/src/detect-engine-uri.c

https://github.com/decanio/suricata-tilera · C · 3897 lines · 3009 code · 744 blank · 144 comment · 656 complexity · 33c718194613c083cfdf1a14767e0850 MD5 · raw file

Large files are truncated click here to view the full file

  1. /* Copyright (C) 2007-2010 Open Information Security Foundation
  2. *
  3. * You can copy, redistribute or modify this Program under the terms of
  4. * the GNU General Public License version 2 as published by the Free
  5. * Software Foundation.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * version 2 along with this program; if not, write to the Free Software
  14. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  15. * 02110-1301, USA.
  16. */
  17. /** \file
  18. *
  19. * \author Victor Julien <victor@inliniac.net>
  20. * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
  21. *
  22. * Based on detect-engine-uri.c
  23. */
  24. #include "suricata-common.h"
  25. #include "suricata.h"
  26. #include "decode.h"
  27. #include "detect.h"
  28. #include "detect-engine.h"
  29. #include "detect-parse.h"
  30. #include "detect-engine-state.h"
  31. #include "detect-engine-content-inspection.h"
  32. #include "flow-util.h"
  33. #include "util-debug.h"
  34. #include "util-print.h"
  35. #include "flow.h"
  36. #include "app-layer-parser.h"
  37. #include "util-unittest.h"
  38. #include "util-unittest-helper.h"
  39. #include "app-layer.h"
  40. #include "app-layer-htp.h"
  41. #include "app-layer-protos.h"
  42. /** \brief Do the content inspection & validation for a signature
  43. *
  44. * \param de_ctx Detection engine context
  45. * \param det_ctx Detection engine thread context
  46. * \param s Signature to inspect
  47. * \param sm SigMatch to inspect
  48. * \param f Flow
  49. * \param flags app layer flags
  50. * \param state App layer state
  51. *
  52. * \retval 0 no match
  53. * \retval 1 match
  54. */
  55. int DetectEngineInspectPacketUris(ThreadVars *tv,
  56. DetectEngineCtx *de_ctx,
  57. DetectEngineThreadCtx *det_ctx,
  58. Signature *s, Flow *f, uint8_t flags,
  59. void *alstate, int tx_id)
  60. {
  61. HtpState *htp_state = (HtpState *)alstate;
  62. htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id);
  63. if (tx == NULL || tx->request_uri_normalized == NULL)
  64. return 0;
  65. det_ctx->discontinue_matching = 0;
  66. det_ctx->buffer_offset = 0;
  67. det_ctx->inspection_recursion_counter = 0;
  68. //PrintRawDataFp(stdout, (uint8_t *)bstr_ptr(tx->request_uri_normalized),
  69. // bstr_len(tx->request_uri_normalized));
  70. /* Inspect all the uricontents fetched on each
  71. * transaction at the app layer */
  72. int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_UMATCH],
  73. f,
  74. (uint8_t *)bstr_ptr(tx->request_uri_normalized),
  75. bstr_len(tx->request_uri_normalized),
  76. DETECT_ENGINE_CONTENT_INSPECTION_MODE_URI, NULL);
  77. if (r == 1) {
  78. return 1;
  79. }
  80. return 0;
  81. }
  82. /***********************************Unittests**********************************/
  83. #ifdef UNITTESTS
  84. /** \test Test a simple uricontent option */
  85. static int UriTestSig01(void)
  86. {
  87. int result = 0;
  88. Flow f;
  89. HtpState *http_state = NULL;
  90. uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
  91. "User-Agent: Mozilla/1.0\r\n"
  92. "Cookie: hellocatch\r\n\r\n";
  93. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  94. uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
  95. "User-Agent: Mozilla/1.0\r\n"
  96. "Cookie: hellocatch\r\n\r\n";
  97. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  98. TcpSession ssn;
  99. Packet *p = NULL;
  100. Signature *s = NULL;
  101. ThreadVars tv;
  102. DetectEngineThreadCtx *det_ctx = NULL;
  103. memset(&tv, 0, sizeof(ThreadVars));
  104. memset(&f, 0, sizeof(Flow));
  105. memset(&ssn, 0, sizeof(TcpSession));
  106. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  107. FLOW_INITIALIZE(&f);
  108. f.protoctx = (void *)&ssn;
  109. f.flags |= FLOW_IPV4;
  110. p->flow = &f;
  111. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  112. p->flowflags |= FLOW_PKT_TOSERVER;
  113. p->flowflags |= FLOW_PKT_ESTABLISHED;
  114. f.alproto = ALPROTO_HTTP;
  115. StreamTcpInitConfig(TRUE);
  116. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  117. if (de_ctx == NULL) {
  118. goto end;
  119. }
  120. de_ctx->mpm_matcher = MPM_B2G;
  121. de_ctx->flags |= DE_QUIET;
  122. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  123. "(msg:\"Test uricontent option\"; "
  124. "uricontent:\"one\"; sid:1;)");
  125. if (s == NULL) {
  126. goto end;
  127. }
  128. SigGroupBuild(de_ctx);
  129. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  130. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  131. if (r != 0) {
  132. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  133. goto end;
  134. }
  135. http_state = f.alstate;
  136. if (http_state == NULL) {
  137. printf("no http state: ");
  138. goto end;
  139. }
  140. /* do detect */
  141. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  142. if (!PacketAlertCheck(p, 1)) {
  143. printf("sig 1 alerted, but it should not: ");
  144. goto end;
  145. }
  146. DetectEngineStateReset(f.de_state);
  147. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  148. if (r != 0) {
  149. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  150. goto end;
  151. }
  152. http_state = f.alstate;
  153. if (http_state == NULL) {
  154. printf("no http state: ");
  155. goto end;
  156. }
  157. if (!PacketAlertCheck(p, 1)) {
  158. printf("sig 1 alerted, but it should not: ");
  159. goto end;
  160. }
  161. /* do detect */
  162. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  163. result = 1;
  164. end:
  165. if (det_ctx != NULL)
  166. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  167. if (de_ctx != NULL)
  168. SigGroupCleanup(de_ctx);
  169. if (de_ctx != NULL)
  170. DetectEngineCtxFree(de_ctx);
  171. StreamTcpFreeConfig(TRUE);
  172. FLOW_DESTROY(&f);
  173. UTHFreePacket(p);
  174. return result;
  175. }
  176. /** \test Test the pcre /U option */
  177. static int UriTestSig02(void)
  178. {
  179. int result = 0;
  180. Flow f;
  181. HtpState *http_state = NULL;
  182. uint8_t http_buf1[] = "POST /on HTTP/1.0\r\n"
  183. "User-Agent: Mozilla/1.0\r\n"
