/** * Copyright (c) 2010 Open Information Security Foundation. * * \author Pablo Rincon */ #include "suricata-common.h" #include "threads.h" #include "decode.h" #include "detect.h" #include "detect-parse.h" #include "detect-engine.h" #include "detect-engine-mpm.h" #include "detect-content.h" #include "flow.h" #include "flow-var.h" #include "util-debug.h" #include "util-unittest.h" #include "util-spm.h" #include "app-layer.h" #include #include "app-layer-htp.h" #include "detect-http-header.h" #include "stream-tcp.h" int DetectHttpHeaderMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m); int DetectHttpHeaderSetup(DetectEngineCtx *, Signature *, char *); void DetectHttpHeaderRegisterTests(void); /** * \brief Registers the keyword handlers for the "http_header" keyword. */ void DetectHttpHeaderRegister(void) { sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header"; sigmatch_table[DETECT_AL_HTTP_HEADER].Match = NULL; sigmatch_table[DETECT_AL_HTTP_HEADER].AppLayerMatch = DetectHttpHeaderMatch; sigmatch_table[DETECT_AL_HTTP_HEADER].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_AL_HTTP_HEADER].Setup = DetectHttpHeaderSetup; sigmatch_table[DETECT_AL_HTTP_HEADER].Free = NULL; sigmatch_table[DETECT_AL_HTTP_HEADER].RegisterTests = DetectHttpHeaderRegisterTests; sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_PAYLOAD ; } /** * \brief App layer match function for the "http_header" keyword. * * \param t Pointer to the ThreadVars instance. * \param det_ctx Pointer to the DetectEngineThreadCtx. * \param f Pointer to the flow. * \param flags Pointer to the flags indicating the flow direction. * \param state Pointer to the app layer state data. * \param s Pointer to the Signature instance. * \param m Pointer to the SigMatch. * * \retval 1 On Match. * \retval 0 On no match. */ int DetectHttpHeaderMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) { int result = 0; DetectHttpHeaderData *hcbd = (DetectHttpHeaderData *)m->ctx; HtpState *htp_state = (HtpState *)state; SCMutexLock(&f->m); if (htp_state == NULL || htp_state->connp == NULL || htp_state->connp->conn == NULL) { SCLogDebug("No htp state, no match at http header data"); goto end; } htp_tx_t *tx = NULL; bstr *headers = NULL; size_t idx = 0; for (idx = htp_state->new_in_tx_index; idx < list_size(htp_state->connp->conn->transactions); idx++) { tx = list_get(htp_state->connp->conn->transactions, idx); if (tx == NULL) continue; headers = htp_tx_get_request_headers_raw(tx); if (headers == NULL) continue; if (bstr_len(headers) > 0) { if (hcbd->flags & DETECT_AL_HTTP_HEADER_NOCASE) { result = (SpmNocaseSearch((uint8_t *)bstr_ptr(headers), bstr_len(headers), hcbd->content, hcbd->content_len) != NULL); /* call the case sensitive version if nocase has been specified in the sig */ } else { result = (SpmSearch((uint8_t *)bstr_ptr(headers), bstr_len(headers), hcbd->content, hcbd->content_len) != NULL); } } } SCMutexUnlock(&f->m); return result ^ ((hcbd->flags & DETECT_AL_HTTP_HEADER_NEGATED) ? 1 : 0); end: SCMutexUnlock(&f->m); return result; } /** * \brief The setup function for the http_header keyword for a signature. * * \param de_ctx Pointer to the detection engine context. * \param s Pointer to signature for the current Signature being parsed * from the rules. * \param m Pointer to the head of the SigMatchs for the current rule * being parsed. * \param arg Pointer to the string holding the keyword value. * * \retval 0 On success * \retval -1 On failure */ int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { /* http_header_data (hcbd) */ DetectHttpHeaderData *hcbd = NULL; SigMatch *nm = NULL; SigMatch *sm = NULL; if (arg != NULL && strcmp(arg, "") != 0) { SCLogError(SC_ERR_INVALID_ARGUMENT, "http_header supplied with no " "args"); return -1; } if (s->pmatch_tail == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header found inside the " "rule, without any preceding content keywords"); return -1; } sm = DetectContentGetLastPattern(s->pmatch_tail); /* if still we are unable to find any content previous keywords, it is an * invalid rule */ if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_header\" keyword " "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_header\" keyword"); return -1; } /* http_header should not be used with the rawbytes rule */ if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header rule can not " "be used with the