5169  UTHFreePackets(&p2, 1);
5170  return result;
5171 }
5172 
5173 static int DetectEngineHttpRawUriTest05(void)
5174 {
5175  TcpSession ssn;
5176  Packet *p1 = NULL;
5177  Packet *p2 = NULL;
5178  ThreadVars th_v;
5179  DetectEngineCtx *de_ctx = NULL;
5180  DetectEngineThreadCtx *det_ctx = NULL;
5181  HtpState *http_state = NULL;
5182  Flow f;
5183  uint8_t http1_buf[] =
5184  "GET /../a/b/";
5185  uint8_t http2_buf[] =
5186  "../c/./d.html HTTP/1.0\r\n"
5187  "Host: www.openinfosecfoundation.org\r\n"
5188  "Content-Type: text/html\r\n"
5189  "Content-Length: 46\r\n"
5190  "\r\n"
5191  "This is dummy body1"
5192  "This is dummy message body2";
5193  uint32_t http1_len = sizeof(http1_buf) - 1;
5194  uint32_t http2_len = sizeof(http2_buf) - 1;
5195  int result = 0;
5197 
5198  memset(&th_v, 0, sizeof(th_v));
5199  memset(&f, 0, sizeof(f));
5200  memset(&ssn, 0, sizeof(ssn));
5201 
5202  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5203  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5204 
5205  FLOW_INITIALIZE(&f);
5206  f.protoctx = (void *)&ssn;
5207  f.proto = IPPROTO_TCP;
5208  f.flags |= FLOW_IPV4;
5209 
5210  p1->flow = &f;
5214  p2->flow = &f;
5218  f.alproto = ALPROTO_HTTP;
5219 
5221 
5222  de_ctx = DetectEngineCtxInit();
5223  if (de_ctx == NULL)
5224  goto end;
5225 
5226  de_ctx->flags |= DE_QUIET;
5227 
5228  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5229  "(msg:\"http raw uri test\"; "
5230  "content:\"a/b\"; http_raw_uri; depth:10; "
5231  "sid:1;)");
5232  if (de_ctx->sig_list == NULL)
5233  goto end;
5234 
5235  SigGroupBuild(de_ctx);
5236  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5237 
5238  FLOWLOCK_WRLOCK(&f);
5239  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5240  STREAM_TOSERVER, http1_buf, http1_len);
5241  if (r != 0) {
5242  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5243  result = 0;
5244  FLOWLOCK_UNLOCK(&f);
5245  goto end;
5246  }
5247  FLOWLOCK_UNLOCK(&f);
5248 
5249  http_state = f.alstate;
5250  if (http_state == NULL) {
5251  printf("no http state: \n");
5252  result = 0;
5253  goto end;
5254  }
5255 
5256  /* do detect */
5257  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5258 
5259  if (PacketAlertCheck(p1, 1)) {
5260  printf("sid 1 matched but shouldn't have\n");
5261  goto end;
5262  }
5263 
5264  FLOWLOCK_WRLOCK(&f);
5265  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5266  STREAM_TOSERVER, http2_buf, http2_len);
5267  if (r != 0) {
5268  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5269  result = 0;
5270  FLOWLOCK_UNLOCK(&f);
5271  goto end;
5272  }
5273  FLOWLOCK_UNLOCK(&f);
5274 
5275  /* do detect */
5276  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5277 
5278  if (!PacketAlertCheck(p2, 1)) {
5279  printf("sid 1 didn't match but should have");
5280  goto end;
5281  }
5282 
5283  result = 1;
5284 
5285 end:
5286  if (alp_tctx != NULL)
5287  AppLayerParserThreadCtxFree(alp_tctx);
5288  if (de_ctx != NULL)
5289  SigGroupCleanup(de_ctx);
5290  if (de_ctx != NULL)
5291  SigCleanSignatures(de_ctx);
5292  if (de_ctx != NULL)
5293  DetectEngineCtxFree(de_ctx);
5294 
5296  FLOW_DESTROY(&f);
5297  UTHFreePackets(&p1, 1);
5298  UTHFreePackets(&p2, 1);
5299  return result;
5300 }
5301 
5302 static int DetectEngineHttpRawUriTest06(void)
5303 {
5304  TcpSession ssn;
5305  Packet *p1 = NULL;
5306  Packet *p2 = NULL;