  184. "Cookie: hellocatch\r\n\r\n";
  185. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  186. uint8_t http_buf2[] = "POST /one HTTP/1.0\r\n"
  187. "User-Agent: Mozilla/1.0\r\n"
  188. "Cookie: hellocatch\r\n\r\n";
  189. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  190. TcpSession ssn;
  191. Packet *p = NULL;
  192. Signature *s = NULL;
  193. ThreadVars tv;
  194. DetectEngineThreadCtx *det_ctx = NULL;
  195. memset(&tv, 0, sizeof(ThreadVars));
  196. memset(&f, 0, sizeof(Flow));
  197. memset(&ssn, 0, sizeof(TcpSession));
  198. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  199. FLOW_INITIALIZE(&f);
  200. f.protoctx = (void *)&ssn;
  201. f.flags |= FLOW_IPV4;
  202. p->flow = &f;
  203. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  204. p->flowflags |= FLOW_PKT_TOSERVER;
  205. p->flowflags |= FLOW_PKT_ESTABLISHED;
  206. f.alproto = ALPROTO_HTTP;
  207. StreamTcpInitConfig(TRUE);
  208. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  209. if (de_ctx == NULL) {
  210. goto end;
  211. }
  212. de_ctx->mpm_matcher = MPM_B2G;
  213. de_ctx->flags |= DE_QUIET;
  214. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  215. "(msg:\"Test pcre /U option\"; "
  216. "pcre:/one/U; sid:1;)");
  217. if (s == NULL) {
  218. goto end;
  219. }
  220. SigGroupBuild(de_ctx);
  221. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  222. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  223. if (r != 0) {
  224. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  225. goto end;
  226. }
  227. http_state = f.alstate;
  228. if (http_state == NULL) {
  229. printf("no http state: ");
  230. goto end;
  231. }
  232. /* do detect */
  233. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  234. if (PacketAlertCheck(p, 1)) {
  235. printf("sig 1 alerted with payload2, but it should not: ");
  236. goto end;
  237. }
  238. DetectEngineStateReset(f.de_state);
  239. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  240. if (r != 0) {
  241. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  242. goto end;
  243. }
  244. http_state = f.alstate;
  245. if (http_state == NULL) {
  246. printf("no http state: ");
  247. goto end;
  248. }
  249. /* do detect */
  250. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  251. if (!PacketAlertCheck(p, 1)) {
  252. printf("sig 1 didnt alert, but it should: ");
  253. goto end;
  254. }
  255. result = 1;
  256. end:
  257. if (det_ctx != NULL)
  258. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  259. if (de_ctx != NULL)
  260. SigGroupCleanup(de_ctx);
  261. if (de_ctx != NULL)
  262. DetectEngineCtxFree(de_ctx);
  263. StreamTcpFreeConfig(TRUE);
  264. FLOW_DESTROY(&f);
  265. UTHFreePacket(p);
  266. return result;
  267. }
  268. /** \test Test the pcre /U option */
  269. static int UriTestSig03(void)
  270. {
  271. int result = 0;
  272. Flow f;
  273. HtpState *http_state = NULL;
  274. uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
  275. "User-Agent: Mozilla/1.0\r\n"
  276. "Cookie: hellocatch\r\n\r\n";
  277. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  278. uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
  279. "User-Agent: Mozilla/1.0\r\n"
  280. "Cookie: hellocatch\r\n\r\n";
  281. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  282. TcpSession ssn;
  283. Packet *p = NULL;
  284. Signature *s = NULL;
  285. ThreadVars tv;
  286. DetectEngineThreadCtx *det_ctx = NULL;
  287. memset(&tv, 0, sizeof(ThreadVars));
  288. memset(&f, 0, sizeof(Flow));
  289. memset(&ssn, 0, sizeof(TcpSession));
  290. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  291. FLOW_INITIALIZE(&f);
  292. f.protoctx = (void *)&ssn;
  293. f.flags |= FLOW_IPV4;
  294. p->flow = &f;
  295. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  296. p->flowflags |= FLOW_PKT_TOSERVER;
  297. p->flowflags |= FLOW_PKT_ESTABLISHED;
  298. f.alproto = ALPROTO_HTTP;
  299. StreamTcpInitConfig(TRUE);
  300. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  301. if (de_ctx == NULL) {
  302. goto end;
  303. }
  304. de_ctx->mpm_matcher = MPM_B2G;
  305. de_ctx->flags |= DE_QUIET;
  306. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  307. "(msg:\"Test pcre /U option\"; "
  308. "pcre:/blah/U; sid:1;)");
  309. if (s == NULL) {
  310. goto end;
  311. }
  312. SigGroupBuild(de_ctx);
  313. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  314. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  315. if (r != 0) {
  316. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  317. goto end;
  318. }
  319. http_state = f.alstate;
  320. if (http_state == NULL) {
  321. printf("no http state: ");
  322. goto end;
  323. }
  324. /* do detect */
  325. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  326. if (PacketAlertCheck(p, 1)) {
  327. printf("sig 1 alerted, but it should not: ");
  328. goto end;
  329. }
  330. DetectEngineStateReset(f.de_state);
  331. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  332. if (r != 0) {
  333. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  334. goto end;
  335. }
  336. http_state = f.alstate;
  337. if (http_state == NULL) {
  338. printf("no http state: ");
  339. goto end;
  340. }
  341. /* do detect */
  342. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  343. if (PacketAlertCheck(p, 1)) {
  344. printf("sig 1 alerted, but it should not: ");
  345. goto end;
  346. }
  347. result = 1;
  348. end:
  349. if (det_ctx != NULL)
  350. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  351. if (de_ctx != NULL)
  352. SigGroupCleanup(de_ctx);
  353. if (de_ctx != NULL)
  354. DetectEngineCtxFree(de_ctx);
  355. StreamTcpFreeConfig(TRUE);
  356. FLOW_DESTROY(&f);
  357. UTHFreePacket(p);
  358. return result;
  359. }
  360. /** \test Test the urilen option */
  361. static int UriTestSig04(void)
  362. {
  363. int result = 0;
  364. Flow f;
  365. HtpState *http_state = NULL;
  366. uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
  367. "User-Agent: Mozilla/1.0\r\n"
  368. "Cookie: hellocatch\r\n\r\n";
  369. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  370. uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
  371. "User-Agent: Mozilla/1.0\r\n"
  372. "Cookie: hellocatch\r\n\r\n";
  373. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  374. TcpSession ssn;
