diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c index d9e618dbca..e7a0fc3b1f 100644 --- a/src/detect-engine-hcbd.c +++ b/src/detect-engine-hcbd.c @@ -57,7 +57,7 @@ #include "app-layer-protos.h" /** - * \brief Run the actual payload match function for uricontent. + * \brief Run the actual payload match function for http request body. * * For accounting the last match in relative matching the * det_ctx->payload_offset int is used. @@ -66,8 +66,8 @@ * \param det_ctx Detection engine thread context. * \param s Signature to inspect. * \param sm SigMatch to inspect. - * \param payload Ptr to the uricontent payload to inspect. - * \param payload_len Length of the uricontent payload. + * \param payload Ptr to the request body to inspect. + * \param payload_len Length of the request body. * * \retval 0 no match. * \retval 1 match. @@ -252,15 +252,15 @@ match: * \param det_ctx Detection engine thread ctx. * \param f Pointer to the flow. * \param htp_state http state. - * \param call_mpm 1 if we are also to call the mpm no the buffered bodies or - * 0 if we to just buffer the bodies. * * \retval cnt The match count from the mpm call. If call_mpm is 0, the retval * is ignored. */ -static uint32_t DetectEngineInspectHttpClientBodyMpmInspect(DetectEngineThreadCtx *det_ctx, - Flow *f, HtpState *htp_state, - int call_mpm) { +static uint32_t DetectEngineInspectHttpClientBodyMpmInspect(DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *s, Flow *f, + HtpState *htp_state) +{ uint32_t cnt = 0; size_t idx = 0; htp_tx_t *tx = NULL; @@ -271,7 +271,8 @@ static uint32_t DetectEngineInspectHttpClientBodyMpmInspect(DetectEngineThreadCt /* if the buffer already exists, use it */ if (det_ctx->hcbd_buffers[i] != NULL) { - if (call_mpm) { + /* we only call the mpm if the hcbd mpm has been set */ + if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) { cnt += HttpClientBodyPatternSearch(det_ctx, det_ctx->hcbd_buffers[i], det_ctx->hcbd_buffers_len[i]); @@ -279,7 +280,6 @@ static uint32_t DetectEngineInspectHttpClientBodyMpmInspect(DetectEngineThreadCt continue; } - tx = list_get(htp_state->connp->conn->transactions, idx); tx = list_get(htp_state->connp->conn->transactions, idx); if (tx == NULL) continue; @@ -314,11 +314,11 @@ static uint32_t DetectEngineInspectHttpClientBodyMpmInspect(DetectEngineThreadCt } uint8_t *chunks_buffer = NULL; - uint32_t chunks_buffer_len = 0; + int32_t chunks_buffer_len = 0; while (cur != NULL) { /* \todo Currently we limit the body length we inspect. We * should change to handling chunks statefully */ - if (chunks_buffer_len > 20000) + if (chunks_buffer_len > de_ctx->hcbd_buffer_limit) break; chunks_buffer_len += cur->len; if ( (chunks_buffer = SCRealloc(chunks_buffer, chunks_buffer_len)) == NULL) { @@ -332,8 +332,8 @@ static uint32_t DetectEngineInspectHttpClientBodyMpmInspect(DetectEngineThreadCt det_ctx->hcbd_buffers[i] = chunks_buffer; det_ctx->hcbd_buffers_len[i] = chunks_buffer_len; - /* carry out the mpm */ - if (call_mpm) + /* carry out the mpm if we have hcbd mpm set */ + if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) cnt += HttpClientBodyPatternSearch(det_ctx, chunks_buffer, chunks_buffer_len); } /* else - if (htud->body.nchunks == 0) */ } /* for (idx = AppLayerTransactionGetInspectId(f); .. */ @@ -395,31 +395,34 @@ int DetectEngineInspectHttpClientBody(DetectEngineCtx *de_ctx, goto end; /* assign space to hold buffers. Each per transaction */ - det_ctx->hcbd_buffers = malloc(det_ctx->hcbd_buffers_list_len * sizeof(uint8_t *)); + det_ctx->hcbd_buffers = SCMalloc(det_ctx->hcbd_buffers_list_len * sizeof(uint8_t *)); if (det_ctx->hcbd_buffers == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); - exit(EXIT_FAILURE); + goto end; } memset(det_ctx->hcbd_buffers, 0, det_ctx->hcbd_buffers_list_len * sizeof(uint8_t *)); - det_ctx->hcbd_buffers_len = malloc(det_ctx->hcbd_buffers_list_len * sizeof(uint32_t)); + det_ctx->hcbd_buffers_len = SCMalloc(det_ctx->hcbd_buffers_list_len * sizeof(uint32_t)); if (det_ctx->hcbd_buffers_len == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); - exit(EXIT_FAILURE); + goto end; } memset(det_ctx->hcbd_buffers_len, 0, det_ctx->hcbd_buffers_list_len * sizeof(uint32_t)); } /* if (det_ctx->hcbd_buffers_list_len == 0) */ if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) { if (det_ctx->de_mpm_scanned_hcbd == FALSE) { - uint32_t cnt = DetectEngineInspectHttpClientBodyMpmInspect(det_ctx, f, htp_state, 1); + uint32_t cnt = DetectEngineInspectHttpClientBodyMpmInspect(de_ctx, + det_ctx, s, + f, htp_state); if (cnt <= 0) det_ctx->de_have_hcbd = FALSE; det_ctx->de_mpm_scanned_hcbd = TRUE; } } else { - DetectEngineInspectHttpClientBodyMpmInspect(det_ctx, f, htp_state, 0); + DetectEngineInspectHttpClientBodyMpmInspect(de_ctx, det_ctx, s, f, + htp_state); } if (det_ctx->de_have_hcbd == FALSE && @@ -456,6 +459,28 @@ end: SCReturnInt(r); } +/** + * \brief Clean the hcbd buffers. + * + * \param det_ctx Pointer to the detection engine thread ctx. + */ +void DetectEngineCleanHCBDBuffers(DetectEngineThreadCtx *det_ctx) +{ + if (det_ctx->hcbd_buffers_list_len != 0) { + int i; + for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) { + if (det_ctx->hcbd_buffers[i] != NULL) + SCFree(det_ctx->hcbd_buffers[i]); + } + SCFree(det_ctx->hcbd_buffers); + det_ctx->hcbd_buffers = NULL; + det_ctx->hcbd_buffers_list_len = 0; + } + + return; +} + + /***********************************Unittests**********************************/ #ifdef UNITTESTS diff --git a/src/detect-engine-hcbd.h b/src/detect-engine-hcbd.h index 47a927773a..98d808aad1 100644 --- a/src/detect-engine-hcbd.h +++ b/src/detect-engine-hcbd.h @@ -23,8 +23,11 @@ #ifndef __DETECT_ENGINE_HCBD_H__ #define __DETECT_ENGINE_HCBD_H__ +#define ENGINE_HCBD_BUFFER_LIMIT 20000 + int DetectEngineInspectHttpClientBody(DetectEngineCtx *, DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *); +void DetectEngineCleanHCBDBuffers(DetectEngineThreadCtx *); void HttpClientBodyRegisterTests(void); #endif /* __DETECT_ENGINE_HCBD_H__ */ diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index a9b235ffef..bd970993c3 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -2330,8 +2330,9 @@ uint32_t DetectContentGetId(MpmPatternIdStore *ht, DetectContentData *co) { MpmPatternIdTableElmt *r = NULL; uint32_t id = 0; - e = malloc(sizeof(MpmPatternIdTableElmt)); + e = SCMalloc(sizeof(MpmPatternIdTableElmt)); BUG_ON(e == NULL); + memset(e, 0, sizeof(MpmPatternIdTableElmt)); e->pattern = SCMalloc(co->content_len); BUG_ON(e->pattern == NULL); memcpy(e->pattern, co->content, co->content_len); @@ -2379,7 +2380,7 @@ uint32_t DetectUricontentGetId(MpmPatternIdStore *ht, DetectContentData *co) { MpmPatternIdTableElmt *r = NULL; uint32_t id = 0; - e = malloc(sizeof(MpmPatternIdTableElmt)); + e = SCMalloc(sizeof(MpmPatternIdTableElmt)); BUG_ON(e == NULL); e->pattern = SCMalloc(co->content_len); BUG_ON(e->pattern == NULL); @@ -2438,7 +2439,7 @@ uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, uint8_t sm_type) MpmPatternIdTableElmt *r = NULL; PatIntId id = 0; - e = malloc(sizeof(MpmPatternIdTableElmt)); + e = SCMalloc(sizeof(MpmPatternIdTableElmt)); if (e == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); exit(EXIT_FAILURE); diff --git a/src/detect-engine.c b/src/detect-engine.c index e841b6ecf6..ebcc6f5e8d 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -35,6 +35,7 @@ #include "detect-engine-address.h" #include "detect-engine-port.h" #include "detect-engine-mpm.h" +#include "detect-engine-hcbd.h" #include "detect-engine-iponly.h" #include "detect-engine-tag.h" @@ -188,6 +189,7 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) { const char *max_uniq_toserver_dp_groups_str = NULL; char *sgh_mpm_context = NULL; + char *hcbd_buffer_limit = NULL; ConfNode *de_ctx_custom = ConfGetNode("detect-engine"); ConfNode *opt = NULL; @@ -198,6 +200,9 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) { de_ctx_profile = opt->head.tqh_first->val; } else if (strcmp(opt->val, "sgh-mpm-context") == 0) { sgh_mpm_context = opt->head.tqh_first->val; + } else if (strcmp(opt->val, + "http-client-request-body-buffer-limit") == 0) { + hcbd_buffer_limit = opt->head.tqh_first->val; } } } @@ -239,6 +244,14 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) { } } + if (hcbd_buffer_limit == NULL) { + de_ctx->hcbd_buffer_limit = ENGINE_HCBD_BUFFER_LIMIT; + } else { + de_ctx->hcbd_buffer_limit = atoi(hcbd_buffer_limit); + if (de_ctx->hcbd_buffer_limit <= 0) + de_ctx->hcbd_buffer_limit = ENGINE_HCBD_BUFFER_LIMIT; + } + opt = NULL; switch (profile) { case ENGINE_PROFILE_LOW: diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c new file mode 100644 index 0000000000..22d054d556 --- /dev/null +++ b/src/detect-http-raw-header.c @@ -0,0 +1,1580 @@ +/* Copyright (C) 2007-2010 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Pablo Rincon + * + * Implements support for http_raw_header keyword. + */ + +#include "suricata-common.h" +#include "threads.h" +#include "decode.h" + +#include "detect.h" +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-state.h" +#include "detect-content.h" + +#include "flow.h" +#include "flow-var.h" +#include "flow-util.h" + +#include "util-debug.