5307  ThreadVars th_v;
5308  DetectEngineCtx *de_ctx = NULL;
5309  DetectEngineThreadCtx *det_ctx = NULL;
5310  HtpState *http_state = NULL;
5311  Flow f;
5312  uint8_t http1_buf[] =
5313  "GET /../a/b/";
5314  uint8_t http2_buf[] =
5315  "../c/./d.html HTTP/1.0\r\n"
5316  "Host: www.openinfosecfoundation.org\r\n"
5317  "Content-Type: text/html\r\n"
5318  "Content-Length: 46\r\n"
5319  "\r\n"
5320  "This is dummy body1"
5321  "This is dummy message body2";
5322  uint32_t http1_len = sizeof(http1_buf) - 1;
5323  uint32_t http2_len = sizeof(http2_buf) - 1;
5324  int result = 0;
5326 
5327  memset(&th_v, 0, sizeof(th_v));
5328  memset(&f, 0, sizeof(f));
5329  memset(&ssn, 0, sizeof(ssn));
5330 
5331  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5332  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5333 
5334  FLOW_INITIALIZE(&f);
5335  f.protoctx = (void *)&ssn;
5336  f.proto = IPPROTO_TCP;
5337  f.flags |= FLOW_IPV4;
5338 
5339  p1->flow = &f;
5343  p2->flow = &f;
5347  f.alproto = ALPROTO_HTTP;
5348 
5350 
5351  de_ctx = DetectEngineCtxInit();
5352  if (de_ctx == NULL)
5353  goto end;
5354 
5355  de_ctx->flags |= DE_QUIET;
5356 
5357  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5358  "(msg:\"http raw uri test\"; "
5359  "content:!\"/a/b\"; http_raw_uri; depth:25; "
5360  "sid:1;)");
5361  if (de_ctx->sig_list == NULL)
5362  goto end;
5363 
5364  SigGroupBuild(de_ctx);
5365  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5366 
5367  FLOWLOCK_WRLOCK(&f);
5368  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5369  STREAM_TOSERVER, http1_buf, http1_len);
5370  if (r != 0) {
5371  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5372  result = 0;
5373  FLOWLOCK_UNLOCK(&f);
5374  goto end;
5375  }
5376  FLOWLOCK_UNLOCK(&f);
5377 
5378  http_state = f.alstate;
5379  if (http_state == NULL) {
5380  printf("no http state: \n");
5381  result = 0;
5382  goto end;
5383  }
5384 
5385  /* do detect */
5386  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5387 
5388  if (PacketAlertCheck(p1, 1)) {
5389  printf("sid 1 matched but shouldn't have\n");
5390  goto end;
5391  }
5392 
5393  FLOWLOCK_WRLOCK(&f);
5394  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5395  STREAM_TOSERVER, http2_buf, http2_len);
5396  if (r != 0) {
5397  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5398  result = 0;
5399  FLOWLOCK_UNLOCK(&f);
5400  goto end;
5401  }
5402  FLOWLOCK_UNLOCK(&f);
5403 
5404  /* do detect */
5405  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5406 
5407  if (PacketAlertCheck(p2, 1)) {
5408  printf("sid 1 matched but shouldn't have");
5409  goto end;
5410  }
5411 
5412  result = 1;
5413 
5414 end:
5415  if (alp_tctx != NULL)
5416  AppLayerParserThreadCtxFree(alp_tctx);
5417  if (de_ctx != NULL)
5418  SigGroupCleanup(de_ctx);
5419  if (de_ctx != NULL)
5420  SigCleanSignatures(de_ctx);
5421  if (de_ctx != NULL)
5422  DetectEngineCtxFree(de_ctx);
5423 
5425  FLOW_DESTROY(&f);
5426  UTHFreePackets(&p1, 1);
5427  UTHFreePackets(&p2, 1);
5428  return result;
5429 }
5430 
5431 static int DetectEngineHttpRawUriTest07(void)
5432 {
5433  TcpSession ssn;
5434  Packet *p1 = NULL;
5435  Packet *p2 = NULL;
5436  ThreadVars th_v;
5437  DetectEngineCtx *de_ctx = NULL;
5438  DetectEngineThreadCtx *det_ctx = NULL;
5439  HtpState *http_state = NULL;
5440  Flow f;
5441  uint8_t http1_buf[] =
