/src/detect-engine-uri.c
C | 3897 lines | 3009 code | 744 blank | 144 comment | 656 complexity | 33c718194613c083cfdf1a14767e0850 MD5 | raw file
Large files files are truncated, but you can click here to view the full file
1/* Copyright (C) 2007-2010 Open Information Security Foundation 2 * 3 * You can copy, redistribute or modify this Program under the terms of 4 * the GNU General Public License version 2 as published by the Free 5 * Software Foundation. 6 * 7 * This program is distributed in the hope that it will be useful, 8 * but WITHOUT ANY WARRANTY; without even the implied warranty of 9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 * GNU General Public License for more details. 11 * 12 * You should have received a copy of the GNU General Public License 13 * version 2 along with this program; if not, write to the Free Software 14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 15 * 02110-1301, USA. 16 */ 17 18/** \file 19 * 20 * \author Victor Julien <victor@inliniac.net> 21 * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com> 22 * 23 * Based on detect-engine-uri.c 24 */ 25 26#include "suricata-common.h" 27#include "suricata.h" 28#include "decode.h" 29 30#include "detect.h" 31#include "detect-engine.h" 32#include "detect-parse.h" 33#include "detect-engine-state.h" 34#include "detect-engine-content-inspection.h" 35 36#include "flow-util.h" 37#include "util-debug.h" 38#include "util-print.h" 39#include "flow.h" 40 41#include "app-layer-parser.h" 42 43#include "util-unittest.h" 44#include "util-unittest-helper.h" 45#include "app-layer.h" 46#include "app-layer-htp.h" 47#include "app-layer-protos.h" 48 49/** \brief Do the content inspection & validation for a signature 50 * 51 * \param de_ctx Detection engine context 52 * \param det_ctx Detection engine thread context 53 * \param s Signature to inspect 54 * \param sm SigMatch to inspect 55 * \param f Flow 56 * \param flags app layer flags 57 * \param state App layer state 58 * 59 * \retval 0 no match 60 * \retval 1 match 61 */ 62int DetectEngineInspectPacketUris(ThreadVars *tv, 63 DetectEngineCtx *de_ctx, 64 DetectEngineThreadCtx *det_ctx, 65 Signature *s, Flow *f, uint8_t flags, 66 void *alstate, int tx_id) 67{ 68 HtpState *htp_state = (HtpState *)alstate; 69 70 htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id); 71 if (tx == NULL || tx->request_uri_normalized == NULL) 72 return 0; 73 74 det_ctx->discontinue_matching = 0; 75 det_ctx->buffer_offset = 0; 76 det_ctx->inspection_recursion_counter = 0; 77 78 //PrintRawDataFp(stdout, (uint8_t *)bstr_ptr(tx->request_uri_normalized), 79 // bstr_len(tx->request_uri_normalized)); 80 81 /* Inspect all the uricontents fetched on each 82 * transaction at the app layer */ 83 int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_UMATCH], 84 f, 85 (uint8_t *)bstr_ptr(tx->request_uri_normalized), 86 bstr_len(tx->request_uri_normalized), 87 DETECT_ENGINE_CONTENT_INSPECTION_MODE_URI, NULL); 88 if (r == 1) { 89 return 1; 90 } 91 92 return 0; 93} 94 95/***********************************Unittests**********************************/ 96 97#ifdef UNITTESTS 98/** \test Test a simple uricontent option */ 99static int UriTestSig01(void) 100{ 101 int result = 0; 102 Flow f; 103 HtpState *http_state = NULL; 104 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n" 105 "User-Agent: Mozilla/1.0\r\n" 106 "Cookie: hellocatch\r\n\r\n"; 107 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 108 uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n" 109 "User-Agent: Mozilla/1.0\r\n" 110 "Cookie: hellocatch\r\n\r\n"; 111 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 112 TcpSession ssn; 113 Packet *p = NULL; 114 Signature *s = NULL; 115 ThreadVars tv; 116 DetectEngineThreadCtx *det_ctx = NULL; 117 118 memset(&tv, 0, sizeof(ThreadVars)); 119 memset(&f, 0, sizeof(Flow)); 120 memset(&ssn, 0, sizeof(TcpSession)); 121 122 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 123 124 FLOW_INITIALIZE(&f); 125 f.protoctx = (void *)&ssn; 126 f.flags |= FLOW_IPV4; 127 128 p->flow = &f; 129 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 130 p->flowflags |= FLOW_PKT_TOSERVER; 131 p->flowflags |= FLOW_PKT_ESTABLISHED; 132 f.alproto = ALPROTO_HTTP; 133 134 StreamTcpInitConfig(TRUE); 135 136 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 137 if (de_ctx == NULL) { 138 goto end; 139 } 140 de_ctx->mpm_matcher = MPM_B2G; 141 de_ctx->flags |= DE_QUIET; 142 143 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 144 "(msg:\"Test uricontent option\"; " 145 "uricontent:\"one\"; sid:1;)"); 146 if (s == NULL) { 147 goto end; 148 } 149 150 SigGroupBuild(de_ctx); 151 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 152 153 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 154 if (r != 0) { 155 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 156 goto end; 157 } 158 159 http_state = f.alstate; 160 if (http_state == NULL) { 161 printf("no http state: "); 162 goto end; 163 } 164 165 /* do detect */ 166 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 167 168 if (!PacketAlertCheck(p, 1)) { 169 printf("sig 1 alerted, but it should not: "); 170 goto end; 171 } 172 173 DetectEngineStateReset(f.de_state); 174 175 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 176 if (r != 0) { 177 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 178 goto end; 179 } 180 181 http_state = f.alstate; 182 if (http_state == NULL) { 183 printf("no http state: "); 184 goto end; 185 } 186 187 if (!PacketAlertCheck(p, 1)) { 188 printf("sig 1 alerted, but it should not: "); 189 goto end; 190 } 191 192 /* do detect */ 193 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 194 195 result = 1; 196 197end: 198 if (det_ctx != NULL) 199 DetectEngineThreadCtxDeinit(&tv, det_ctx); 200 if (de_ctx != NULL) 201 SigGroupCleanup(de_ctx); 202 if (de_ctx != NULL) 203 DetectEngineCtxFree(de_ctx); 204 205 StreamTcpFreeConfig(TRUE); 206 FLOW_DESTROY(&f); 207 UTHFreePacket(p); 208 return result; 209} 210 211/** \test Test the pcre /U option */ 212static int UriTestSig02(void) 213{ 214 int result = 0; 215 Flow