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" +#include "util-spm.h" +#include "util-print.h" + +#include "app-layer.h" + +#include +#include "app-layer-htp.h" +#include "detect-http-raw-header.h" +#include "stream-tcp.h" + +int DetectHttpRawHeaderMatch(ThreadVars *, DetectEngineThreadCtx *, Flow *, + uint8_t, void *, Signature *, SigMatch *); +int DetectHttpRawHeaderSetup(DetectEngineCtx *, Signature *, char *); +void DetectHttpRawHeaderRegisterTests(void); +void DetectHttpRawHeaderFree(void *); + +/** + * \brief Registers the keyword handlers for the "http_raw_header" keyword. + */ +void DetectHttpRawHeaderRegister(void) +{ + sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].name = "http_raw_header"; + sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].Match = NULL; + sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].AppLayerMatch = DetectHttpRawHeaderMatch; + sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].alproto = ALPROTO_HTTP; + sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetup; + sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].Free = DetectHttpRawHeaderFree; + sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].RegisterTests = DetectHttpRawHeaderRegisterTests; + + sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].flags |= SIGMATCH_PAYLOAD ; +} + +/** + * \brief App layer match function for the "http_raw_header" keyword. + * + * \param t Pointer to the ThreadVars instance. + * \param det_ctx Pointer to the DetectEngineThreadCtx. + * \param f Pointer to the flow. + * \param flags Pointer to the flags indicating the flow direction. + * \param state Pointer to the app layer state data. + * \param s Pointer to the Signature instance. + * \param m Pointer to the SigMatch. + * + * \retval 1 On Match. + * \retval 0 On no match. + */ +int DetectHttpRawHeaderMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, + Flow *f, uint8_t flags, void *state, Signature *s, + SigMatch *m) +{ + SCEnter(); + + int result = 0; + DetectContentData *hrhd = (DetectContentData *)m->ctx; + HtpState *htp_state = (HtpState *)state; + + SCMutexLock(&f->m); + + if (htp_state == NULL || htp_state->connp == NULL || + htp_state->connp->conn == NULL) { + SCLogDebug("No htp state, no match for http header data"); + goto end; + } + + htp_tx_t *tx = NULL; + bstr *headers = NULL; + size_t idx = 0; + + //htp_state->new_in_tx_index; + size_t l_size = list_size(htp_state->connp->conn->transactions); + for (idx = 0; idx < l_size; idx++) { + tx = list_get(htp_state->connp->conn->transactions, idx); + + if (tx == NULL) + continue; + + headers = htp_tx_get_request_headers_raw(tx); + if (headers == NULL) + continue; + + SCLogDebug("inspecting tx %p", tx); + + if (bstr_len(headers) > 0) { + /* call the case sensitive version if nocase has been specified in the sig */ + if (hrhd->flags & DETECT_CONTENT_NOCASE) { + result = (SpmNocaseSearch((uint8_t *)bstr_ptr(headers), bstr_len(headers), + hrhd->content, hrhd->content_len) != NULL); + } else { + result = (SpmSearch((uint8_t *)bstr_ptr(headers), bstr_len(headers), + hrhd->content, hrhd->content_len) != NULL); + } + } + } + + SCMutexUnlock(&f->m); + SCReturnInt(result ^ ((hrhd->flags & DETECT_CONTENT_NEGATED) ? 1 : 0)); + + end: + SCMutexUnlock(&f->m); + SCReturnInt(result); +} + +/** + * \brief this function clears the memory of http_raw_header modifier keyword + * + * \param ptr Pointer to the Detection Header Data + */ +void DetectHttpRawHeaderFree(void *ptr) +{ + DetectContentData *hrhd = (DetectContentData *)ptr; + if (hrhd == NULL) + return; + if (hrhd->content != NULL) + SCFree(hrhd->content); + SCFree(hrhd); + + return; +} + +/** + * \brief The setup function for the http_raw_header keyword for a signature. + * + * \param de_ctx Pointer to the detection engine context. + * \param s Pointer to signature for the current Signature being parsed + * from the rules. + * \param m Pointer to the head of the SigMatchs for the current rule + * being parsed. + * \param arg Pointer to the string holding the keyword value. + * + * \retval 0 On success + * \retval -1 On failure + */ +int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) +{ + /* http_raw_header_data (hrhd) */ + DetectContentData *hrhd = NULL; + SigMatch *nm = NULL; + SigMatch *sm = NULL; + + if (arg != NULL && strcmp(arg, "") != 0) { + SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_header supplied with no args"); + return -1; + } + + if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_header found inside the " + "rule, without any preceding content keywords"); + return -1; + } + + sm = DetectContentGetLastPattern(s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); + /* if still we are unable to find any content