rawbytes rule keyword"); return -1; } if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords"); goto error; } /* setup the HttpHeaderData's data from content data structure's data */ hcbd = SCMalloc(sizeof(DetectHttpHeaderData)); if (hcbd == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc() failed"); goto error; } memset(hcbd, 0, sizeof(DetectHttpHeaderData)); /* transfer the pattern details from the content struct to the clientbody struct */ hcbd->content = ((DetectContentData *)sm->ctx)->content; hcbd->content_len = ((DetectContentData *)sm->ctx)->content_len; hcbd->flags |= (((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_NOCASE) ? DETECT_AL_HTTP_HEADER_NOCASE : 0; hcbd->flags |= (((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_NEGATED) ? DETECT_AL_HTTP_HEADER_NEGATED : 0; nm = SigMatchAlloc(); if (nm == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); goto error; } nm->type = DETECT_AL_HTTP_HEADER; nm->ctx = (void *)hcbd; /* pull the previous content from the pmatch list, append * the new match to the match list */ SigMatchReplaceContent(s, sm, nm); /* free the old content sigmatch, the content pattern memory * is taken over by the new sigmatch */ SCFree(sm->ctx); SCFree(sm); /* flag the signature to indicate that we scan the app layer data */ s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP; /* enable http request body callback in the http app layer parser */ AppLayerHtpEnableRequestBodyCallback(); return 0; error: if (hcbd != NULL) { if (hcbd->content != NULL) SCFree(hcbd->content); SCFree(hcbd); } if(nm != NULL) SCFree(sm); return -1; } /************************************Unittests*********************************/ #ifdef UNITTESTS #include "stream-tcp-reassemble.h" /** * \test Test that a signature containting a http_header is correctly parsed * and the keyword is registered. */ static int DetectHttpHeaderTest01(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; SigMatch *sm = NULL; de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"Testing http_header\"; " "content:one; http_header; sid:1;)"); if (de_ctx->sig_list != NULL) result = 1; else printf("Error parsing signature: "); sm = de_ctx->sig_list->match; if (sm != NULL) { result &= (sm->type == DETECT_AL_HTTP_HEADER); result &= (sm->next == NULL); } else { printf("Error updating content pattern to http_header pattern: "); } end: SigGroupCleanup(de_ctx); SigCleanSignatures(de_ctx); DetectEngineCtxFree(de_ctx); return result; } /** * \test Test that a signature containing an valid http_header entry is * parsed. */ static int DetectHttpHeaderTest02(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"Testing http_header\"; " "content:one; http_header:; sid:1;)"); if (de_ctx->sig_list != NULL) result = 1; else printf("Error parsing signature: "); end: SigGroupCleanup(de_ctx); SigCleanSignatures(de_ctx); DetectEngineCtxFree(de_ctx); return result; } /** * \test Test that an invalid signature containing no content but a http_header * is invalidated. */ static int DetectHttpHeaderTest03(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"Testing http_header\"; " "http_header; sid:1;)"); if (de_ctx->sig_list == NULL) result = 1; else printf("Error parsing signature: "); end: SigGroupCleanup(de_ctx); SigCleanSignatures(de_ctx); DetectEngineCtxFree(de_ctx); return result; } /** * \test Test that an invalid signature containing a rawbytes along with a * http_header is invalidated. */ static int DetectHttpHeaderTest04(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"Testing http_header\"; " "content:one; rawbytes; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) result = 1; else printf("Error parsing signature: "); end: SigGroupCleanup(de_ctx); SigCleanSignatures(de_ctx); DetectEngineCtxFree(de_ctx); return result; } /** * \test Test that an invalid signature containing a rawbytes along with a * http_header is invalidated. */ static int DetectHttpHeaderTest05(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"Testing http_header\"; " "content:one; nocase; http_header; sid:1;)"); if (de_ctx->sig_list != NULL) result = 1; else printf("Error parsing signature: "); end: SigGroupCleanup(de_ctx); SigCleanSignatures(de_ctx); DetectEngineCtxFree(de_ctx); return result; } /** *\test Test that the http_header content matches against a http request * which holds the content. */ static int DetectHttpHeaderTest06(void) { TcpSession