  375. Packet *p = NULL;
  376. Signature *s = NULL;
  377. ThreadVars tv;
  378. DetectEngineThreadCtx *det_ctx = NULL;
  379. memset(&tv, 0, sizeof(ThreadVars));
  380. memset(&f, 0, sizeof(Flow));
  381. memset(&ssn, 0, sizeof(TcpSession));
  382. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  383. FLOW_INITIALIZE(&f);
  384. f.protoctx = (void *)&ssn;
  385. f.flags |= FLOW_IPV4;
  386. p->flow = &f;
  387. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  388. p->flowflags |= FLOW_PKT_TOSERVER;
  389. p->flowflags |= FLOW_PKT_ESTABLISHED;
  390. f.alproto = ALPROTO_HTTP;
  391. StreamTcpInitConfig(TRUE);
  392. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  393. if (de_ctx == NULL) {
  394. goto end;
  395. }
  396. de_ctx->mpm_matcher = MPM_B2G;
  397. de_ctx->flags |= DE_QUIET;
  398. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  399. "(msg:\"Test urilen option\"; "
  400. "urilen:>20; sid:1;)");
  401. if (s == NULL) {
  402. goto end;
  403. }
  404. SigGroupBuild(de_ctx);
  405. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  406. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  407. if (r != 0) {
  408. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  409. goto end;
  410. }
  411. http_state = f.alstate;
  412. if (http_state == NULL) {
  413. printf("no http state: ");
  414. goto end;
  415. }
  416. /* do detect */
  417. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  418. if (PacketAlertCheck(p, 1)) {
  419. printf("sig 1 alerted, but it should not: ");
  420. goto end;
  421. }
  422. DetectEngineStateReset(f.de_state);
  423. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  424. if (r != 0) {
  425. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  426. goto end;
  427. }
  428. http_state = f.alstate;
  429. if (http_state == NULL) {
  430. printf("no http state: ");
  431. goto end;
  432. }
  433. /* do detect */
  434. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  435. if (PacketAlertCheck(p, 1)) {
  436. printf("sig 1 alerted, but it should not: ");
  437. goto end;
  438. }
  439. result = 1;
  440. end:
  441. if (det_ctx != NULL)
  442. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  443. if (de_ctx != NULL)
  444. SigGroupCleanup(de_ctx);
  445. if (de_ctx != NULL)
  446. DetectEngineCtxFree(de_ctx);
  447. StreamTcpFreeConfig(TRUE);
  448. FLOW_DESTROY(&f);
  449. UTHFreePacket(p);
  450. return result;
  451. }
  452. /** \test Test the urilen option */
  453. static int UriTestSig05(void)
  454. {
  455. int result = 0;
  456. Flow f;
  457. HtpState *http_state = NULL;
  458. uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
  459. "User-Agent: Mozilla/1.0\r\n"
  460. "Cookie: hellocatch\r\n\r\n";
  461. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  462. uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
  463. "User-Agent: Mozilla/1.0\r\n"
  464. "Cookie: hellocatch\r\n\r\n";
  465. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  466. TcpSession ssn;
  467. Packet *p = NULL;
  468. Signature *s = NULL;
  469. ThreadVars tv;
  470. DetectEngineThreadCtx *det_ctx = NULL;
  471. memset(&tv, 0, sizeof(ThreadVars));
  472. memset(&f, 0, sizeof(Flow));
  473. memset(&ssn, 0, sizeof(TcpSession));
  474. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  475. FLOW_INITIALIZE(&f);
  476. f.protoctx = (void *)&ssn;
  477. f.flags |= FLOW_IPV4;
  478. p->flow = &f;
  479. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  480. p->flowflags |= FLOW_PKT_TOSERVER;
  481. p->flowflags |= FLOW_PKT_ESTABLISHED;
  482. f.alproto = ALPROTO_HTTP;
  483. StreamTcpInitConfig(TRUE);
  484. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  485. if (de_ctx == NULL) {
  486. goto end;
  487. }
  488. de_ctx->mpm_matcher = MPM_B2G;
  489. de_ctx->flags |= DE_QUIET;
  490. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  491. "(msg:\"Test urilen option\"; "
  492. "urilen:>4; sid:1;)");
  493. if (s == NULL) {
  494. goto end;
  495. }
  496. SigGroupBuild(de_ctx);
  497. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  498. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  499. if (r != 0) {
  500. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  501. goto end;
  502. }
  503. http_state = f.alstate;
  504. if (http_state == NULL) {
  505. printf("no http state: ");
  506. goto end;
  507. }
  508. /* do detect */
  509. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  510. if (PacketAlertCheck(p, 1)) {
  511. printf("sig 1 alerted, but it should not: ");
  512. goto end;
  513. }
  514. DetectEngineStateReset(f.de_state);
  515. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  516. if (r != 0) {
  517. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  518. goto end;
  519. }
  520. http_state = f.alstate;
  521. if (http_state == NULL) {
  522. printf("no http state: ");
  523. goto end;
  524. }
  525. /* do detect */
  526. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  527. if (!PacketAlertCheck(p, 1)) {
  528. printf("sig 1 didnt alert with payload2, but it should: ");
  529. goto end;
  530. }
  531. result = 1;
  532. end:
  533. if (det_ctx != NULL)
  534. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  535. if (de_ctx != NULL)
  536. SigGroupCleanup(de_ctx);
  537. if (de_ctx != NULL)
  538. DetectEngineCtxFree(de_ctx);
  539. StreamTcpFreeConfig(TRUE);
  540. FLOW_DESTROY(&f);
  541. UTHFreePacket(p);
  542. return result;
  543. }
  544. /** \test Test the pcre /U option */
  545. static int UriTestSig06(void)
  546. {
  547. int result = 0;
  548. Flow f;
  549. HtpState *http_state = NULL;
  550. uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
  551. "User-Agent: Mozilla/1.0\r\n"
  552. "Cookie: hellocatch\r\n\r\n";
  553. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  554. uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
  555. "User-Agent: Mozilla/1.0\r\n"
  556. "Cookie: hellocatch\r\n\r\n";
  557. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  558. TcpSession ssn;
  559. Packet *p = NULL;
  560. Signature *s = NULL;
  561. ThreadVars tv;
  562. DetectEngineThreadCtx *det_ctx = NULL;
  563. memset(&tv, 0, sizeof(ThreadVars));
  564. memset(&f, 0, sizeof(Flow));
  565. memset(&ssn, 0, sizeof(TcpSession));
  566. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  567. FLOW_INITIALIZE(&f);