previous keywords, it is an + * invalid rule */ + if (sm == NULL) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_header\" keyword " + "found inside the rule without a content context. " + "Please use a \"content\" keyword before using the " + "\"http_header\" keyword"); + return -1; + } + + if (((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { + SCLogWarning(SC_WARN_COMPATIBILITY, + "http_header cannot be used with \"fast_pattern\" currently." + "Unsetting fast_pattern on this modifier. Signature ==> %s", s->sig_str); + ((DetectContentData *)sm->ctx)->flags &= ~DETECT_CONTENT_FAST_PATTERN; + } + + /* http_header should not be used with the rawbytes rule */ + if (((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_RAWBYTES) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header rule can not " + "be used with the rawbytes rule keyword"); + return -1; + } + + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords"); + goto error; + } + + /* setup the HttpHeaderData's data from content data structure's data */ + hrhd = SCMalloc(sizeof(DetectContentData)); + if (hrhd == NULL) { + SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); + exit(EXIT_FAILURE); + } + memset(hrhd, 0, sizeof(DetectContentData)); + + /* transfer the pattern details from the content struct to the clientbody struct */ + DetectContentData *cd = (DetectContentData *)sm->ctx; + hrhd->content = cd->content; + hrhd->content_len = cd->content_len; + hrhd->flags |= cd->flags & DETECT_CONTENT_NOCASE ? DETECT_CONTENT_NOCASE : 0; + hrhd->flags |= cd->flags & DETECT_CONTENT_NEGATED ? DETECT_CONTENT_NEGATED : 0; + //hrhd->id = ((DetectContentData *)sm->ctx)->id; + hrhd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, hrhd, DETECT_AL_HTTP_HEADER); + + nm = SigMatchAlloc(); + if (nm == NULL) { + SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); + goto error; + } + nm->type = DETECT_AL_HTTP_HEADER; + nm->ctx = (void *)hrhd; + + /* pull the previous content from the pmatch list, append + * the new match to the match list */ + SigMatchReplaceContent(s, sm, nm); + + /* free the old content sigmatch, the content pattern memory + * is taken over by the new sigmatch */ + BoyerMooreCtxDeInit(((DetectContentData *)sm->ctx)->bm_ctx); + SCFree(sm->ctx); + SCFree(sm); + + /* flag the signature to indicate that we scan the app layer data */ + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; + + return 0; + +error: + if (hrhd != NULL) + DetectHttpRawHeaderFree(hrhd); + if(nm != NULL) + SCFree(sm); + + return -1; +} + +/************************************Unittests*********************************/ + +#ifdef UNITTESTS + +#include "stream-tcp-reassemble.h" + +/** + * \test Test that a signature containting a http_header is correctly parsed + * and the keyword is registered. + */ +static int DetectHttpRawHeaderTest01(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + SigMatch *sm = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing http_header\"; " + "content:one; http_header; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 1; + } else { + printf("Error parsing signature: "); + goto end; + } + + sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH]; + if (sm != NULL) { + result &= (sm->type == DETECT_AL_HTTP_HEADER); + result &= (sm->next == NULL); + } else { + printf("Error updating content pattern to http_header pattern: "); + } + + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test that a signature containing an valid http_header entry is + * parsed. + */ +static int DetectHttpRawHeaderTest02(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing http_header\"; " + "content:one; http_header:; sid:1;)"); + if (de_ctx->sig_list != NULL) + result = 1; + else + printf("Error parsing signature: "); + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test that an invalid signature containing no content but a http_header + * is invalidated. + */ +static int DetectHttpRawHeaderTest03(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing http_header\"; " + "http_header; sid:1;)"); + if (de_ctx->sig_list == NULL) + result = 1; + else + printf("Error parsing signature: "); + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test that an invalid signature containing a rawbytes along with a + * http_header is invalidated. + */ +static int DetectHttpRawHeaderTest04(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing http_header\"; " + "content:one; rawbytes; http_header; sid:1;)"); + if (de_ctx->sig_list == NULL) + result = 1; + else + printf("Error parsing signature: "); + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test that an invalid signature containing