diff --git a/src/detect-engine-hrhd.c b/src/detect-engine-hrhd.c index 945db9a727..ce926cde40 100644 --- a/src/detect-engine-hrhd.c +++ b/src/detect-engine-hrhd.c @@ -481,7 +481,7 @@ static int DetectEngineHttpRawHeaderTest01(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -570,7 +570,7 @@ static int DetectEngineHttpRawHeaderTest02(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; depth:15; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -659,7 +659,7 @@ static int DetectEngineHttpRawHeaderTest03(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:!\"one\"; depth:5; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -748,7 +748,7 @@ static int DetectEngineHttpRawHeaderTest04(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; depth:5; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -837,7 +837,7 @@ static int DetectEngineHttpRawHeaderTest05(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:!\"one\"; depth:15; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) 
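Review bot: With `flow:to_server;` added to the rule in DetectEngineHttpRawHeaderTest01 (and the same edit in Test02–Test27, plus `flow:to_client;` in Test28 and Test29), none of the rules visible in this file's hunks still loads an `http_raw_header` signature that omits a direction. Deployed rulesets commonly omit `flow:`, so whatever the engine is meant to do with such a rule (reject it at load, or inspect both request and response raw headers) should be pinned by a test; otherwise a regression there would surface only as missed alerts. I would keep one direction-less variant, e.g. `"(msg:\"http header test\"; content:\"one\"; http_raw_header; sid:1;)"`, and assert the intended outcome explicitly. The test bodies continue outside these hunks, so a case elsewhere in the file may already cover this.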
@@ -926,7 +926,7 @@ static int DetectEngineHttpRawHeaderTest06(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; offset:10; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1015,7 +1015,7 @@ static int DetectEngineHttpRawHeaderTest07(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:!\"one\"; offset:15; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1104,7 +1104,7 @@ static int DetectEngineHttpRawHeaderTest08(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; offset:15; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1193,7 +1193,7 @@ static int DetectEngineHttpRawHeaderTest09(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:!\"one\"; offset:10; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1282,7 +1282,7 @@ static int DetectEngineHttpRawHeaderTest10(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:10; " "sid:1;)"); if (de_ctx->sig_list == NULL) 
@@ -1371,7 +1371,7 @@ static int DetectEngineHttpRawHeaderTest11(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:5; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1460,7 +1460,7 @@ static int DetectEngineHttpRawHeaderTest12(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:10; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1549,7 +1549,7 @@ static int DetectEngineHttpRawHeaderTest13(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:5; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1638,7 +1638,7 @@ static int DetectEngineHttpRawHeaderTest14(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:7; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1727,7 +1727,7 @@ static int DetectEngineHttpRawHeaderTest15(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:15; " "sid:1;)"); if (de_ctx->sig_list == NULL) 
@@ -1816,7 +1816,7 @@ static int DetectEngineHttpRawHeaderTest16(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:7; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1905,7 +1905,7 @@ static int DetectEngineHttpRawHeaderTest17(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:15; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1992,7 +1992,7 @@ static int DetectEngineHttpRawHeaderTest18(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -2066,7 +2066,7 @@ static int DetectEngineHttpRawHeaderTest19(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"one\"; http_raw_header; fast_pattern; content:\"five\"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -2149,7 +2149,7 @@ static int DetectEngineHttpRawHeaderTest20(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http client body test\"; " + "(msg:\"http client body test\"; flow:to_server; " "pcre:/body1/D; " "content:!\"dummy\"; http_raw_header; within:7; " "sid:1;)"); 
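Review bot: The new rule line in DetectEngineHttpRawHeaderTest20 keeps `msg:\"http client body test\"` although every content keyword in the rule is `http_raw_header`; the same label is carried through Test21–Test27. Since the line is being edited anyway, `"(msg:\"http raw header test\"; flow:to_server; "` would make the alert text of a failing test name the buffer that is actually inspected. This is a labelling point only; the matching logic in the hunk is unaffected.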
@@ -2263,7 +2263,7 @@ static int DetectEngineHttpRawHeaderTest21(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http client body test\"; " + "(msg:\"http client body test\"; flow:to_server; " "pcre:/body1/D; " "content:!\"dummy\"; within:7; http_raw_header; " "sid:1;)"); @@ -2377,7 +2377,7 @@ static int DetectEngineHttpRawHeaderTest22(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http client body test\"; " + "(msg:\"http client body test\"; flow:to_server; " "pcre:/body1/D; " "content:!\"dummy\"; distance:3; http_raw_header; " "sid:1;)"); @@ -2491,7 +2491,7 @@ static int DetectEngineHttpRawHeaderTest23(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http client body test\"; " + "(msg:\"http client body test\"; flow:to_server; " "pcre:/body1/D; " "content:!\"dummy\"; distance:13; http_raw_header; " "sid:1;)"); @@ -2605,7 +2605,7 @@ static int DetectEngineHttpRawHeaderTest24(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http client body test\"; " + "(msg:\"http client body test\"; flow:to_server; " "pcre:/body1/D; " "content:\"dummy\"; within:15; http_raw_header; " "sid:1;)"); @@ -2719,7 +2719,7 @@ static int DetectEngineHttpRawHeaderTest25(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http client body test\"; " + "(msg:\"http client body test\"; flow:to_server; " "pcre:/body1/D; " "content:\"dummy\"; within:10; http_raw_header; " "sid:1;)"); 
@@ -2833,7 +2833,7 @@ static int DetectEngineHttpRawHeaderTest26(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http client body test\"; " + "(msg:\"http client body test\"; flow:to_server; " "pcre:/body1/D; " "content:\"dummy\"; distance:8; http_raw_header; " "sid:1;)"); @@ -2947,7 +2947,7 @@ static int DetectEngineHttpRawHeaderTest27(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http client body test\"; " + "(msg:\"http client body test\"; flow:to_server; " "pcre:/body1/D; " "content:\"dummy\"; distance:14; http_raw_header; " "sid:1;)"); @@ -3067,7 +3067,7 @@ static int DetectEngineHttpRawHeaderTest28(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_client; " "content:\"Content-Length: 6\"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -3189,7 +3189,7 @@ static int DetectEngineHttpRawHeaderTest29(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_client; " "content:\"Content-Length: 7\"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index a9bbfa4035..7d7286fbde 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -6555,18 +6555,6 @@ int DetectFastPatternTest219(void) return result; } - - - - - - - - - - - - /********* http_raw_header tests v *****/ int DetectFastPatternTest220(void) 
@@ -6578,8 +6566,8 @@ int DetectFastPatternTest220(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; " + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; " "content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; " "content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) @@ -6615,8 +6603,8 @@ int DetectFastPatternTest221(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"/one/\"; fast_pattern:only; http_raw_header; " + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"/one/\"; fast_pattern:only; http_raw_header; " "msg:\"Testing fast_pattern\"; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; @@ -6652,8 +6640,8 @@ int DetectFastPatternTest222(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"oneoneone\"; fast_pattern:3,4; http_raw_header; " + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"oneoneone\"; fast_pattern:3,4; http_raw_header; " "msg:\"Testing fast_pattern\"; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; @@ -6685,8 +6673,8 @@ int DetectFastPatternTest223(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; fast_pattern:only; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; 
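Review bot: DetectFastPatternTest220 previously required an `alert icmp` rule carrying `http_raw_header` to load, and this hunk replaces it with `alert http` without saying what should now happen to the old combination; the same swap is made in Test221–Test260. If an HTTP buffer keyword on a non-HTTP rule header is now meant to be rejected, one expect-failure test using the old header (`"alert icmp any any -> any any "` with `http_raw_header`) would stop such a rule from loading silently and never matching. If it is still meant to load, a comment such as `/* proto changed to http only so flow:to_server applies */` would record that. The test body extends beyond the hunk, so the surrounding assertions are not visible here.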
@@ -6719,8 +6707,8 @@ int DetectFastPatternTest224(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"oneoneone\"; fast_pattern:3,4; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"oneoneone\"; fast_pattern:3,4; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; @@ -6752,8 +6740,8 @@ int DetectFastPatternTest225(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; distance:10; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; distance:10; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -6774,8 +6762,8 @@ int DetectFastPatternTest226(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; distance:10; fast_pattern:only; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; distance:10; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -6796,8 +6784,8 @@ int DetectFastPatternTest227(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; within:10; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; within:10; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; 
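Review bot: DetectFastPatternTest225 passes only when `SigInit` returns NULL (`if (de_ctx->sig_list != NULL) goto end;`), and this hunk changes two things in that rule at once: the protocol (`icmp` to `http`) and a new `flow:to_server;` keyword. A bare NULL check cannot tell the presumably intended rejection (`fast_pattern:only` combined with `distance:10`) from a rejection caused by the new header or flow keyword, so the test can keep passing while no longer exercising the fast_pattern validation. The same holds for the other expect-failure cases edited in this file: Test226–Test233, Test239–Test242, Test252–Test254 and Test256–Test259. A one-line comment on each, such as `/* must fail: fast_pattern:only cannot be combined with distance */`, together with a paired rule lacking the modifier that must load, would make the reason for the failure checkable. The test bodies start and end outside these hunks.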
@@ -6818,8 +6806,8 @@ int DetectFastPatternTest228(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; within:10; fast_pattern:only; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; within:10; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -6840,8 +6828,8 @@ int DetectFastPatternTest229(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; offset:10; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; offset:10; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -6862,8 +6850,8 @@ int DetectFastPatternTest230(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; offset:10; fast_pattern:only; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; offset:10; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; 
@@ -6884,8 +6872,8 @@ int DetectFastPatternTest231(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; depth:10; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:only; http_raw_header; depth:10; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -6906,8 +6894,8 @@ int DetectFastPatternTest232(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; depth:10; fast_pattern:only; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; depth:10; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -6928,8 +6916,8 @@ int DetectFastPatternTest233(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:!\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:!\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; 
@@ -6950,8 +6938,8 @@ int DetectFastPatternTest234(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content: \"one\"; http_raw_header; content:\"two\"; http_raw_header; distance:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content: \"one\"; http_raw_header; content:\"two\"; http_raw_header; distance:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; @@ -6981,8 +6969,8 @@ int DetectFastPatternTest235(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; @@ -7011,8 +6999,8 @@ int DetectFastPatternTest236(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; 
@@ -7041,8 +7029,8 @@ int DetectFastPatternTest237(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; @@ -7071,8 +7059,8 @@ int DetectFastPatternTest238(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:!\"one\"; fast_pattern; http_raw_header; content:\"two\"; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:!\"one\"; fast_pattern; http_raw_header; content:\"two\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; @@ -7102,8 +7090,8 @@ int DetectFastPatternTest239(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; distance:20; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; distance:20; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; 
@@ -7124,8 +7112,8 @@ int DetectFastPatternTest240(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; within:20; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; within:20; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -7146,8 +7134,8 @@ int DetectFastPatternTest241(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; offset:20; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; offset:20; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -7168,8 +7156,8 @@ int DetectFastPatternTest242(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; depth:20; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"two\"; http_raw_header; content:!\"one\"; fast_pattern; http_raw_header; depth:20; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; 
@@ -7190,8 +7178,8 @@ int DetectFastPatternTest243(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; @@ -7220,8 +7208,8 @@ int DetectFastPatternTest244(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; distance:30; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; distance:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; 
@@ -7250,8 +7238,8 @@ int DetectFastPatternTest245(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; within:30; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; within:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; @@ -7280,8 +7268,8 @@ int DetectFastPatternTest246(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; offset:30; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; offset:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; 
@@ -7310,8 +7298,8 @@ int DetectFastPatternTest247(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; depth:30; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; depth:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; @@ -7340,8 +7328,8 @@ int DetectFastPatternTest248(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; 
@@ -7370,8 +7358,8 @@ int DetectFastPatternTest249(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; @@ -7400,8 +7388,8 @@ int DetectFastPatternTest250(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; 
@@ -7430,8 +7418,8 @@ int DetectFastPatternTest251(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; @@ -7463,8 +7451,8 @@ int DetectFastPatternTest252(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:65977,4; http_raw_header; content:\"three\"; http_raw_header; distance:10; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:65977,4; http_raw_header; content:\"three\"; http_raw_header; distance:10; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -7485,8 +7473,8 @@ int DetectFastPatternTest253(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,65977; http_raw_header; content:\"three\"; distance:10; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,65977; http_raw_header; content:\"three\"; distance:10; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; 
@@ -7507,8 +7495,8 @@ int DetectFastPatternTest254(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:65534,4; http_raw_header; content:\"three\"; http_raw_header; distance:10; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; fast_pattern:65534,4; http_raw_header; content:\"three\"; http_raw_header; distance:10; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -7529,8 +7517,8 @@ int DetectFastPatternTest255(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; @@ -7560,8 +7548,8 @@ int DetectFastPatternTest256(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; distance:10; content:\"three\"; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; distance:10; content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; 
@@ -7582,8 +7570,8 @@ int DetectFastPatternTest257(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; within:10; content:\"three\"; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; within:10; content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -7604,8 +7592,8 @@ int DetectFastPatternTest258(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; offset:10; content:\"three\"; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; offset:10; content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; @@ -7626,8 +7614,8 @@ int DetectFastPatternTest259(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; depth:10; content:\"three\"; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; depth:10; content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) goto end; 
@@ -7648,8 +7636,8 @@ int DetectFastPatternTest260(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; @@ -7670,24 +7658,6 @@ int DetectFastPatternTest260(void) return result; } - - - - - - - - - - - - - - - - - - int DetectFastPatternTest261(void) { DetectEngineCtx *de_ctx = NULL; diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index 14d445fa61..58f120a3b1 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -231,7 +231,7 @@ static int DetectHttpRawHeaderTest01(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing http_header\"; " + "(msg:\"Testing http_header\"; flow:to_server; " "content:\"one\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) { result = 1; @@ -273,7 +273,7 @@ static int DetectHttpRawHeaderTest02(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing http_header\"; " + "(msg:\"Testing http_header\"; flow:to_server; " "content:\"one\"; http_raw_header:; sid:1;)"); if (de_ctx->sig_list != NULL) result = 1; 
@@ -303,7 +303,7 @@ static int DetectHttpRawHeaderTest03(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing http_header\"; " + "(msg:\"Testing http_header\"; flow:to_server; " "http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) result = 1; @@ -333,7 +333,7 @@ static int DetectHttpRawHeaderTest04(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing http_header\"; " + "(msg:\"Testing http_header\"; flow:to_server; " "content:\"one\"; rawbytes; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) result = 1; @@ -363,7 +363,7 @@ static int DetectHttpRawHeaderTest05(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing http_header\"; " + "(msg:\"Testing http_header\"; flow:to_server; " "content:\"one\"; nocase; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) result = 1; @@ -426,7 +426,7 @@ static int DetectHttpRawHeaderTest06(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"Content-Type: text/html\"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -529,7 +529,7 @@ static int DetectHttpRawHeaderTest07(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"Mozilla\"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -646,7 +646,7 @@ static int DetectHttpRawHeaderTest08(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"Gecko/20091221 Firefox/3.5.7\"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) 
@@ -764,7 +764,7 @@ static int DetectHttpRawHeaderTest09(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"Firefox/3.5.7|0D 0A|Content\"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -882,7 +882,7 @@ static int DetectHttpRawHeaderTest10(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_raw_header;" "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -992,7 +992,7 @@ static int DetectHttpRawHeaderTest11(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:!\"lalalalala\"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1086,7 +1086,7 @@ static int DetectHttpRawHeaderTest12(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:!\"User-Agent: Mozilla/5.0 \"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) @@ -1181,7 +1181,7 @@ static int DetectHttpRawHeaderTest13(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http header test\"; " + "(msg:\"http header test\"; flow:to_server; " "content:\"Host: www.openinfosecfoundation.org\"; http_raw_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) 
@@ -1236,8 +1236,8 @@ int DetectHttpRawHeaderTest14(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; content:\"one\"; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; content:\"one\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) { printf("de_ctx->sig_list == NULL\n"); goto end; @@ -1275,8 +1275,8 @@ int DetectHttpRawHeaderTest15(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"one\"; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"one\"; sid:1;)"); if (de_ctx->sig_list == NULL) { printf("de_ctx->sig_list == NULL\n"); goto end; @@ -1314,8 +1314,8 @@ int DetectHttpRawHeaderTest16(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; content:\"one\"; content:\"one\"; http_raw_header; content:\"one\"; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; content:\"one\"; content:\"one\"; http_raw_header; content:\"one\"; sid:1;)"); if (de_ctx->sig_list == NULL) { printf("de_ctx->sig_list == NULL\n"); goto end; @@ -1353,8 +1353,8 @@ int DetectHttpRawHeaderTest17(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; content:\"one\"; content:\"one\"; content:\"one\"; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; content:\"one\"; content:\"one\"; content:\"one\"; sid:1;)"); if (de_ctx->sig_list == NULL) { printf("de_ctx->sig_list == NULL\n"); goto end; 
@@ -1392,8 +1392,8 @@ int DetectHttpRawHeaderTest18(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; " + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; " "content:\"one\"; content:\"one\"; http_raw_header; content:\"one\"; sid:1;)"); if (de_ctx->sig_list == NULL) { printf("de_ctx->sig_list == NULL\n"); @@ -1433,8 +1433,8 @@ int DetectHttpRawHeaderTest19(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; " + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; " "content:\"one\"; content:\"one\"; http_raw_header; content:\"two\"; sid:1;)"); if (de_ctx->sig_list == NULL) { printf("de_ctx->sig_list == NULL\n"); @@ -1474,8 +1474,8 @@ int DetectHttpRawHeaderTest20(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; " + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; " "content:\"two\"; distance:0; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) { printf("de_ctx->sig_list == NULL\n"); @@ -1518,8 +1518,8 @@ int DetectHttpRawHeaderTest21(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; " + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; " "content:\"two\"; within:5; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) { printf("de_ctx->sig_list == NULL\n"); 
@@ -1562,8 +1562,8 @@ int DetectHttpRawHeaderTest22(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; within:5; http_raw_header; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; within:5; http_raw_header; sid:1;)"); if (de_ctx->sig_list != NULL) { printf("de_ctx->sig_list != NULL\n"); goto end; @@ -1586,8 +1586,8 @@ int DetectHttpRawHeaderTest23(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; http_raw_header; within:5; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; http_raw_header; within:5; sid:1;)"); if (de_ctx->sig_list != NULL) { printf("de_ctx->sig_list != NULL\n"); goto end; @@ -1610,8 +1610,8 @@ int DetectHttpRawHeaderTest24(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; within:5; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"one\"; within:5; sid:1;)"); if (de_ctx->sig_list != NULL) { printf("de_ctx->sig_list != NULL\n"); goto end; @@ -1634,8 +1634,8 @@ int DetectHttpRawHeaderTest25(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(pcre:/one/D; " + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; pcre:/one/D; " "content:\"two\"; within:5; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) { printf("de_ctx->sig_list == NULL\n"); 
@@ -1685,8 +1685,8 @@ int DetectHttpRawHeaderTest26(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"two\"; http_raw_header; " + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; content:\"two\"; http_raw_header; " "pcre:/one/DR; sid:1;)"); if (de_ctx->sig_list == NULL) { printf("de_ctx->sig_list == NULL\n"); @@ -1736,8 +1736,8 @@ int DetectHttpRawHeaderTest27(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(pcre:/one/D; " + de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " + "(flow:to_server; pcre:/one/D; " "content:\"two\"; distance:5; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) { printf("de_ctx->sig_list == NULL\n"); diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index be9737403d..00fab28efc 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c @@ -931,7 +931,7 @@ int DetectIsdataatTestParse11(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"Testing bytejump_body\"; " - "content:\"one\"; http_raw_header; " + "flow:to_server; content:\"one\"; http_raw_header; " "isdataat:!4,relative; sid:1;)"); if (de_ctx->sig_list == NULL) { goto end; diff --git a/src/detect-parse.c b/src/detect-parse.c index c65507c6b5..30e3087ac7 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c 
@@ -1360,20 +1360,23 @@ static int SigValidate(Signature *s) { } } -#ifndef UNITTESTS /** \todo HACK... this fails 72 unittests, no time to fix them now */ -#ifndef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) { if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) { - SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature without a flow direction. See issue #389."); + SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature " + "without a flow direction. Use flow:to_server for " + "inspecting request headers or flow:to_client for " + "inspecting response headers."); SCReturnInt(0); } +#ifndef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW if (s->flags & SIG_FLAG_TOCLIENT) { - SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature with to_client flow direction. See issue #389."); + SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature with " + "to_client flow direction. See issues #389 and #397. Update " + "libhtp to at least 0.2.7."); SCReturnInt(0); } +#endif /* HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW */ } -#endif -#endif if (s->alproto == ALPROTO_DCERPC) { /* \todo We haven't covered dce rpc cases now. They need special
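Review bot: Removing the `#ifndef UNITTESTS` guard makes the direction check run in unit-test builds, yet every rule changed in the visible part of this diff adds `flow:to_server`, so neither rejection path is exercised. The untested cases are an http_raw_header rule with no flow keyword and, when HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW is undefined, one with `flow:to_client`. A parse test expecting SigInit to return NULL for `content:"one"; http_raw_header; sid:1;` would pin the first case and catch a regression that lets direction-less rules load again. The flag comparison also relies on "both direction flags set" meaning "no direction given", which only the error text implies; a comment such as `/* no flow direction given: both direction flags are still set */` above it would make that explicit. SigValidate starts before this hunk and continues after it.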