  568. f.protoctx = (void *)&ssn;
  569. f.flags |= FLOW_IPV4;
  570. p->flow = &f;
  571. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  572. p->flowflags |= FLOW_PKT_TOSERVER;
  573. p->flowflags |= FLOW_PKT_ESTABLISHED;
  574. f.alproto = ALPROTO_HTTP;
  575. StreamTcpInitConfig(TRUE);
  576. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  577. if (de_ctx == NULL) {
  578. goto end;
  579. }
  580. de_ctx->mpm_matcher = MPM_B2G;
  581. de_ctx->flags |= DE_QUIET;
  582. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  583. "(msg:\"Test pcre /U option\"; "
  584. "pcre:/(oneself)+/U; sid:1;)");
  585. if (s == NULL) {
  586. goto end;
  587. }
  588. SigGroupBuild(de_ctx);
  589. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  590. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  591. if (r != 0) {
  592. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  593. goto end;
  594. }
  595. http_state = f.alstate;
  596. if (http_state == NULL) {
  597. printf("no http state: ");
  598. goto end;
  599. }
  600. /* do detect */
  601. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  602. if (PacketAlertCheck(p, 1)) {
  603. printf("sig 1 alerted, but it should not: ");
  604. goto end;
  605. }
  606. DetectEngineStateReset(f.de_state);
  607. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  608. if (r != 0) {
  609. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  610. goto end;
  611. }
  612. http_state = f.alstate;
  613. if (http_state == NULL) {
  614. printf("no http state: ");
  615. goto end;
  616. }
  617. /* do detect */
  618. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  619. if (!PacketAlertCheck(p, 1)) {
  620. printf("sig 1 didnt alert on payload2, but it should: ");
  621. goto end;
  622. }
  623. result = 1;
  624. end:
  625. if (det_ctx != NULL)
  626. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  627. if (de_ctx != NULL)
  628. SigGroupCleanup(de_ctx);
  629. if (de_ctx != NULL)
  630. DetectEngineCtxFree(de_ctx);
  631. StreamTcpFreeConfig(TRUE);
  632. FLOW_DESTROY(&f);
  633. UTHFreePacket(p);
  634. return result;
  635. }
  636. /** \test Test the pcre /U option in combination with urilen */
  637. static int UriTestSig07(void)
  638. {
  639. int result = 0;
  640. Flow f;
  641. HtpState *http_state = NULL;
  642. uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
  643. "User-Agent: Mozilla/1.0\r\n"
  644. "Cookie: hellocatch\r\n\r\n";
  645. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  646. uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
  647. "User-Agent: Mozilla/1.0\r\n"
  648. "Cookie: hellocatch\r\n\r\n";
  649. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  650. TcpSession ssn;
  651. Packet *p = NULL;
  652. Signature *s = NULL;
  653. ThreadVars tv;
  654. DetectEngineThreadCtx *det_ctx = NULL;
  655. memset(&tv, 0, sizeof(ThreadVars));
  656. memset(&f, 0, sizeof(Flow));
  657. memset(&ssn, 0, sizeof(TcpSession));
  658. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  659. FLOW_INITIALIZE(&f);
  660. f.protoctx = (void *)&ssn;
  661. f.flags |= FLOW_IPV4;
  662. p->flow = &f;
  663. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  664. p->flowflags |= FLOW_PKT_TOSERVER;
  665. p->flowflags |= FLOW_PKT_ESTABLISHED;
  666. f.alproto = ALPROTO_HTTP;
  667. StreamTcpInitConfig(TRUE);
  668. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  669. if (de_ctx == NULL) {
  670. goto end;
  671. }
  672. de_ctx->mpm_matcher = MPM_B2G;
  673. de_ctx->flags |= DE_QUIET;
  674. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  675. "(msg:\"Test pcre /U option with urilen \"; "
  676. "pcre:/(one){2,}(self)?/U; urilen:3<>20; sid:1;)");
  677. if (s == NULL) {
  678. goto end;
  679. }
  680. SigGroupBuild(de_ctx);
  681. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  682. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  683. if (r != 0) {
  684. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  685. goto end;
  686. }
  687. http_state = f.alstate;
  688. if (http_state == NULL) {
  689. printf("no http state: ");
  690. goto end;
  691. }
  692. /* do detect */
  693. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  694. if (!PacketAlertCheck(p, 1)) {
  695. printf("sig 1 didnt alert, but it should: ");
  696. goto end;
  697. }
  698. DetectEngineStateReset(f.de_state);
  699. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  700. if (r != 0) {
  701. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  702. goto end;
  703. }
  704. http_state = f.alstate;
  705. if (http_state == NULL) {
  706. printf("no http state: ");
  707. goto end;
  708. }
  709. /* do detect */
  710. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  711. if (!PacketAlertCheck(p, 1)) {
  712. printf("sig 1 didnt alert with payload2, but it should: ");
  713. goto end;
  714. }
  715. result = 1;
  716. end:
  717. if (det_ctx != NULL)
  718. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  719. if (de_ctx != NULL)
  720. SigGroupCleanup(de_ctx);
  721. if (de_ctx != NULL)
  722. DetectEngineCtxFree(de_ctx);
  723. StreamTcpFreeConfig(TRUE);
  724. FLOW_DESTROY(&f);
  725. UTHFreePacket(p);
  726. return result;
  727. }
  728. /** \test Test the pcre /U option in combination with urilen */
  729. static int UriTestSig08(void)
  730. {
  731. int result = 0;
  732. Flow f;
  733. HtpState *http_state = NULL;
  734. uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
  735. "User-Agent: Mozilla/1.0\r\n"
  736. "Cookie: hellocatch\r\n\r\n";
  737. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  738. uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
  739. "User-Agent: Mozilla/1.0\r\n"
  740. "Cookie: hellocatch\r\n\r\n";
  741. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  742. TcpSession ssn;
  743. Packet *p = NULL;
  744. Signature *s = NULL;
  745. ThreadVars tv;
  746. DetectEngineThreadCtx *det_ctx = NULL;
  747. memset(&tv, 0, sizeof(ThreadVars));
  748. memset(&f, 0, sizeof(Flow));
  749. memset(&ssn, 0, sizeof(TcpSession));
  750. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  751. FLOW_INITIALIZE(&f);
  752. f.protoctx = (void *)&ssn;
  753. f.flags |= FLOW_IPV4;
  754. p->flow = &f;
  755. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  756. p->flowflags |= FLOW_PKT_TOSERVER;
