/src/detect-engine-uri.c
- /* Copyright (C) 2007-2010 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
- /** \file
- *
- * \author Victor Julien <victor@inliniac.net>
- * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
- *
- * Based on detect-engine-uri.c
- */
- #include "suricata-common.h"
- #include "suricata.h"
- #include "decode.h"
- #include "detect.h"
- #include "detect-engine.h"
- #include "detect-parse.h"
- #include "detect-engine-state.h"
- #include "detect-engine-content-inspection.h"
- #include "flow-util.h"
- #include "util-debug.h"
- #include "util-print.h"
- #include "flow.h"
- #include "app-layer-parser.h"
- #include "util-unittest.h"
- #include "util-unittest-helper.h"
- #include "app-layer.h"
- #include "app-layer-htp.h"
- #include "app-layer-protos.h"
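/** \brief Inspect the normalized request URI of one HTTP transaction
 *         against the uricontent / pcre-U matches of a signature.
 *
 * \param tv      Thread vars (not used by this function)
 * \param de_ctx  Detection engine context
 * \param det_ctx Detection engine thread context; its per-inspection
 *                counters are reset here before the inspection runs
 * \param s       Signature to inspect
 * \param f       Flow the transaction belongs to
 * \param flags   App layer flags (not consulted by this function)
 * \param alstate App layer state, expected to be a HtpState; may be NULL
 * \param tx_id   Index of the transaction in the libhtp transaction list
 *
 * \retval 0 no match; also returned when there is no state, no parser
 *           connection, no transaction with that id, or the transaction
 *           has no normalized request URI
 * \retval 1 match
 */
int DetectEngineInspectPacketUris(ThreadVars *tv,
        DetectEngineCtx *de_ctx,
        DetectEngineThreadCtx *det_ctx,
        Signature *s, Flow *f, uint8_t flags,
        void *alstate, int tx_id)
{
    HtpState *htp_state = (HtpState *)alstate;

    /* The state, its parser connection and the transaction may all be
     * absent (parser never run for this flow, or already torn down);
     * none of those cases is a match, and none may be dereferenced. */
    if (htp_state == NULL || htp_state->connp == NULL ||
        htp_state->connp->conn == NULL) {
        return 0;
    }

    htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id);
    if (tx == NULL || tx->request_uri_normalized == NULL) {
        return 0;
    }

    /* start a fresh inspection: no carried-over offset or recursion depth */
    det_ctx->discontinue_matching = 0;
    det_ctx->buffer_offset = 0;
    det_ctx->inspection_recursion_counter = 0;

    /* Inspect all the uricontents fetched on each
     * transaction at the app layer */
    int r = DetectEngineContentInspection(de_ctx, det_ctx, s,
            s->sm_lists[DETECT_SM_LIST_UMATCH], f,
            (uint8_t *)bstr_ptr(tx->request_uri_normalized),
            bstr_len(tx->request_uri_normalized),
            DETECT_ENGINE_CONTENT_INSPECTION_MODE_URI, NULL);

    /* only an explicit 1 from the inspection counts as a match */
    return (r == 1) ? 1 : 0;
}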
- /***********************************Unittests**********************************/
- #ifdef UNITTESTS
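/** \test Test a simple uricontent option: "one" is contained in both
 *        request URIs (/one and /oneself), so sig 1 must alert on each
 *        request. */
static int UriTestSig01(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* stream config and flow are set up before the first point that can
     * fail, so every resource released at 'end' was initialized */
    StreamTcpInitConfig(TRUE);
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;

    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build the test packet: ");
        goto end;
    }
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test uricontent option\"; "
            "uricontent:\"one\"; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* first request: /one must match */
    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert, but it should: ");
        goto end;
    }

    /* second request on the same flow, after resetting the per-flow
     * detection state; detection must run before the alert is checked */
    DetectEngineStateReset(f.de_state);
    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert on payload2, but it should: ");
        goto end;
    }

    result = 1;
end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}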
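/** \test Test the pcre /U option: "one" is not in /on but is in /one,
 *        so sig 1 must stay silent on the first request and alert on
 *        the second. */
static int UriTestSig02(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /on HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /one HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* stream config and flow are set up before the first point that can
     * fail, so every resource released at 'end' was initialized */
    StreamTcpInitConfig(TRUE);
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;

    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build the test packet: ");
        goto end;
    }
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test pcre /U option\"; "
            "pcre:/one/U; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* first request: /on must not match */
    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted on payload1, but it should not: ");
        goto end;
    }

    /* second request on the same flow, after resetting the per-flow
     * detection state: /one must match */
    DetectEngineStateReset(f.de_state);
    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert, but it should: ");
        goto end;
    }

    result = 1;
end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}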
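/** \test Test the pcre /U option: "blah" appears in neither /one nor
 *        /oneself, so sig 1 must not alert on either request. */
static int UriTestSig03(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* stream config and flow are set up before the first point that can
     * fail, so every resource released at 'end' was initialized */
    StreamTcpInitConfig(TRUE);
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;

    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build the test packet: ");
        goto end;
    }
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test pcre /U option\"; "
            "pcre:/blah/U; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* first request: /one must not match */
    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    /* second request on the same flow, after resetting the per-flow
     * detection state: /oneself must not match either */
    DetectEngineStateReset(f.de_state);
    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    result = 1;
end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}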
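/** \test Test the urilen option: neither /one nor /oneself is longer
 *        than 20 bytes, so urilen:>20 must not alert on either request. */
static int UriTestSig04(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* stream config and flow are set up before the first point that can
     * fail, so every resource released at 'end' was initialized */
    StreamTcpInitConfig(TRUE);
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;

    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build the test packet: ");
        goto end;
    }
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test urilen option\"; "
            "urilen:>20; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* first request: /one is too short to match */
    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    /* second request on the same flow, after resetting the per-flow
     * detection state: /oneself is still too short */
    DetectEngineStateReset(f.de_state);
    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    result = 1;
end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}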
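/** \test Test the urilen option: /one is not longer than 4 bytes but
 *        /oneself is, so urilen:>4 must alert only on the second
 *        request. */
static int UriTestSig05(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* stream config and flow are set up before the first point that can
     * fail, so every resource released at 'end' was initialized */
    StreamTcpInitConfig(TRUE);
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;

    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build the test packet: ");
        goto end;
    }
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test urilen option\"; "
            "urilen:>4; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* first request: /one must not match */
    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    /* second request on the same flow, after resetting the per-flow
     * detection state: /oneself must match */
    DetectEngineStateReset(f.de_state);
    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert with payload2, but it should: ");
        goto end;
    }

    result = 1;
end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}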
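/** \test Test the pcre /U option with a repeated group: "oneself" is
 *        absent from /oneoneoneone and present in /oneself, so sig 1
 *        must alert only on the second request. */
static int UriTestSig06(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* stream config and flow are set up before the first point that can
     * fail, so every resource released at 'end' was initialized */
    StreamTcpInitConfig(TRUE);
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;

    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build the test packet: ");
        goto end;
    }
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test pcre /U option\"; "
            "pcre:/(oneself)+/U; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* first request: /oneoneoneone must not match */
    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    /* second request on the same flow, after resetting the per-flow
     * detection state: /oneself must match */
    DetectEngineStateReset(f.de_state);
    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert on payload2, but it should: ");
        goto end;
    }

    result = 1;
end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}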
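/** \test Test the pcre /U option in combination with urilen: both
 *        /oneoneoneone and /oneoneself match (one){2,}(self)? and fall
 *        inside urilen:3<>20, so sig 1 must alert on both requests. */
static int UriTestSig07(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* stream config and flow are set up before the first point that can
     * fail, so every resource released at 'end' was initialized */
    StreamTcpInitConfig(TRUE);
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;

    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build the test packet: ");
        goto end;
    }
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test pcre /U option with urilen \"; "
            "pcre:/(one){2,}(self)?/U; urilen:3<>20; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* first request: /oneoneoneone must match */
    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert, but it should: ");
        goto end;
    }

    /* second request on the same flow, after resetting the per-flow
     * detection state: /oneoneself must match too */
    DetectEngineStateReset(f.de_state);
    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert with payload2, but it should: ");
        goto end;
    }

    result = 1;
end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}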
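/** \test Test the pcre /U option in combination with urilen: the
 *        pattern (blabla){2,}(self)? matches neither /oneoneoneone nor
 *        /oneoneself, so sig 1 must not alert even though both URIs
 *        satisfy urilen:3<>20. */
static int UriTestSig08(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* stream config and flow are set up before the first point that can
     * fail, so every resource released at 'end' was initialized */
    StreamTcpInitConfig(TRUE);
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;

    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build the test packet: ");
        goto end;
    }
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test pcre /U option with urilen\"; "
            "pcre:/(blabla){2,}(self)?/U; urilen:3<>20; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* first request: /oneoneoneone must not match */
    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    /* second request on the same flow, after resetting the per-flow
     * detection state: /oneoneself must not match either */
    DetectEngineStateReset(f.de_state);
    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    result = 1;
end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}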
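/** \test Test the pcre /U option in combination with urilen: the pcre
 *        matches both /oneoneoneone and /oneoneself, but urilen:<2
 *        rejects both, so sig 1 must not alert on either request. */
static int UriTestSig09(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* stream config and flow are set up before the first point that can
     * fail, so every resource released at 'end' was initialized */
    StreamTcpInitConfig(TRUE);
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;

    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build the test packet: ");
        goto end;
    }
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test pcre /U option with urilen \"; "
            "pcre:/(one){2,}(self)?/U; urilen:<2; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* first request: /oneoneoneone is too long for urilen:<2 */
    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    /* second request on the same flow, after resetting the per-flow
     * detection state: /oneoneself is too long as well */
    DetectEngineStateReset(f.de_state);
    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    result = 1;
end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}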
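/** \test Test the uricontent option in combination with urilen:
 *        uricontent:"one" matches both URIs, but urilen:<2 rejects
 *        both, so sig 1 must not alert on either request. */
static int UriTestSig10(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* stream config and flow are set up before the first point that can
     * fail, so every resource released at 'end' was initialized */
    StreamTcpInitConfig(TRUE);
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;

    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build the test packet: ");
        goto end;
    }
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test uricontent with urilen option\"; "
            "uricontent:\"one\"; urilen:<2; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* first request: /oneoneoneone is too long for urilen:<2 */
    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    /* second request on the same flow, after resetting the per-flow
     * detection state: /oneoneself is too long as well */
    DetectEngineStateReset(f.de_state);
    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    result = 1;
end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}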
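/** \test Test content, uricontent, urilen and pcre /U options together:
 *        content, uricontent and the pcre all match both URIs, but
 *        urilen:<2 rejects both, so sig 1 must not alert on either
 *        request. */
static int UriTestSig11(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* stream config and flow are set up before the first point that can
     * fail, so every resource released at 'end' was initialized */
    StreamTcpInitConfig(TRUE);
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.alproto = ALPROTO_HTTP;

    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("failed to build the test packet: ");
        goto end;
    }
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test content, uricontent, pcre /U and urilen options\"; "
            "content:\"one\"; uricontent:\"one\"; pcre:/(one){2,}(self)?/U;"
            "urilen:<2; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* first request: /oneoneoneone is too long for urilen:<2 */
    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    /* second request on the same flow, after resetting the per-flow
     * detection state: /oneoneself is too long as well */
    DetectEngineStateReset(f.de_state);
    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted, but it should not: ");
        goto end;
    }

    result = 1;
end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}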
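/** \test uricontent, pcre /U and urilen together, negative then positive:
 *        "/oneoneoneone" contains "one" and is longer than 2 bytes but has no
 *        trailing "self", so pcre:/(one)+self/U fails and sid 1 must not
 *        alert; "/oneoneself" satisfies all three keywords and must alert.
 *
 *  \retval 1 test passed
 *  \retval 0 test failed (a reason has been printed)
 */
static int UriTestSig12(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* Nothing has been set up yet, so a failed packet build can bail out
     * directly instead of dereferencing a NULL packet below. */
    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("UTHBuildPacket failed: ");
        return 0;
    }

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;

    /* one established to-server packet; it is reused for both detect runs */
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    f.alproto = ALPROTO_HTTP;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test pcre /U, uricontent and urilen option\"; "
            "uricontent:\"one\"; "
            "pcre:/(one)+self/U; urilen:>2; sid:1;)");
    if (s == NULL) {
        printf("SigInit failed: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* det_ctx was NULL before the call; assume it still is if init failed */
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect on request 1: the pcre has no "self" to match */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sig 1 alerted on payload1, but it should not: ");
        goto end;
    }

    /* reset the flow's detect state so request 2 is inspected afresh */
    DetectEngineStateReset(f.de_state);

    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state after chunk 2: ");
        goto end;
    }

    /* do detect on request 2: p still carries http_buf1 as payload, only
     * the app layer state has moved on; this is the pass that must alert */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert with payload2, but it should: ");
        goto end;
    }

    result = 1;

end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}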
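/** \test urilen:>2 combined with uricontent:"one": both "/one" (4 bytes)
 *        and "/oneself" (8 bytes) must alert.
 *
 *  NOTE(review): p->alerts is not cleared between the two detect runs, so
 *  once the first run has alerted the second PacketAlertCheck() may pass
 *  regardless of what request 2 did - confirm before relying on the second
 *  assertion as an independent check.
 *
 *  \retval 1 test passed
 *  \retval 0 test failed (a reason has been printed)
 */
static int UriTestSig13(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* Nothing has been set up yet, so a failed packet build can bail out
     * directly instead of dereferencing a NULL packet below. */
    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("UTHBuildPacket failed: ");
        return 0;
    }

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;

    /* one established to-server packet; it is reused for both detect runs */
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    f.alproto = ALPROTO_HTTP;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test urilen option\"; "
            "urilen:>2; uricontent:\"one\"; sid:1;)");
    if (s == NULL) {
        printf("SigInit failed: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* det_ctx was NULL before the call; assume it still is if init failed */
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect on request 1 */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert with pkt, but it should: ");
        goto end;
    }

    /* reset the flow's detect state so request 2 is inspected afresh */
    DetectEngineStateReset(f.de_state);

    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state after chunk 2: ");
        goto end;
    }

    /* do detect on request 2: p still carries http_buf1 as payload, only
     * the app layer state has moved on */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert with payload2, but it should: ");
        goto end;
    }

    result = 1;

end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}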
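/** \test uricontent:"one" followed by an unanchored pcre:/one(self)?/U:
 *        both "/one" and "/oneself" must alert.
 *
 *  NOTE(review): p->alerts is not cleared between the two detect runs, so
 *  once the first run has alerted the second PacketAlertCheck() may pass
 *  regardless of what request 2 did - confirm before relying on the second
 *  assertion as an independent check.
 *
 *  \retval 1 test passed
 *  \retval 0 test failed (a reason has been printed)
 */
static int UriTestSig14(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* Nothing has been set up yet, so a failed packet build can bail out
     * directly instead of dereferencing a NULL packet below. */
    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("UTHBuildPacket failed: ");
        return 0;
    }

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;

    /* one established to-server packet; it is reused for both detect runs */
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    f.alproto = ALPROTO_HTTP;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test uricontent option\"; "
            "uricontent:\"one\"; pcre:/one(self)?/U;sid:1;)");
    if (s == NULL) {
        printf("SigInit failed: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* det_ctx was NULL before the call; assume it still is if init failed */
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect on request 1 */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert with pkt, but it should: ");
        goto end;
    }

    /* reset the flow's detect state so request 2 is inspected afresh */
    DetectEngineStateReset(f.de_state);

    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state after chunk 2: ");
        goto end;
    }

    /* do detect on request 2: p still carries http_buf1 as payload, only
     * the app layer state has moved on */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert with payload2, but it should: ");
        goto end;
    }

    result = 1;

end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}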
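/** \test pcre /U with a regex anchored at both ends, ^\/one(self)?$, after
 *        uricontent:"one" (regression test for bug 155): both "/one" and
 *        "/oneself" must alert. An anchored URI regex that silently stops
 *        matching would be a false negative, i.e. an evasion, so this case
 *        matters beyond plain parser correctness.
 *
 *  NOTE(review): p->alerts is not cleared between the two detect runs, so
 *  once the first run has alerted the second PacketAlertCheck() may pass
 *  regardless of what request 2 did - confirm before relying on the second
 *  assertion as an independent check.
 *
 *  \retval 1 test passed
 *  \retval 0 test failed (a reason has been printed)
 */
static int UriTestSig15(void)
{
    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
        "User-Agent: Mozilla/1.0\r\n"
        "Cookie: hellocatch\r\n\r\n";
    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* Nothing has been set up yet, so a failed packet build can bail out
     * directly instead of dereferencing a NULL packet below. */
    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
    if (p == NULL) {
        printf("UTHBuildPacket failed: ");
        return 0;
    }

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;

    /* one established to-server packet; it is reused for both detect runs */
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    f.alproto = ALPROTO_HTTP;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("DetectEngineCtxInit failed: ");
        goto end;
    }
    de_ctx->mpm_matcher = MPM_B2G;
    de_ctx->flags |= DE_QUIET;

    /* "\\/" in the C string is "\/" in the rule: an escaped slash inside the
     * pcre delimiters */
    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"Test uricontent option\"; "
            "uricontent:\"one\"; pcre:/^\\/one(self)?$/U;sid:1;)");
    if (s == NULL) {
        printf("SigInit failed: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* det_ctx was NULL before the call; assume it still is if init failed */
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect on request 1 */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert with pkt, but it should: ");
        goto end;
    }

    /* reset the flow's detect state so request 2 is inspected afresh */
    DetectEngineStateReset(f.de_state);

    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }
    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state after chunk 2: ");
        goto end;
    }

    /* do detect on request 2: p still carries http_buf1 as payload, only
     * the app layer state has moved on */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sig 1 didnt alert with payload2, but it should: ");
        goto end;
    }

    result = 1;

end:
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    return result;
}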
- /** \test Test pcre /U with anchored regex (bug 155) */
- static int UriTestSig16(void)
- {
- int result = 0;
- Flow f;
- HtpState *http_state = NULL;
- uint8_t http_buf1[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
- "User-Agent: Mozilla/1.0/\r\n"
- "Host: 1.2.3.4\r\n\r\n";
- uint32_t http_buf1_len = sizeof(http_buf1) - 1;
- uint8_t http_buf2[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
- "User-Agent: Mozilla/1.0\r\n"
- "Cookie: hellocatch\r\n\r\n";
- uint32_t http_buf2_len = sizeof(http_buf2) - 1;
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars tv;
- DetectEngineThreadCtx *det_ctx = NULL;
- memset(&tv, 0, sizeof(ThreadVars));
- memset(&f, 0, sizeof(Flow));
- memset(&ssn, 0, sizeof(TcpSession));
- p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- f.alproto = ALPROTO_HTTP;
- StreamTcpInitConfig(TRUE);
- DetectE…