5442  "GET /../a/b/";
5443  uint8_t http2_buf[] =
5444  "../c/./d.html HTTP/1.0\r\n"
5445  "Host: www.openinfosecfoundation.org\r\n"
5446  "Content-Type: text/html\r\n"
5447  "Content-Length: 46\r\n"
5448  "\r\n"
5449  "This is dummy body1"
5450  "This is dummy message body2";
5451  uint32_t http1_len = sizeof(http1_buf) - 1;
5452  uint32_t http2_len = sizeof(http2_buf) - 1;
5453  int result = 0;
5455 
5456  memset(&th_v, 0, sizeof(th_v));
5457  memset(&f, 0, sizeof(f));
5458  memset(&ssn, 0, sizeof(ssn));
5459 
5460  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5461  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5462 
5463  FLOW_INITIALIZE(&f);
5464  f.protoctx = (void *)&ssn;
5465  f.proto = IPPROTO_TCP;
5466  f.flags |= FLOW_IPV4;
5467 
5468  p1->flow = &f;
5472  p2->flow = &f;
5476  f.alproto = ALPROTO_HTTP;
5477 
5479 
5480  de_ctx = DetectEngineCtxInit();
5481  if (de_ctx == NULL)
5482  goto end;
5483 
5484  de_ctx->flags |= DE_QUIET;
5485 
5486  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5487  "(msg:\"http raw uri test\"; "
5488  "content:!\"/c/./d\"; http_raw_uri; depth:12; "
5489  "sid:1;)");
5490  if (de_ctx->sig_list == NULL)
5491  goto end;
5492 
5493  SigGroupBuild(de_ctx);
5494  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5495 
5496  FLOWLOCK_WRLOCK(&f);
5497  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5498  STREAM_TOSERVER, http1_buf, http1_len);
5499  if (r != 0) {
5500  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5501  result = 0;
5502  FLOWLOCK_UNLOCK(&f);
5503  goto end;
5504  }
5505  FLOWLOCK_UNLOCK(&f);
5506 
5507  http_state = f.alstate;
5508  if (http_state == NULL) {
5509  printf("no http state: \n");
5510  result = 0;
5511  goto end;
5512  }
5513 
5514  /* do detect */
5515  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5516 
5517  if (PacketAlertCheck(p1, 1)) {
5518  printf("sid 1 matched but shouldn't have\n");
5519  goto end;
5520  }
5521 
5522  FLOWLOCK_WRLOCK(&f);
5523  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5524  STREAM_TOSERVER, http2_buf, http2_len);
5525  if (r != 0) {
5526  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5527  result = 0;
5528  FLOWLOCK_UNLOCK(&f);
5529  goto end;
5530  }
5531  FLOWLOCK_UNLOCK(&f);
5532 
5533  /* do detect */
5534  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5535 
5536  if (!PacketAlertCheck(p2, 1)) {
5537  printf("sid 1 didn't match but should have");
5538  goto end;
5539  }
5540 
5541  result = 1;
5542 
5543 end:
5544  if (alp_tctx != NULL)
5545  AppLayerParserThreadCtxFree(alp_tctx);
5546  if (de_ctx != NULL)
5547  SigGroupCleanup(de_ctx);
5548  if (de_ctx != NULL)
5549  SigCleanSignatures(de_ctx);
5550  if (de_ctx != NULL)
5551  DetectEngineCtxFree(de_ctx);
5552 
5554  FLOW_DESTROY(&f);
5555  UTHFreePackets(&p1, 1);
5556  UTHFreePackets(&p2, 1);
5557  return result;
5558 }
5559 
5560 static int DetectEngineHttpRawUriTest08(void)
5561 {
5562  TcpSession ssn;
5563  Packet *p1 = NULL;
5564  Packet *p2 = NULL;
5565  ThreadVars th_v;
5566  DetectEngineCtx *de_ctx = NULL;
5567  DetectEngineThreadCtx *det_ctx = NULL;
5568  HtpState *http_state = NULL;
5569  Flow f;
5570  uint8_t http1_buf[] =
5571  "GET /../a/";
5572  uint8_t http2_buf[] =
5573  "b/../c/./d.html HTTP/1.0\r\n"
5574  "Host: www.openinfosecfoundation.org\r\n"
5575  "Content-Type: text/html\r\n"
5576  "Content-Length: 46\r\n"