f; 216 HtpState *http_state = NULL; 217 uint8_t http_buf1[] = "POST /on HTTP/1.0\r\n" 218 "User-Agent: Mozilla/1.0\r\n" 219 "Cookie: hellocatch\r\n\r\n"; 220 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 221 uint8_t http_buf2[] = "POST /one HTTP/1.0\r\n" 222 "User-Agent: Mozilla/1.0\r\n" 223 "Cookie: hellocatch\r\n\r\n"; 224 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 225 TcpSession ssn; 226 Packet *p = NULL; 227 Signature *s = NULL; 228 ThreadVars tv; 229 DetectEngineThreadCtx *det_ctx = NULL; 230 231 memset(&tv, 0, sizeof(ThreadVars)); 232 memset(&f, 0, sizeof(Flow)); 233 memset(&ssn, 0, sizeof(TcpSession)); 234 235 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 236 237 FLOW_INITIALIZE(&f); 238 f.protoctx = (void *)&ssn; 239 f.flags |= FLOW_IPV4; 240 241 p->flow = &f; 242 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 243 p->flowflags |= FLOW_PKT_TOSERVER; 244 p->flowflags |= FLOW_PKT_ESTABLISHED; 245 f.alproto = ALPROTO_HTTP; 246 247 StreamTcpInitConfig(TRUE); 248 249 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 250 if (de_ctx == NULL) { 251 goto end; 252 } 253 de_ctx->mpm_matcher = MPM_B2G; 254 de_ctx->flags |= DE_QUIET; 255 256 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 257 "(msg:\"Test pcre /U option\"; " 258 "pcre:/one/U; sid:1;)"); 259 if (s == NULL) { 260 goto end; 261 } 262 263 SigGroupBuild(de_ctx); 264 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 265 266 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 267 if (r != 0) { 268 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 269 goto end; 270 } 271 272 http_state = f.alstate; 273 if (http_state == NULL) { 274 printf("no http state: "); 275 goto end; 276 } 277 278 /* do detect */ 279 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 280 281 if (PacketAlertCheck(p, 1)) { 282 printf("sig 1 alerted with payload2, but it should not: "); 283 goto end; 284 } 285 286 DetectEngineStateReset(f.de_state); 287 288 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 289 if (r != 0) { 290 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 291 goto end; 292 } 293 294 http_state = f.alstate; 295 if (http_state == NULL) { 296 printf("no http state: "); 297 goto end; 298 } 299 300 /* do detect */ 301 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 302 303 if (!PacketAlertCheck(p, 1)) { 304 printf("sig 1 didnt alert, but it should: "); 305 goto end; 306 } 307 308 result = 1; 309 310end: 311 if (det_ctx != NULL) 312 DetectEngineThreadCtxDeinit(&tv, det_ctx); 313 if (de_ctx != NULL) 314 SigGroupCleanup(de_ctx); 315 if (de_ctx != NULL) 316 DetectEngineCtxFree(de_ctx); 317 318 StreamTcpFreeConfig(TRUE); 319 FLOW_DESTROY(&f); 320 UTHFreePacket(p); 321 return result; 322} 323 324/** \test Test the pcre /U option */ 325static int UriTestSig03(void) 326{ 327 int result = 0; 328 Flow f; 329 HtpState *http_state = NULL; 330 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n" 331 "User-Agent: Mozilla/1.0\r\n" 332 "Cookie: hellocatch\r\n\r\n"; 333 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 334 uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n" 335 "User-Agent: Mozilla/1.0\r\n" 336 "Cookie: hellocatch\r\n\r\n"; 337 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 338 TcpSession ssn; 339 Packet *p = NULL; 340 Signature *s = NULL; 341 ThreadVars tv; 342 DetectEngineThreadCtx *det_ctx = NULL; 343 344 memset(&tv, 0, sizeof(ThreadVars)); 345 memset(&f, 0, sizeof(Flow)); 346 memset(&ssn, 0, sizeof(TcpSession)); 347 348 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 349 350 FLOW_INITIALIZE(&f); 351 f.protoctx = (void *)&ssn; 352 f.flags |= FLOW_IPV4; 353 354 p->flow = &f; 355 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 356 p->flowflags |= FLOW_PKT_TOSERVER; 357 p->flowflags |= FLOW_PKT_ESTABLISHED; 358 f.alproto = ALPROTO_HTTP; 359 360 StreamTcpInitConfig(TRUE); 361 362 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 363 if (de_ctx == NULL) { 364 goto end; 365 } 366 de_ctx->mpm_matcher = MPM_B2G; 367 de_ctx->flags |= DE_QUIET; 368 369 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 370 "(msg:\"Test pcre /U option\"; " 371 "pcre:/blah/U; sid:1;)"); 372 if (s == NULL) { 373 goto end; 374 } 375 376 SigGroupBuild(de_ctx); 377 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 378 379 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 380 if (r != 0) { 381 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 382 goto end; 383 } 384 385 http_state = f.alstate; 386 if (http_state == NULL) { 387 printf("no http state: "); 388 goto end; 389 } 390 391 /* do detect */ 392 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 393 394 if (PacketAlertCheck(p, 1)) { 395 printf("sig 1 alerted, but it should not: "); 396 goto end; 397 } 398 399 DetectEngineStateReset(f.de_state); 400 401 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 402 if (r != 0) { 403 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 404 goto end; 405 } 406 407 http_state = f.alstate; 408 if (http_state == NULL) { 409 printf("no http state: "); 410 goto end; 411 } 412 413 /* do detect */ 414 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 415 416 if (PacketAlertCheck(p, 1)) { 417 printf("sig 1 alerted, but it should not: "); 418 goto end; 419 } 420 421 result = 1; 422 423end: 424 if (det_ctx != NULL) 425 DetectEngineThreadCtxDeinit(&tv, det_ctx); 426 if (de_ctx != NULL) 427 SigGroupCleanup(de_ctx); 428 if (de_ctx != NULL) 429 DetectEngineCtxFree(de_ctx); 430 431 StreamTcpFreeConfig(TRUE); 432 FLOW_DESTROY(&f); 433 UTHFreePacket(p); 434 return result; 435} 436 437/** \test Test the urilen option */ 438static int UriTestSig04(void) 439{ 440 int result = 0; 441 Flow f; 442 HtpState *http_state = NULL; 443 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n" 444 "User-Agent: Mozilla/1.0\r\n" 445 "Cookie: hellocatch\r\n\r\n"; 446 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 447 uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n" 448 "User-Agent: Mozilla/1.0\r\n" 449 "Cookie: hellocatch\r\n\r\n"; 450 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 