  757. p->flowflags |= FLOW_PKT_ESTABLISHED;
  758. f.alproto = ALPROTO_HTTP;
  759. StreamTcpInitConfig(TRUE);
  760. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  761. if (de_ctx == NULL) {
  762. goto end;
  763. }
  764. de_ctx->mpm_matcher = MPM_B2G;
  765. de_ctx->flags |= DE_QUIET;
  766. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  767. "(msg:\"Test pcre /U option with urilen\"; "
  768. "pcre:/(blabla){2,}(self)?/U; urilen:3<>20; sid:1;)");
  769. if (s == NULL) {
  770. goto end;
  771. }
  772. SigGroupBuild(de_ctx);
  773. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  774. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  775. if (r != 0) {
  776. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  777. goto end;
  778. }
  779. http_state = f.alstate;
  780. if (http_state == NULL) {
  781. printf("no http state: ");
  782. goto end;
  783. }
  784. /* do detect */
  785. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  786. if (PacketAlertCheck(p, 1)) {
  787. printf("sig 1 alerted, but it should not: ");
  788. goto end;
  789. }
  790. DetectEngineStateReset(f.de_state);
  791. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  792. if (r != 0) {
  793. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  794. goto end;
  795. }
  796. http_state = f.alstate;
  797. if (http_state == NULL) {
  798. printf("no http state: ");
  799. goto end;
  800. }
  801. /* do detect */
  802. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  803. if (PacketAlertCheck(p, 1)) {
  804. printf("sig 1 alerted, but it should not: ");
  805. goto end;
  806. }
  807. result = 1;
  808. end:
  809. if (det_ctx != NULL)
  810. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  811. if (de_ctx != NULL)
  812. SigGroupCleanup(de_ctx);
  813. if (de_ctx != NULL)
  814. DetectEngineCtxFree(de_ctx);
  815. StreamTcpFreeConfig(TRUE);
  816. FLOW_DESTROY(&f);
  817. UTHFreePacket(p);
  818. return result;
  819. }
  820. /** \test Test the pcre /U option in combination with urilen */
  821. static int UriTestSig09(void)
  822. {
  823. int result = 0;
  824. Flow f;
  825. HtpState *http_state = NULL;
  826. uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
  827. "User-Agent: Mozilla/1.0\r\n"
  828. "Cookie: hellocatch\r\n\r\n";
  829. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  830. uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
  831. "User-Agent: Mozilla/1.0\r\n"
  832. "Cookie: hellocatch\r\n\r\n";
  833. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  834. TcpSession ssn;
  835. Packet *p = NULL;
  836. Signature *s = NULL;
  837. ThreadVars tv;
  838. DetectEngineThreadCtx *det_ctx = NULL;
  839. memset(&tv, 0, sizeof(ThreadVars));
  840. memset(&f, 0, sizeof(Flow));
  841. memset(&ssn, 0, sizeof(TcpSession));
  842. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  843. FLOW_INITIALIZE(&f);
  844. f.protoctx = (void *)&ssn;
  845. f.flags |= FLOW_IPV4;
  846. p->flow = &f;
  847. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  848. p->flowflags |= FLOW_PKT_TOSERVER;
  849. p->flowflags |= FLOW_PKT_ESTABLISHED;
  850. f.alproto = ALPROTO_HTTP;
  851. StreamTcpInitConfig(TRUE);
  852. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  853. if (de_ctx == NULL) {
  854. goto end;
  855. }
  856. de_ctx->mpm_matcher = MPM_B2G;
  857. de_ctx->flags |= DE_QUIET;
  858. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  859. "(msg:\"Test pcre /U option with urilen \"; "
  860. "pcre:/(one){2,}(self)?/U; urilen:<2; sid:1;)");
  861. if (s == NULL) {
  862. goto end;
  863. }
  864. SigGroupBuild(de_ctx);
  865. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  866. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  867. if (r != 0) {
  868. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  869. goto end;
  870. }
  871. http_state = f.alstate;
  872. if (http_state == NULL) {
  873. printf("no http state: ");
  874. goto end;
  875. }
  876. /* do detect */
  877. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  878. if (PacketAlertCheck(p, 1)) {
  879. printf("sig 1 alerted, but it should not: ");
  880. goto end;
  881. }
  882. DetectEngineStateReset(f.de_state);
  883. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  884. if (r != 0) {
  885. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  886. goto end;
  887. }
  888. http_state = f.alstate;
  889. if (http_state == NULL) {
  890. printf("no http state: ");
  891. goto end;
  892. }
  893. /* do detect */
  894. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  895. if (PacketAlertCheck(p, 1)) {
  896. printf("sig 1 alerted, but it should not: ");
  897. goto end;
  898. }
  899. result = 1;
  900. end:
  901. if (det_ctx != NULL)
  902. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  903. if (de_ctx != NULL)
  904. SigGroupCleanup(de_ctx);
  905. if (de_ctx != NULL)
  906. DetectEngineCtxFree(de_ctx);
  907. StreamTcpFreeConfig(TRUE);
  908. FLOW_DESTROY(&f);
  909. UTHFreePacket(p);
  910. return result;
  911. }
  912. /** \test Test the uricontent option in combination with urilen */
  913. static int UriTestSig10(void)
  914. {
  915. int result = 0;
  916. Flow f;
  917. HtpState *http_state = NULL;
  918. uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
  919. "User-Agent: Mozilla/1.0\r\n"
  920. "Cookie: hellocatch\r\n\r\n";
  921. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  922. uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
  923. "User-Agent: Mozilla/1.0\r\n"
  924. "Cookie: hellocatch\r\n\r\n";
  925. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  926. TcpSession ssn;
  927. Packet *p = NULL;
  928. Signature *s = NULL;
  929. ThreadVars tv;
  930. DetectEngineThreadCtx *det_ctx = NULL;
  931. memset(&tv, 0, sizeof(ThreadVars));
  932. memset(&f, 0, sizeof(Flow));
  933. memset(&ssn, 0, sizeof(TcpSession));
  934. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  935. FLOW_INITIALIZE(&f);
  936. f.protoctx = (void *)&ssn;
  937. f.flags |= FLOW_IPV4;
  938. p->flow = &f;
  939. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  940. p->flowflags |= FLOW_PKT_TOSERVER;
  941. p->flowflags |= FLOW_PKT_ESTABLISHED;
  942. f.alproto = ALPROTO_HTTP;
  943. StreamTcpInitConfig(TRUE);
  944. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  945. if (de_ctx == NULL) {