ssn; Packet p; ThreadVars th_v; DetectEngineCtx *de_ctx = NULL; DetectEngineThreadCtx *det_ctx = NULL; HtpState *http_state = NULL; Flow f; uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n" "Host: www.openinfosecfoundation.org\r\n" "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" "Content-Type: text/html\r\n" "Content-Length: 26\r\n" "\r\n" "This is dummy message body\r\n"; uint32_t http_len = sizeof(http_buf) - 1; int result = 0; memset(&th_v, 0, sizeof(th_v)); memset(&p, 0, sizeof(Packet)); memset(&f, 0, sizeof(f)); memset(&ssn, 0, sizeof(ssn)); p.src.family = AF_INET; p.dst.family = AF_INET; p.payload = NULL; p.payload_len = 0; p.proto = IPPROTO_TCP; f.protoctx = (void *)&ssn; f.src.family = AF_INET; f.dst.family = AF_INET; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; ssn.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); StreamL7DataPtrInit(&ssn); de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " "(msg:\"http header test\"; " "content:\"Content-Type: text/html\"; http_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) goto end; SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } http_state = ssn.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; if (http_state == NULL) { printf("no http state: "); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); if (!(PacketAlertCheck(&p, 1))) { printf("sid 1 didn't match but should have: "); goto end; } result = 1; end: if (de_ctx != NULL) SigGroupCleanup(de_ctx); if (de_ctx != NULL) SigCleanSignatures(de_ctx); if (de_ctx != NULL) DetectEngineCtxFree(de_ctx); StreamL7DataPtrFree(&ssn); StreamTcpFreeConfig(TRUE); return result; } /** *\test Test that the http_header content matches against a http request * which holds the content. */ static int DetectHttpHeaderTest07(void) { TcpSession ssn; Packet p1; Packet p2; ThreadVars th_v; DetectEngineCtx *de_ctx = NULL; DetectEngineThreadCtx *det_ctx = NULL; HtpState *http_state = NULL; Flow f; uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n" "Host: www.openinfosecfoundation.org\r\n" "User-Agent: Mozi"; uint8_t http2_buf[] = "lla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\nContent-Type: text/html\r\n" "Content-Length: 67\r\n" "\r\n" "This is dummy message body1"; uint32_t http1_len = sizeof(http1_buf) - 1; uint32_t http2_len = sizeof(http2_buf) - 1; int result = 0; memset(&th_v, 0, sizeof(th_v)); memset(&p1, 0, sizeof(Packet)); memset(&p2, 0, sizeof(Packet)); memset(&f, 0, sizeof(f)); memset(&ssn, 0, sizeof(ssn)); p1.src.family = AF_INET; p1.dst.family = AF_INET; p1.payload = NULL; p1.payload_len = 0; p1.proto = IPPROTO_TCP; p2.src.family = AF_INET; p2.dst.family = AF_INET; p2.payload = NULL; p2.payload_len = 0; p2.proto = IPPROTO_TCP; f.protoctx = (void *)&ssn; f.src.family = AF_INET; f.dst.family = AF_INET; p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; ssn.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); StreamL7DataPtrInit(&ssn); de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " "(msg:\"http header test\"; " "content:Mozilla; http_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) goto end; SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http1_buf, http1_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } http_state = ssn.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; if (http_state == NULL) { printf("no http state: "); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1); if ( (PacketAlertCheck(&p1, 1))) { printf("sid 1 didn't match but should have: "); goto end; } r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http2_buf, http2_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2); if (!(PacketAlertCheck(&p2, 1))) { printf("sid 1 didn't match but should have: "); goto end; } result = 1; end: if (de_ctx != NULL) SigGroupCleanup(de_ctx); if (de_ctx != NULL) SigCleanSignatures(de_ctx); if (de_ctx != NULL) DetectEngineCtxFree(de_ctx); StreamL7DataPtrFree(&ssn); StreamTcpFreeConfig(TRUE); return result; } /** *\test Test that the http_header content matches against a http request * which holds the content. */ static int DetectHttpHeaderTest08(void) { TcpSession ssn; Packet p1; Packet p2; ThreadVars th_v; DetectEngineCtx *de_ctx = NULL; DetectEngineThreadCtx *det_ctx = NULL; HtpState *http_state = NULL; Flow f; uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n" "Host: www.openinfosecfoundation.org\r\n"; uint8_t