451 TcpSession ssn; 452 Packet *p = NULL; 453 Signature *s = NULL; 454 ThreadVars tv; 455 DetectEngineThreadCtx *det_ctx = NULL; 456 457 memset(&tv, 0, sizeof(ThreadVars)); 458 memset(&f, 0, sizeof(Flow)); 459 memset(&ssn, 0, sizeof(TcpSession)); 460 461 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 462 463 FLOW_INITIALIZE(&f); 464 f.protoctx = (void *)&ssn; 465 f.flags |= FLOW_IPV4; 466 467 p->flow = &f; 468 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 469 p->flowflags |= FLOW_PKT_TOSERVER; 470 p->flowflags |= FLOW_PKT_ESTABLISHED; 471 f.alproto = ALPROTO_HTTP; 472 473 StreamTcpInitConfig(TRUE); 474 475 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 476 if (de_ctx == NULL) { 477 goto end; 478 } 479 de_ctx->mpm_matcher = MPM_B2G; 480 de_ctx->flags |= DE_QUIET; 481 482 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 483 "(msg:\"Test urilen option\"; " 484 "urilen:>20; sid:1;)"); 485 if (s == NULL) { 486 goto end; 487 } 488 489 SigGroupBuild(de_ctx); 490 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 491 492 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 493 if (r != 0) { 494 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 495 goto end; 496 } 497 498 http_state = f.alstate; 499 if (http_state == NULL) { 500 printf("no http state: "); 501 goto end; 502 } 503 504 /* do detect */ 505 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 506 507 if (PacketAlertCheck(p, 1)) { 508 printf("sig 1 alerted, but it should not: "); 509 goto end; 510 } 511 512 DetectEngineStateReset(f.de_state); 513 514 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 515 if (r != 0) { 516 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 517 goto end; 518 } 519 520 http_state = f.alstate; 521 if (http_state == NULL) { 522 printf("no http state: "); 523 goto end; 524 } 525 526 /* do detect */ 527 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 528 529 if (PacketAlertCheck(p, 1)) { 530 printf("sig 1 alerted, but it should not: "); 531 goto end; 532 } 533 534 result = 1; 535 536end: 537 if (det_ctx != NULL) 538 DetectEngineThreadCtxDeinit(&tv, det_ctx); 539 if (de_ctx != NULL) 540 SigGroupCleanup(de_ctx); 541 if (de_ctx != NULL) 542 DetectEngineCtxFree(de_ctx); 543 544 StreamTcpFreeConfig(TRUE); 545 FLOW_DESTROY(&f); 546 UTHFreePacket(p); 547 return result; 548} 549 550/** \test Test the urilen option */ 551static int UriTestSig05(void) 552{ 553 int result = 0; 554 Flow f; 555 HtpState *http_state = NULL; 556 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n" 557 "User-Agent: Mozilla/1.0\r\n" 558 "Cookie: hellocatch\r\n\r\n"; 559 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 560 uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n" 561 "User-Agent: Mozilla/1.0\r\n" 562 "Cookie: hellocatch\r\n\r\n"; 563 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 564 TcpSession ssn; 565 Packet *p = NULL; 566 Signature *s = NULL; 567 ThreadVars tv; 568 DetectEngineThreadCtx *det_ctx = NULL; 569 570 memset(&tv, 0, sizeof(ThreadVars)); 571 memset(&f, 0, sizeof(Flow)); 572 memset(&ssn, 0, sizeof(TcpSession)); 573 574 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 575 576 FLOW_INITIALIZE(&f); 577 f.protoctx = (void *)&ssn; 578 f.flags |= FLOW_IPV4; 579 580 p->flow = &f; 581 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 582 p->flowflags |= FLOW_PKT_TOSERVER; 583 p->flowflags |= FLOW_PKT_ESTABLISHED; 584 f.alproto = ALPROTO_HTTP; 585 586 StreamTcpInitConfig(TRUE); 587 588 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 589 if (de_ctx == NULL) { 590 goto end; 591 } 592 de_ctx->mpm_matcher = MPM_B2G; 593 de_ctx->flags |= DE_QUIET; 594 595 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 596 "(msg:\"Test urilen option\"; " 597 "urilen:>4; sid:1;)"); 598 if (s == NULL) { 599 goto end; 600 } 601 602 SigGroupBuild(de_ctx); 603 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 604 605 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 606 if (r != 0) { 607 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 608 goto end; 609 } 610 611 http_state = f.alstate; 612 if (http_state == NULL) { 613 printf("no http state: "); 614 goto end; 615 } 616 617 /* do detect */ 618 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 619 620 if (PacketAlertCheck(p, 1)) { 621 printf("sig 1 alerted, but it should not: "); 622 goto end; 623 } 624 625 DetectEngineStateReset(f.de_state); 626 627 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 628 if (r != 0) { 629 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 630 goto end; 631 } 632 633 http_state = f.alstate; 634 if (http_state == NULL) { 635 printf("no http state: "); 636 goto end; 637 } 638 639 /* do detect */ 640 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 641 642 if (!PacketAlertCheck(p, 1)) { 643 printf("sig 1 didnt alert with payload2, but it should: "); 644 goto end; 645 } 646 647 result = 1; 648 649end: 650 if (det_ctx != NULL) 651 DetectEngineThreadCtxDeinit(&tv, det_ctx); 652 if (de_ctx != NULL) 653 SigGroupCleanup(de_ctx); 654 if (de_ctx != NULL) 655 DetectEngineCtxFree(de_ctx); 656 657 StreamTcpFreeConfig(TRUE); 658 FLOW_DESTROY(&f); 659 UTHFreePacket(p); 660 return result; 661} 662 663/** \test Test the pcre /U option */ 664static int UriTestSig06(void) 665{ 666 int result = 0; 667 Flow f; 668 HtpState *http_state = NULL; 669 uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n" 670 "User-Agent: Mozilla/1.0\r\n" 671 "Cookie: hellocatch\r\n\r\n"; 672 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 673 uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n" 674 "User-Agent: Mozilla/1.0\r\n" 675 "Cookie: hellocatch\r\n\r\n"; 676 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 677 TcpSession ssn; 678 Packet *p = NULL; 679 Signature *s = NULL; 680 ThreadVars tv; 681 DetectEngineThreadCtx *det_ctx = NULL; 682 683 memset(&tv, 0, sizeof(ThreadVars)); 684 memset(&f, 0, sizeof(Flow)); 685 memset(&ssn, 0, sizeof(TcpSession)); 686 687 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 688 689 FLOW_INITIALIZE(&f); 690 f.protoctx = (void *)&ssn; 691 f.flags |= FLOW_IPV4; 692 693 p->flow = &f; 694 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 695 p->flowflags |= FLOW_PKT_TOSERVER; 696 p->flowflags |= FLOW_PKT_ESTABLISHED; 697 f.alproto = ALPROTO_HTTP; 698 699 StreamTcpInitConfig(TRUE); 700 701 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 702 if (de_ctx == NULL) { 703 goto end; 704 } 705 de_ctx->mpm_matcher = MPM_B2G; 706 de_ctx->flags |= DE_QUIET; 707 708 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 709 "(msg:\"Test pcre /U option\"; " 710 "pcre:/(oneself)+/U; sid:1;)"); 711 if (s == NULL) { 712 goto end; 713 } 714 715 SigGroupBuild(de_ctx); 716 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 717 718 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 719 if (r != 0) { 720 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 721 goto end; 722 } 723 724 http_state = f.alstate; 725 if (http_state == NULL) { 726 printf("no http state: "); 727 goto end; 728 } 729 730 /* do detect */ 731 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 732 733 if (PacketAlertCheck(p, 1)) { 734 printf("sig 1 alerted, but it should not: "); 735 goto end; 736 } 737 738 DetectEngineStateReset(f.de_state); 739 740 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 741 if (r != 0) { 742 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 743 goto end; 744 } 745 746 http_state = f.alstate; 747 if (http_state == NULL) { 748 printf("no http state: "); 749 goto end; 750 } 751 752 /* do detect */ 753 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 754 755 if (!PacketAlertCheck(p, 1)) { 756 printf("sig 1 didnt alert on payload2, but it should: "); 757 goto end; 758 } 759 760 result = 1; 761 762end: 763 if (det_ctx != NULL) 764 DetectEngineThreadCtxDeinit(&tv, det_ctx); 765 if (de_ctx != NULL) 766 SigGroupCleanup(de_ctx); 767 if (de_ctx != NULL) 768 DetectEngineCtxFree(de_ctx); 769 770 StreamTcpFreeConfig(TRUE); 771 FLOW_DESTROY(&f); 772 UTHFreePacket(p); 773 return result; 774} 775 776/** \test Test the pcre /U option in combination with urilen */ 777static int UriTestSig07(void) 778{ 779 int result = 0; 780 Flow f; 781 HtpState *http_state = NULL; 782 uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n" 783 "User-Agent: Mozilla/1.0\r\n" 784 "Cookie: hellocatch\r\n\r\n"; 785 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 786 uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n" 787 "User-Agent: Mozilla/1.0\r\n" 788 "Cookie: hellocatch\r\n\r\n"; 789 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 790 TcpSession ssn; 791 Packet *p = NULL; 792 Signature *s = NULL; 793 ThreadVars tv; 794 DetectEngineThreadCtx *det_ctx = NULL; 795 796 memset(&tv, 0, sizeof(ThreadVars)); 797 memset(&f, 0, sizeof(Flow)); 798 memset(&ssn, 0, sizeof(TcpSession)); 799 800 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 801 802 FLOW_INITIALIZE(&f); 803 f.protoctx = (void *)&ssn; 804 f.flags |= FLOW_IPV4; 805 806 p->flow = &f; 807 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 808 p->flowflags |= FLOW_PKT_TOSERVER; 809 p->flowflags |= FLOW_PKT_ESTABLISHED; 810 f.alproto = ALPROTO_HTTP; 811 812 StreamTcpInitConfig(TRUE); 813 814 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 815 if (de_ctx == NULL) { 816 goto end; 817 } 818 de_ctx->mpm_matcher = MPM_B2G; 819 de_ctx->flags |= DE_QUIET; 820 821 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 822 "(msg:\"Test pcre /U option with urilen \"; " 823 "pcre:/(one){2,}(self)?/U; urilen:3<>20; sid:1;)"); 824 if (s == NULL) { 825 goto end; 826 } 827 828 SigGroupBuild(de_ctx); 829 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 830 831 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 832 if (r != 0) { 833 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 834 goto end; 835 } 836 837 http_state = f.alstate; 838 if (http_state == NULL) { 839 printf("no http state: "); 840 goto end; 841 } 842 843 /* do detect */ 844 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 845 846 if (!PacketAlertCheck(p, 1)) { 847 printf("sig 1 didnt alert, but it should: "); 848 goto end; 849 } 850 851 DetectEngineStateReset(f.de_state); 852 853 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 854 if (r != 0) { 855 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 856 goto end; 857 } 858 859 http_state = f.alstate; 860 if (http_state == NULL) { 861 printf("no http state: "); 862 goto end; 863 } 864 865 /* do detect */ 866 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 867 868 if (!PacketAlertCheck(p, 1)) { 869 printf("sig 1 didnt alert with payload2, but it should: "); 870 goto end; 871 } 872 873 result = 1; 874 875end: 876 if (det_ctx != NULL) 877 DetectEngineThreadCtxDeinit(&tv, det_ctx); 878 if (de_ctx != NULL) 879 SigGroupCleanup(de_ctx); 880 if (de_ctx != NULL) 881 DetectEngineCtxFree(de_ctx); 882 883 StreamTcpFreeConfig(TRUE); 884 FLOW_DESTROY(&f); 885 UTHFreePacket(p); 886 return result; 887} 888 889/** \test Test the pcre /U option in combination with urilen */ 890static int UriTestSig08(void) 891{ 892 int result = 0; 893 Flow f; 894 HtpState *http_state = NULL; 895 uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n" 896 "User-Agent: Mozilla/1.0\r\n" 897 "Cookie: hellocatch\r\n\r\n"; 898 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 899 uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n" 900 "User-Agent: Mozilla/1.0\r\n" 901 "Cookie: hellocatch\r\n\r\n"; 902 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 903 TcpSession ssn; 904 Packet *p = NULL; 905 Signature *s = NULL; 906 ThreadVars tv; 907 DetectEngineThreadCtx *det_ctx = NULL; 908 909 memset(&tv, 0, sizeof(ThreadVars)); 910 memset(&f, 0, sizeof(Flow)); 911 memset(&ssn, 0, sizeof(TcpSession)); 912 913 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 914 915 FLOW_INITIALIZE(&f); 916 f.protoctx = (void *)&ssn; 917 f.flags |= FLOW_IPV4; 918 919 p->flow = &f; 920 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 921 p->flowflags |= FLOW_PKT_TOSERVER; 922 p->flowflags |= FLOW_PKT_ESTABLISHED; 923 f.alproto = ALPROTO_HTTP; 924 925 StreamTcpInitConfig(TRUE); 926 927 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 928 if (de_ctx == NULL) { 929 goto end; 930 } 931 de_ctx->mpm_matcher = MPM_B2G; 932 de_ctx->flags |= DE_QUIET; 933 934 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 935 "(msg:\"Test pcre /U option with urilen\"; " 936 "pcre:/(blabla){2,}(self)?