|
|
|
@ -58,9 +58,11 @@
|
|
|
|
|
#include "detect-engine-hcbd.h"
|
|
|
|
|
#include "stream-tcp.h"
|
|
|
|
|
|
|
|
|
|
int DetectHttpClientBodySetup(DetectEngineCtx *, Signature *, char *);
|
|
|
|
|
void DetectHttpClientBodyRegisterTests(void);
|
|
|
|
|
void DetectHttpClientBodyFree(void *);
|
|
|
|
|
static int DetectHttpClientBodySetup(DetectEngineCtx *, Signature *, char *);
|
|
|
|
|
static void DetectHttpClientBodyRegisterTests(void);
|
|
|
|
|
static void DetectHttpClientBodyFree(void *);
|
|
|
|
|
static void DetectHttpClientBodySetupCallback(Signature *s);
|
|
|
|
|
static int g_http_client_body_buffer_id = 0;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Registers the keyword handlers for the "http_client_body" keyword.
|
|
|
|
@ -79,19 +81,27 @@ void DetectHttpClientBodyRegister(void)
|
|
|
|
|
sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_NOOPT ;
|
|
|
|
|
sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_PAYLOAD ;
|
|
|
|
|
|
|
|
|
|
DetectMpmAppLayerRegister("http_client_body", SIG_FLAG_TOSERVER,
|
|
|
|
|
DETECT_SM_LIST_HCBDMATCH, 2,
|
|
|
|
|
DetectAppLayerMpmRegister("http_client_body", SIG_FLAG_TOSERVER, 2,
|
|
|
|
|
PrefilterTxHttpRequestBodyRegister);
|
|
|
|
|
|
|
|
|
|
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
|
|
|
|
|
DETECT_SM_LIST_HCBDMATCH,
|
|
|
|
|
DetectAppLayerInspectEngineRegister2("http_client_body",
|
|
|
|
|
ALPROTO_HTTP, SIG_FLAG_TOSERVER,
|
|
|
|
|
DetectEngineInspectHttpClientBody);
|
|
|
|
|
|
|
|
|
|
DetectBufferTypeSetDescriptionByName("http_client_body",
|
|
|
|
|
"http request body");
|
|
|
|
|
|
|
|
|
|
DetectBufferTypeRegisterSetupCallback("http_client_body",
|
|
|
|
|
DetectHttpClientBodySetupCallback);
|
|
|
|
|
|
|
|
|
|
g_http_client_body_buffer_id = DetectBufferTypeGetByName("http_client_body");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void DetectHttpClientBodySetupCallback(Signature *s)
|
|
|
|
|
{
|
|
|
|
|
SCLogDebug("callback invoked by %u", s->id);
|
|
|
|
|
AppLayerHtpEnableRequestBodyCallback();
|
|
|
|
|
return;
|
|
|
|
|
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
@ -111,9 +121,9 @@ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
|
|
|
|
|
{
|
|
|
|
|
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
|
|
|
|
|
DETECT_AL_HTTP_CLIENT_BODY,
|
|
|
|
|
DETECT_SM_LIST_HCBDMATCH,
|
|
|
|
|
g_http_client_body_buffer_id,
|
|
|
|
|
ALPROTO_HTTP,
|
|
|
|
|
DetectHttpClientBodySetupCallback);
|
|
|
|
|
NULL);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
@ -141,6 +151,7 @@ void DetectHttpClientBodyFree(void *ptr)
|
|
|
|
|
|
|
|
|
|
#ifdef UNITTESTS
|
|
|
|
|
|
|
|
|
|
#include "detect-isdataat.h"
|
|
|
|
|
#include "stream-tcp-reassemble.h"
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
@ -1751,15 +1762,15 @@ int DetectHttpClientBodyTest22(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
|
|
|
|
|
if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 ||
|
|
|
|
|
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
|
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
@ -1806,15 +1817,15 @@ int DetectHttpClientBodyTest23(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != 0 ||
|
|
|
|
|
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
|
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
@ -1860,15 +1871,15 @@ int DetectHttpClientBodyTest24(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != 0 ||
|
|
|
|
|
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
|
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
@ -1915,15 +1926,15 @@ int DetectHttpClientBodyTest25(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT ||
|
|
|
|
|
cd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
@ -1971,15 +1982,15 @@ int DetectHttpClientBodyTest26(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
|
|
|
|
|
cd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
@ -2054,15 +2065,15 @@ int DetectHttpClientBodyTest28(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
|
|
|
|
|