  946. goto end;
  947. }
  948. de_ctx->mpm_matcher = MPM_B2G;
  949. de_ctx->flags |= DE_QUIET;
  950. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  951. "(msg:\"Test uricontent with urilen option\"; "
  952. "uricontent:\"one\"; urilen:<2; sid:1;)");
  953. if (s == NULL) {
  954. goto end;
  955. }
  956. SigGroupBuild(de_ctx);
  957. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  958. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  959. if (r != 0) {
  960. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  961. goto end;
  962. }
  963. http_state = f.alstate;
  964. if (http_state == NULL) {
  965. printf("no http state: ");
  966. goto end;
  967. }
  968. /* do detect */
  969. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  970. if (PacketAlertCheck(p, 1)) {
  971. printf("sig 1 alerted, but it should not: ");
  972. goto end;
  973. }
  974. DetectEngineStateReset(f.de_state);
  975. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  976. if (r != 0) {
  977. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  978. goto end;
  979. }
  980. http_state = f.alstate;
  981. if (http_state == NULL) {
  982. printf("no http state: ");
  983. goto end;
  984. }
  985. /* do detect */
  986. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  987. if (PacketAlertCheck(p, 1)) {
  988. printf("sig 1 alerted, but it should not: ");
  989. goto end;
  990. }
  991. result = 1;
  992. end:
  993. if (det_ctx != NULL)
  994. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  995. if (de_ctx != NULL)
  996. SigGroupCleanup(de_ctx);
  997. if (de_ctx != NULL)
  998. DetectEngineCtxFree(de_ctx);
  999. StreamTcpFreeConfig(TRUE);
  1000. FLOW_DESTROY(&f);
  1001. UTHFreePacket(p);
  1002. return result;
  1003. }
  1004. /** \test Test content, uricontent, urilen, pcre /U options */
  1005. static int UriTestSig11(void)
  1006. {
  1007. int result = 0;
  1008. Flow f;
  1009. HtpState *http_state = NULL;
  1010. uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
  1011. "User-Agent: Mozilla/1.0\r\n"
  1012. "Cookie: hellocatch\r\n\r\n";
  1013. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  1014. uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
  1015. "User-Agent: Mozilla/1.0\r\n"
  1016. "Cookie: hellocatch\r\n\r\n";
  1017. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  1018. TcpSession ssn;
  1019. Packet *p = NULL;
  1020. Signature *s = NULL;
  1021. ThreadVars tv;
  1022. DetectEngineThreadCtx *det_ctx = NULL;
  1023. memset(&tv, 0, sizeof(ThreadVars));
  1024. memset(&f, 0, sizeof(Flow));
  1025. memset(&ssn, 0, sizeof(TcpSession));
  1026. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  1027. FLOW_INITIALIZE(&f);
  1028. f.protoctx = (void *)&ssn;
  1029. f.flags |= FLOW_IPV4;
  1030. p->flow = &f;
  1031. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  1032. p->flowflags |= FLOW_PKT_TOSERVER;
  1033. p->flowflags |= FLOW_PKT_ESTABLISHED;
  1034. f.alproto = ALPROTO_HTTP;
  1035. StreamTcpInitConfig(TRUE);
  1036. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  1037. if (de_ctx == NULL) {
  1038. goto end;
  1039. }
  1040. de_ctx->mpm_matcher = MPM_B2G;
  1041. de_ctx->flags |= DE_QUIET;
  1042. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  1043. "(msg:\"Test content, uricontent, pcre /U and urilen options\"; "
  1044. "content:\"one\"; uricontent:\"one\"; pcre:/(one){2,}(self)?/U;"
  1045. "urilen:<2; sid:1;)");
  1046. if (s == NULL) {
  1047. goto end;
  1048. }
  1049. SigGroupBuild(de_ctx);
  1050. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  1051. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  1052. if (r != 0) {
  1053. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  1054. goto end;
  1055. }
  1056. http_state = f.alstate;
  1057. if (http_state == NULL) {
  1058. printf("no http state: ");
  1059. goto end;
  1060. }
  1061. /* do detect */
  1062. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  1063. if (PacketAlertCheck(p, 1)) {
  1064. printf("sig 1 alerted, but it should not: ");
  1065. goto end;
  1066. }
  1067. DetectEngineStateReset(f.de_state);
  1068. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  1069. if (r != 0) {
  1070. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  1071. goto end;
  1072. }
  1073. http_state = f.alstate;
  1074. if (http_state == NULL) {
  1075. printf("no http state: ");
  1076. goto end;
  1077. }
  1078. /* do detect */
  1079. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  1080. if (PacketAlertCheck(p, 1)) {
  1081. printf("sig 1 alerted, but it should not: ");
  1082. goto end;
  1083. }
  1084. result = 1;
  1085. end:
  1086. if (det_ctx != NULL)
  1087. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  1088. if (de_ctx != NULL)
  1089. SigGroupCleanup(de_ctx);
  1090. if (de_ctx != NULL)
  1091. DetectEngineCtxFree(de_ctx);
  1092. StreamTcpFreeConfig(TRUE);
  1093. FLOW_DESTROY(&f);
  1094. UTHFreePacket(p);
  1095. return result;
  1096. }
  1097. /** \test Test uricontent, urilen, pcre /U options */
  1098. static int UriTestSig12(void)
  1099. {
  1100. int result = 0;
  1101. Flow f;
  1102. HtpState *http_state = NULL;
  1103. uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
  1104. "User-Agent: Mozilla/1.0\r\n"
  1105. "Cookie: hellocatch\r\n\r\n";
  1106. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  1107. uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
  1108. "User-Agent: Mozilla/1.0\r\n"
  1109. "Cookie: hellocatch\r\n\r\n";
  1110. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  1111. TcpSession ssn;
  1112. Packet *p = NULL;
  1113. Signature *s = NULL;
  1114. ThreadVars tv;
  1115. DetectEngineThreadCtx *det_ctx = NULL;
  1116. memset(&tv, 0, sizeof(ThreadVars));
  1117. memset(&f, 0, sizeof(Flow));
  1118. memset(&ssn, 0, sizeof(TcpSession));
  1119. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  1120. FLOW_INITIALIZE(&f);
  1121. f.protoctx = (void *)&ssn;
  1122. f.flags |= FLOW_IPV4;
  1123. p->flow = &f;
  1124. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  1125. p->flowflags |= FLOW_PKT_TOSERVER;
  1126. p->flowflags |= FLOW_PKT_ESTABLISHED;
  1127. f.alproto = ALPROTO_HTTP;
  1128. StreamTcpInitConfig(TRUE);
  1129. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  1130. if (de_ctx == NULL) {
