aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Enforce flow direction for http_raw_header sigs. Fix unittests that missed the flow direction.

Browse Source
remotes/origin/master-1.2.x
Victor Julien 14 years ago
parent 80fb33c651
commit 02e1229565
5 changed files with 162 additions and 189 deletions
Show Stats Download Patch File Download Diff File

58
src/detect-engine-hrhd.c
Unescape Escape View File

@ -481,7 +481,7 @@ static int DetectEngineHttpRawHeaderTest01(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -570,7 +570,7 @@ static int DetectEngineHttpRawHeaderTest02(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; depth:15; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -659,7 +659,7 @@ static int DetectEngineHttpRawHeaderTest03(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:!\"one\"; depth:5; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -748,7 +748,7 @@ static int DetectEngineHttpRawHeaderTest04(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; depth:5; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -837,7 +837,7 @@ static int DetectEngineHttpRawHeaderTest05(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:!\"one\"; depth:15; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -926,7 +926,7 @@ static int DetectEngineHttpRawHeaderTest06(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; offset:10; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1015,7 +1015,7 @@ static int DetectEngineHttpRawHeaderTest07(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:!\"one\"; offset:15; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1104,7 +1104,7 @@ static int DetectEngineHttpRawHeaderTest08(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; offset:15; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1193,7 +1193,7 @@ static int DetectEngineHttpRawHeaderTest09(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:!\"one\"; offset:10; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1282,7 +1282,7 @@ static int DetectEngineHttpRawHeaderTest10(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1371,7 +1371,7 @@ static int DetectEngineHttpRawHeaderTest11(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1460,7 +1460,7 @@ static int DetectEngineHttpRawHeaderTest12(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1549,7 +1549,7 @@ static int DetectEngineHttpRawHeaderTest13(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1638,7 +1638,7 @@ static int DetectEngineHttpRawHeaderTest14(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:7; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1727,7 +1727,7 @@ static int DetectEngineHttpRawHeaderTest15(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:15; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1816,7 +1816,7 @@ static int DetectEngineHttpRawHeaderTest16(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:7; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1905,7 +1905,7 @@ static int DetectEngineHttpRawHeaderTest17(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:15; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1992,7 +1992,7 @@ static int DetectEngineHttpRawHeaderTest18(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -2066,7 +2066,7 @@ static int DetectEngineHttpRawHeaderTest19(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"one\"; http_raw_header; fast_pattern; content:\"five\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -2149,7 +2149,7 @@ static int DetectEngineHttpRawHeaderTest20(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"(msg:\"http client body test\"; flow:to_server; "
"pcre:/body1/D; "
"content:!\"dummy\"; http_raw_header; within:7; "
"sid:1;)");
@ -2263,7 +2263,7 @@ static int DetectEngineHttpRawHeaderTest21(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"(msg:\"http client body test\"; flow:to_server; "
"pcre:/body1/D; "
"content:!\"dummy\"; within:7; http_raw_header; "
"sid:1;)");
@ -2377,7 +2377,7 @@ static int DetectEngineHttpRawHeaderTest22(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"(msg:\"http client body test\"; flow:to_server; "
"pcre:/body1/D; "
"content:!\"dummy\"; distance:3; http_raw_header; "
"sid:1;)");
@ -2491,7 +2491,7 @@ static int DetectEngineHttpRawHeaderTest23(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"(msg:\"http client body test\"; flow:to_server; "
"pcre:/body1/D; "
"content:!\"dummy\"; distance:13; http_raw_header; "
"sid:1;)");
@ -2605,7 +2605,7 @@ static int DetectEngineHttpRawHeaderTest24(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"(msg:\"http client body test\"; flow:to_server; "
"pcre:/body1/D; "
"content:\"dummy\"; within:15; http_raw_header; "
"sid:1;)");
@ -2719,7 +2719,7 @@ static int DetectEngineHttpRawHeaderTest25(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"(msg:\"http client body test\"; flow:to_server; "
"pcre:/body1/D; "
"content:\"dummy\"; within:10; http_raw_header; "
"sid:1;)");
@ -2833,7 +2833,7 @@ static int DetectEngineHttpRawHeaderTest26(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"(msg:\"http client body test\"; flow:to_server; "
"pcre:/body1/D; "
"content:\"dummy\"; distance:8; http_raw_header; "
"sid:1;)");
@ -2947,7 +2947,7 @@ static int DetectEngineHttpRawHeaderTest27(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"(msg:\"http client body test\"; flow:to_server; "
"pcre:/body1/D; "
"content:\"dummy\"; distance:14; http_raw_header; "
"sid:1;)");
@ -3067,7 +3067,7 @@ static int DetectEngineHttpRawHeaderTest28(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_client; "
"content:\"Content-Length: 6\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -3189,7 +3189,7 @@ static int DetectEngineHttpRawHeaderTest29(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_client; "
"content:\"Content-Length: 7\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)