cd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
@ -2109,13 +2120,13 @@ int DetectHttpClientBodyTest29(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
|
|
|
|
|
if (hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
|
|
|
|
|
hcbd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
@ -2153,13 +2164,13 @@ int DetectHttpClientBodyTest30(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
|
|
|
|
|
if (hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
|
|
|
|
|
hcbd2->flags != DETECT_CONTENT_WITHIN ||
|
|
|
|
@ -2269,21 +2280,21 @@ int DetectHttpClientBodyTest34(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_CONTENT ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_PCRE) {
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->type != DETECT_CONTENT ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->type != DETECT_PCRE) {
|
|
|
|
|
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
|
|
|
|
|
hcbd2->flags != DETECT_CONTENT_WITHIN ||
|
|
|
|
|
memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) {
|
|
|
|
@ -2320,21 +2331,21 @@ int DetectHttpClientBodyTest35(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_PCRE ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_CONTENT) {
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->type != DETECT_PCRE ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->type != DETECT_CONTENT) {
|
|
|
|
|
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
|
|
|
|
|
DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
|
|
|
|
|
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
|
|
|
|
|
DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
|
|
|
|
|
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
|
|
|
|
|
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hcbd1->content, "two", hcbd1->content_len) != 0) {
|
|
|
|
@ -2371,21 +2382,21 @@ int DetectHttpClientBodyTest36(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_CONTENT ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_PCRE) {
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->type != DETECT_CONTENT ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->type != DETECT_PCRE) {
|
|
|
|
|
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
|
|
|
|
|
hcbd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) {
|
|
|
|
@ -2400,6 +2411,31 @@ int DetectHttpClientBodyTest36(void)
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpClientBodyIsdataatParseTest(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
|
|
|
|
|
FAIL_IF_NULL(de_ctx);
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
|
|
Signature *s = DetectEngineAppendSig(de_ctx,
|
|
|
|
|
"alert tcp any any -> any any ("
|
|
|
|
|
"content:\"one\"; http_client_body; "
|
|
|
|
|
"isdataat:!4,relative; sid:1;)");
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
|
|
|
|
|
SigMatch *sm = s->init_data->smlists_tail[g_http_client_body_buffer_id];
|
|
|
|
|
FAIL_IF_NULL(sm);
|
|
|
|
|
FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
|
|
|
|
|
|
|
|
|
|
DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
|
|
|
|
|
FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
|
|
|
|
|
FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
|
|
|
|
|
FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
|
|
|
|
|
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
PASS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* UNITTESTS */
|
|
|
|
|
|
|
|
|
|
void DetectHttpClientBodyRegisterTests(void)
|
|
|
|
@ -2436,6 +2472,10 @@ void DetectHttpClientBodyRegisterTests(void)
|
|
|
|
|
UtRegisterTest("DetectHttpClientBodyTest34", DetectHttpClientBodyTest34);
|
|
|
|
|
UtRegisterTest("DetectHttpClientBodyTest35", DetectHttpClientBodyTest35);
|
|
|
|
|
UtRegisterTest("DetectHttpClientBodyTest36", DetectHttpClientBodyTest36);
|
|
|
|
|
|
|
|
|
|
UtRegisterTest("DetectHttpClientBodyIsdataatParseTest",
|
|
|
|
|
DetectHttpClientBodyIsdataatParseTest);
|
|
|
|
|
|
|
|
|
|
#endif /* UNITTESTS */
|
|
|
|
|
|
|
|
|
|
return;
|
|
|
|
|