  1131. goto end;
  1132. }
  1133. de_ctx->mpm_matcher = MPM_B2G;
  1134. de_ctx->flags |= DE_QUIET;
  1135. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  1136. "(msg:\"Test pcre /U, uricontent and urilen option\"; "
  1137. "uricontent:\"one\"; "
  1138. "pcre:/(one)+self/U; urilen:>2; sid:1;)");
  1139. if (s == NULL) {
  1140. goto end;
  1141. }
  1142. SigGroupBuild(de_ctx);
  1143. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  1144. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  1145. if (r != 0) {
  1146. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  1147. goto end;
  1148. }
  1149. http_state = f.alstate;
  1150. if (http_state == NULL) {
  1151. printf("no http state: ");
  1152. goto end;
  1153. }
  1154. /* do detect */
  1155. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  1156. if (PacketAlertCheck(p, 1)) {
  1157. printf("sig 1 alerted, but it should not: ");
  1158. goto end;
  1159. }
  1160. DetectEngineStateReset(f.de_state);
  1161. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  1162. if (r != 0) {
  1163. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  1164. goto end;
  1165. }
  1166. http_state = f.alstate;
  1167. if (http_state == NULL) {
  1168. printf("no http state: ");
  1169. goto end;
  1170. }
  1171. /* do detect */
  1172. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  1173. if (!PacketAlertCheck(p, 1)) {
  1174. printf("sig 1 didnt alert with payload2, but it should: ");
  1175. goto end;
  1176. }
  1177. result = 1;
  1178. end:
  1179. if (det_ctx != NULL)
  1180. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  1181. if (de_ctx != NULL)
  1182. SigGroupCleanup(de_ctx);
  1183. if (de_ctx != NULL)
  1184. DetectEngineCtxFree(de_ctx);
  1185. StreamTcpFreeConfig(TRUE);
  1186. FLOW_DESTROY(&f);
  1187. UTHFreePacket(p);
  1188. return result;
  1189. }
  1190. /** \test Test uricontent, urilen */
  1191. static int UriTestSig13(void)
  1192. {
  1193. int result = 0;
  1194. Flow f;
  1195. HtpState *http_state = NULL;
  1196. uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
  1197. "User-Agent: Mozilla/1.0\r\n"
  1198. "Cookie: hellocatch\r\n\r\n";
  1199. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  1200. uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
  1201. "User-Agent: Mozilla/1.0\r\n"
  1202. "Cookie: hellocatch\r\n\r\n";
  1203. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  1204. TcpSession ssn;
  1205. Packet *p = NULL;
  1206. Signature *s = NULL;
  1207. ThreadVars tv;
  1208. DetectEngineThreadCtx *det_ctx = NULL;
  1209. memset(&tv, 0, sizeof(ThreadVars));
  1210. memset(&f, 0, sizeof(Flow));
  1211. memset(&ssn, 0, sizeof(TcpSession));
  1212. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  1213. FLOW_INITIALIZE(&f);
  1214. f.protoctx = (void *)&ssn;
  1215. f.flags |= FLOW_IPV4;
  1216. p->flow = &f;
  1217. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  1218. p->flowflags |= FLOW_PKT_TOSERVER;
  1219. p->flowflags |= FLOW_PKT_ESTABLISHED;
  1220. f.alproto = ALPROTO_HTTP;
  1221. StreamTcpInitConfig(TRUE);
  1222. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  1223. if (de_ctx == NULL) {
  1224. goto end;
  1225. }
  1226. de_ctx->mpm_matcher = MPM_B2G;
  1227. de_ctx->flags |= DE_QUIET;
  1228. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  1229. "(msg:\"Test urilen option\"; "
  1230. "urilen:>2; uricontent:\"one\"; sid:1;)");
  1231. if (s == NULL) {
  1232. goto end;
  1233. }
  1234. SigGroupBuild(de_ctx);
  1235. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  1236. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  1237. if (r != 0) {
  1238. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  1239. goto end;
  1240. }
  1241. http_state = f.alstate;
  1242. if (http_state == NULL) {
  1243. printf("no http state: ");
  1244. goto end;
  1245. }
  1246. /* do detect */
  1247. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  1248. if (!PacketAlertCheck(p, 1)) {
  1249. printf("sig 1 didnt alert with pkt, but it should: ");
  1250. goto end;
  1251. }
  1252. DetectEngineStateReset(f.de_state);
  1253. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  1254. if (r != 0) {
  1255. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  1256. goto end;
  1257. }
  1258. http_state = f.alstate;
  1259. if (http_state == NULL) {
  1260. printf("no http state: ");
  1261. goto end;
  1262. }
  1263. /* do detect */
  1264. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  1265. if (!PacketAlertCheck(p, 1)) {
  1266. printf("sig 1 didnt alert with payload2, but it should: ");
  1267. goto end;
  1268. }
  1269. result = 1;
  1270. end:
  1271. if (det_ctx != NULL)
  1272. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  1273. if (de_ctx != NULL)
  1274. SigGroupCleanup(de_ctx);
  1275. if (de_ctx != NULL)
  1276. DetectEngineCtxFree(de_ctx);
  1277. StreamTcpFreeConfig(TRUE);
  1278. FLOW_DESTROY(&f);
  1279. UTHFreePacket(p);
  1280. return result;
  1281. }
  1282. /** \test Test uricontent, pcre /U */
  1283. static int UriTestSig14(void)
  1284. {
  1285. int result = 0;
  1286. Flow f;
  1287. HtpState *http_state = NULL;
  1288. uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
  1289. "User-Agent: Mozilla/1.0\r\n"
  1290. "Cookie: hellocatch\r\n\r\n";
  1291. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  1292. uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
  1293. "User-Agent: Mozilla/1.0\r\n"
  1294. "Cookie: hellocatch\r\n\r\n";
  1295. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  1296. TcpSession ssn;
  1297. Packet *p = NULL;
  1298. Signature *s = NULL;
  1299. ThreadVars tv;
  1300. DetectEngineThreadCtx *det_ctx = NULL;
  1301. memset(&tv, 0, sizeof(ThreadVars));
  1302. memset(&f, 0, sizeof(Flow));
  1303. memset(&ssn, 0, sizeof(TcpSession));
  1304. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  1305. FLOW_INITIALIZE(&f);
  1306. f.protoctx = (void *)&ssn;
  1307. f.flags |= FLOW_IPV4;
  1308. p->flow = &f;
  1309. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  1310. p->flowflags |= FLOW_PKT_TOSERVER;
  1311. p->flowflags |= FLOW_PKT_ESTABLISHED;
  1312. f.alproto = ALPROTO_HTTP;
  1313. StreamTcpInitConfig(TRUE);
  1314. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  1315. if (de_ctx == NULL) {
