PageRenderTime 107ms CodeModel.GetById 4ms app.highlight 93ms RepoModel.GetById 1ms app.codeStats 1ms

/src/detect-engine-uri.c

https://github.com/decanio/suricata-tilera
C | 3897 lines | 3009 code | 744 blank | 144 comment | 656 complexity | 33c718194613c083cfdf1a14767e0850 MD5 | raw file

Large files files are truncated, but you can click here to view the full file

   1/* Copyright (C) 2007-2010 Open Information Security Foundation
   2 *
   3 * You can copy, redistribute or modify this Program under the terms of
   4 * the GNU General Public License version 2 as published by the Free
   5 * Software Foundation.
   6 *
   7 * This program is distributed in the hope that it will be useful,
   8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
   9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  10 * GNU General Public License for more details.
  11 *
  12 * You should have received a copy of the GNU General Public License
  13 * version 2 along with this program; if not, write to the Free Software
  14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  15 * 02110-1301, USA.
  16 */
  17
  18/** \file
  19 *
  20 *  \author Victor Julien <victor@inliniac.net>
  21 *  \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
  22 *
  23 *  Based on detect-engine-uri.c
  24 */
  25
  26#include "suricata-common.h"
  27#include "suricata.h"
  28#include "decode.h"
  29
  30#include "detect.h"
  31#include "detect-engine.h"
  32#include "detect-parse.h"
  33#include "detect-engine-state.h"
  34#include "detect-engine-content-inspection.h"
  35
  36#include "flow-util.h"
  37#include "util-debug.h"
  38#include "util-print.h"
  39#include "flow.h"
  40
  41#include "app-layer-parser.h"
  42
  43#include "util-unittest.h"
  44#include "util-unittest-helper.h"
  45#include "app-layer.h"
  46#include "app-layer-htp.h"
  47#include "app-layer-protos.h"
  48
  49/** \brief Do the content inspection & validation for a signature
  50 *
  51 *  \param de_ctx Detection engine context
  52 *  \param det_ctx Detection engine thread context
  53 *  \param s Signature to inspect
  54 *  \param sm SigMatch to inspect
  55 *  \param f Flow
  56 *  \param flags app layer flags
  57 *  \param state App layer state
  58 *
  59 *  \retval 0 no match
  60 *  \retval 1 match
  61 */
  62int DetectEngineInspectPacketUris(ThreadVars *tv,
  63                                  DetectEngineCtx *de_ctx,
  64                                  DetectEngineThreadCtx *det_ctx,
  65                                  Signature *s, Flow *f, uint8_t flags,
  66                                  void *alstate, int tx_id)
  67{
  68    HtpState *htp_state = (HtpState *)alstate;
  69
  70    htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id);
  71    if (tx == NULL || tx->request_uri_normalized == NULL)
  72        return 0;
  73
  74    det_ctx->discontinue_matching = 0;
  75    det_ctx->buffer_offset = 0;
  76    det_ctx->inspection_recursion_counter = 0;
  77
  78    //PrintRawDataFp(stdout, (uint8_t *)bstr_ptr(tx->request_uri_normalized),
  79    //        bstr_len(tx->request_uri_normalized));
  80
  81    /* Inspect all the uricontents fetched on each
  82     * transaction at the app layer */
  83    int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_UMATCH],
  84                                          f,
  85                                          (uint8_t *)bstr_ptr(tx->request_uri_normalized),
  86                                          bstr_len(tx->request_uri_normalized),
  87                                          DETECT_ENGINE_CONTENT_INSPECTION_MODE_URI, NULL);
  88    if (r == 1) {
  89        return 1;
  90    }
  91
  92    return 0;
  93}
  94
  95/***********************************Unittests**********************************/
  96
  97#ifdef UNITTESTS
  98/** \test Test a simple uricontent option */
  99static int UriTestSig01(void)
 100{
 101    int result = 0;
 102    Flow f;
 103    HtpState *http_state = NULL;
 104    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
 105        "User-Agent: Mozilla/1.0\r\n"
 106        "Cookie: hellocatch\r\n\r\n";
 107    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
 108    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
 109        "User-Agent: Mozilla/1.0\r\n"
 110        "Cookie: hellocatch\r\n\r\n";
 111    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
 112    TcpSession ssn;
 113    Packet *p = NULL;
 114    Signature *s = NULL;
 115    ThreadVars tv;
 116    DetectEngineThreadCtx *det_ctx = NULL;
 117
 118    memset(&tv, 0, sizeof(ThreadVars));
 119    memset(&f, 0, sizeof(Flow));
 120    memset(&ssn, 0, sizeof(TcpSession));
 121
 122    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
 123
 124    FLOW_INITIALIZE(&f);
 125    f.protoctx = (void *)&ssn;
 126    f.flags |= FLOW_IPV4;
 127
 128    p->flow = &f;
 129    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
 130    p->flowflags |= FLOW_PKT_TOSERVER;
 131    p->flowflags |= FLOW_PKT_ESTABLISHED;
 132    f.alproto = ALPROTO_HTTP;
 133
 134    StreamTcpInitConfig(TRUE);
 135
 136    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 137    if (de_ctx == NULL) {
 138        goto end;
 139    }
 140    de_ctx->mpm_matcher = MPM_B2G;
 141    de_ctx->flags |= DE_QUIET;
 142
 143    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
 144                                   "(msg:\"Test uricontent option\"; "
 145                                   "uricontent:\"one\"; sid:1;)");
 146    if (s == NULL) {
 147        goto end;
 148    }
 149
 150    SigGroupBuild(de_ctx);
 151    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
 152
 153    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
 154    if (r != 0) {
 155        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 156        goto end;
 157    }
 158
 159    http_state = f.alstate;
 160    if (http_state == NULL) {
 161        printf("no http state: ");
 162        goto end;
 163    }
 164
 165    /* do detect */
 166    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 167
 168    if (!PacketAlertCheck(p, 1)) {
 169        printf("sig 1 alerted, but it should not: ");
 170        goto end;
 171    }
 172
 173    DetectEngineStateReset(f.de_state);
 174
 175    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
 176    if (r != 0) {
 177        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 178        goto end;
 179    }
 180
 181    http_state = f.alstate;
 182    if (http_state == NULL) {
 183        printf("no http state: ");
 184        goto end;
 185    }
 186
 187    if (!PacketAlertCheck(p, 1)) {
 188        printf("sig 1 alerted, but it should not: ");
 189        goto end;
 190    }
 191
 192    /* do detect */
 193    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 194
 195    result = 1;
 196
 197end:
 198    if (det_ctx != NULL)
 199        DetectEngineThreadCtxDeinit(&tv, det_ctx);
 200    if (de_ctx != NULL)
 201        SigGroupCleanup(de_ctx);
 202    if (de_ctx != NULL)