5577  "\r\n"
5578  "This is dummy body1"
5579  "This is dummy message body2";
5580  uint32_t http1_len = sizeof(http1_buf) - 1;
5581  uint32_t http2_len = sizeof(http2_buf) - 1;
5582  int result = 0;
5584 
5585  memset(&th_v, 0, sizeof(th_v));
5586  memset(&f, 0, sizeof(f));
5587  memset(&ssn, 0, sizeof(ssn));
5588 
5589  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5590  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5591 
5592  FLOW_INITIALIZE(&f);
5593  f.protoctx = (void *)&ssn;
5594  f.proto = IPPROTO_TCP;
5595  f.flags |= FLOW_IPV4;
5596 
5597  p1->flow = &f;
5601  p2->flow = &f;
5605  f.alproto = ALPROTO_HTTP;
5606 
5608 
5609  de_ctx = DetectEngineCtxInit();
5610  if (de_ctx == NULL)
5611  goto end;
5612 
5613  de_ctx->flags |= DE_QUIET;
5614 
5615  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5616  "(msg:\"http raw uri test\"; "
5617  "content:!\"/c/./d\"; http_raw_uri; depth:18; "
5618  "sid:1;)");
5619  if (de_ctx->sig_list == NULL)
5620  goto end;
5621 
5622  SigGroupBuild(de_ctx);
5623  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5624 
5625  FLOWLOCK_WRLOCK(&f);
5626  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5627  STREAM_TOSERVER, http1_buf, http1_len);
5628  if (r != 0) {
5629  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5630  result = 0;
5631  FLOWLOCK_UNLOCK(&f);
5632  goto end;
5633  }
5634  FLOWLOCK_UNLOCK(&f);
5635 
5636  http_state = f.alstate;
5637  if (http_state == NULL) {
5638  printf("no http state: \n");
5639  result = 0;
5640  goto end;
5641  }
5642 
5643  /* do detect */
5644  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5645 
5646  if (PacketAlertCheck(p1, 1)) {
5647  printf("sid 1 matched but shouldn't have\n");
5648  goto end;
5649  }
5650 
5651  FLOWLOCK_WRLOCK(&f);
5652  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5653  STREAM_TOSERVER, http2_buf, http2_len);
5654  if (r != 0) {
5655  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5656  result = 0;
5657  FLOWLOCK_UNLOCK(&f);
5658  goto end;
5659  }
5660  FLOWLOCK_UNLOCK(&f);
5661 
5662  /* do detect */
5663  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5664 
5665  if (PacketAlertCheck(p2, 1)) {
5666  printf("sid 1 matched but shouldn't have");
5667  goto end;
5668  }
5669 
5670  result = 1;
5671 
5672 end:
5673  if (alp_tctx != NULL)
5674  AppLayerParserThreadCtxFree(alp_tctx);
5675  if (de_ctx != NULL)
5676  SigGroupCleanup(de_ctx);
5677  if (de_ctx != NULL)
5678  SigCleanSignatures(de_ctx);
5679  if (de_ctx != NULL)
5680  DetectEngineCtxFree(de_ctx);
5681 
5683  FLOW_DESTROY(&f);
5684  UTHFreePackets(&p1, 1);
5685  UTHFreePackets(&p2, 1);
5686  return result;
5687 }
5688 
5689 static int DetectEngineHttpRawUriTest09(void)
5690 {
5691  TcpSession ssn;
5692  Packet *p1 = NULL;
5693  Packet *p2 = NULL;
5694  ThreadVars th_v;
5695  DetectEngineCtx *de_ctx = NULL;
5696  DetectEngineThreadCtx *det_ctx = NULL;
5697  HtpState *http_state = NULL;
5698  Flow f;
5699  uint8_t http1_buf[] =
5700  "GET /../a";
5701  uint8_t http2_buf[] =
5702  "/b/../c/./d.html HTTP/1.0\r\n"
5703  "Host: www.openinfosecfoundation.org\r\n"
5704  "Content-Type: text/html\r\n"
5705  "Content-Length: 46\r\n"
5706  "\r\n"
5707  "This is dummy body1"
5708  "This is dummy message body2";
5709  uint32_t http1_len = sizeof(http1_buf) - 1;
5710  uint32_t http2_len = sizeof(http2_buf) - 1;