http2_buf[] = "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" "Content-Type: text/html\r\n" "Content-Length: 67\r\n" "\r\n"; uint32_t http1_len = sizeof(http1_buf) - 1; uint32_t http2_len = sizeof(http2_buf) - 1; int result = 0; memset(&th_v, 0, sizeof(th_v)); memset(&p1, 0, sizeof(Packet)); memset(&p2, 0, sizeof(Packet)); memset(&f, 0, sizeof(f)); memset(&ssn, 0, sizeof(ssn)); p1.src.family = AF_INET; p1.dst.family = AF_INET; p1.payload = NULL; p1.payload_len = 0; p1.proto = IPPROTO_TCP; p2.src.family = AF_INET; p2.dst.family = AF_INET; p2.payload = NULL; p2.payload_len = 0; p2.proto = IPPROTO_TCP; f.protoctx = (void *)&ssn; f.src.family = AF_INET; f.dst.family = AF_INET; p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; ssn.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); StreamL7DataPtrInit(&ssn); de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " "(msg:\"http header test\"; " "content:\"Gecko/20091221 Firefox/3.5.7\"; http_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) goto end; SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http1_buf, http1_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } http_state = ssn.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; if (http_state == NULL) { printf("no http state: "); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1); if ((PacketAlertCheck(&p1, 1))) { printf("sid 1 didn't match but should have: "); goto end; } r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http2_buf, http2_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2); if (!(PacketAlertCheck(&p2, 1))) { printf("sid 1 didn't match but should have: "); goto end; } result = 1; end: if (de_ctx != NULL) SigGroupCleanup(de_ctx); if (de_ctx != NULL) SigCleanSignatures(de_ctx); if (de_ctx != NULL) DetectEngineCtxFree(de_ctx); StreamL7DataPtrFree(&ssn); StreamTcpFreeConfig(TRUE); return result; } /** *\test Test that the http_header content matches against a http request * which holds the content, against a cross boundary present pattern. */ static int DetectHttpHeaderTest09(void) { TcpSession ssn; Packet p1; Packet p2; ThreadVars th_v; DetectEngineCtx *de_ctx = NULL; DetectEngineThreadCtx *det_ctx = NULL; HtpState *http_state = NULL; Flow f; uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n" "Host: www.openinfosecfoundation.org\r\n" "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"; uint8_t http2_buf[] = "Content-Type: text/html\r\n" "Content-Length: 67\r\n" "\r\n" "This is dummy body\r\n"; uint32_t http1_len = sizeof(http1_buf) - 1; uint32_t http2_len = sizeof(http2_buf) - 1; int result = 0; memset(&th_v, 0, sizeof(th_v)); memset(&p1, 0, sizeof(Packet)); memset(&p2, 0, sizeof(Packet)); memset(&f, 0, sizeof(f)); memset(&ssn, 0, sizeof(ssn)); p1.src.family = AF_INET; p1.dst.family = AF_INET; p1.payload = NULL; p1.payload_len = 0; p1.proto = IPPROTO_TCP; p2.src.family = AF_INET; p2.dst.family = AF_INET; p2.payload = NULL; p2.payload_len = 0; p2.proto = IPPROTO_TCP; f.protoctx = (void *)&ssn; f.src.family = AF_INET; f.dst.family = AF_INET; p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; ssn.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); StreamL7DataPtrInit(&ssn); de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " "(msg:\"http header test\"; " "content:\"Firefox/3.5.7|0D 0A|Content\"; http_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) goto end; SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http1_buf, http1_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } http_state = ssn.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; if (http_state == NULL) { printf("no http state: "); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1); if ((PacketAlertCheck(&p1, 1))) { printf("sid 1 didn't match but should have: "); goto end; } r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http2_buf, http2_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2); if (!