 203        DetectEngineCtxFree(de_ctx);
 204
 205    StreamTcpFreeConfig(TRUE);
 206    FLOW_DESTROY(&f);
 207    UTHFreePacket(p);
 208    return result;
 209}
 210
 211/** \test Test the pcre /U option */
 212static int UriTestSig02(void)
 213{
 214    int result = 0;
 215    Flow f;
 216    HtpState *http_state = NULL;
 217    uint8_t http_buf1[] = "POST /on HTTP/1.0\r\n"
 218        "User-Agent: Mozilla/1.0\r\n"
 219        "Cookie: hellocatch\r\n\r\n";
 220    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
 221    uint8_t http_buf2[] = "POST /one HTTP/1.0\r\n"
 222        "User-Agent: Mozilla/1.0\r\n"
 223        "Cookie: hellocatch\r\n\r\n";
 224    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
 225    TcpSession ssn;
 226    Packet *p = NULL;
 227    Signature *s = NULL;
 228    ThreadVars tv;
 229    DetectEngineThreadCtx *det_ctx = NULL;
 230
 231    memset(&tv, 0, sizeof(ThreadVars));
 232    memset(&f, 0, sizeof(Flow));
 233    memset(&ssn, 0, sizeof(TcpSession));
 234
 235    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
 236
 237    FLOW_INITIALIZE(&f);
 238    f.protoctx = (void *)&ssn;
 239    f.flags |= FLOW_IPV4;
 240
 241    p->flow = &f;
 242    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
 243    p->flowflags |= FLOW_PKT_TOSERVER;
 244    p->flowflags |= FLOW_PKT_ESTABLISHED;
 245    f.alproto = ALPROTO_HTTP;
 246
 247    StreamTcpInitConfig(TRUE);
 248
 249    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 250    if (de_ctx == NULL) {
 251        goto end;
 252    }
 253    de_ctx->mpm_matcher = MPM_B2G;
 254    de_ctx->flags |= DE_QUIET;
 255
 256    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
 257                                   "(msg:\"Test pcre /U option\"; "
 258                                   "pcre:/one/U; sid:1;)");
 259    if (s == NULL) {
 260        goto end;
 261    }
 262
 263    SigGroupBuild(de_ctx);
 264    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
 265
 266    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
 267    if (r != 0) {
 268        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 269        goto end;
 270    }
 271
 272    http_state = f.alstate;
 273    if (http_state == NULL) {
 274        printf("no http state: ");
 275        goto end;
 276    }
 277
 278    /* do detect */
 279    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 280
 281    if (PacketAlertCheck(p, 1)) {
 282        printf("sig 1 alerted with payload2, but it should not: ");
 283        goto end;
 284    }
 285
 286    DetectEngineStateReset(f.de_state);
 287
 288    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
 289    if (r != 0) {
 290        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 291        goto end;
 292    }
 293
 294    http_state = f.alstate;
 295    if (http_state == NULL) {
 296        printf("no http state: ");
 297        goto end;
 298    }
 299
 300    /* do detect */
 301    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 302
 303    if (!PacketAlertCheck(p, 1)) {
 304        printf("sig 1 didnt alert, but it should: ");
 305        goto end;
 306    }
 307
 308    result = 1;
 309
 310end:
 311    if (det_ctx != NULL)
 312        DetectEngineThreadCtxDeinit(&tv, det_ctx);
 313    if (de_ctx != NULL)
 314        SigGroupCleanup(de_ctx);
 315    if (de_ctx != NULL)
 316        DetectEngineCtxFree(de_ctx);
 317
 318    StreamTcpFreeConfig(TRUE);
 319    FLOW_DESTROY(&f);
 320    UTHFreePacket(p);
 321    return result;
 322}
 323
 324/** \test Test the pcre /U option */
 325static int UriTestSig03(void)
 326{
 327    int result = 0;
 328    Flow f;
 329    HtpState *http_state = NULL;
 330    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
 331        "User-Agent: Mozilla/1.0\r\n"
 332        "Cookie: hellocatch\r\n\r\n";
 333    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
 334    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
 335        "User-Agent: Mozilla/1.0\r\n"
 336        "Cookie: hellocatch\r\n\r\n";
 337    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
 338    TcpSession ssn;
 339    Packet *p = NULL;
 340    Signature *s = NULL;
 341    ThreadVars tv;
 342    DetectEngineThreadCtx *det_ctx = NULL;
 343
 344    memset(&tv, 0, sizeof(ThreadVars));
 345    memset(&f, 0, sizeof(Flow));
 346    memset(&ssn, 0, sizeof(TcpSession));
 347
 348    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
 349
 350    FLOW_INITIALIZE(&f);
 351    f.protoctx = (void *)&ssn;
 352    f.flags |= FLOW_IPV4;
 353
 354    p->flow = &f;
 355    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
 356    p->flowflags |= FLOW_PKT_TOSERVER;
 357    p->flowflags |= FLOW_PKT_ESTABLISHED;
 358    f.alproto = ALPROTO_HTTP;
 359
 360    StreamTcpInitConfig(TRUE);
 361
 362    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 363    if (de_ctx == NULL) {
 364        goto end;
 365    }
 366    de_ctx->mpm_matcher = MPM_B2G;
 367    de_ctx->flags |= DE_QUIET;
 368
 369    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
 370                                   "(msg:\"Test pcre /U option\"; "
 371                                   "pcre:/blah/U; sid:1;)");
 372    if (s == NULL) {
 373        goto end;
 374    }
 375
 376    SigGroupBuild(de_ctx);
 377    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
 378
 379    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
 380    if (r != 0) {
 381        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 382        goto end;
 383    }
 384
 385    http_state = f.alstate;
 386    if (http_state == NULL) {
 387        printf("no http state: ");
 388        goto end;
 389    }
 390
 391    /* do detect */
 392    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 393
 394    if (PacketAlertCheck(p, 1)) {
 395        printf("sig 1 alerted, but it should not: ");
 396        goto end;
 397    }
 398
 399    DetectEngineStateReset(f.de_state);
 400
 401    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
 402    if (r != 0) {
 403        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 404        goto end;
 405    }
 406
 407    http_state = f.alstate;
 408    if (http_state == NULL) {
 409        printf("no http state: ");
 410        goto end;
 411    }
 412
 413    /* do detect */
 414    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 415
 416    if (PacketAlertCheck(p, 1)) {
 417        printf("sig 1 alerted, but it should not: ");
 418        goto end;
 419    }
 420
 421    result = 1;
 422
 423end:
 424    if (det_ctx != NULL)
 425        DetectEngineThreadCtxDeinit(&tv, det_ctx);
 426    if (de_ctx != NULL)
 427        SigGroupCleanup(de_ctx);
 428    if (de_ctx != NULL)
 429        DetectEngineCtxFree(de_ctx);
 430
 431    StreamTcpFreeConfig(TRUE);
 432    FLOW_DESTROY(&f);
 433    UTHFreePacket(p);
 434    return result;
 435}
 436
 437/** \test Test the urilen option */
 438static int UriTestSig04(void)
 439{
 440    int result = 0;
 441    Flow f;
 442    HtpState *http_state = NULL;