a rawbytes along with a + * http_header is invalidated. + */ +static int DetectHttpRawHeaderTest05(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing http_header\"; " + "content:one; nocase; http_header; sid:1;)"); + if (de_ctx->sig_list != NULL) + result = 1; + else + printf("Error parsing signature: "); + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + *\test Test that the http_header content matches against a http request + * which holds the content. + */ +static int DetectHttpRawHeaderTest06(void) +{ + TcpSession ssn; + Packet *p = NULL; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + HtpState *http_state = NULL; + Flow f; + uint8_t http_buf[] = + "GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 26\r\n" + "\r\n" + "This is dummy message body\r\n"; + uint32_t http_len = sizeof(http_buf) - 1; + int result = 0; + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + p->flow = &f; + p->flowflags |= FLOW_PKT_TOSERVER; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " + "(msg:\"http header test\"; " + "content:\"Content-Type: text/html\"; http_header; " + "sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; + if (http_state == NULL) { + printf("no http state: "); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + if (!(PacketAlertCheck(p, 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + SigCleanSignatures(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p, 1); + return result; +} + +/** + *\test Test that the http_header content matches against a http request + * which holds the content. + */ +static int DetectHttpRawHeaderTest07(void) +{ + TcpSession ssn; + Packet *p1 = NULL; + Packet *p2 = NULL; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + HtpState *http_state = NULL; + Flow f; + uint8_t http1_buf[] = + "GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozi"; + uint8_t http2_buf[] = + "lla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\nContent-Type: text/html\r\n" + "Content-Length: 67\r\n" + "\r\n" + "This is dummy message body1"; + uint32_t http1_len = sizeof(http1_buf) - 1; + uint32_t http2_len = sizeof(http2_buf) - 1; + int result = 0; + + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + p1->flow = &f; + p1->flowflags |= FLOW_PKT_TOSERVER; + p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; + p2->flow = &f; + p2->flowflags |= FLOW_PKT_TOSERVER; + p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " + "(msg:\"http header test\"; " + "content:Mozilla; http_header; " + "sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http1_buf, http1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; + if (http_state == NULL) { + printf("no http state: "); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); + + if ( (PacketAlertCheck(p1, 1))) { + printf("sid 1 matched but shouldn't have: "); + goto end; + } + + r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http2_buf, http2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); + + if (!(PacketAlertCheck(p2, 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + SigCleanSignatures(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p1, 1); + UTHFreePackets(&p2, 1); + return result; +} + +/** + *\test Test that the http_header content matches against a http request + * which holds the content. + */ +static int DetectHttpRawHeaderTest08(void) +{ + TcpSession ssn; + Packet *p1 = NULL; + Packet *p2 = NULL; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + HtpState *http_state = NULL; + Flow f; + uint8_t http1_buf[] = + "GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n"; + uint8_t http2_buf[] = + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 67\r\n" + "\r\n"; + uint32_t http1_len = sizeof(http1_buf) - 1; + uint32_t http2_len = sizeof(http2_buf) - 1; + int result = 0; + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + p1->flow = &f; + p1->flowflags |= FLOW_PKT_TOSERVER; + p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; + p2->flow = &f; + p2->flowflags |= FLOW_PKT_TOSERVER; + p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " + "(msg:\"http header test\"; " + "content:\"Gecko/20091221 Firefox/3.5.7\"; http_header; " + "sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http1_buf, http1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; + if (http_state == NULL) { + printf("no http state: "); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); + + if ((PacketAlertCheck(p1, 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http2_buf, http2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); + + if (!