  1316. goto end;
  1317. }
  1318. de_ctx->mpm_matcher = MPM_B2G;
  1319. de_ctx->flags |= DE_QUIET;
  1320. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  1321. "(msg:\"Test uricontent option\"; "
  1322. "uricontent:\"one\"; pcre:/one(self)?/U;sid:1;)");
  1323. if (s == NULL) {
  1324. goto end;
  1325. }
  1326. SigGroupBuild(de_ctx);
  1327. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  1328. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  1329. if (r != 0) {
  1330. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  1331. goto end;
  1332. }
  1333. http_state = f.alstate;
  1334. if (http_state == NULL) {
  1335. printf("no http state: ");
  1336. goto end;
  1337. }
  1338. /* do detect */
  1339. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  1340. if (!PacketAlertCheck(p, 1)) {
  1341. printf("sig 1 didnt alert with pkt, but it should: ");
  1342. goto end;
  1343. }
  1344. DetectEngineStateReset(f.de_state);
  1345. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  1346. if (r != 0) {
  1347. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  1348. goto end;
  1349. }
  1350. http_state = f.alstate;
  1351. if (http_state == NULL) {
  1352. printf("no http state: ");
  1353. goto end;
  1354. }
  1355. /* do detect */
  1356. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  1357. if (!PacketAlertCheck(p, 1)) {
  1358. printf("sig 1 didnt alert with payload2, but it should: ");
  1359. goto end;
  1360. }
  1361. result = 1;
  1362. end:
  1363. if (det_ctx != NULL)
  1364. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  1365. if (de_ctx != NULL)
  1366. SigGroupCleanup(de_ctx);
  1367. if (de_ctx != NULL)
  1368. DetectEngineCtxFree(de_ctx);
  1369. StreamTcpFreeConfig(TRUE);
  1370. FLOW_DESTROY(&f);
  1371. UTHFreePacket(p);
  1372. return result;
  1373. }
  1374. /** \test Test pcre /U with anchored regex (bug 155) */
  1375. static int UriTestSig15(void)
  1376. {
  1377. int result = 0;
  1378. Flow f;
  1379. HtpState *http_state = NULL;
  1380. uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
  1381. "User-Agent: Mozilla/1.0\r\n"
  1382. "Cookie: hellocatch\r\n\r\n";
  1383. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  1384. uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
  1385. "User-Agent: Mozilla/1.0\r\n"
  1386. "Cookie: hellocatch\r\n\r\n";
  1387. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  1388. TcpSession ssn;
  1389. Packet *p = NULL;
  1390. Signature *s = NULL;
  1391. ThreadVars tv;
  1392. DetectEngineThreadCtx *det_ctx = NULL;
  1393. memset(&tv, 0, sizeof(ThreadVars));
  1394. memset(&f, 0, sizeof(Flow));
  1395. memset(&ssn, 0, sizeof(TcpSession));
  1396. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  1397. FLOW_INITIALIZE(&f);
  1398. f.protoctx = (void *)&ssn;
  1399. f.flags |= FLOW_IPV4;
  1400. p->flow = &f;
  1401. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  1402. p->flowflags |= FLOW_PKT_TOSERVER;
  1403. p->flowflags |= FLOW_PKT_ESTABLISHED;
  1404. f.alproto = ALPROTO_HTTP;
  1405. StreamTcpInitConfig(TRUE);
  1406. DetectEngineCtx *de_ctx = DetectEngineCtxInit();
  1407. if (de_ctx == NULL) {
  1408. goto end;
  1409. }
  1410. de_ctx->mpm_matcher = MPM_B2G;
  1411. de_ctx->flags |= DE_QUIET;
  1412. s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
  1413. "(msg:\"Test uricontent option\"; "
  1414. "uricontent:\"one\"; pcre:/^\\/one(self)?$/U;sid:1;)");
  1415. if (s == NULL) {
  1416. goto end;
  1417. }
  1418. SigGroupBuild(de_ctx);
  1419. DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
  1420. int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
  1421. if (r != 0) {
  1422. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  1423. goto end;
  1424. }
  1425. http_state = f.alstate;
  1426. if (http_state == NULL) {
  1427. printf("no http state: ");
  1428. goto end;
  1429. }
  1430. /* do detect */
  1431. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  1432. if (!PacketAlertCheck(p, 1)) {
  1433. printf("sig 1 didnt alert with pkt, but it should: ");
  1434. goto end;
  1435. }
  1436. DetectEngineStateReset(f.de_state);
  1437. r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
  1438. if (r != 0) {
  1439. printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
  1440. goto end;
  1441. }
  1442. http_state = f.alstate;
  1443. if (http_state == NULL) {
  1444. printf("no http state: ");
  1445. goto end;
  1446. }
  1447. /* do detect */
  1448. SigMatchSignatures(&tv, de_ctx, det_ctx, p);
  1449. if (!PacketAlertCheck(p, 1)) {
  1450. printf("sig 1 didnt alert with payload2, but it should: ");
  1451. goto end;
  1452. }
  1453. result = 1;
  1454. end:
  1455. if (det_ctx != NULL)
  1456. DetectEngineThreadCtxDeinit(&tv, det_ctx);
  1457. if (de_ctx != NULL)
  1458. SigGroupCleanup(de_ctx);
  1459. if (de_ctx != NULL)
  1460. DetectEngineCtxFree(de_ctx);
  1461. StreamTcpFreeConfig(TRUE);
  1462. FLOW_DESTROY(&f);
  1463. UTHFreePacket(p);
  1464. return result;
  1465. }
  1466. /** \test Test pcre /U with anchored regex (bug 155) */
  1467. static int UriTestSig16(void)
  1468. {
  1469. int result = 0;
  1470. Flow f;
  1471. HtpState *http_state = NULL;
  1472. uint8_t http_buf1[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
  1473. "User-Agent: Mozilla/1.0/\r\n"
  1474. "Host: 1.2.3.4\r\n\r\n";
  1475. uint32_t http_buf1_len = sizeof(http_buf1) - 1;
  1476. uint8_t http_buf2[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
  1477. "User-Agent: Mozilla/1.0\r\n"
  1478. "Cookie: hellocatch\r\n\r\n";
  1479. uint32_t http_buf2_len = sizeof(http_buf2) - 1;
  1480. TcpSession ssn;
  1481. Packet *p = NULL;
  1482. Signature *s = NULL;
  1483. ThreadVars tv;
  1484. DetectEngineThreadCtx *det_ctx = NULL;
  1485. memset(&tv, 0, sizeof(ThreadVars));
  1486. memset(&f, 0, sizeof(Flow));
  1487. memset(&ssn, 0, sizeof(TcpSession));
  1488. p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
  1489. FLOW_INITIALIZE(&f);
  1490. f.protoctx = (void *)&ssn;
  1491. f.flags |= FLOW_IPV4;
  1492. p->flow = &f;
  1493. p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
  1494. p->flowflags |= FLOW_PKT_TOSERVER;
  1495. p->flowflags |= FLOW_PKT_ESTABLISHED;
  1496. f.alproto = ALPROTO_HTTP;
  1497. StreamTcpInitConfig(TRUE);
  1498. DetectE