(PacketAlertCheck(&p2, 1))) { printf("sid 1 didn't match but should have: "); goto end; } result = 1; end: if (de_ctx != NULL) SigGroupCleanup(de_ctx); if (de_ctx != NULL) SigCleanSignatures(de_ctx); if (de_ctx != NULL) DetectEngineCtxFree(de_ctx); StreamL7DataPtrFree(&ssn); StreamTcpFreeConfig(TRUE); return result; } /** *\test Test that the http_header content matches against a http request * against a case insensitive pattern. */ static int DetectHttpHeaderTest10(void) { TcpSession ssn; Packet p1; Packet p2; ThreadVars th_v; DetectEngineCtx *de_ctx = NULL; DetectEngineThreadCtx *det_ctx = NULL; HtpState *http_state = NULL; Flow f; uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n" "Host: www.openinfosecfoundation.org\r\n" "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"; uint8_t http2_buf[] = "Content-Type: text/html\r\n" "Content-Length: 67\r\n" "\r\n" "This is dummy body"; uint32_t http1_len = sizeof(http1_buf) - 1; uint32_t http2_len = sizeof(http2_buf) - 1; int result = 0; memset(&th_v, 0, sizeof(th_v)); memset(&p1, 0, sizeof(Packet)); memset(&p2, 0, sizeof(Packet)); memset(&f, 0, sizeof(f)); memset(&ssn, 0, sizeof(ssn)); p1.src.family = AF_INET; p1.dst.family = AF_INET; p1.payload = NULL; p1.payload_len = 0; p1.proto = IPPROTO_TCP; p2.src.family = AF_INET; p2.dst.family = AF_INET; p2.payload = NULL; p2.payload_len = 0; p2.proto = IPPROTO_TCP; f.protoctx = (void *)&ssn; f.src.family = AF_INET; f.dst.family = AF_INET; p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; ssn.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); StreamL7DataPtrInit(&ssn); de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " "(msg:\"http header test\"; " "content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_header;" "sid:1;)"); if (de_ctx->sig_list == NULL) goto end; SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http1_buf, http1_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } http_state = ssn.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; if (http_state == NULL) { printf("no http state: "); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1); if ((PacketAlertCheck(&p1, 1))) { printf("sid 1 didn't match but should have: "); goto end; } r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http2_buf, http2_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2); if (!(PacketAlertCheck(&p2, 1))) { printf("sid 1 didn't match but should have: "); goto end; } result = 1; end: if (de_ctx != NULL) SigGroupCleanup(de_ctx); if (de_ctx != NULL) SigCleanSignatures(de_ctx); if (de_ctx != NULL) DetectEngineCtxFree(de_ctx); StreamL7DataPtrFree(&ssn); StreamTcpFreeConfig(TRUE); return result; } /** *\test Test that the negated http_header content matches against a * http request which doesn't hold the content. */ static int DetectHttpHeaderTest11(void) { TcpSession ssn; Packet p; ThreadVars th_v; DetectEngineCtx *de_ctx = NULL; DetectEngineThreadCtx *det_ctx = NULL; HtpState *http_state = NULL; Flow f; uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n" "Host: www.openinfosecfoundation.org\r\n" "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" "Content-Type: text/html\r\n" "Content-Length: 26\r\n" "\r\n" "This is dummy message body\r\n"; uint32_t http_len = sizeof(http_buf) - 1; int result = 0; memset(&th_v, 0, sizeof(th_v)); memset(&p, 0, sizeof(Packet)); memset(&f, 0, sizeof(f)); memset(&ssn, 0, sizeof(ssn)); p.src.family = AF_INET; p.dst.family = AF_INET; p.payload = NULL; p.payload_len = 0; p.proto = IPPROTO_TCP; f.protoctx = (void *)&ssn; f.src.family = AF_INET; f.dst.family = AF_INET; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; ssn.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); StreamL7DataPtrInit(&ssn); de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " "(msg:\"http header test\"; " "content:!lalalalala; http_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) goto end; SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } http_state = ssn.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; if (http_state == NULL) { printf("no http state: "); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); if (!(PacketAlertCheck(&p, 1))) { printf("sid 1 didn't match but should have: "); goto end; } result = 1; end: if (de_ctx != NULL) SigGroupCleanup(de_ctx); if (de_ctx != NULL) SigCleanSignatures(de_ctx); if (de_ctx != NULL) DetectEngineCtxFree(de_ctx); StreamL7DataPtrFree(&ssn); StreamTcpFreeConfig(TRUE); return result; } /** *\test Negative test that the negated http_header content matches against a * http request which holds hold the content. */ static int DetectHttpHeaderTest12(void) { TcpSession ssn; Packet p; ThreadVars th_v; DetectEngineCtx *de_ctx = NULL; DetectEngineThreadCtx *det_ctx = NULL; HtpState *http_state = NULL; Flow f; uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n" "Host: www.openinfosecfoundation.org\r\n" "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" "Content-Type: text/html\r\n" "Content-Length: 26\r\n" "\r\n" "This is dummy message body\r\n"; uint32_t http_len = sizeof(http_buf) - 1; int result = 0; memset(&th_v, 0, sizeof(th_v)); memset(&p, 0, sizeof(Packet)); memset(&f, 0, sizeof(f)); memset(&ssn, 0, sizeof(ssn)); p.src.family = AF_INET; p.dst.family = AF_INET; p.payload = NULL; p.payload_len = 0; p.proto = IPPROTO_TCP; f.protoctx = (void *)&ssn; f.src.family = AF_INET; f.dst.family = AF_INET; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; ssn.