(PacketAlertCheck(p2, 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + SigCleanSignatures(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p1, 1); + UTHFreePackets(&p2, 1); + return result; +} + +/** + *\test Test that the http_header content matches against a http request + * which holds the content, against a cross boundary present pattern. + */ +static int DetectHttpRawHeaderTest09(void) +{ + TcpSession ssn; + Packet *p1 = NULL; + Packet *p2 = NULL; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + HtpState *http_state = NULL; + Flow f; + uint8_t http1_buf[] = + "GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"; + uint8_t http2_buf[] = + "Content-Type: text/html\r\n" + "Content-Length: 67\r\n" + "\r\n" + "This is dummy body\r\n"; + uint32_t http1_len = sizeof(http1_buf) - 1; + uint32_t http2_len = sizeof(http2_buf) - 1; + int result = 0; + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + p1->flow = &f; + p1->flowflags |= FLOW_PKT_TOSERVER; + p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; + p2->flow = &f; + p2->flowflags |= FLOW_PKT_TOSERVER; + p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " + "(msg:\"http header test\"; " + "content:\"Firefox/3.5.7|0D 0A|Content\"; http_header; " + "sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http1_buf, http1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; + if (http_state == NULL) { + printf("no http state: "); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); + + if ((PacketAlertCheck(p1, 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http2_buf, http2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); + + if (!(PacketAlertCheck(p2, 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + SigCleanSignatures(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p1, 1); + UTHFreePackets(&p2, 1); + return result; +} + +/** + *\test Test that the http_header content matches against a http request + * against a case insensitive pattern. + */ +static int DetectHttpRawHeaderTest10(void) +{ + TcpSession ssn; + Packet *p1 = NULL; + Packet *p2 = NULL; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + HtpState *http_state = NULL; + Flow f; + uint8_t http1_buf[] = + "GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"; + uint8_t http2_buf[] = + "Content-Type: text/html\r\n" + "Content-Length: 67\r\n" + "\r\n" + "This is dummy body"; + uint32_t http1_len = sizeof(http1_buf) - 1; + uint32_t http2_len = sizeof(http2_buf) - 1; + int result = 0; + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + p1->flow = &f; + p1->flowflags |= FLOW_PKT_TOSERVER; + p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; + p2->flow = &f; + p2->flowflags |= FLOW_PKT_TOSERVER; + p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " + "(msg:\"http header test\"; " + "content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_header;" + "sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http1_buf, http1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; + if (http_state == NULL) { + printf("no http state: "); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); + + if ((PacketAlertCheck(p1, 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http2_buf, http2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); + + if (!(PacketAlertCheck(p2, 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + SigCleanSignatures(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p1, 1); + UTHFreePackets(&p2, 1); + return result; +} + +/** + *\test Test that the negated http_header content matches against a + * http request which doesn't hold the content. + */ +static int DetectHttpRawHeaderTest11(void) +{ + TcpSession ssn; + Packet *p = NULL; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + HtpState *http_state = NULL; + Flow f; + uint8_t http_buf[] = + "GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 26\r\n" + "\r\n" + "This is dummy message body\r\n"; + uint32_t http_len = sizeof(http_buf) - 1; + int result = 0; + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + p->flow = &f; + p->flowflags |= FLOW_PKT_TOSERVER; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " + "(msg:\"http header test\"; " + "content:!lalalalala; http_header; " + "sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; + if (http_state == NULL) { + printf("no http state: "); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + if (!