5711  int result = 0;
5713 
5714  memset(&th_v, 0, sizeof(th_v));
5715  memset(&f, 0, sizeof(f));
5716  memset(&ssn, 0, sizeof(ssn));
5717 
5718  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5719  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5720 
5721  FLOW_INITIALIZE(&f);
5722  f.protoctx = (void *)&ssn;
5723  f.proto = IPPROTO_TCP;
5724  f.flags |= FLOW_IPV4;
5725 
5726  p1->flow = &f;
5730  p2->flow = &f;
5734  f.alproto = ALPROTO_HTTP;
5735 
5737 
5738  de_ctx = DetectEngineCtxInit();
5739  if (de_ctx == NULL)
5740  goto end;
5741 
5742  de_ctx->flags |= DE_QUIET;
5743 
5744  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5745  "(msg:\"http raw uri test\"; "
5746  "content:\"/a\"; http_raw_uri; "
5747  "content:\"./c/.\"; http_raw_uri; within:9; "
5748  "sid:1;)");
5749  if (de_ctx->sig_list == NULL)
5750  goto end;
5751 
5752  SigGroupBuild(de_ctx);
5753  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5754 
5755  FLOWLOCK_WRLOCK(&f);
5756  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5757  STREAM_TOSERVER, http1_buf, http1_len);
5758  if (r != 0) {
5759  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5760  result = 0;
5761  FLOWLOCK_UNLOCK(&f);
5762  goto end;
5763  }
5764  FLOWLOCK_UNLOCK(&f);
5765 
5766  http_state = f.alstate;
5767  if (http_state == NULL) {
5768  printf("no http state: \n");
5769  result = 0;
5770  goto end;
5771  }
5772 
5773  /* do detect */
5774  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5775 
5776  if (PacketAlertCheck(p1, 1)) {
5777  printf("sid 1 matched but shouldn't have\n");
5778  goto end;
5779  }
5780 
5781  FLOWLOCK_WRLOCK(&f);
5782  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5783  STREAM_TOSERVER, http2_buf, http2_len);
5784  if (r != 0) {
5785  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5786  result = 0;
5787  FLOWLOCK_UNLOCK(&f);
5788  goto end;
5789  }
5790  FLOWLOCK_UNLOCK(&f);
5791 
5792  /* do detect */
5793  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5794 
5795  if (!PacketAlertCheck(p2, 1)) {
5796  printf("sid 1 didn't match but should have");
5797  goto end;
5798  }
5799 
5800  result = 1;
5801 
5802 end:
5803  if (alp_tctx != NULL)
5804  AppLayerParserThreadCtxFree(alp_tctx);
5805  if (de_ctx != NULL)
5806  SigGroupCleanup(de_ctx);
5807  if (de_ctx != NULL)
5808  SigCleanSignatures(de_ctx);
5809  if (de_ctx != NULL)
5810  DetectEngineCtxFree(de_ctx);
5811 
5813  FLOW_DESTROY(&f);
5814  UTHFreePackets(&p1, 1);
5815  UTHFreePackets(&p2, 1);
5816  return result;
5817 }
5818 
5819 static int DetectEngineHttpRawUriTest10(void)
5820 {
5821  TcpSession ssn;
5822  Packet *p1 = NULL;
5823  Packet *p2 = NULL;
5824  ThreadVars th_v;
5825  DetectEngineCtx *de_ctx = NULL;
5826  DetectEngineThreadCtx *det_ctx = NULL;
5827  HtpState *http_state = NULL;
5828  Flow f;
5829  uint8_t http1_buf[] =
5830  "GET /../a";
5831  uint8_t http2_buf[] =
5832  "/b/../c/./d.html HTTP/1.0\r\n"
5833  "Host: www.openinfosecfoundation.org\r\n"
5834  "Content-Type: text/html\r\n"
5835  "Content-Length: 46\r\n"
5836  "\r\n"
5837  "This is dummy body1"
5838  "This is dummy message body2";
5839  uint32_t http1_len = sizeof(http1_buf) - 1;
5840  uint32_t http2_len = sizeof(http2_buf) - 1;
5841  int result = 0;
5843 
5844  memset(&th_v, 0, sizeof(th_v));
5845  memset(&f, 0, sizeof(f));
5846  memset(&ssn, 0, sizeof(ssn));
5847 