/U; urilen:3<>20; sid:1;)"); 937 if (s == NULL) { 938 goto end; 939 } 940 941 SigGroupBuild(de_ctx); 942 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 943 944 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 945 if (r != 0) { 946 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 947 goto end; 948 } 949 950 http_state = f.alstate; 951 if (http_state == NULL) { 952 printf("no http state: "); 953 goto end; 954 } 955 956 /* do detect */ 957 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 958 959 if (PacketAlertCheck(p, 1)) { 960 printf("sig 1 alerted, but it should not: "); 961 goto end; 962 } 963 964 DetectEngineStateReset(f.de_state); 965 966 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 967 if (r != 0) { 968 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 969 goto end; 970 } 971 972 http_state = f.alstate; 973 if (http_state == NULL) { 974 printf("no http state: "); 975 goto end; 976 } 977 978 /* do detect */ 979 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 980 981 if (PacketAlertCheck(p, 1)) { 982 printf("sig 1 alerted, but it should not: "); 983 goto end; 984 } 985 986 result = 1; 987 988end: 989 if (det_ctx != NULL) 990 DetectEngineThreadCtxDeinit(&tv, det_ctx); 991 if (de_ctx != NULL) 992 SigGroupCleanup(de_ctx); 993 if (de_ctx != NULL) 994 DetectEngineCtxFree(de_ctx); 995 996 StreamTcpFreeConfig(TRUE); 997 FLOW_DESTROY(&f); 998 UTHFreePacket(p); 999 return result; 1000} 1001 1002/** \test Test the pcre /U option in combination with urilen */ 1003static int UriTestSig09(void) 1004{ 1005 int result = 0; 1006 Flow f; 1007 HtpState *http_state = NULL; 1008 uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n" 1009 "User-Agent: Mozilla/1.0\r\n" 1010 "Cookie: hellocatch\r\n\r\n"; 1011 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 1012 uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n" 1013 "User-Agent: Mozilla/1.0\r\n" 1014 "Cookie: hellocatch\r\n\r\n"; 1015 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 1016 TcpSession ssn; 1017 Packet *p = NULL; 1018 Signature *s = NULL; 1019 ThreadVars tv; 1020 DetectEngineThreadCtx *det_ctx = NULL; 1021 1022 memset(&tv, 0, sizeof(ThreadVars)); 1023 memset(&f, 0, sizeof(Flow)); 1024 memset(&ssn, 0, sizeof(TcpSession)); 1025 1026 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 1027 1028 FLOW_INITIALIZE(&f); 1029 f.protoctx = (void *)&ssn; 1030 f.flags |= FLOW_IPV4; 1031 1032 p->flow = &f; 1033 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 1034 p->flowflags |= FLOW_PKT_TOSERVER; 1035 p->flowflags |= FLOW_PKT_ESTABLISHED; 1036 f.alproto = ALPROTO_HTTP; 1037 1038 StreamTcpInitConfig(TRUE); 1039 1040 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 1041 if (de_ctx == NULL) { 1042 goto end; 1043 } 1044 de_ctx->mpm_matcher = MPM_B2G; 1045 de_ctx->flags |= DE_QUIET; 1046 1047 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 1048 "(msg:\"Test pcre /U option with urilen \"; " 1049 "pcre:/(one){2,}(self)?/U; urilen:<2; sid:1;)"); 1050 if (s == NULL) { 1051 goto end; 1052 } 1053 1054 SigGroupBuild(de_ctx); 1055 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 1056 1057 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 1058 if (r != 0) { 1059 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1060 goto end; 1061 } 1062 1063 http_state = f.alstate; 1064 if (http_state == NULL) { 1065 printf("no http state: "); 1066 goto end; 1067 } 1068 1069 /* do detect */ 1070 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1071 1072 if (PacketAlertCheck(p, 1)) { 1073 printf("sig 1 alerted, but it should not: "); 1074 goto end; 1075 } 1076 1077 DetectEngineStateReset(f.de_state); 1078 1079 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 1080 if (r != 0) { 1081 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1082 goto end; 1083 } 1084 1085 http_state = f.alstate; 1086 if (http_state == NULL) { 1087 printf("no http state: "); 1088 goto end; 1089 } 1090 1091 /* do detect */ 1092 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1093 1094 if (PacketAlertCheck(p, 1)) { 1095 printf("sig 1 alerted, but it should not: "); 1096 goto end; 1097 } 1098 1099 result = 1; 1100 1101end: 1102 if (det_ctx != NULL) 1103 DetectEngineThreadCtxDeinit(&tv, det_ctx); 1104 if (de_ctx != NULL) 1105 SigGroupCleanup(de_ctx); 1106 if (de_ctx != NULL) 1107 DetectEngineCtxFree(de_ctx); 1108 1109 StreamTcpFreeConfig(TRUE); 1110 FLOW_DESTROY(&f); 1111 UTHFreePacket(p); 1112 return result; 1113} 1114 1115/** \test Test the uricontent option in combination with urilen */ 1116static int UriTestSig10(void) 1117{ 1118 int result = 0; 1119 Flow f; 1120 HtpState *http_state = NULL; 1121 uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n" 1122 "User-Agent: Mozilla/1.0\r\n" 1123 "Cookie: hellocatch\r\n\r\n"; 1124 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 1125 uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n" 1126 "User-Agent: Mozilla/1.0\r\n" 1127 "Cookie: hellocatch\r\n\r\n"; 1128 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 1129 TcpSession ssn; 1130 Packet *p = NULL; 1131 Signature *s = NULL; 1132 ThreadVars tv; 1133 DetectEngineThreadCtx *det_ctx = NULL; 1134 1135 memset(&tv, 0, sizeof(ThreadVars)); 1136 memset(&f, 0, sizeof(Flow)); 1137 memset(&ssn, 0, sizeof(TcpSession)); 1138 1139 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 1140 1141 FLOW_INITIALIZE(&f); 1142 f.protoctx = (void *)&ssn; 1143 f.flags |= FLOW_IPV4; 1144 1145 p->flow = &f; 1146 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 1147 p->flowflags |= FLOW_PKT_TOSERVER; 1148 p->flowflags |= FLOW_PKT_ESTABLISHED; 1149 f.alproto = ALPROTO_HTTP; 1150 1151 StreamTcpInitConfig(TRUE); 1152 1153 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 1154 if (de_ctx == NULL) { 