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); StreamL7DataPtrInit(&ssn); de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " "(msg:\"http header test\"; " "content:!\"User-Agent: Mozilla/5.0 \"; http_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) goto end; SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } http_state = ssn.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; if (http_state == NULL) { printf("no http state: "); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); if ((PacketAlertCheck(&p, 1))) { printf("sid 1 didn't match but should have: "); goto end; } result = 1; end: if (de_ctx != NULL) SigGroupCleanup(de_ctx); if (de_ctx != NULL) SigCleanSignatures(de_ctx); if (de_ctx != NULL) DetectEngineCtxFree(de_ctx); StreamL7DataPtrFree(&ssn); StreamTcpFreeConfig(TRUE); return result; } /** *\test Test that the http_header content matches against a http request * which holds the content. */ static int DetectHttpHeaderTest13(void) { TcpSession ssn; Packet p; ThreadVars th_v; DetectEngineCtx *de_ctx = NULL; DetectEngineThreadCtx *det_ctx = NULL; HtpState *http_state = NULL; Flow f; uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n" "Host: www.openinfosecfoundation.org\r\n" "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" "Content-Type: text/html\r\n" "Content-Length: 100\r\n" "\r\n" "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"; uint32_t http_len = sizeof(http_buf) - 1; int result = 0; memset(&th_v, 0, sizeof(th_v)); memset(&p, 0, sizeof(Packet)); memset(&f, 0, sizeof(f)); memset(&ssn, 0, sizeof(ssn)); p.src.family = AF_INET; p.dst.family = AF_INET; p.payload = NULL; p.payload_len = 0; p.proto = IPPROTO_TCP; f.protoctx = (void *)&ssn; f.src.family = AF_INET; f.dst.family = AF_INET; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; ssn.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); StreamL7DataPtrInit(&ssn); de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) goto end; de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " "(msg:\"http header test\"; " "content:\"Host: www.openinfosecfoundation.org\"; http_header; " "sid:1;)"); if (de_ctx->sig_list == NULL) goto end; SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } http_state = ssn.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; if (http_state == NULL) { printf("no http state: "); result = 0; goto end; } /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); if (!(PacketAlertCheck(&p, 1))) { printf("sid 1 didn't match but should have: "); goto end; } result = 1; end: if (de_ctx != NULL) SigGroupCleanup(de_ctx); if (de_ctx != NULL) SigCleanSignatures(de_ctx); if (de_ctx != NULL) DetectEngineCtxFree(de_ctx); StreamL7DataPtrFree(&ssn); StreamTcpFreeConfig(TRUE); return result; } #endif /* UNITTESTS */ void DetectHttpHeaderRegisterTests(void) { #ifdef UNITTESTS UtRegisterTest("DetectHttpHeaderTest01", DetectHttpHeaderTest01, 1); UtRegisterTest("DetectHttpHeaderTest02", DetectHttpHeaderTest02, 1); UtRegisterTest("DetectHttpHeaderTest03", DetectHttpHeaderTest03, 1); UtRegisterTest("DetectHttpHeaderTest04", DetectHttpHeaderTest04, 1); UtRegisterTest("DetectHttpHeaderTest05", DetectHttpHeaderTest05, 1); UtRegisterTest("DetectHttpHeaderTest06", DetectHttpHeaderTest06, 1); UtRegisterTest("DetectHttpHeaderTest07", DetectHttpHeaderTest07, 1); UtRegisterTest("DetectHttpHeaderTest08", DetectHttpHeaderTest08, 1); UtRegisterTest("DetectHttpHeaderTest09", DetectHttpHeaderTest09, 1); UtRegisterTest("DetectHttpHeaderTest10", DetectHttpHeaderTest10, 1); UtRegisterTest("DetectHttpHeaderTest11", DetectHttpHeaderTest11, 1); UtRegisterTest("DetectHttpHeaderTest12", DetectHttpHeaderTest12, 1); UtRegisterTest("DetectHttpHeaderTest13", DetectHttpHeaderTest13, 1); #endif /* UNITTESTS */ return; }