5848  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5849  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5850 
5851  FLOW_INITIALIZE(&f);
5852  f.protoctx = (void *)&ssn;
5853  f.proto = IPPROTO_TCP;
5854  f.flags |= FLOW_IPV4;
5855 
5856  p1->flow = &f;
5860  p2->flow = &f;
5864  f.alproto = ALPROTO_HTTP;
5865 
5867 
5868  de_ctx = DetectEngineCtxInit();
5869  if (de_ctx == NULL)
5870  goto end;
5871 
5872  de_ctx->flags |= DE_QUIET;
5873 
5874  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
5875  "(msg:\"http raw uri test\"; "
5876  "content:\"/a\"; http_raw_uri; "
5877  "content:!\"boom\"; http_raw_uri; within:5; "
5878  "sid:1;)");
5879  if (de_ctx->sig_list == NULL)
5880  goto end;
5881 
5882  SigGroupBuild(de_ctx);
5883  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5884 
5885  FLOWLOCK_WRLOCK(&f);
5886  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5887  STREAM_TOSERVER, http1_buf, http1_len);
5888  if (r != 0) {
5889  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
5890  result = 0;
5891  FLOWLOCK_UNLOCK(&f);
5892  goto end;
5893  }
5894  FLOWLOCK_UNLOCK(&f);
5895 
5896  http_state = f.alstate;
5897  if (http_state == NULL) {
5898  printf("no http state: \n");
5899  result = 0;
5900  goto end;
5901  }
5902 
5903  /* do detect */
5904  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
5905 
5906  if (PacketAlertCheck(p1, 1)) {
5907  printf("sid 1 matched but shouldn't have\n");
5908  goto end;
5909  }
5910 
5911  FLOWLOCK_WRLOCK(&f);
5912  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
5913  STREAM_TOSERVER, http2_buf, http2_len);
5914  if (r != 0) {
5915  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
5916  result = 0;
5917  FLOWLOCK_UNLOCK(&f);
5918  goto end;
5919  }
5920  FLOWLOCK_UNLOCK(&f);
5921 
5922  /* do detect */
5923  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
5924 
5925  if (!PacketAlertCheck(p2, 1)) {
5926  printf("sid 1 didn't match but should have");
5927  goto end;
5928  }
5929 
5930  result = 1;
5931 
5932 end:
5933  if (alp_tctx != NULL)
5934  AppLayerParserThreadCtxFree(alp_tctx);
5935  if (de_ctx != NULL)
5936  SigGroupCleanup(de_ctx);
5937  if (de_ctx != NULL)
5938  SigCleanSignatures(de_ctx);
5939  if (de_ctx != NULL)
5940  DetectEngineCtxFree(de_ctx);
5941 
5943  FLOW_DESTROY(&f);
5944  UTHFreePackets(&p1, 1);
5945  UTHFreePackets(&p2, 1);
5946  return result;
5947 }
5948 
5949 static int DetectEngineHttpRawUriTest11(void)
5950 {
5951  TcpSession ssn;
5952  Packet *p1 = NULL;
5953  Packet *p2 = NULL;
5954  ThreadVars th_v;
5955  DetectEngineCtx *de_ctx = NULL;
5956  DetectEngineThreadCtx *det_ctx = NULL;
5957  HtpState *http_state = NULL;
5958  Flow f;
5959  uint8_t http1_buf[] =
5960  "GET /../a";
5961  uint8_t http2_buf[] =
5962  "/b/../c/./d.html HTTP/1.0\r\n"
5963  "Host: www.openinfosecfoundation.org\r\n"
5964  "Content-Type: text/html\r\n"
5965  "Content-Length: 46\r\n"
5966  "\r\n"
5967  "This is dummy body1"
5968  "This is dummy message body2";
5969  uint32_t http1_len = sizeof(http1_buf) - 1;
5970  uint32_t http2_len = sizeof(http2_buf) - 1;
5971  int result = 0;
5973 
5974  memset(&th_v, 0, sizeof(th_v));
5975  memset(&f, 0, sizeof(f));
5976  memset(&ssn, 0, sizeof(ssn));
5977 
5978  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5979  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
5980 
5981  FLOW_INITIALIZE(&f);