1155 goto end; 1156 } 1157 de_ctx->mpm_matcher = MPM_B2G; 1158 de_ctx->flags |= DE_QUIET; 1159 1160 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 1161 "(msg:\"Test uricontent with urilen option\"; " 1162 "uricontent:\"one\"; urilen:<2; sid:1;)"); 1163 if (s == NULL) { 1164 goto end; 1165 } 1166 1167 SigGroupBuild(de_ctx); 1168 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 1169 1170 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 1171 if (r != 0) { 1172 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1173 goto end; 1174 } 1175 1176 http_state = f.alstate; 1177 if (http_state == NULL) { 1178 printf("no http state: "); 1179 goto end; 1180 } 1181 1182 /* do detect */ 1183 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1184 1185 if (PacketAlertCheck(p, 1)) { 1186 printf("sig 1 alerted, but it should not: "); 1187 goto end; 1188 } 1189 1190 DetectEngineStateReset(f.de_state); 1191 1192 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 1193 if (r != 0) { 1194 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1195 goto end; 1196 } 1197 1198 http_state = f.alstate; 1199 if (http_state == NULL) { 1200 printf("no http state: "); 1201 goto end; 1202 } 1203 1204 /* do detect */ 1205 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1206 1207 if (PacketAlertCheck(p, 1)) { 1208 printf("sig 1 alerted, but it should not: "); 1209 goto end; 1210 } 1211 1212 result = 1; 1213 1214end: 1215 if (det_ctx != NULL) 1216 DetectEngineThreadCtxDeinit(&tv, det_ctx); 1217 if (de_ctx != NULL) 1218 SigGroupCleanup(de_ctx); 1219 if (de_ctx != NULL) 1220 DetectEngineCtxFree(de_ctx); 1221 1222 StreamTcpFreeConfig(TRUE); 1223 FLOW_DESTROY(&f); 1224 UTHFreePacket(p); 1225 return result; 1226} 1227 1228/** \test Test content, uricontent, urilen, pcre /U options */ 1229static int UriTestSig11(void) 1230{ 1231 int result = 0; 1232 Flow f; 1233 HtpState *http_state = NULL; 1234 uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n" 1235 "User-Agent: Mozilla/1.0\r\n" 1236 "Cookie: hellocatch\r\n\r\n"; 1237 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 1238 uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n" 1239 "User-Agent: Mozilla/1.0\r\n" 1240 "Cookie: hellocatch\r\n\r\n"; 1241 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 1242 TcpSession ssn; 1243 Packet *p = NULL; 1244 Signature *s = NULL; 1245 ThreadVars tv; 1246 DetectEngineThreadCtx *det_ctx = NULL; 1247 1248 memset(&tv, 0, sizeof(ThreadVars)); 1249 memset(&f, 0, sizeof(Flow)); 1250 memset(&ssn, 0, sizeof(TcpSession)); 1251 1252 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 1253 1254 FLOW_INITIALIZE(&f); 1255 f.protoctx = (void *)&ssn; 1256 f.flags |= FLOW_IPV4; 1257 1258 p->flow = &f; 1259 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 1260 p->flowflags |= FLOW_PKT_TOSERVER; 1261 p->flowflags |= FLOW_PKT_ESTABLISHED; 1262 f.alproto = ALPROTO_HTTP; 1263 1264 StreamTcpInitConfig(TRUE); 1265 1266 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 1267 if (de_ctx == NULL) { 1268 goto end; 1269 } 1270 de_ctx->mpm_matcher = MPM_B2G; 1271 de_ctx->flags |= DE_QUIET; 1272 1273 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 1274 "(msg:\"Test content, uricontent, pcre /U and urilen options\"; " 1275 "content:\"one\"; uricontent:\"one\"; pcre:/(one){2,}(self)?/U;" 1276 "urilen:<2; sid:1;)"); 1277 if (s == NULL) { 1278 goto end; 1279 } 1280 1281 SigGroupBuild(de_ctx); 1282 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 1283 1284 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 1285 if (r != 0) { 1286 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1287 goto end; 1288 } 1289 1290 http_state = f.alstate; 1291 if (http_state == NULL) { 1292 printf("no http state: "); 1293 goto end; 1294 } 1295 1296 /* do detect */ 1297 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1298 1299 if (PacketAlertCheck(p, 1)) { 1300 printf("sig 1 alerted, but it should not: "); 1301 goto end; 1302 } 1303 1304 DetectEngineStateReset(f.de_state); 1305 1306 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 1307 if (r != 0) { 1308 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1309 goto end; 1310 } 1311 1312 http_state = f.alstate; 1313 if (http_state == NULL) { 1314 printf("no http state: "); 1315 goto end; 1316 } 1317 1318 /* do detect */ 1319 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1320 1321 if (PacketAlertCheck(p, 1)) { 1322 printf("sig 1 alerted, but it should not: "); 1323 goto end; 1324 } 1325 1326 result = 1; 1327 1328end: 1329 if (det_ctx != NULL) 1330 DetectEngineThreadCtxDeinit(&tv, det_ctx); 1331 if (de_ctx != NULL) 1332 SigGroupCleanup(de_ctx); 1333 if (de_ctx != NULL) 1334 DetectEngineCtxFree(de_ctx); 1335 1336 StreamTcpFreeConfig(TRUE); 1337 FLOW_DESTROY(&f); 1338 UTHFreePacket(p); 1339 return result; 1340} 1341 1342/** \test Test uricontent, urilen, pcre /U options */ 1343static int UriTestSig12(void) 1344{ 1345 int result = 0; 1346 Flow f; 1347 HtpState *http_state = NULL; 1348 uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n" 1349 "User-Agent: Mozilla/1.0\r\n" 1350 "Cookie: hellocatch\r\n\r\n"; 1351 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 1352 uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n" 1353 "User-Agent: Mozilla/1.0\r\n" 1354 "Cookie: hellocatch\r\n\r\n"; 1355 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 1356 TcpSession ssn; 1357 Packet *p = NULL; 1358 Signature *s = NULL; 1359 ThreadVars tv; 1360 DetectEngineThreadCtx *det_ctx = NULL; 1361 1362 memset(&tv, 0, sizeof(ThreadVars)); 1363 memset(&f, 0, sizeof(Flow)); 1364 memset(&ssn, 0, sizeof(TcpSession)); 1365 1366 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 1367 1368 FLOW_INITIALIZE(&f); 1369 f.protoctx = (void *)&ssn; 1370 f.flags |= FLOW_IPV4; 1371 1372 p->flow = &f; 1373 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 1374 p->flowflags |= FLOW_PKT_TOSERVER; 1375 p->flowflags |= FLOW_PKT_ESTABLISHED; 1376 f.alproto = ALPROTO_HTTP; 1377 1378 StreamTcpInitConfig(TRUE); 1379 1380 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 1381 if (de_ctx == NULL) { 1382 goto end; 1383 } 1384 de_ctx->mpm_matcher = MPM_B2G; 1385 de_ctx->flags |= DE_QUIET; 1386 1387 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 1388 "(msg:\"Test pcre /U, uricontent and urilen option\"; " 1389 "uricontent:\"one\"; " 1390 "pcre:/(one)+self/U; urilen:>2; sid:1;)"); 1391 if (s == NULL) { 1392 goto end; 1393 } 1394 1395 SigGroupBuild(de_ctx); 1396 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 1397 1398 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 1399 if (r != 0) { 1400 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1401 goto end; 1402 } 1403 1404 http_state = f.alstate; 1405 if (http_state == NULL) { 1406 printf("no http state: "); 1407 goto end; 1408 } 1409 1410 /* do detect */ 1411 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1412 1413 if (PacketAlertCheck(p, 1)) { 1414 printf("sig 1 alerted, but it should not: "); 1415 goto end; 1416 } 1417 1418 DetectEngineStateReset(f.de_state); 1419 1420 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 1421 if (r != 0) { 1422 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1423 goto end; 1424 } 1425 1426 http_state = f.alstate; 1427 if (http_state == NULL) { 1428 printf("no http state: "); 1429 goto end; 1430 } 1431 1432 /* do detect */ 1433 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1434 1435 if (!PacketAlertCheck(p, 1)) { 1436 printf("sig 1 didnt alert with payload2, but it should: "); 1437 goto end; 1438 } 1439 1440 result = 1; 1441 1442end: 1443 if (det_ctx != NULL) 1444 DetectEngineThreadCtxDeinit(&tv, det_ctx); 1445 if (de_ctx != NULL) 1446 SigGroupCleanup(de_ctx); 1447 if (de_ctx != NULL) 1448 DetectEngineCtxFree(de_ctx); 1449 1450 StreamTcpFreeConfig(TRUE); 1451 FLOW_DESTROY(&f); 1452 UTHFreePacket(p); 1453 return result; 1454} 1455 1456/** \test Test uricontent, urilen */ 1457static int UriTestSig13(void) 1458{ 1459 int result = 0; 1460 Flow f; 1461 HtpState *http_state = NULL; 1462 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n" 1463 "User-Agent: Mozilla/1.0\r\n" 1464 "Cookie: hellocatch\r\n\r\n"; 1465 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 1466 uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n" 1467 "User-Agent: Mozilla/1.0\r\n" 1468 "Cookie: hellocatch\r\n\r\n"; 1469 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 1470 TcpSession ssn; 1471 Packet *p = NULL; 1472 Signature *s = NULL; 1473 ThreadVars tv; 1474 DetectEngineThreadCtx *det_ctx = NULL; 1475 1476 memset(&tv, 0, sizeof(ThreadVars)); 1477 memset(&f, 0, sizeof(Flow)); 1478 memset(&ssn, 0, sizeof(TcpSession)); 1479 1480 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 1481 1482 FLOW_INITIALIZE(&f); 1483 f.protoctx = (void *)&ssn; 1484 f.flags |= FLOW_IPV4; 1485 1486 p->flow = &f; 1487 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 1488 p->flowflags |= FLOW_PKT_TOSERVER; 1489 p->flowflags |= FLOW_PKT_ESTABLISHED; 1490 f.alproto = ALPROTO_HTTP; 1491 1492 StreamTcpInitConfig(TRUE); 1493 1494 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 1495 if (de_ctx == NULL) { 1496 goto end; 1497 } 1498 de_ctx->mpm_matcher = MPM_B2G; 1499 de_ctx->flags |= DE_QUIET; 1500 1501 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 1502 "(msg:\"Test urilen option\"; " 1503 "urilen:>2; uricontent:\"one\"; sid:1;)"); 1504 if (s == NULL) { 1505 goto end; 1506 } 1507 1508 SigGroupBuild(de_ctx); 1509 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 1510 1511 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 1512 if (r != 0) { 1513 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1514 goto end; 1515 } 1516 1517 http_state = f.alstate; 1518 if (http_state == NULL) { 1519 printf("no http state: "); 1520 goto end; 1521 } 1522 1523 /* do detect */ 1524 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1525 1526 if (!PacketAlertCheck(p, 1)) { 1527 printf("sig 1 didnt alert with pkt, but it should: "); 1528 goto end; 1529 } 1530 1531 DetectEngineStateReset(f.de_state); 1532 1533 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 1534 if (r != 0) { 1535 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1536 goto end; 1537 } 1538 1539 http_state = f.alstate; 1540 if (http_state == NULL) { 1541 printf("no http state: "); 1542 goto end; 1543 } 1544 1545 /* do detect */ 1546 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1547 1548 1549 if (!PacketAlertCheck(p, 1)) { 1550 printf("sig 1 didnt alert with payload2, but it should: "); 1551 goto end; 1552 } 1553 1554 result = 1; 1555 1556end: 1557 if (det_ctx != NULL) 1558 DetectEngineThreadCtxDeinit(&tv, det_ctx); 1559 if (de_ctx != NULL) 1560 SigGroupCleanup(de_ctx); 1561 if (de_ctx != NULL) 1562 DetectEngineCtxFree(de_ctx); 1563 1564 StreamTcpFreeConfig(TRUE); 1565 FLOW_DESTROY(&f); 1566 UTHFreePacket(p); 1567 return result; 1568} 1569 1570/** \test Test uricontent, pcre /U */ 1571static int UriTestSig14(void) 1572{ 1573 int result = 0; 1574 Flow f; 1575 HtpState *http_state = NULL; 1576 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n" 1577 "User-Agent: Mozilla/1.0\r\n" 1578 "Cookie: hellocatch\r\n\r\n"; 1579 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 1580 uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n" 1581 "User-Agent: Mozilla/1.0\r\n" 1582 "Cookie: hellocatch\r\n\r\n"; 1583 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 1584 TcpSession ssn; 1585 Packet *p = NULL; 1586 Signature *s = NULL; 1587 ThreadVars tv; 1588 DetectEngineThreadCtx *det_ctx = NULL; 1589 1590 memset(&tv, 0, sizeof(ThreadVars)); 1591 memset(&f, 0, sizeof(Flow)); 1592 memset(&ssn, 0, sizeof(TcpSession)); 1593 1594 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 1595 1596 FLOW_INITIALIZE(&f); 1597 f.protoctx = (void *)&ssn; 1598 f.flags |= FLOW_IPV4; 1599 1600 p->flow = &f; 1601 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 1602 p->flowflags |= FLOW_PKT_TOSERVER; 1603 p->flowflags |= FLOW_PKT_ESTABLISHED; 1604 f.alproto = ALPROTO_HTTP; 1605 1606 StreamTcpInitConfig(TRUE); 1607 1608 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 1609 if (de_ctx == NULL) { 1610 goto end; 1611 } 1612 de_ctx->mpm_matcher = MPM_B2G; 1613 de_ctx->flags |= DE_QUIET; 1614 1615 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 1616 "(msg:\"Test uricontent option\"; " 1617 "uricontent:\"one\"; pcre:/one(self)?