194
src/detect-fast-pattern.c
Unescape Escape View File

@ -6555,18 +6555,6 @@ int DetectFastPatternTest219(void)
return result;
}
/********* http_raw_header tests v *****/
int DetectFastPatternTest220(void)
@ -6578,8 +6566,8 @@ int DetectFastPatternTest220(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; "
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; "
"content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; "
"content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
@ -6615,8 +6603,8 @@ int DetectFastPatternTest221(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"/one/\"; fast_pattern:only; http_raw_header; "
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"/one/\"; fast_pattern:only; http_raw_header; "
"msg:\"Testing fast_pattern\"; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -6652,8 +6640,8 @@ int DetectFastPatternTest222(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"oneoneone\"; fast_pattern:3,4; http_raw_header; "
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"oneoneone\"; fast_pattern:3,4; http_raw_header; "
"msg:\"Testing fast_pattern\"; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -6685,8 +6673,8 @@ int DetectFastPatternTest223(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; fast_pattern:only; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -6719,8 +6707,8 @@ int DetectFastPatternTest224(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"oneoneone\"; fast_pattern:3,4; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"oneoneone\"; fast_pattern:3,4; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -6752,8 +6740,8 @@ int DetectFastPatternTest225(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; distance:10; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; distance:10; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -6774,8 +6762,8 @@ int DetectFastPatternTest226(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; distance:10; fast_pattern:only; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; distance:10; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -6796,8 +6784,8 @@ int DetectFastPatternTest227(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; within:10; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; within:10; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -6818,8 +6806,8 @@ int DetectFastPatternTest228(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; within:10; fast_pattern:only; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; within:10; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -6840,8 +6828,8 @@ int DetectFastPatternTest229(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; offset:10; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; offset:10; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -6862,8 +6850,8 @@ int DetectFastPatternTest230(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; offset:10; fast_pattern:only; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; offset:10; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -6884,8 +6872,8 @@ int DetectFastPatternTest231(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; depth:10; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; depth:10; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -6906,8 +6894,8 @@ int DetectFastPatternTest232(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; depth:10; fast_pattern:only; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; depth:10; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -6928,8 +6916,8 @@ int DetectFastPatternTest233(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:!\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:!\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -6950,8 +6938,8 @@ int DetectFastPatternTest234(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content: \"one\"; http_raw_header; content:\"two\"; http_raw_header; distance:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content: \"one\"; http_raw_header; content:\"two\"; http_raw_header; distance:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -6981,8 +6969,8 @@ int DetectFastPatternTest235(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
@ -7011,8 +6999,8 @@ int DetectFastPatternTest236(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
@ -7041,8 +7029,8 @@ int DetectFastPatternTest237(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
@ -7071,8 +7059,8 @@ int DetectFastPatternTest238(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:!\"one\"; fast_pattern; http_raw_header; content:\"two\"; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:!\"one\"; fast_pattern; http_raw_header; content:\"two\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