(PacketAlertCheck(p, 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + SigCleanSignatures(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p, 1); + return result; +} + +/** + *\test Negative test that the negated http_header content matches against a + * http request which holds hold the content. + */ +static int DetectHttpRawHeaderTest12(void) +{ + TcpSession ssn; + Packet *p = NULL; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + HtpState *http_state = NULL; + Flow f; + uint8_t http_buf[] = + "GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 26\r\n" + "\r\n" + "This is dummy message body\r\n"; + uint32_t http_len = sizeof(http_buf) - 1; + int result = 0; + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + p->flow = &f; + p->flowflags |= FLOW_PKT_TOSERVER; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " + "(msg:\"http header test\"; " + "content:!\"User-Agent: Mozilla/5.0 \"; http_header; " + "sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; + if (http_state == NULL) { + printf("no http state: "); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + if ((PacketAlertCheck(p, 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + SigCleanSignatures(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p, 1); + return result; +} + +/** + *\test Test that the http_header content matches against a http request + * which holds the content. + */ +static int DetectHttpRawHeaderTest13(void) +{ + TcpSession ssn; + Packet *p = NULL; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + HtpState *http_state = NULL; + Flow f; + uint8_t http_buf[] = + "GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 100\r\n" + "\r\n" + "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"; + uint32_t http_len = sizeof(http_buf) - 1; + int result = 0; + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + + p->flow = &f; + p->flowflags |= FLOW_PKT_TOSERVER; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " + "(msg:\"http header test\"; " + "content:\"Host: www.openinfosecfoundation.org\"; http_header; " + "sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; + if (http_state == NULL) { + printf("no http state: "); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + if (!(PacketAlertCheck(p, 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + SigCleanSignatures(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p, 1); + return result; +} + +int DetectHttpRawHeaderTest14(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(content:one; content:one; http_header; sid:1;)"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL\n"); + goto end; + } + + DetectContentData *cd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; + DetectContentData *hrhd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_AMATCH]->ctx; + if (cd->id == hrhd->id) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectHttpRawHeaderTest15(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(content:one; http_header; content:one; sid:1;)"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL\n"); + goto end; + } + + DetectContentData *cd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; + DetectContentData *hrhd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_AMATCH]->ctx; + if (cd->id == hrhd->id) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectHttpRawHeaderTest16(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(content:one; content:one; content:one; http_header; content:one; sid:1;)"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL\n"); + goto end; + } + + DetectContentData *cd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; + DetectContentData *hrhd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_AMATCH]->ctx; + if (cd->id != 0 || hrhd->id != 1) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectHttpRawHeaderTest17(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(content:one; http_header; content:one; content:one; content:one; sid:1;)"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL\n"); + goto end; + } + + DetectContentData *cd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; + DetectContentData *hrhd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_AMATCH]->ctx; + if (cd->id != 1 || hrhd->id != 0) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectHttpRawHeaderTest18(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(content:one; http_header; " + "content:one; content:one; http_header; content:one; sid:1;)"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL\n"); + goto end; + } + + DetectContentData *cd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; + DetectContentData *hrhd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_AMATCH]->ctx; + DetectContentData *hrhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_AMATCH]->prev->ctx; + if (cd->id != 1 || hrhd1->id != 0 || hrhd2->id != 0) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectHttpRawHeaderTest19(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(content:one; http_header; " + "content:one; content:one; http_header; content:two; sid:1;)"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_AMATCH] == NULL\n"); + goto end; + } + + DetectContentData *cd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; + DetectContentData *hrhd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_AMATCH]->ctx; + DetectContentData *hrhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_AMATCH]->prev->ctx; + if (cd->id != 2 || hrhd1->id != 0 || hrhd2->id != 0) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +#endif /* UNITTESTS */ + +void DetectHttpRawHeaderRegisterTests(void) +{ +#ifdef UNITTESTS + UtRegisterTest("DetectHttpRawHeaderTest01", DetectHttpRawHeaderTest01, 1); + UtRegisterTest("DetectHttpRawHeaderTest02", DetectHttpRawHeaderTest02, 1); + UtRegisterTest("DetectHttpRawHeaderTest03", DetectHttpRawHeaderTest03, 1); + UtRegisterTest("DetectHttpRawHeaderTest04", DetectHttpRawHeaderTest04, 1); + UtRegisterTest("DetectHttpRawHeaderTest05", DetectHttpRawHeaderTest05, 1); + UtRegisterTest("DetectHttpRawHeaderTest06", DetectHttpRawHeaderTest06, 1); + UtRegisterTest("DetectHttpRawHeaderTest07", DetectHttpRawHeaderTest07, 1); + UtRegisterTest("DetectHttpRawHeaderTest08", DetectHttpRawHeaderTest08, 1); + UtRegisterTest("DetectHttpRawHeaderTest09", DetectHttpRawHeaderTest09, 1); + UtRegisterTest("DetectHttpRawHeaderTest10", DetectHttpRawHeaderTest10, 1); + UtRegisterTest("DetectHttpRawHeaderTest11", DetectHttpRawHeaderTest11, 1); + UtRegisterTest("DetectHttpRawHeaderTest12", DetectHttpRawHeaderTest12, 1); + UtRegisterTest("DetectHttpRawHeaderTest13", DetectHttpRawHeaderTest13, 1); + UtRegisterTest("DetectHttpRawHeaderTest14", DetectHttpRawHeaderTest14, 1); + UtRegisterTest("DetectHttpRawHeaderTest15", DetectHttpRawHeaderTest15, 1); + UtRegisterTest("DetectHttpRawHeaderTest16", DetectHttpRawHeaderTest16, 1); + UtRegisterTest("DetectHttpRawHeaderTest17", DetectHttpRawHeaderTest17, 1); + UtRegisterTest("DetectHttpRawHeaderTest18", DetectHttpRawHeaderTest18, 1); + UtRegisterTest("DetectHttpRawHeaderTest19", DetectHttpRawHeaderTest19, 1); +#endif /* UNITTESTS */ + + return; +} diff --git a/src/detect-http-raw-header.h b/src/detect-http-raw-header.h new file mode 100644 index 0000000000..5327b5b815 --- /dev/null +++ b/src/detect-http-raw-header.h @@ -0,0 +1,30 @@ +/* Copyright (C) 2007-2010 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Pablo Rincon + */ + +#ifndef __DETECT_HTTP_HEADER_H__ +#define __DETECT_HTTP_HEADER_H__ + +void DetectHttpHeaderRegister(void); +void DetectHttpRawHeaderRegister(void); + +#endif /* __DETECT_HTTP_HEADER_H__ */ diff --git a/src/detect.c b/src/detect.c index 2b1e473c37..b7646db517 100644 --- a/src/detect.c +++ b/src/detect.c @@ -114,6 +114,7 @@ #include "detect-http-header.h" #include "detect-http-uri.h" #include "detect-http-stat-msg.h" +#include "detect-engine-hcbd.h" #include "util-rule-vars.h" @@ -1309,16 +1310,7 @@ end: PacketPatternCleanup(th_v, det_ctx); //} - if (det_ctx->hcbd_buffers_list_len != 0) { - int i; - for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) { - if (det_ctx->hcbd_buffers[i] != NULL) - SCFree(det_ctx->hcbd_buffers[i]); - } - SCFree(det_ctx->hcbd_buffers); - det_ctx->hcbd_buffers = NULL; - det_ctx->hcbd_buffers_list_len = 0; - } + DetectEngineCleanHCBDBuffers(det_ctx); /* store the found sgh (or NULL) in the flow to save us from looking it * up again for the next packet. Also return any stream chunk we processed diff --git a/src/detect.h b/src/detect.h index 4bc067a81f..e1175f3aea 100644 --- a/src/detect.h +++ b/src/detect.h @@ -609,6 +609,8 @@ typedef struct DetectEngineCtx_ { /* maximum recursion depth for content inspection */ int inspection_recursion_limit; + int hcbd_buffer_limit; + /* array containing all sgh's in use so we can loop * through it in Stage4. */ struct SigGroupHead_ **sgh_array; diff --git a/suricata.yaml b/suricata.yaml index f805e55957..9538723080 100644 --- a/suricata.yaml +++ b/suricata.yaml @@ -110,6 +110,9 @@ engine-analysis: # might end up taking too much time in the content inspection code. # If the argument specified is 0, the engine uses an internally defined # default limit. On not specifying a value, we use no limits on the recursion. +# +# The option http-client-body-buffer-limit, is used to specify the buffer +# limit for http request body we inspect. detect-engine: - profile: medium - custom-values: @@ -123,6 +126,7 @@ detect-engine: toserver_dp_groups: 25 - sgh-mpm-context: auto - inspection-recursion-limit: 3000 + - http-client-request-body-buffer-limit: 20000 # Suricata is multi-threaded. Here the threading can be influenced. threading: