- /* Copyright (C) 2007-2010 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
- /**
- * \ingroup httplayer
- *
- * @{
- */
- /** \file
- *
- * \author Anoop Saldanha <anoopsaldanha@gmail.com>
- *
- * \brief Handle HTTP method match
- *
- */
- #include "suricata-common.h"
- #include "suricata.h"
- #include "decode.h"
- #include "detect.h"
- #include "detect-engine.h"
- #include "detect-engine-hmd.h"
- #include "detect-engine-mpm.h"
- #include "detect-parse.h"
- #include "detect-engine-state.h"
- #include "detect-engine-content-inspection.h"
- #include "flow-util.h"
- #include "util-debug.h"
- #include "util-print.h"
- #include "flow.h"
- #include "app-layer-parser.h"
- #include "util-unittest.h"
- #include "util-unittest-helper.h"
- #include "app-layer.h"
- #include "app-layer-htp.h"
- #include "app-layer-protos.h"
/**
 * \brief Run the http_method MPM over every not-yet-inspected transaction
 *        of a flow and count the pattern hits.
 *
 * \param det_ctx   Detection engine thread context.
 * \param f         Flow being inspected (taken read-locked for the duration).
 * \param htp_state HTP state of the flow; may be NULL.
 * \param flags     Direction/app-layer flags passed through to the search.
 *
 * \retval cnt Number of pattern matches found across the transactions.
 */
int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
                                 HtpState *htp_state, uint8_t flags)
{
    uint32_t matches = 0;

    /* The method "buffers" are bstr's owned by libhtp's transaction
     * objects, so the flow has to stay read-locked while we walk them. */
    FLOWLOCK_RDLOCK(f);

    if (htp_state == NULL) {
        SCLogDebug("no HTTP state");
    } else if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
        SCLogDebug("HTP state has no conn(p)");
    } else {
        /* -1 signals that there is no transaction to inspect yet */
        int tx_idx = AppLayerTransactionGetInspectId(f);
        if (tx_idx != -1) {
            int tx_cnt = (int)list_size(htp_state->connp->conn->transactions);
            while (tx_idx < tx_cnt) {
                htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_idx);
                tx_idx++;
                if (tx == NULL || tx->request_method == NULL)
                    continue;
                matches += HttpMethodPatternSearch(det_ctx,
                                                   (uint8_t *)bstr_ptr(tx->request_method),
                                                   bstr_len(tx->request_method),
                                                   flags);
            }
        }
    }

    FLOWLOCK_UNLOCK(f);
    return matches;
}
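/**
 * \brief Do the http_method content inspection for a signature.
 *
 * Looks up transaction \a tx_id in the flow's HTP state and runs the
 * signature's DETECT_SM_LIST_HMDMATCH content list over the request
 * method of that transaction.
 *
 * \param tv      Thread vars (unused here, kept for the inspect callback
 *                signature).
 * \param de_ctx  Detection engine context.
 * \param det_ctx Detection engine thread context; its per-buffer match
 *                state is reset before inspection.
 * \param s       Signature to inspect.
 * \param f       Flow.
 * \param flags   App layer flags.
 * \param alstate App layer state (HtpState *); may be NULL.
 * \param tx_id   Index of the transaction to inspect; negative means none.
 *
 * \retval 0 No match (also returned when there is nothing to inspect).
 * \retval 1 Match.
 *
 * \note Unlike DetectEngineRunHttpMethodMpm no flow lock is taken here;
 *       the caller is expected to hold it — verify against the
 *       state-inspection call site.
 */
int DetectEngineInspectHttpMethod(ThreadVars *tv,
                                  DetectEngineCtx *de_ctx,
                                  DetectEngineThreadCtx *det_ctx,
                                  Signature *s, Flow *f, uint8_t flags,
                                  void *alstate, int tx_id)
{
    HtpState *htp_state = (HtpState *)alstate;

    /* Same guards DetectEngineRunHttpMethodMpm applies: a flow can reach
     * inspection with no HTP state, or with a state whose parser or
     * connection is not set up, and dereferencing those unconditionally
     * is a traffic-driven NULL dereference. */
    if (htp_state == NULL || htp_state->connp == NULL ||
        htp_state->connp->conn == NULL) {
        return 0;
    }
    /* -1 is the "no transaction" sentinel of the inspect-id lookup */
    if (tx_id < 0)
        return 0;

    htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id);
    if (tx == NULL || tx->request_method == NULL)
        return 0;

    /* fresh match state for this buffer */
    det_ctx->buffer_offset = 0;
    det_ctx->discontinue_matching = 0;
    det_ctx->inspection_recursion_counter = 0;

    int r = DetectEngineContentInspection(de_ctx, det_ctx, s,
                                          s->sm_lists[DETECT_SM_LIST_HMDMATCH],
                                          f,
                                          (uint8_t *)bstr_ptr(tx->request_method),
                                          bstr_len(tx->request_method),
                                          DETECT_ENGINE_CONTENT_INSPECTION_MODE_HMD,
                                          NULL);

    return (r == 1) ? 1 : 0;
}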
- /***********************************Unittests**********************************/
- #ifdef UNITTESTS
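/**
 * \test http_method: content:"GET" must match the method of a GET request.
 */
static int DetectEngineHttpMethodTest01(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:\"GET\"; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}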
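/**
 * \test http_method: content:"CO" with depth:4 must match "CONNECT"
 *       (the pattern lies within the first 4 bytes of the method).
 */
static int DetectEngineHttpMethodTest02(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:\"CO\"; depth:4; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}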
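/**
 * \test http_method: negated content:!"ECT" with depth:4 must match
 *       "CONNECT" ("ECT" is not within the first 4 bytes).
 */
static int DetectEngineHttpMethodTest03(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:!\"ECT\"; depth:4; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}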
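/**
 * \test http_method: content:"ECT" with depth:4 must NOT match "CONNECT"
 *       ("ECT" starts beyond the first 4 bytes).
 */
static int DetectEngineHttpMethodTest04(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:\"ECT\"; depth:4; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}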
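/**
 * \test http_method: negated content:!"CON" with depth:4 must NOT match
 *       "CONNECT" ("CON" is within the first 4 bytes).
 */
static int DetectEngineHttpMethodTest05(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:!\"CON\"; depth:4; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}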
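/**
 * \test http_method: content:"ECT" with offset:3 must match "CONNECT"
 *       ("ECT" lies at or after byte 3).
 */
static int DetectEngineHttpMethodTest06(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:\"ECT\"; offset:3; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}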
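/**
 * \test http_method: negated content:!"CO" with offset:3 must match
 *       "CONNECT" ("CO" does not occur at or after byte 3).
 */
static int DetectEngineHttpMethodTest07(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:!\"CO\"; offset:3; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}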
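/**
 * \test http_method: negated content:!"ECT" with offset:3 must NOT match
 *       "CONNECT" ("ECT" does occur at or after byte 3).
 */
static int DetectEngineHttpMethodTest08(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:!\"ECT\"; offset:3; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}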
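/**
 * \test http_method: content:"CON" with offset:3 must NOT match "CONNECT"
 *       ("CON" only occurs before byte 3).
 */
static int DetectEngineHttpMethodTest09(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:\"CON\"; offset:3; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}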
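/**
 * \test http_method: "CO" followed by "EC" within:4 must match "CONNECT"
 *       ("EC" falls inside the 4 bytes after "CO").
 */
static int DetectEngineHttpMethodTest10(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:\"CO\"; http_method; "
                               "content:\"EC\"; within:4; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}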
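/**
 * \test http_method: "CO" followed by negated !"EC" within:3 must match
 *       "CONNECT" ("EC" is not inside the 3 bytes after "CO").
 */
static int DetectEngineHttpMethodTest11(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:\"CO\"; http_method; "
                               "content:!\"EC\"; within:3; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}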
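/**
 * \test http_method: "CO" followed by "EC" within:3 must NOT match
 *       "CONNECT" ("EC" ends outside the 3 bytes after "CO").
 */
static int DetectEngineHttpMethodTest12(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:\"CO\"; http_method; "
                               "content:\"EC\"; within:3; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}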
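/**
 * \test http_method: "CO" followed by negated !"EC" within:4 must NOT
 *       match "CONNECT" ("EC" does fall inside the 4 bytes after "CO").
 */
static int DetectEngineHttpMethodTest13(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:\"CO\"; http_method; "
                               "content:!\"EC\"; within:4; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 matched but shouldn't have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}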
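/**
 * \test http_method: "CO" followed by "EC" distance:2 must match "CONNECT"
 *       ("EC" starts at least 2 bytes after the end of "CO").
 */
static int DetectEngineHttpMethodTest14(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Flow f;
    uint8_t http_buf[] =
        "CONNECT /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config come first so the cleanup path is valid
     * from every point at which we may bail out below */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build packet: ");
        goto end;
    }
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:\"CO\"; http_method; "
                               "content:\"EC\"; distance:2; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("signature failed to parse: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    if (f.alstate == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread ctx was leaked before; release it ahead of the engine
     * ctx it was created from */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}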
- /**
- * \test Test that the http_method content matches against a http request
- * which holds the content.
- */
- static int DetectEngineHttpMethodTest15(void)
- {
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "CONNECT /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
- StreamTcpInitConfig(TRUE);
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"CO\"; http_method; "
- "content:!\"EC\"; distance:3; http_method; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
- int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- goto end;
- }
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (!PacketAlertCheck(p, 1)) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
- result = 1;
- end:
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
- }
- /**
- * \test Test that the http_method content matches against a http request
- * which holds the content.
- */
- static int DetectEngineHttpMethodTest16(void)
- {
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "CONNECT /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
- StreamTcpInitConfig(TRUE);
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"CO\"; http_method; "
- "content:\"EC\"; distance:3; http_method; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
- int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- goto end;
- }
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, 1)) {
- printf("sid 1 matched but shouldn't have: ");
- goto end;
- }
- result = 1;
- end:
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
- }
- /**
- * \test Test that the http_method content matches against a http request
- * which holds the content.
- */
- static int DetectEngineHttpMethodTest17(void)
- {
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "CONNECT /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
- StreamTcpInitConfig(TRUE);
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"CO\"; http_method; "
- "content:!\"EC\"; distance:2; http_method; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
- int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- goto end;
- }
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, 1)) {
- printf("sid 1 matched but shouldn't have: ");
- goto end;
- }
- result = 1;
- end:
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
- }
- #endif /* UNITTESTS */
/**
 * \brief Register the http_method detection-engine unit tests with the
 *        unittest runner, in numeric order.
 *
 * Compiles to an empty function when UNITTESTS is not defined.
 */
void DetectEngineHttpMethodRegisterTests(void)
{
#ifdef UNITTESTS
    static const struct {
        char *name;
        int (*func)(void);
    } tests[] = {
        { "DetectEngineHttpMethodTest01", DetectEngineHttpMethodTest01 },
        { "DetectEngineHttpMethodTest02", DetectEngineHttpMethodTest02 },
        { "DetectEngineHttpMethodTest03", DetectEngineHttpMethodTest03 },
        { "DetectEngineHttpMethodTest04", DetectEngineHttpMethodTest04 },
        { "DetectEngineHttpMethodTest05", DetectEngineHttpMethodTest05 },
        { "DetectEngineHttpMethodTest06", DetectEngineHttpMethodTest06 },
        { "DetectEngineHttpMethodTest07", DetectEngineHttpMethodTest07 },
        { "DetectEngineHttpMethodTest08", DetectEngineHttpMethodTest08 },
        { "DetectEngineHttpMethodTest09", DetectEngineHttpMethodTest09 },
        { "DetectEngineHttpMethodTest10", DetectEngineHttpMethodTest10 },
        { "DetectEngineHttpMethodTest11", DetectEngineHttpMethodTest11 },
        { "DetectEngineHttpMethodTest12", DetectEngineHttpMethodTest12 },
        { "DetectEngineHttpMethodTest13", DetectEngineHttpMethodTest13 },
        { "DetectEngineHttpMethodTest14", DetectEngineHttpMethodTest14 },
        { "DetectEngineHttpMethodTest15", DetectEngineHttpMethodTest15 },
        { "DetectEngineHttpMethodTest16", DetectEngineHttpMethodTest16 },
        { "DetectEngineHttpMethodTest17", DetectEngineHttpMethodTest17 },
    };

    /* every test is expected to return 1 on success */
    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].func, 1);
    }
#endif /* UNITTESTS */
}
- /**
- * @}
- */