5982  f.protoctx = (void *)&ssn;
5983  f.proto = IPPROTO_TCP;
5984  f.flags |= FLOW_IPV4;
5985 
5986  p1->flow = &f;
5990  p2->flow = &f;
5994  f.alproto = ALPROTO_HTTP;
5995 
5997 
5998  de_ctx = DetectEngineCtxInit();
5999  if (de_ctx == NULL)
6000  goto end;
6001 
6002  de_ctx->flags |= DE_QUIET;
6003 
6004  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
6005  "(msg:\"http raw uri test\"; "
6006  "content:\"./a\"; http_raw_uri; "
6007  "content:\"boom\"; http_raw_uri; within:5; "
6008  "sid:1;)");
6009  if (de_ctx->sig_list == NULL)
6010  goto end;
6011 
6012  SigGroupBuild(de_ctx);
6013  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6014 
6015  FLOWLOCK_WRLOCK(&f);
6016  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
6017  STREAM_TOSERVER, http1_buf, http1_len);
6018  if (r != 0) {
6019  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
6020  result = 0;
6021  FLOWLOCK_UNLOCK(&f);
6022  goto end;
6023  }
6024  FLOWLOCK_UNLOCK(&f);
6025 
6026  http_state = f.alstate;
6027  if (http_state == NULL) {
6028  printf("no http state: \n");
6029  result = 0;
6030  goto end;
6031  }
6032 
6033  /* do detect */
6034  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6035 
6036  if (PacketAlertCheck(p1, 1)) {
6037  printf("sid 1 matched but shouldn't have\n");
6038  goto end;
6039  }
6040 
6041  FLOWLOCK_WRLOCK(&f);
6042  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
6043  STREAM_TOSERVER, http2_buf, http2_len);
6044  if (r != 0) {
6045  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
6046  result = 0;
6047  FLOWLOCK_UNLOCK(&f);
6048  goto end;
6049  }
6050  FLOWLOCK_UNLOCK(&f);
6051 
6052  /* do detect */
6053  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6054 
6055  if (PacketAlertCheck(p2, 1)) {
6056  printf("sid 1 matched but shouldn't have");
6057  goto end;
6058  }
6059 
6060  result = 1;
6061 
6062 end:
6063  if (alp_tctx != NULL)
6064  AppLayerParserThreadCtxFree(alp_tctx);
6065  if (de_ctx != NULL)
6066  SigGroupCleanup(de_ctx);
6067  if (de_ctx != NULL)
6068  SigCleanSignatures(de_ctx);
6069  if (de_ctx != NULL)
6070  DetectEngineCtxFree(de_ctx);
6071 
6073  FLOW_DESTROY(&f);
6074  UTHFreePackets(&p1, 1);
6075  UTHFreePackets(&p2, 1);
6076  return result;
6077 }
6078 
6079 static int DetectEngineHttpRawUriTest12(void)
6080 {
6081  TcpSession ssn;
6082  Packet *p1 = NULL;
6083  Packet *p2 = NULL;
6084  ThreadVars th_v;
6085  DetectEngineCtx *de_ctx = NULL;
6086  DetectEngineThreadCtx *det_ctx = NULL;
6087  HtpState *http_state = NULL;
6088  Flow f;
6089  uint8_t http1_buf[] =
6090  "GET /../a";
6091  uint8_t http2_buf[] =
6092  "/b/../c/./d.html HTTP/1.0\r\n"
6093  "Host: www.openinfosecfoundation.org\r\n"
6094  "Content-Type: text/html\r\n"
6095  "Content-Length: 46\r\n"
6096  "\r\n"
6097  "This is dummy body1"
6098  "This is dummy message body2";
6099  uint32_t http1_len = sizeof(http1_buf) - 1;
6100  uint32_t http2_len = sizeof(http2_buf) - 1;
6101  int result = 0;
6103 
6104  memset(&th_v, 0, sizeof(th_v));
6105  memset(&f, 0, sizeof(f));
6106  memset(&ssn, 0, sizeof(ssn));
6107 
6108  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6109  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
6110 
6111  FLOW_INITIALIZE(&f);
6112  f.protoctx = (void *)&ssn;
6113  f.proto = IPPROTO_TCP;
6114  f.flags |= FLOW_IPV4;
6115 
6116  p1->flow = &f;
6120  p2->flow = &f;