@ -7102,8 +7090,8 @@ int DetectFastPatternTest239(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; distance:20; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; distance:20; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -7124,8 +7112,8 @@ int DetectFastPatternTest240(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; within:20; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; within:20; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -7146,8 +7134,8 @@ int DetectFastPatternTest241(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; offset:20; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; offset:20; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -7168,8 +7156,8 @@ int DetectFastPatternTest242(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; depth:20; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; depth:20; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -7190,8 +7178,8 @@ int DetectFastPatternTest243(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
@ -7220,8 +7208,8 @@ int DetectFastPatternTest244(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; distance:30; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
@ -7250,8 +7238,8 @@ int DetectFastPatternTest245(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; within:30; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
@ -7280,8 +7268,8 @@ int DetectFastPatternTest246(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; offset:30; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
@ -7310,8 +7298,8 @@ int DetectFastPatternTest247(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; depth:30; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
@ -7340,8 +7328,8 @@ int DetectFastPatternTest248(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
@ -7370,8 +7358,8 @@ int DetectFastPatternTest249(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
@ -7400,8 +7388,8 @@ int DetectFastPatternTest250(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
@ -7430,8 +7418,8 @@ int DetectFastPatternTest251(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
@ -7463,8 +7451,8 @@ int DetectFastPatternTest252(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:65977,4; http_raw_header; content:\"three\"; http_raw_header; distance:10; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:65977,4; http_raw_header; content:\"three\"; http_raw_header; distance:10; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -7485,8 +7473,8 @@ int DetectFastPatternTest253(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,65977; http_raw_header; content:\"three\"; distance:10; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,65977; http_raw_header; content:\"three\"; distance:10; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -7507,8 +7495,8 @@ int DetectFastPatternTest254(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:65534,4; http_raw_header; content:\"three\"; http_raw_header; distance:10; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:65534,4; http_raw_header; content:\"three\"; http_raw_header; distance:10; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -7529,8 +7517,8 @@ int DetectFastPatternTest255(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
@ -7560,8 +7548,8 @@ int DetectFastPatternTest256(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; distance:10; content:\"three\"; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; distance:10; content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -7582,8 +7570,8 @@ int DetectFastPatternTest257(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; within:10; content:\"three\"; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; within:10; content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -7604,8 +7592,8 @@ int DetectFastPatternTest258(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; offset:10; content:\"three\"; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; offset:10; content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -7626,8 +7614,8 @@ int DetectFastPatternTest259(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; depth:10; content:\"three\"; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; depth:10; content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
goto end;
@ -7648,8 +7636,8 @@ int DetectFastPatternTest260(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
@ -7670,24 +7658,6 @@ int DetectFastPatternTest260(void)
return result;
}
int DetectFastPatternTest261(void)
{
DetectEngineCtx *de_ctx = NULL;