 443    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
 444        "User-Agent: Mozilla/1.0\r\n"
 445        "Cookie: hellocatch\r\n\r\n";
 446    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
 447    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
 448        "User-Agent: Mozilla/1.0\r\n"
 449        "Cookie: hellocatch\r\n\r\n";
 450    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
 451    TcpSession ssn;
 452    Packet *p = NULL;
 453    Signature *s = NULL;
 454    ThreadVars tv;
 455    DetectEngineThreadCtx *det_ctx = NULL;
 456
 457    memset(&tv, 0, sizeof(ThreadVars));
 458    memset(&f, 0, sizeof(Flow));
 459    memset(&ssn, 0, sizeof(TcpSession));
 460
 461    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
 462
 463    FLOW_INITIALIZE(&f);
 464    f.protoctx = (void *)&ssn;
 465    f.flags |= FLOW_IPV4;
 466
 467    p->flow = &f;
 468    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
 469    p->flowflags |= FLOW_PKT_TOSERVER;
 470    p->flowflags |= FLOW_PKT_ESTABLISHED;
 471    f.alproto = ALPROTO_HTTP;
 472
 473    StreamTcpInitConfig(TRUE);
 474
 475    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 476    if (de_ctx == NULL) {
 477        goto end;
 478    }
 479    de_ctx->mpm_matcher = MPM_B2G;
 480    de_ctx->flags |= DE_QUIET;
 481
 482    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
 483                                   "(msg:\"Test urilen option\"; "
 484                                   "urilen:>20; sid:1;)");
 485    if (s == NULL) {
 486        goto end;
 487    }
 488
 489    SigGroupBuild(de_ctx);
 490    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
 491
 492    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
 493    if (r != 0) {
 494        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 495        goto end;
 496    }
 497
 498    http_state = f.alstate;
 499    if (http_state == NULL) {
 500        printf("no http state: ");
 501        goto end;
 502    }
 503
 504    /* do detect */
 505    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 506
 507    if (PacketAlertCheck(p, 1)) {
 508        printf("sig 1 alerted, but it should not: ");
 509        goto end;
 510    }
 511
 512    DetectEngineStateReset(f.de_state);
 513
 514    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
 515    if (r != 0) {
 516        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 517        goto end;
 518    }
 519
 520    http_state = f.alstate;
 521    if (http_state == NULL) {
 522        printf("no http state: ");
 523        goto end;
 524    }
 525
 526    /* do detect */
 527    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 528
 529    if (PacketAlertCheck(p, 1)) {
 530        printf("sig 1 alerted, but it should not: ");
 531        goto end;
 532    }
 533
 534    result = 1;
 535
 536end:
 537    if (det_ctx != NULL)
 538        DetectEngineThreadCtxDeinit(&tv, det_ctx);
 539    if (de_ctx != NULL)
 540        SigGroupCleanup(de_ctx);
 541    if (de_ctx != NULL)
 542        DetectEngineCtxFree(de_ctx);
 543
 544    StreamTcpFreeConfig(TRUE);
 545    FLOW_DESTROY(&f);
 546    UTHFreePacket(p);
 547    return result;
 548}
 549
 550/** \test Test the urilen option */
 551static int UriTestSig05(void)
 552{
 553    int result = 0;
 554    Flow f;
 555    HtpState *http_state = NULL;
 556    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
 557        "User-Agent: Mozilla/1.0\r\n"
 558        "Cookie: hellocatch\r\n\r\n";
 559    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
 560    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
 561        "User-Agent: Mozilla/1.0\r\n"
 562        "Cookie: hellocatch\r\n\r\n";
 563    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
 564    TcpSession ssn;
 565    Packet *p = NULL;
 566    Signature *s = NULL;
 567    ThreadVars tv;
 568    DetectEngineThreadCtx *det_ctx = NULL;
 569
 570    memset(&tv, 0, sizeof(ThreadVars));
 571    memset(&f, 0, sizeof(Flow));
 572    memset(&ssn, 0, sizeof(TcpSession));
 573
 574    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
 575
 576    FLOW_INITIALIZE(&f);
 577    f.protoctx = (void *)&ssn;
 578    f.flags |= FLOW_IPV4;
 579
 580    p->flow = &f;
 581    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
 582    p->flowflags |= FLOW_PKT_TOSERVER;
 583    p->flowflags |= FLOW_PKT_ESTABLISHED;
 584    f.alproto = ALPROTO_HTTP;
 585
 586    StreamTcpInitConfig(TRUE);
 587
 588    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 589    if (de_ctx == NULL) {
 590        goto end;
 591    }
 592    de_ctx->mpm_matcher = MPM_B2G;
 593    de_ctx->flags |= DE_QUIET;
 594
 595    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
 596                                   "(msg:\"Test urilen option\"; "
 597                                   "urilen:>4; sid:1;)");
 598    if (s == NULL) {
 599        goto end;
 600    }
 601
 602    SigGroupBuild(de_ctx);
 603    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
 604
 605    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
 606    if (r != 0) {
 607        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 608        goto end;
 609    }
 610
 611    http_state = f.alstate;
 612    if (http_state == NULL) {
 613        printf("no http state: ");
 614        goto end;
 615    }
 616
 617    /* do detect */
 618    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 619
 620    if (PacketAlertCheck(p, 1)) {
 621        printf("sig 1 alerted, but it should not: ");
 622        goto end;
 623    }
 624
 625    DetectEngineStateReset(f.de_state);
 626
 627    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
 628    if (r != 0) {
 629        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 630        goto end;
 631    }
 632
 633    http_state = f.alstate;
 634    if (http_state == NULL) {
 635        printf("no http state: ");
 636        goto end;
 637    }
 638
 639    /* do detect */
 640    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 641
 642    if (!PacketAlertCheck(p, 1)) {
 643        printf("sig 1 didnt alert with payload2, but it should: ");
 644        goto end;
 645    }
 646
 647    result = 1;
 648
 649end:
 650    if (det_ctx != NULL)
 651        DetectEngineThreadCtxDeinit(&tv, det_ctx);
 652    if (de_ctx != NULL)
 653        SigGroupCleanup(de_ctx);
 654    if (de_ctx != NULL)
 655        DetectEngineCtxFree(de_ctx);
 656
 657    StreamTcpFreeConfig(TRUE);
 658    FLOW_DESTROY(&f);
 659    UTHFreePacket(p);
 660    return result;
 661}
 662
 663/** \test Test the pcre /U option */
 664static int UriTestSig06(void)
 665{
 666    int result = 0;
 667    Flow f;
 668    HtpState *http_state = NULL;
 669    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
 670        "User-Agent: Mozilla/1.0\r\n"
 671        "Cookie: hellocatch\r\n\r\n";
 672    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
 673    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
 674        "User-Agent: Mozilla/1.0\r\n"
 675        "Cookie: hellocatch\r\n\r\n";
 676    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
 677    TcpSession ssn;
 678    Packet *p = NULL;
 679    Signature *s = NULL;
 680    ThreadVars tv;
 681    DetectEngineThreadCtx *det_ctx = NULL;
 682
 683    memset(&tv, 0, sizeof(ThreadVars));
 684    memset(&f, 0, sizeof(Flow));
 685    memset(&ssn, 0, sizeof(TcpSession));
 686
 687    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
 688
 689    FLOW_INITIALIZE(&f);
 690    f.protoctx = (void *)&ssn;
 691    f.flags |= FLOW_IPV4;
 692
 693    p->flow = &f;
 694    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
 695    p->flowflags |= FLOW_PKT_TOSERVER;
 696    p->flowflags |= FLOW_PKT_ESTABLISHED;
 697    f.alproto = ALPROTO_HTTP;
 698
 699    StreamTcpInitConfig(TRUE);
 700
 701    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 702    if (de_ctx == NULL) {
 703        goto end;
 704    }
 705    de_ctx->mpm_matcher = MPM_B2G;
 706    de_ctx->flags |= DE_QUIET;
 707
 708    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
 709                                   "(msg:\"Test pcre /U option\"; "
 710                                   "pcre:/(oneself)+/U; sid:1;)");
 711    if (s == NULL) {
 712        goto end;
 713    }
 714
 715    SigGroupBuild(de_ctx);
 716    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
 717
 718    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
 719    if (r != 0) {
 720        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 721        goto end;
 722    }
 723
 724    http_state = f.alstate;
 725    if (http_state == NULL) {
 726        printf("no http state: ");
 727        goto end;
 728    }
 729
 730    /* do detect */
 731    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 732
 733    if (PacketAlertCheck(p, 1)) {
 734        printf("sig 1 alerted, but it should not: ");
 735        goto end;
 736    }
 737
 738    DetectEngineStateReset(f.de_state);
 739
 740    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
 741    if (r != 0) {
 742        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 743        goto end;
 744    }
 745
 746    http_state = f.alstate;
 747    if (http_state == NULL) {
 748        printf("no http state: ");
 749        goto end;
 750    }
 751
 752    /* do detect */
 753    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 754
 755    if (!PacketAlertCheck(p, 1)) {
 756        printf("sig 1 didnt alert on payload2, but it should: ");
 757        goto end;
 758    }
 759
 760    result = 1;
 761
 762end:
 763    if (det_ctx != NULL)
 764        DetectEngineThreadCtxDeinit(&tv, det_ctx);
 765    if (de_ctx != NULL)
 766        SigGroupCleanup(de_ctx);
 767    if (de_ctx != NULL)
 768        DetectEngineCtxFree(de_ctx);
 769
 770    StreamTcpFreeConfig(TRUE);
 771    FLOW_DESTROY(&f);
 772    UTHFreePacket(p);
 773    return result;
 774}
 775
 776/** \test Test the pcre /U option in combination with urilen */
 777static int UriTestSig07(void)
 778{
 779    int result = 0;
 780    Flow f;
 781    HtpState *http_state = NULL;
 782    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
 783        "User-Agent: Mozilla/1.0\r\n"
 784        "Cookie: hellocatch\r\n\r\n";
 785    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
 786    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
 787        "User-Agent: Mozilla/1.0\r\n"
 788        "Cookie: hellocatch\r\n\r\n";
 789    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
 790    TcpSession ssn;
 791    Packet *p = NULL;
 792    Signature *s = NULL;
 793    ThreadVars tv;
 794    DetectEngineThreadCtx *det_ctx = NULL;
 795
 796    memset(&tv, 0, sizeof(ThreadVars));
 797    memset(&f, 0, sizeof(Flow));
 798    memset(&ssn, 0, sizeof(TcpSession));
 799
 800    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
 801
 802    FLOW_INITIALIZE(&f);
 803    f.protoctx = (void *)&ssn;
 804    f.flags |= FLOW_IPV4;
 805
 806    p->flow = &f;
 807    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
 808    p->flowflags |= FLOW_PKT_TOSERVER;
 809    p->flowflags |= FLOW_PKT_ESTABLISHED;
 810    f.alproto = ALPROTO_HTTP;
 811
 812    StreamTcpInitConfig(TRUE);
 813
 814    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 815    if (de_ctx == NULL) {
 816        goto end;
 817    }
 818    de_ctx->mpm_matcher = MPM_B2G;
 819    de_ctx->flags |= DE_QUIET;
 820
 821    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
 822                                   "(msg:\"Test pcre /U option with urilen \"; "
 823                                   "pcre:/(one){2,}(self)?/U; urilen:3<>20; sid:1;)");
 824    if (s == NULL) {
 825        goto end;
 826    }
 827
 828    SigGroupBuild(de_ctx);
 829    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
 830
 831    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
 832    if (r != 0) {
 833        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 834        goto end;
 835    }
 836
 837    http_state = f.alstate;
 838    if (http_state == NULL) {
 839        printf("no http state: ");
 840        goto end;
 841    }
 842
 843    /* do detect */
 844    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 845
 846    if (!PacketAlertCheck(p, 1)) {
 847        printf("sig 1 didnt alert, but it should: ");
 848        goto end;
 849    }
 850
 851    DetectEngineStateReset(f.de_state);
 852
 853    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
 854    if (r != 0) {
 855        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 856        goto end;
 857    }
 858
 859    http_state = f.alstate;
 860    if (http_state == NULL) {
 861        printf("no http state: ");
 862        goto end;
 863    }
 864
 865    /* do detect */
 866    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 867
 868    if (!PacketAlertCheck(p, 1)) {
 869        printf("sig 1 didnt alert with payload2, but it should: ");
 870        goto end;
 871    }
 872
 873    result = 1;
 874
 875end:
 876    if (det_ctx != NULL)
 877        DetectEngineThreadCtxDeinit(&tv, det_ctx);
 878    if (de_ctx != NULL)
 879        SigGroupCleanup(de_ctx);
 880    if (de_ctx != NULL)
 881        DetectEngineCtxFree(de_ctx);
 882
 883    StreamTcpFreeConfig(TRUE);
 884    FLOW_DESTROY(&f);
 885    UTHFreePacket(p);
 886    return result;
 887}
 888
 889/** \test Test the pcre /U option in combination with urilen */
 890static int UriTestSig08(void)
 891{
 892    int result = 0;
 893    Flow f;
 894    HtpState *http_state = NULL;
 895    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
 896        "User-Agent: Mozilla/1.0\r\n"
 897        "Cookie: hellocatch\r\n\r\n";
 898    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
 899    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
 900        "User-Agent: Mozilla/1.0\r\n"
 901        "Cookie: hellocatch\r\n\r\n";
 902    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
 903    TcpSession ssn;
 904    Packet *p = NULL;
 905    Signature *s = NULL;
 906    ThreadVars tv;
 907    DetectEngineThreadCtx *det_ctx = NULL;
 908
 909    memset(&tv, 0, sizeof(ThreadVars));
 910    memset(&f, 0, sizeof(Flow));
 911    memset(&ssn, 0, sizeof(TcpSession));
 912
 913    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
 914
 915    FLOW_INITIALIZE(&f);
 916    f.protoctx = (void *)&ssn;
 917    f.flags |= FLOW_IPV4;
 918
 919    p->flow = &f;
 920    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
 921    p->flowflags |= FLOW_PKT_TOSERVER;
 922    p->flowflags |= FLOW_PKT_ESTABLISHED;
 923    f.alproto = ALPROTO_HTTP;
 924
 925    StreamTcpInitConfig(TRUE);
 926
 927    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 928    if (de_ctx == NULL) {
 929        goto end;
 930    }
 931    de_ctx->mpm_matcher = MPM_B2G;
 932    de_ctx->flags |= DE_QUIET;
 933
 934    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
 935                                   "(msg:\"Test pcre /U option with urilen\"; "
 936                                   "pcre:/(blabla){2,}(self)?/U; urilen:3<>20; sid:1;)");
 937    if (s == NULL) {
 938        goto end;
 939    }
 940
 941    SigGroupBuild(de_ctx);
 942    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
 943
 944    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
 945    if (r != 0) {
 946        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 947        goto end;
 948    }
 949
 950    http_state = f.alstate;
 951    if (http_state == NULL) {
 952        printf("no http state: ");
 953        goto end;
 954    }
 955
 956    /* do detect */
 957    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 958
 959    if (PacketAlertCheck(p, 1)) {
 960        printf("sig 1 alerted, but it should not: ");
 961        goto end;
 962    }
 963
 964    DetectEngineStateReset(f.de_state);
 965
 966    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
 967    if (r != 0) {
 968        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
 969        goto end;
 970    }
 971
 972    http_state = f.alstate;
 973    if (http_state == NULL) {
 974        printf("no http state: ");
 975        goto end;
 976    }
 977
 978    /* do detect */
 979    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 980
 981    if (PacketAlertCheck(p, 1)) {
 982        printf("sig 1 alerted, but it should not: ");
 983        goto end;
 984    }
 985
 986    result = 1;
 987
 988end:
 989    if (det_ctx != NULL)
 990        DetectEngineThreadCtxDeinit(&tv, det_ctx);
 991    if (de_ctx != NULL)
 992        SigGroupCleanup(de_ctx);
 993    if (de_ctx != NULL)
 994        DetectEngineCtxFree(de_ctx);
 995
 996    StreamTcpFreeConfig(TRUE);
 997    FLOW_DESTROY(&f);
 998    UTHFreePacket(p);
 999    return result;
1000}
1001
1002/** \test Test the pcre /U option in combination with urilen */
1003static int UriTestSig09(void)
1004{
1005    int result = 0;
1006    Flow f;
1007    HtpState *http_state = NULL;
1008    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
1009        "User-Agent: Mozilla/1.0\r\n"
1010        "Cookie: hellocatch\r\n\r\n";
1011    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1012    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
1013        "User-Agent: Mozilla/1.0\r\n"
1014        "Cookie: hellocatch\r\n\r\n";
1015    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1016    TcpSession ssn;
1017    Packet *p = NULL;
1018    Signature *s = NULL;
1019    ThreadVars tv;
1020    DetectEngineThreadCtx *det_ctx = NULL;
1021
1022    memset(&tv, 0, sizeof(ThreadVars));
1023    memset(&f, 0, sizeof(Flow));
1024    memset(&ssn, 0, sizeof(TcpSession));
1025
1026    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1027
1028    FLOW_INITIALIZE(&f);
1029    f.protoctx = (void *)&ssn;
1030    f.flags |= FLOW_IPV4;
1031
1032    p->flow = &f;
1033    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1034    p->flowflags |= FLOW_PKT_TOSERVER;
1035    p->flowflags |= FLOW_PKT_ESTABLISHED;
1036    f.alproto = ALPROTO_HTTP;
1037
1038    StreamTcpInitConfig(TRUE);
1039
1040    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1041    if (de_ctx == NULL) {
1042        goto end;
1043    }
1044    de_ctx->mpm_matcher = MPM_B2G;
1045    de_ctx->flags |= DE_QUIET;
1046
1047    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1048                                   "(msg:\"Test pcre /U option with urilen \"; "
1049                                   "pcre:/(one){2,}(self)?/U; urilen:<2; sid:1;)");
1050    if (s == NULL) {
1051        goto end;
1052    }
1053
1054    SigGroupBuild(de_ctx);
1055    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1056
1057    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
1058    if (r != 0) {
1059        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1060        goto end;
1061    }
1062
1063    http_state = f.alstate;
1064    if (http_state == NULL) {
1065        printf("no http state: ");
1066        goto end;
1067    }
1068
1069    /* do detect */
1070    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1071
1072    if (PacketAlertCheck(p, 1)) {
1073        printf("sig 1 alerted, but it should not: ");
1074        goto end;
1075    }
1076
1077    DetectEngineStateReset(f.de_state);
1078
1079    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
1080    if (r != 0) {
1081        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1082        goto end;
1083    }
1084
1085    http_state = f.alstate;
1086    if (http_state == NULL) {
1087        printf("no http state: ");
1088        goto end;
1089    }
1090
1091    /* do detect */
1092    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1093
1094    if (PacketAlertCheck(p, 1)) {
1095        printf("sig 1 alerted, but it should not: ");
1096        goto end;
1097    }
1098
1099    result = 1;
1100
1101end:
1102    if (det_ctx != NULL)
1103        DetectEngineThreadCtxDeinit(&tv, det_ctx);
1104    if (de_ctx != NULL)
1105        SigGroupCleanup(de_ctx);
1106    if (de_ctx != NULL)
1107        DetectEngineCtxFree(de_ctx);
1108
1109    StreamTcpFreeConfig(TRUE);
1110    FLOW_DESTROY(&f);
1111    UTHFreePacket(p);
1112    return result;
1113}
1114
1115/** \test Test the uricontent option in combination with urilen */
1116static int UriTestSig10(void)
1117{
1118    int result = 0;
1119    Flow f;
1120    HtpState *http_state = NULL;
1121    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
1122        "User-Agent: Mozilla/1.0\r\n"
1123        "Cookie: hellocatch\r\n\r\n";
1124    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1125    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
1126        "User-Agent: Mozilla/1.0\r\n"
1127        "Cookie: hellocatch\r\n\r\n";
1128    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1129    TcpSession ssn;
1130    Packet *p = NULL;
1131    Signature *s = NULL;
1132    ThreadVars tv;
1133    DetectEngineThreadCtx *det_ctx = NULL;
1134
1135    memset(&tv, 0, sizeof(ThreadVars));
1136    memset(&f, 0, sizeof(Flow));
1137    memset(&ssn, 0, sizeof(TcpSession));
1138
1139    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1140
1141    FLOW_INITIALIZE(&f);
1142    f.protoctx = (void *)&ssn;
1143    f.flags |= FLOW_IPV4;
1144
1145    p->flow = &f;
1146    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1147    p->flowflags |= FLOW_PKT_TOSERVER;
1148    p->flowflags |= FLOW_PKT_ESTABLISHED;
1149    f.alproto = ALPROTO_HTTP;
1150
1151    StreamTcpInitConfig(TRUE);
1152
1153    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1154    if (de_ctx == NULL) {
1155        goto end;
1156    }
1157    de_ctx->mpm_matcher = MPM_B2G;
1158    de_ctx->flags |= DE_QUIET;
1159
1160    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1161                                   "(msg:\"Test uricontent with urilen option\"; "
1162                                   "uricontent:\"one\"; urilen:<2; sid:1;)");
1163    if (s == NULL) {
1164        goto end;
1165    }
1166
1167    SigGroupBuild(de_ctx);
1168    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1169
1170    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
1171    if (r != 0) {
1172        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1173        goto end;
1174    }
1175
1176    http_state = f.alstate;
1177    if (http_state == NULL) {
1178        printf("no http state: ");
1179        goto end;
1180    }
1181
1182    /* do detect */
1183    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1184
1185    if (PacketAlertCheck(p, 1)) {
1186        printf("sig 1 alerted, but it should not: ");
1187        goto end;
1188    }
1189
1190    DetectEngineStateReset(f.de_state);
1191
1192    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
1193    if (r != 0) {
1194        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1195        goto end;
1196    }
1197
1198    http_state = f.alstate;
1199    if (http_state == NULL) {
1200        printf("no http state: ");
1201        goto end;
1202    }
1203
1204    /* do detect */
1205    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1206
1207    if (PacketAlertCheck(p, 1)) {
1208        printf("sig 1 alerted, but it should not: ");
1209        goto end;
1210    }
1211
1212    result = 1;
1213
1214end:
1215    if (det_ctx != NULL)
1216        DetectEngineThreadCtxDeinit(&tv, det_ctx);
1217    if (de_ctx != NULL)
1218        SigGroupCleanup(de_ctx);
1219    if (de_ctx != NULL)
1220        DetectEngineCtxFree(de_ctx);
1221
1222    StreamTcpFreeConfig(TRUE);
1223    FLOW_DESTROY(&f);
1224    UTHFreePacket(p);
1225    return result;
1226}
1227
1228/** \test Test content, uricontent, urilen, pcre /U options */
1229static int UriTestSig11(void)
1230{
1231    int result = 0;
1232    Flow f;
1233    HtpState *http_state = NULL;
1234    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
1235        "User-Agent: Mozilla/1.0\r\n"
1236        "Cookie: hellocatch\r\n\r\n";
1237    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1238    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
1239        "User-Agent: Mozilla/1.0\r\n"
1240        "Cookie: hellocatch\r\n\r\n";
1241    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1242    TcpSession ssn;
1243    Packet *p = NULL;
1244    Signature *s = NULL;
1245    ThreadVars tv;
1246    DetectEngineThreadCtx *det_ctx = NULL;
1247
1248    memset(&tv, 0, sizeof(ThreadVars));
1249    memset(&f, 0, sizeof(Flow));
1250    memset(&ssn, 0, sizeof(TcpSession));
1251
1252    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1253
1254    FLOW_INITIALIZE(&f);
1255    f.protoctx = (void *)&ssn;
1256    f.flags |= FLOW_IPV4;
1257
1258    p->flow = &f;
1259    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1260    p->flowflags |= FLOW_PKT_TOSERVER;
1261    p->flowflags |= FLOW_PKT_ESTABLISHED;
1262    f.alproto = ALPROTO_HTTP;
1263
1264    StreamTcpInitConfig(TRUE);
1265
1266    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1267    if (de_ctx == NULL) {
1268        goto end;
1269    }
1270    de_ctx->mpm_matcher = MPM_B2G;
1271    de_ctx->flags |= DE_QUIET;
1272
1273    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1274                                   "(msg:\"Test content, uricontent, pcre /U and urilen options\"; "
1275                                   "content:\"one\"; uricontent:\"one\"; pcre:/(one){2,}(self)?/U;"
1276                                   "urilen:<2; sid:1;)");
1277    if (s == NULL) {
1278        goto end;
1279    }
1280
1281    SigGroupBuild(de_ctx);
1282    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1283
1284    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
1285    if (r != 0) {
1286        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1287        goto end;
1288    }
1289
1290    http_state = f.alstate;
1291    if (http_state == NULL) {
1292        printf("no http state: ");
1293        goto end;
1294    }
1295
1296    /* do detect */
1297    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1298
1299    if (PacketAlertCheck(p, 1)) {
1300        printf("sig 1 alerted, but it should not: ");
1301        goto end;
1302    }
1303
1304    DetectEngineStateReset(f.de_state);
1305
1306    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
1307    if (r != 0) {
1308        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1309        goto end;
1310    }
1311
1312    http_state = f.alstate;
1313    if (http_state == NULL) {
1314        printf("no http state: ");
1315        goto end;
1316    }
1317
1318    /* do detect */
1319    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1320
1321    if (PacketAlertCheck(p, 1)) {
1322        printf("sig 1 alerted, but it should not: ");
1323        goto end;
1324    }
1325
1326    result = 1;
1327
1328end:
1329    if (det_ctx != NULL)
1330        DetectEngineThreadCtxDeinit(&tv, det_ctx);
1331    if (de_ctx != NULL)
1332        SigGroupCleanup(de_ctx);
1333    if (de_ctx != NULL)
1334        DetectEngineCtxFree(de_ctx);
1335
1336    StreamTcpFreeConfig(TRUE);
1337    FLOW_DESTROY(&f);
1338    UTHFreePacket(p);
1339    return result;
1340}
1341
1342/** \test Test uricontent, urilen, pcre /U options */
1343static int UriTestSig12(void)
1344{
1345    int result = 0;
1346    Flow f;
1347    HtpState *http_state = NULL;
1348    uint8_t http_buf1[] = "POST /oneoneoneone HTTP/1.0\r\n"
1349        "User-Agent: Mozilla/1.0\r\n"
1350        "Cookie: hellocatch\r\n\r\n";
1351    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1352    uint8_t http_buf2[] = "POST /oneoneself HTTP/1.0\r\n"
1353        "User-Agent: Mozilla/1.0\r\n"
1354        "Cookie: hellocatch\r\n\r\n";
1355    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1356    TcpSession ssn;
1357    Packet *p = NULL;
1358    Signature *s = NULL;
1359    ThreadVars tv;
1360    DetectEngineThreadCtx *det_ctx = NULL;
1361
1362    memset(&tv, 0, sizeof(ThreadVars));
1363    memset(&f, 0, sizeof(Flow));
1364    memset(&ssn, 0, sizeof(TcpSession));
1365
1366    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1367
1368    FLOW_INITIALIZE(&f);
1369    f.protoctx = (void *)&ssn;
1370    f.flags |= FLOW_IPV4;
1371
1372    p->flow = &f;
1373    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1374    p->flowflags |= FLOW_PKT_TOSERVER;
1375    p->flowflags |= FLOW_PKT_ESTABLISHED;
1376    f.alproto = ALPROTO_HTTP;
1377
1378    StreamTcpInitConfig(TRUE);
1379
1380    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1381    if (de_ctx == NULL) {
1382        goto end;
1383    }
1384    de_ctx->mpm_matcher = MPM_B2G;
1385    de_ctx->flags |= DE_QUIET;
1386
1387    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1388                                   "(msg:\"Test pcre /U, uricontent and urilen option\"; "
1389                                   "uricontent:\"one\"; "
1390                                   "pcre:/(one)+self/U; urilen:>2; sid:1;)");
1391    if (s == NULL) {
1392        goto end;
1393    }
1394
1395    SigGroupBuild(de_ctx);
1396    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1397
1398    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
1399    if (r != 0) {
1400        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1401        goto end;
1402    }
1403
1404    http_state = f.alstate;
1405    if (http_state == NULL) {
1406        printf("no http state: ");
1407        goto end;
1408    }
1409
1410    /* do detect */
1411    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1412
1413    if (PacketAlertCheck(p, 1)) {
1414        printf("sig 1 alerted, but it should not: ");
1415        goto end;
1416    }
1417
1418    DetectEngineStateReset(f.de_state);
1419
1420    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
1421    if (r != 0) {
1422        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1423        goto end;
1424    }
1425
1426    http_state = f.alstate;
1427    if (http_state == NULL) {
1428        printf("no http state: ");
1429        goto end;
1430    }
1431
1432    /* do detect */
1433    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1434
1435    if (!PacketAlertCheck(p, 1)) {
1436        printf("sig 1 didnt alert with payload2, but it should: ");
1437        goto end;
1438    }
1439
1440    result = 1;
1441
1442end:
1443    if (det_ctx != NULL)
1444        DetectEngineThreadCtxDeinit(&tv, det_ctx);
1445    if (de_ctx != NULL)
1446        SigGroupCleanup(de_ctx);
1447    if (de_ctx != NULL)
1448        DetectEngineCtxFree(de_ctx);
1449
1450    StreamTcpFreeConfig(TRUE);
1451    FLOW_DESTROY(&f);
1452    UTHFreePacket(p);
1453    return result;
1454}
1455
1456/** \test Test uricontent, urilen */
1457static int UriTestSig13(void)
1458{
1459    int result = 0;
1460    Flow f;
1461    HtpState *http_state = NULL;
1462    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
1463        "User-Agent: Mozilla/1.0\r\n"
1464        "Cookie: hellocatch\r\n\r\n";
1465    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1466    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
1467        "User-Agent: Mozilla/1.0\r\n"
1468        "Cookie: hellocatch\r\n\r\n";
1469    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1470    TcpSession ssn;
1471    Packet *p = NULL;
1472    Signature *s = NULL;
1473    ThreadVars tv;
1474    DetectEngineThreadCtx *det_ctx = NULL;
1475
1476    memset(&tv, 0, sizeof(ThreadVars));
1477    memset(&f, 0, sizeof(Flow));
1478    memset(&ssn, 0, sizeof(TcpSession));
1479
1480    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1481
1482    FLOW_INITIALIZE(&f);
1483    f.protoctx = (void *)&ssn;
1484    f.flags |= FLOW_IPV4;
1485
1486    p->flow = &f;
1487    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1488    p->flowflags |= FLOW_PKT_TOSERVER;
1489    p->flowflags |= FLOW_PKT_ESTABLISHED;
1490    f.alproto = ALPROTO_HTTP;
1491
1492    StreamTcpInitConfig(TRUE);
1493
1494    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1495    if (de_ctx == NULL) {
1496        goto end;
1497    }
1498    de_ctx->mpm_matcher = MPM_B2G;
1499    de_ctx->flags |= DE_QUIET;
1500
1501    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1502                                   "(msg:\"Test urilen option\"; "
1503                                   "urilen:>2; uricontent:\"one\"; sid:1;)");
1504    if (s == NULL) {
1505        goto end;
1506    }
1507
1508    SigGroupBuild(de_ctx);
1509    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1510
1511    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
1512    if (r != 0) {
1513        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1514        goto end;
1515    }
1516
1517    http_state = f.alstate;
1518    if (http_state == NULL) {
1519        printf("no http state: ");
1520        goto end;
1521    }
1522
1523    /* do detect */
1524    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1525
1526    if (!PacketAlertCheck(p, 1)) {
1527        printf("sig 1 didnt alert with pkt, but it should: ");
1528        goto end;
1529    }
1530
1531    DetectEngineStateReset(f.de_state);
1532
1533    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
1534    if (r != 0) {
1535        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1536        goto end;
1537    }
1538
1539    http_state = f.alstate;
1540    if (http_state == NULL) {
1541        printf("no http state: ");
1542        goto end;
1543    }
1544
1545    /* do detect */
1546    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1547
1548
1549    if (!PacketAlertCheck(p, 1)) {
1550        printf("sig 1 didnt alert with payload2, but it should: ");
1551        goto end;
1552    }
1553
1554    result = 1;
1555
1556end:
1557    if (det_ctx != NULL)
1558        DetectEngineThreadCtxDeinit(&tv, det_ctx);
1559    if (de_ctx != NULL)
1560        SigGroupCleanup(de_ctx);
1561    if (de_ctx != NULL)
1562        DetectEngineCtxFree(de_ctx);
1563
1564    StreamTcpFreeConfig(TRUE);
1565    FLOW_DESTROY(&f);
1566    UTHFreePacket(p);
1567    return result;
1568}
1569
1570/** \test Test uricontent, pcre /U */
1571static int UriTestSig14(void)
1572{
1573    int result = 0;
1574    Flow f;
1575    HtpState *http_state = NULL;
1576    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
1577        "User-Agent: Mozilla/1.0\r\n"
1578        "Cookie: hellocatch\r\n\r\n";
1579    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1580    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
1581        "User-Agent: Mozilla/1.0\r\n"
1582        "Cookie: hellocatch\r\n\r\n";
1583    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1584    TcpSession ssn;
1585    Packet *p = NULL;
1586    Signature *s = NULL;
1587    ThreadVars tv;
1588    DetectEngineThreadCtx *det_ctx = NULL;
1589
1590    memset(&tv, 0, sizeof(ThreadVars));
1591    memset(&f, 0, sizeof(Flow));
1592    memset(&ssn, 0, sizeof(TcpSession));
1593
1594    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1595
1596    FLOW_INITIALIZE(&f);
1597    f.protoctx = (void *)&ssn;
1598    f.flags |= FLOW_IPV4;
1599
1600    p->flow = &f;
1601    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1602    p->flowflags |= FLOW_PKT_TOSERVER;
1603    p->flowflags |= FLOW_PKT_ESTABLISHED;
1604    f.alproto = ALPROTO_HTTP;
1605
