diff --git a/src/detect-engine-dcepayload.c b/src/detect-engine-dcepayload.c index a745389904..173224dee6 100644 --- a/src/detect-engine-dcepayload.c +++ b/src/detect-engine-dcepayload.c @@ -107,14 +107,15 @@ static int DoInspectDcePayload(DetectEngineCtx *de_ctx, uint32_t offset = 0; uint32_t depth = stub_len; uint32_t prev_offset = 0; /**< used in recursive searching */ + uint32_t prev_payload_offset = det_ctx->payload_offset; do { if (cd->flags & DETECT_CONTENT_DISTANCE || cd->flags & DETECT_CONTENT_WITHIN) { - SCLogDebug("det_ctx->payload_offset %"PRIu32, - det_ctx->payload_offset); + SCLogDebug("prev_payload_offset %"PRIu32, + prev_payload_offset); - offset = det_ctx->payload_offset; + offset = prev_payload_offset; depth = stub_len; if (cd->flags & DETECT_CONTENT_DISTANCE) { @@ -129,18 +130,18 @@ static int DoInspectDcePayload(DetectEngineCtx *de_ctx, } if (cd->flags & DETECT_CONTENT_WITHIN) { - if ((int32_t)depth > (int32_t)(det_ctx->payload_offset + cd->within)) { - depth = det_ctx->payload_offset + cd->within; + if ((int32_t)depth > (int32_t)(prev_payload_offset + cd->within)) { + depth = prev_payload_offset + cd->within; } - SCLogDebug("cd->within %"PRIi32", det_ctx->payload_offset " + SCLogDebug("cd->within %"PRIi32", prev_payload_offset " "%"PRIu32", depth %"PRIu32, cd->within, - det_ctx->payload_offset, depth); + prev_payload_offset, depth); } if (cd->depth != 0) { - if ((cd->depth + det_ctx->payload_offset) < depth) { - depth = det_ctx->payload_offset + cd->depth; + if ((cd->depth + prev_payload_offset) < depth) { + depth = prev_payload_offset + cd->depth; } SCLogDebug("cd->depth %"PRIu32", depth %"PRIu32, @@ -161,6 +162,7 @@ static int DoInspectDcePayload(DetectEngineCtx *de_ctx, /* set offset */ offset = cd->offset; + prev_payload_offset = 0; } /* update offset with prev_offset if we're searching for 
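Review bot: The new `prev_payload_offset` in DoInspectDcePayload is declared without a comment, directly under `prev_offset`, which has one, and the two names are easy to confuse. I would add `/**< det_ctx->payload_offset as it was on entry; base for distance/within while this content is retried */`. A later hunk resets it to 0 in the non-relative branch (`prev_payload_offset = 0;`); that line deserves a one-line comment saying an absolute search has no relative base. The function body starts and ends outside this hunk.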
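Review bot: The within bound is still computed in mixed signedness: `prev_payload_offset + cd->within` is a uint32_t sum that is cast to int32_t for the comparison and then stored unsigned in `depth`. `cd->within` is logged with PRIi32, so it can be negative; when its magnitude exceeds the base, the comparison succeeds and `depth` becomes a wrapped, very large value. Whether `depth` is clamped to `stub_len` before the search runs is outside this hunk, so this may only be latent, but in an inspection loop a bad bound means either a missed match or a read past the buffer. I would do the sum in 64 bits, `int64_t end = (int64_t)prev_payload_offset + cd->within;`, and treat `end < 0` as no possible match instead of assigning it. The same expression appears in DoInspectPacketUri in detect-engine-uri.c, and the `cd->depth + prev_payload_offset` sum just below can wrap the same way.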
@@ -240,6 +242,7 @@ static int DoInspectDcePayload(DetectEngineCtx *de_ctx, /* set the previous match offset to the start of this match + 1 */ prev_offset += (match_offset - (cd->content_len - 1)); + prev_offset -= (prev_payload_offset); SCLogDebug("trying to see if there is another match after " "prev_offset %"PRIu32, prev_offset); } 
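Review bot: The comment above the update still says prev_offset becomes "the start of this match + 1", but with the added `prev_offset -= (prev_payload_offset);` it is now that position relative to the saved base, and the comment should say so, e.g. `/* next retry starts one byte past this match, expressed relative to prev_payload_offset */`. Both operands are uint32_t, so the subtraction wraps silently if `prev_offset` is ever smaller than the base; how `match_offset` is computed is outside this hunk, so I cannot tell whether that is reachable. DoInspectPacketUri in detect-engine-uri.c gets the identical line and the same stale comment.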
@@ -7403,6 +7406,306 @@ end: return result; } +/** + * \test Test the working of consecutive relative matches. + */ +int DcePayloadTest21(void) +{ + int result = 0; + + uint8_t request1[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00, + 0x6e, 0x6f, 0x77, 0x20, 0x74, 0x68, 0x69, 0x73, /* "now this" */ + 0x20, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x62, /* " is is b" */ + 0x69, 0x67, 0x20, 0x62, 0x69, 0x67, 0x20, 0x73, /* "ig big s" */ + 0x74, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x6e, 0x6f, /* "tring no" */ + 0x77 }; /* "w" */ + uint32_t request1_len = sizeof(request1); + + TcpSession ssn; + Packet p; + ThreadVars tv; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + Flow f; + int r; + + char *sig1 = "alert tcp any any -> any any " + "(msg:\"testing dce consecutive relative matches\"; dce_stub_data; " + "content:this; content:is; within:6; content:big; within:8; " + "content:string; within:8; sid:1;)"; + + Signature *s; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&f, 0, sizeof(Flow)); + memset(&ssn, 0, sizeof(TcpSession)); + + memset(&p, 0, sizeof(Packet)); + p.src.family = AF_INET; + p.dst.family = AF_INET; + p.payload = NULL; + p.payload_len = 0; + p.proto = IPPROTO_TCP; + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + f.alproto = ALPROTO_DCERPC; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx, sig1); + s = de_ctx->sig_list; + if (s == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); + + /* request 1 */ + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len); + 
if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + /* detection phase */ + SigMatchSignatures(&tv, de_ctx, det_ctx, &p); + if (!(PacketAlertCheck(&p, 1))) { + printf("sid 1 didn't match but should have for packet: "); + goto end; + } + + result = 1; + +end: + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + } + + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + + return result; +} + +/** + * \test Test the working of consecutive relative matches. + */ +int DcePayloadTest22(void) +{ + int result = 0; + + uint8_t request1[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00, + 0x6e, 0x6f, 0x77, 0x20, 0x74, 0x68, 0x69, 0x73, /* "now this" */ + 0x20, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x69, /* " is is i" */ + 0x73, 0x20, 0x62, 0x69, 0x67, 0x20, 0x62, 0x69, /* "s big bi" */ + 0x67, 0x20, 0x62, 0x69, 0x67, 0x20, 0x73, 0x74, /* "g big st" */ + 0x72, 0x69, 0x6e, 0x67, 0x20, 0x6e, 0x6f, 0x77 }; /* "ring now" */ + uint32_t request1_len = sizeof(request1); + + TcpSession ssn; + Packet p; + ThreadVars tv; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + Flow f; + int r; + + char *sig1 = "alert tcp any any -> any any " + "(msg:\"testing dce consecutive relative matches\"; dce_stub_data; " + "content:this; content:is; within:9; content:big; within:12; " + "content:string; within:8; sid:1;)"; + + Signature *s; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&f, 0, sizeof(Flow)); + memset(&ssn, 0, sizeof(TcpSession)); + + memset(&p, 0, sizeof(Packet)); + p.src.family = AF_INET; + p.dst.family = AF_INET; + p.payload = NULL; + p.payload_len = 0; + p.proto = IPPROTO_TCP; + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; + + 
FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + f.alproto = ALPROTO_DCERPC; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx, sig1); + s = de_ctx->sig_list; + if (s == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); + + /* request 1 */ + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + /* detection phase */ + SigMatchSignatures(&tv, de_ctx, det_ctx, &p); + if (!(PacketAlertCheck(&p, 1))) { + printf("sid 1 didn't match but should have for packet: "); + goto end; + } + + result = 1; + +end: + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + } + + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + + return result; +} + +/** + * \test Test the working of consecutive relative matches. 
+ */ +int DcePayloadTest23(void) +{ + int result = 0; + + uint8_t request1[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00, + 0x74, 0x68, 0x69, 0x73, 0x20, 0x74, 0x68, 0x69, /* "this thi" */ + 0x73, 0x20, 0x6e, 0x6f, 0x77, 0x20, 0x69, 0x73, /* "s now is" */ + 0x20, 0x69, 0x73, 0x20, 0x20, 0x20, 0x20, 0x20, /* " is " */ + 0x62, 0x69, 0x67, 0x20, 0x73, 0x74, 0x72, 0x69, /* "big stri" */ + 0x6e, 0x67, 0x20, 0x6e, 0x6f, 0x77 }; /* "ng now" */ + uint32_t request1_len = sizeof(request1); + + TcpSession ssn; + Packet p; + ThreadVars tv; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + Flow f; + int r; + + char *sig1 = "alert tcp any any -> any any " + "(msg:\"testing dce consecutive relative matches\"; dce_stub_data; " + "content:now; content:this; content:is; within:12; content:big; within:8; " + "content:string; within:8; sid:1;)"; + + Signature *s; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&f, 0, sizeof(Flow)); + memset(&ssn, 0, sizeof(TcpSession)); + + memset(&p, 0, sizeof(Packet)); + p.src.family = AF_INET; + p.dst.family = AF_INET; + p.payload = NULL; + p.payload_len = 0; + p.proto = IPPROTO_TCP; + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + f.alproto = ALPROTO_DCERPC; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx, sig1); + s = de_ctx->sig_list; + if (s == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); + + /* request 1 */ + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", 
expected 0: ", r); + result = 0; + goto end; + } + /* detection phase */ + SigMatchSignatures(&tv, de_ctx, det_ctx, &p); + if (!(PacketAlertCheck(&p, 1))) { + printf("sid 1 didn't match but should have for packet: "); + goto end; + } + + result = 1; + +end: + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + } + + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + + return result; +} + #endif /* UNITTESTS */ void DcePayloadRegisterTests(void) @@ -7429,6 +7732,9 @@ void DcePayloadRegisterTests(void) UtRegisterTest("DcePayloadTest18", DcePayloadTest18, 1); UtRegisterTest("DcePayloadTest19", DcePayloadTest19, 1); UtRegisterTest("DcePayloadTest20", DcePayloadTest20, 1); + UtRegisterTest("DcePayloadTest21", DcePayloadTest21, 1); + UtRegisterTest("DcePayloadTest22", DcePayloadTest22, 1); + UtRegisterTest("DcePayloadTest23", DcePayloadTest23, 1); #endif /* UNITTESTS */ return; diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c index 7e58cda469..ac8a6f8f76 100644 --- a/src/detect-engine-uri.c +++ b/src/detect-engine-uri.c @@ -103,13 +103,14 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx, uint32_t offset = 0; uint32_t depth = payload_len; uint32_t prev_offset = 0; /**< used in recursive searching */ + uint32_t prev_payload_offset = det_ctx->payload_offset; do { if (ud->flags & DETECT_URICONTENT_DISTANCE || ud->flags & DETECT_URICONTENT_WITHIN) { - SCLogDebug("det_ctx->uricontent_payload_offset %"PRIu32, det_ctx->uricontent_payload_offset); + SCLogDebug("prev_payload_offset %"PRIu32, prev_payload_offset); - offset = det_ctx->payload_offset; + offset = prev_payload_offset; depth = payload_len; if (ud->flags & DETECT_URICONTENT_DISTANCE) { 
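Review bot: In DcePayloadTest21 through 23 the `end:` block calls `DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx)` whenever `de_ctx` is non-NULL, but the `s == NULL` exit is taken before `DetectEngineThreadCtxInit` runs, so `det_ctx` is still NULL there. Whether the deinit function tolerates NULL is not visible here; guarding it as the URI tests in this commit do, `if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);`, keeps a signature-parse failure from turning into a crash in cleanup. All three tests also only assert that sid 1 fires; a companion case where the `within` window is too small and the alert must not fire would cover the false-positive side of the rebasing.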
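Review bot: `prev_payload_offset` in DoInspectPacketUri is seeded from `det_ctx->payload_offset`, while the debug line this hunk removes printed `det_ctx->uricontent_payload_offset`, so the context apparently carries a separate URI offset. Which of the two the URI matcher updates after a hit is outside this hunk; if it is the URI-specific field, or if `payload_offset` is also written by packet payload inspection, relative uricontent checks would start from a base that belongs to another buffer. Please confirm the field and add a comment on the declaration, e.g. `/**< offset of the previous uricontent match; base for distance/within */`.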
@@ -123,17 +124,17 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx, } if (ud->flags & DETECT_URICONTENT_WITHIN) { - if ((int32_t)depth > (int32_t)(det_ctx->payload_offset + ud->within)) { - depth = det_ctx->payload_offset + ud->within; + if ((int32_t)depth > (int32_t)(prev_payload_offset + ud->within)) { + depth = prev_payload_offset + ud->within; } - SCLogDebug("ud->within %"PRIi32", det_ctx->payload_offset %"PRIu32", depth %"PRIu32, - ud->within, det_ctx->payload_offset, depth); + SCLogDebug("ud->within %"PRIi32", prev_payload_offset %"PRIu32", depth %"PRIu32, + ud->within, prev_payload_offset, depth); } if (ud->depth != 0) { - if ((ud->depth + det_ctx->payload_offset) < depth) { - depth = det_ctx->payload_offset + ud->depth; + if ((ud->depth + prev_payload_offset) < depth) { + depth = prev_payload_offset + ud->depth; } SCLogDebug("ud->depth %"PRIu32", depth %"PRIu32, ud->depth, depth); @@ -151,6 +152,7 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx, /* set offset */ offset = ud->offset; + prev_payload_offset = 0; } /* update offset with prev_offset if we're searching for @@ -222,6 +224,7 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx, /* set the previous match offset to the start of this match + 1 */ prev_offset += (match_offset - (ud->uricontent_len - 1)); + prev_offset -= (prev_payload_offset); SCLogDebug("trying to see if there is another match after prev_offset %"PRIu32, prev_offset); } 
@@ -2301,6 +2304,289 @@ end: return result; } +/** + * \test Test multiple relative contents + */ +static int UriTestSig17(void) +{ + int result = 0; + uint8_t *http_buf = (uint8_t *)"POST /now_this_is_is_big_big_string_now HTTP/1.0\r\n" + "User-Agent: Mozilla/1.0\r\n"; + uint32_t http_buf_len = strlen((char *)http_buf); + Flow f; + TcpSession ssn; + HtpState *http_state = NULL; + Packet p; + ThreadVars tv; + DetectEngineThreadCtx *det_ctx = NULL; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&p, 0, sizeof(Packet)); + memset(&f, 0, sizeof(Flow)); + memset(&ssn, 0, sizeof(TcpSession)); + + p.src.family = AF_INET; + p.dst.family = AF_INET; + p.payload = http_buf; + p.payload_len = http_buf_len; + p.proto = IPPROTO_TCP; + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + de_ctx->mpm_matcher = MPM_B2G; + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"test multiple relative uricontents\"; " + "uricontent:this; uricontent:is; within:6; " + "uricontent:big; within:8; " + "uricontent:string; within:8; sid:1;)"); + if (de_ctx->sig_list == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_buf_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + goto end; + } + + http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; + if (http_state == NULL) { + printf("no http state: "); + goto end; + } + + /* do detect */ + SigMatchSignatures(&tv, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) { + printf("sig 1 alerted, 
but it should not: "); + goto end; + } + + result = 1; + +end: + if (det_ctx != NULL) + DetectEngineThreadCtxDeinit(&tv, det_ctx); + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + return result; +} + +/** + * \test Test multiple relative contents + */ +static int UriTestSig18(void) +{ + int result = 0; + uint8_t *http_buf = (uint8_t *)"POST /now_this_is_is_is_big_big_big_string_now HTTP/1.0\r\n" + "User-Agent: Mozilla/1.0\r\n"; + uint32_t http_buf_len = strlen((char *)http_buf); + Flow f; + TcpSession ssn; + HtpState *http_state = NULL; + Packet p; + ThreadVars tv; + DetectEngineThreadCtx *det_ctx = NULL; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&p, 0, sizeof(Packet)); + memset(&f, 0, sizeof(Flow)); + memset(&ssn, 0, sizeof(TcpSession)); + + p.src.family = AF_INET; + p.dst.family = AF_INET; + p.payload = http_buf; + p.payload_len = http_buf_len; + p.proto = IPPROTO_TCP; + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + de_ctx->mpm_matcher = MPM_B2G; + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"test multiple relative uricontents\"; " + "uricontent:this; uricontent:is; within:9; " + "uricontent:big; within:12; " + "uricontent:string; within:8; sid:1;)"); + if (de_ctx->sig_list == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_buf_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + goto 
end; + } + + http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; + if (http_state == NULL) { + printf("no http state: "); + goto end; + } + + /* do detect */ + SigMatchSignatures(&tv, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) { + printf("sig 1 alerted, but it should not: "); + goto end; + } + + result = 1; + +end: + if (det_ctx != NULL) + DetectEngineThreadCtxDeinit(&tv, det_ctx); + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + return result; +} + +/** + * \test Test multiple relative contents + */ +static int UriTestSig19(void) +{ + int result = 0; + uint8_t *http_buf = (uint8_t *)"POST /this_this_now_is_is_____big_string_now HTTP/1.0\r\n" + "User-Agent: Mozilla/1.0\r\n"; + uint32_t http_buf_len = strlen((char *)http_buf); + Flow f; + TcpSession ssn; + HtpState *http_state = NULL; + Packet p; + ThreadVars tv; + DetectEngineThreadCtx *det_ctx = NULL; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&p, 0, sizeof(Packet)); + memset(&f, 0, sizeof(Flow)); + memset(&ssn, 0, sizeof(TcpSession)); + + p.src.family = AF_INET; + p.dst.family = AF_INET; + p.payload = http_buf; + p.payload_len = http_buf_len; + p.proto = IPPROTO_TCP; + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + de_ctx->mpm_matcher = MPM_B2G; + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"test multiple relative uricontents\"; " + "uricontent:now; uricontent:this; " + "uricontent:is; within:12; " + "uricontent:big; within:8; " + "uricontent:string; within:8; sid:1;)"); + if (de_ctx->sig_list == NULL) { + 
goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_buf_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + goto end; + } + + http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; + if (http_state == NULL) { + printf("no http state: "); + goto end; + } + + /* do detect */ + SigMatchSignatures(&tv, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) { + printf("sig 1 alerted, but it should not: "); + goto end; + } + + result = 1; + +end: + if (det_ctx != NULL) + DetectEngineThreadCtxDeinit(&tv, det_ctx); + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + return result; +} + #endif /* UNITTESTS */ void UriRegisterTests(void) @@ -2323,6 +2609,9 @@ void UriRegisterTests(void) UtRegisterTest("UriTestSig14", UriTestSig14, 1); UtRegisterTest("UriTestSig15", UriTestSig15, 1); UtRegisterTest("UriTestSig16", UriTestSig16, 1); + UtRegisterTest("UriTestSig17", UriTestSig17, 1); + UtRegisterTest("UriTestSig18", UriTestSig18, 1); + UtRegisterTest("UriTestSig19", UriTestSig19, 1); #endif /* UNITTESTS */ return;
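Review bot: The failure message in UriTestSig17, 18 and 19 is inverted: the branch runs when `!PacketAlertCheck(&p, 1)`, i.e. the signature did not alert, yet it prints "sig 1 alerted, but it should not: ". It should read `printf("sig 1 didn't alert, but it should have: ");`, in line with the wording used in the DCE tests of this commit. The `end:` block here also has no `SigCleanSignatures(de_ctx)` or `FlowL7DataPtrFree(&f)` call, which the DCE tests do make after the same `SigInit`/`FlowL7DataPtrInit` setup; unless `FLOW_DESTROY` and `DetectEngineCtxFree` cover those, the tests leak.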