82
src/detect-http-raw-header.c
Unescape Escape View File

@ -231,7 +231,7 @@ static int DetectHttpRawHeaderTest01(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"(msg:\"Testing http_header\"; flow:to_server; "
"content:\"one\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 1;
@ -273,7 +273,7 @@ static int DetectHttpRawHeaderTest02(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"(msg:\"Testing http_header\"; flow:to_server; "
"content:\"one\"; http_raw_header:; sid:1;)");
if (de_ctx->sig_list != NULL)
result = 1;
@ -303,7 +303,7 @@ static int DetectHttpRawHeaderTest03(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"(msg:\"Testing http_header\"; flow:to_server; "
"http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
result = 1;
@ -333,7 +333,7 @@ static int DetectHttpRawHeaderTest04(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"(msg:\"Testing http_header\"; flow:to_server; "
"content:\"one\"; rawbytes; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
result = 1;
@ -363,7 +363,7 @@ static int DetectHttpRawHeaderTest05(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"(msg:\"Testing http_header\"; flow:to_server; "
"content:\"one\"; nocase; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
result = 1;
@ -426,7 +426,7 @@ static int DetectHttpRawHeaderTest06(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"Content-Type: text/html\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -529,7 +529,7 @@ static int DetectHttpRawHeaderTest07(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"Mozilla\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -646,7 +646,7 @@ static int DetectHttpRawHeaderTest08(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"Gecko/20091221 Firefox/3.5.7\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -764,7 +764,7 @@ static int DetectHttpRawHeaderTest09(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"Firefox/3.5.7|0D 0A|Content\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -882,7 +882,7 @@ static int DetectHttpRawHeaderTest10(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_raw_header;"
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -992,7 +992,7 @@ static int DetectHttpRawHeaderTest11(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:!\"lalalalala\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1086,7 +1086,7 @@ static int DetectHttpRawHeaderTest12(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:!\"User-Agent: Mozilla/5.0 \"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1181,7 +1181,7 @@ static int DetectHttpRawHeaderTest13(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"(msg:\"http header test\"; flow:to_server; "
"content:\"Host: www.openinfosecfoundation.org\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
@ -1236,8 +1236,8 @@ int DetectHttpRawHeaderTest14(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; content:\"one\"; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; content:\"one\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1275,8 +1275,8 @@ int DetectHttpRawHeaderTest15(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"one\"; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1314,8 +1314,8 @@ int DetectHttpRawHeaderTest16(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; content:\"one\"; content:\"one\"; http_raw_header; content:\"one\"; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; content:\"one\"; content:\"one\"; http_raw_header; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1353,8 +1353,8 @@ int DetectHttpRawHeaderTest17(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; content:\"one\"; content:\"one\"; content:\"one\"; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; content:\"one\"; content:\"one\"; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1392,8 +1392,8 @@ int DetectHttpRawHeaderTest18(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; "
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; "
"content:\"one\"; content:\"one\"; http_raw_header; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
@ -1433,8 +1433,8 @@ int DetectHttpRawHeaderTest19(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; "
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; "
"content:\"one\"; content:\"one\"; http_raw_header; content:\"two\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
@ -1474,8 +1474,8 @@ int DetectHttpRawHeaderTest20(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; "
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; "
"content:\"two\"; distance:0; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
@ -1518,8 +1518,8 @@ int DetectHttpRawHeaderTest21(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; "
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; "
"content:\"two\"; within:5; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
@ -1562,8 +1562,8 @@ int DetectHttpRawHeaderTest22(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; http_raw_header; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; within:5; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -1586,8 +1586,8 @@ int DetectHttpRawHeaderTest23(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_raw_header; within:5; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; http_raw_header; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -1610,8 +1610,8 @@ int DetectHttpRawHeaderTest24(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -1634,8 +1634,8 @@ int DetectHttpRawHeaderTest25(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(pcre:/one/D; "
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; pcre:/one/D; "
"content:\"two\"; within:5; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
@ -1685,8 +1685,8 @@ int DetectHttpRawHeaderTest26(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"two\"; http_raw_header; "
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"two\"; http_raw_header; "
"pcre:/one/DR; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
@ -1736,8 +1736,8 @@ int DetectHttpRawHeaderTest27(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(pcre:/one/D; "
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; pcre:/one/D; "
"content:\"two\"; distance:5; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");

2
src/detect-isdataat.c
Unescape Escape View File

@ -931,7 +931,7 @@ int DetectIsdataatTestParse11(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:\"one\"; http_raw_header; "
"flow:to_server; content:\"one\"; http_raw_header; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;

15
src/detect-parse.c
Unescape Escape View File

@ -1360,20 +1360,23 @@ static int SigValidate(Signature *s) {
}
}
#ifndef UNITTESTS /** \todo HACK... this fails 72 unittests, no time to fix them now */
#ifndef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) {
SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature without a flow direction. See issue #389.");
SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature "
"without a flow direction. Use flow:to_server for "
"inspecting request headers or flow:to_client for "
"inspecting response headers.");
SCReturnInt(0);
}
#ifndef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
if (s->flags & SIG_FLAG_TOCLIENT) {
SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature with to_client flow direction. See issue #389.");
SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature with "
"to_client flow direction. See issues #389 and #397. Update "
"libhtp to at least 0.2.7.");
SCReturnInt(0);
}
#endif /* HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW */
}
#endif
#endif
if (s->alproto == ALPROTO_DCERPC) {
/* \todo We haven't covered dce rpc cases now. They need special

Write Preview
Loading…
Cancel
Save