1606    StreamTcpInitConfig(TRUE);
1607
1608    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1609    if (de_ctx == NULL) {
1610        goto end;
1611    }
1612    de_ctx->mpm_matcher = MPM_B2G;
1613    de_ctx->flags |= DE_QUIET;
1614
1615    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1616                                   "(msg:\"Test uricontent option\"; "
1617                                   "uricontent:\"one\"; pcre:/one(self)?/U;sid:1;)");
1618    if (s == NULL) {
1619        goto end;
1620    }
1621
1622    SigGroupBuild(de_ctx);
1623    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1624
1625    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
1626    if (r != 0) {
1627        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1628        goto end;
1629    }
1630
1631    http_state = f.alstate;
1632    if (http_state == NULL) {
1633        printf("no http state: ");
1634        goto end;
1635    }
1636
1637    /* do detect */
1638    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1639
1640    if (!PacketAlertCheck(p, 1)) {
1641        printf("sig 1 didnt alert with pkt, but it should: ");
1642        goto end;
1643    }
1644
1645    DetectEngineStateReset(f.de_state);
1646
1647    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
1648    if (r != 0) {
1649        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1650        goto end;
1651    }
1652
1653    http_state = f.alstate;
1654    if (http_state == NULL) {
1655        printf("no http state: ");
1656        goto end;
1657    }
1658
1659    /* do detect */
1660    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1661
1662
1663    if (!PacketAlertCheck(p, 1)) {
1664        printf("sig 1 didnt alert with payload2, but it should: ");
1665        goto end;
1666    }
1667
1668    result = 1;
1669
1670end:
1671    if (det_ctx != NULL)
1672        DetectEngineThreadCtxDeinit(&tv, det_ctx);
1673    if (de_ctx != NULL)
1674        SigGroupCleanup(de_ctx);
1675    if (de_ctx != NULL)
1676        DetectEngineCtxFree(de_ctx);
1677
1678    StreamTcpFreeConfig(TRUE);
1679    FLOW_DESTROY(&f);
1680    UTHFreePacket(p);
1681    return result;
1682}
1683
1684/** \test Test pcre /U with anchored regex (bug 155) */
1685static int UriTestSig15(void)
1686{
1687    int result = 0;
1688    Flow f;
1689    HtpState *http_state = NULL;
1690    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
1691        "User-Agent: Mozilla/1.0\r\n"
1692        "Cookie: hellocatch\r\n\r\n";
1693    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1694    uint8_t http_buf2[] = "POST /oneself HTTP/1.0\r\n"
1695        "User-Agent: Mozilla/1.0\r\n"
1696        "Cookie: hellocatch\r\n\r\n";
1697    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1698    TcpSession ssn;
1699    Packet *p = NULL;
1700    Signature *s = NULL;
1701    ThreadVars tv;
1702    DetectEngineThreadCtx *det_ctx = NULL;
1703
1704    memset(&tv, 0, sizeof(ThreadVars));
1705    memset(&f, 0, sizeof(Flow));
1706    memset(&ssn, 0, sizeof(TcpSession));
1707
1708    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1709
1710    FLOW_INITIALIZE(&f);
1711    f.protoctx = (void *)&ssn;
1712    f.flags |= FLOW_IPV4;
1713
1714    p->flow = &f;
1715    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1716    p->flowflags |= FLOW_PKT_TOSERVER;
1717    p->flowflags |= FLOW_PKT_ESTABLISHED;
1718    f.alproto = ALPROTO_HTTP;
1719
1720    StreamTcpInitConfig(TRUE);
1721
1722    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1723    if (de_ctx == NULL) {
1724        goto end;
1725    }
1726    de_ctx->mpm_matcher = MPM_B2G;
1727    de_ctx->flags |= DE_QUIET;
1728
1729    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1730                                   "(msg:\"Test uricontent option\"; "
1731                                   "uricontent:\"one\"; pcre:/^\\/one(self)?$/U;sid:1;)");
1732    if (s == NULL) {
1733        goto end;
1734    }
1735
1736    SigGroupBuild(de_ctx);
1737    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1738
1739    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_buf1_len);
1740    if (r != 0) {
1741        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1742        goto end;
1743    }
1744
1745    http_state = f.alstate;
1746    if (http_state == NULL) {
1747        printf("no http state: ");
1748        goto end;
1749    }
1750
1751    /* do detect */
1752    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1753
1754    if (!PacketAlertCheck(p, 1)) {
1755        printf("sig 1 didnt alert with pkt, but it should: ");
1756        goto end;
1757    }
1758
1759    DetectEngineStateReset(f.de_state);
1760
1761    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len);
1762    if (r != 0) {
1763        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1764        goto end;
1765    }
1766
1767    http_state = f.alstate;
1768    if (http_state == NULL) {
1769        printf("no http state: ");
1770        goto end;
1771    }
1772
1773    /* do detect */
1774    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1775
1776
1777    if (!PacketAlertCheck(p, 1)) {
1778        printf("sig 1 didnt alert with payload2, but it should: ");
1779        goto end;
1780    }
1781
1782    result = 1;
1783
1784end:
1785    if (det_ctx != NULL)
1786        DetectEngineThreadCtxDeinit(&tv, det_ctx);
1787    if (de_ctx != NULL)
1788        SigGroupCleanup(de_ctx);
1789    if (de_ctx != NULL)
1790        DetectEngineCtxFree(de_ctx);
1791
1792    StreamTcpFreeConfig(TRUE);
1793    FLOW_DESTROY(&f);
1794    UTHFreePacket(p);
1795    return result;
1796}
1797
1798/** \test Test pcre /U with anchored regex (bug 155) */
1799static int UriTestSig16(void)
1800{
1801    int result = 0;
1802    Flow f;
1803    HtpState *http_state = NULL;
1804    uint8_t http_buf1[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
1805        "User-Agent: Mozilla/1.0/\r\n"
1806        "Host: 1.2.3.4\r\n\r\n";
1807    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
1808    uint8_t http_buf2[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
1809        "User-Agent: Mozilla/1.0\r\n"
1810        "Cookie: hellocatch\r\n\r\n";
1811    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
1812    TcpSession ssn;
1813    Packet *p = NULL;
1814    Signature *s = NULL;
1815    ThreadVars tv;
1816    DetectEngineThreadCtx *det_ctx = NULL;
1817
1818    memset(&tv, 0, sizeof(ThreadVars));
1819    memset(&f, 0, sizeof(Flow));
1820    memset(&ssn, 0, sizeof(TcpSession));
1821
1822    p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
1823
1824    FLOW_INITIALIZE(&f);
1825    f.protoctx = (void *)&ssn;
1826    f.flags |= FLOW_IPV4;
1827
1828    p->flow = &f;
1829    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1830    p->flowflags |= FLOW_PKT_TOSERVER;
1831    p->flowflags |= FLOW_PKT_ESTABLISHED;
1832    f.alproto = ALPROTO_HTTP;
1833
1834    StreamTcpInitConfig(TRUE);
1835
1836    DetectE

Large files files are truncated, but you can click here to view the full file