/U;sid:1;)"); 1618 if (s == NULL) { 1619 goto end; 1620 } 1621 1622 SigGroupBuild(de_ctx); 1623 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 1624 1625 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 1626 if (r != 0) { 1627 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1628 goto end; 1629 } 1630 1631 http_state = f.alstate; 1632 if (http_state == NULL) { 1633 printf("no http state: "); 1634 goto end; 1635 } 1636 1637 /* do detect */ 1638 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1639 1640 if (!PacketAlertCheck(p, 1)) { 1641 printf("sig 1 didnt alert with pkt, but it should: "); 1642 goto end; 1643 } 1644 1645 DetectEngineStateReset(f.de_state); 1646 1647 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 1648 if (r != 0) { 1649 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1650 goto end; 1651 } 1652 1653 http_state = f.alstate; 1654 if (http_state == NULL) { 1655 printf("no http state: "); 1656 goto end; 1657 } 1658 1659 /* do detect */ 1660 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1661 1662 1663 if (!PacketAlertCheck(p, 1)) { 1664 printf("sig 1 didnt alert with payload2, but it should: "); 1665 goto end; 1666 } 1667 1668 result = 1; 1669 1670end: 1671 if (det_ctx != NULL) 1672 DetectEngineThreadCtxDeinit(&tv, det_ctx); 1673 if (de_ctx != NULL) 1674 SigGroupCleanup(de_ctx); 1675 if (de_ctx != NULL) 1676 DetectEngineCtxFree(de_ctx); 1677 1678 StreamTcpFreeConfig(TRUE); 1679 FLOW_DESTROY(&f); 1680 UTHFreePacket(p); 1681 return result; 1682} 1683 1684/** \test Test pcre /U with anchored regex (bug 155) */ 1685static int UriTestSig15(void) 1686{ 1687 int result = 0; 1688 Flow f; 1689 HtpState *http_state = NULL; 1690 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n" 1691 "User-Agent: Mozilla/1.0\r\n" 1692 "Cookie: hellocatch\r\n\r\n"; 1693 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 1694 uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n" 1695 "User-Agent: Mozilla/1.0\r\n" 1696 "Cookie: hellocatch\r\n\r\n"; 1697 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 1698 TcpSession ssn; 1699 Packet *p = NULL; 1700 Signature *s = NULL; 1701 ThreadVars tv; 1702 DetectEngineThreadCtx *det_ctx = NULL; 1703 1704 memset(&tv, 0, sizeof(ThreadVars)); 1705 memset(&f, 0, sizeof(Flow)); 1706 memset(&ssn, 0, sizeof(TcpSession)); 1707 1708 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 1709 1710 FLOW_INITIALIZE(&f); 1711 f.protoctx = (void *)&ssn; 1712 f.flags |= FLOW_IPV4; 1713 1714 p->flow = &f; 1715 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 1716 p->flowflags |= FLOW_PKT_TOSERVER; 1717 p->flowflags |= FLOW_PKT_ESTABLISHED; 1718 f.alproto = ALPROTO_HTTP; 1719 1720 StreamTcpInitConfig(TRUE); 1721 1722 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); 1723 if (de_ctx == NULL) { 1724 goto end; 1725 } 1726 de_ctx->mpm_matcher = MPM_B2G; 1727 de_ctx->flags |= DE_QUIET; 1728 1729 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " 1730 "(msg:\"Test uricontent option\"; " 1731 "uricontent:\"one\"; pcre:/^\\/one(self)?$/U;sid:1;)"); 1732 if (s == NULL) { 1733 goto end; 1734 } 1735 1736 SigGroupBuild(de_ctx); 1737 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 1738 1739 int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len); 1740 if (r != 0) { 1741 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1742 goto end; 1743 } 1744 1745 http_state = f.alstate; 1746 if (http_state == NULL) { 1747 printf("no http state: "); 1748 goto end; 1749 } 1750 1751 /* do detect */ 1752 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1753 1754 if (!PacketAlertCheck(p, 1)) { 1755 printf("sig 1 didnt alert with pkt, but it should: "); 1756 goto end; 1757 } 1758 1759 DetectEngineStateReset(f.de_state); 1760 1761 r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); 1762 if (r != 0) { 1763 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 1764 goto end; 1765 } 1766 1767 http_state = f.alstate; 1768 if (http_state == NULL) { 1769 printf("no http state: "); 1770 goto end; 1771 } 1772 1773 /* do detect */ 1774 SigMatchSignatures(&tv, de_ctx, det_ctx, p); 1775 1776 1777 if (!PacketAlertCheck(p, 1)) { 1778 printf("sig 1 didnt alert with payload2, but it should: "); 1779 goto end; 1780 } 1781 1782 result = 1; 1783 1784end: 1785 if (det_ctx != NULL) 1786 DetectEngineThreadCtxDeinit(&tv, det_ctx); 1787 if (de_ctx != NULL) 1788 SigGroupCleanup(de_ctx); 1789 if (de_ctx != NULL) 1790 DetectEngineCtxFree(de_ctx); 1791 1792 StreamTcpFreeConfig(TRUE); 1793 FLOW_DESTROY(&f); 1794 UTHFreePacket(p); 1795 return result; 1796} 1797 1798/** \test Test pcre /U with anchored regex (bug 155) */ 1799static int UriTestSig16(void) 1800{ 1801 int result = 0; 1802 Flow f; 1803 HtpState *http_state = NULL; 1804 uint8_t http_buf1[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n" 1805 "User-Agent: Mozilla/1.0/\r\n" 1806 "Host: 1.2.3.4\r\n\r\n"; 1807 uint32_t http_buf1_len = sizeof(http_buf1) - 1; 1808 uint8_t http_buf2[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n" 1809 "User-Agent: Mozilla/1.0\r\n" 1810 "Cookie: hellocatch\r\n\r\n"; 1811 uint32_t http_buf2_len = sizeof(http_buf2) - 1; 1812 TcpSession ssn; 1813 Packet *p = NULL; 1814 Signature *s = NULL; 1815 ThreadVars tv; 1816 DetectEngineThreadCtx *det_ctx = NULL; 1817 1818 memset(&tv, 0, sizeof(ThreadVars)); 1819 memset(&f, 0, sizeof(Flow)); 1820 memset(&ssn, 0, sizeof(TcpSession)); 1821 1822 p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP); 1823 1824 FLOW_INITIALIZE(&f); 1825 f.protoctx = (void *)&ssn; 1826 f.flags |= FLOW_IPV4; 1827 1828 p->flow = &f; 1829 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; 1830 p->flowflags |= FLOW_PKT_TOSERVER; 1831 p->flowflags |= FLOW_PKT_ESTABLISHED; 1832 f.alproto = ALPROTO_HTTP; 1833 1834 StreamTcpInitConfig(TRUE); 1835 1836 DetectE…
Large files files are truncated, but you can click here to view the full file