mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1790 lines
47 KiB
C
1790 lines
47 KiB
C
/* Copyright (C) 2007-2012 Open Information Security Foundation
|
|
*
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
* the GNU General Public License version 2 as published by the Free
|
|
* Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA.
|
|
*/
|
|
|
|
/**
|
|
* \ingroup httplayer
|
|
*
|
|
* @{
|
|
*/
|
|
|
|
|
|
/** \file
|
|
*
|
|
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
|
|
*
|
|
* \brief Handle HTTP user agent match
|
|
*
|
|
*/
|
|
|
|
#include "suricata-common.h"
|
|
#include "suricata.h"
|
|
#include "decode.h"
|
|
|
|
#include "detect.h"
|
|
#include "detect-engine.h"
|
|
#include "detect-engine-mpm.h"
|
|
#include "detect-parse.h"
|
|
#include "detect-engine-state.h"
|
|
#include "detect-engine-content-inspection.h"
|
|
|
|
#include "flow-util.h"
|
|
#include "util-debug.h"
|
|
#include "util-print.h"
|
|
#include "flow.h"
|
|
|
|
#include "app-layer-parser.h"
|
|
|
|
#include "util-unittest.h"
|
|
#include "util-unittest-helper.h"
|
|
#include "app-layer.h"
|
|
#include "app-layer-htp.h"
|
|
#include "app-layer-protos.h"
|
|
|
|
#include "detect-engine-hua.h"
|
|
|
|
int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
|
|
HtpState *htp_state, uint8_t flags)
|
|
{
|
|
htp_tx_t *tx = NULL;
|
|
uint32_t cnt = 0;
|
|
int idx;
|
|
|
|
/* we need to lock because the buffers are not actually true buffers
|
|
* but are ones that point to a buffer given by libhtp */
|
|
FLOWLOCK_RDLOCK(f);
|
|
|
|
if (htp_state == NULL) {
|
|
SCLogDebug("no HTTP state");
|
|
goto end;
|
|
}
|
|
|
|
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
|
|
SCLogDebug("HTP state has no conn(p)");
|
|
goto end;
|
|
}
|
|
|
|
idx = AppLayerTransactionGetInspectId(f);
|
|
if (idx == -1) {
|
|
goto end;
|
|
}
|
|
|
|
int size = (int)list_size(htp_state->connp->conn->transactions);
|
|
for (; idx < size; idx++) {
|
|
|
|
tx = list_get(htp_state->connp->conn->transactions, idx);
|
|
if (tx == NULL)
|
|
continue;
|
|
|
|
htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers,
|
|
"User-Agent");
|
|
if (h == NULL) {
|
|
SCLogDebug("HTTP user agent header not present in this request");
|
|
continue;
|
|
}
|
|
|
|
cnt += HttpUAPatternSearch(det_ctx,
|
|
(uint8_t *)bstr_ptr(h->value),
|
|
bstr_len(h->value), flags);
|
|
}
|
|
|
|
end:
|
|
FLOWLOCK_UNLOCK(f);
|
|
return cnt;
|
|
}
|
|
|
|
/**
|
|
* \brief Do the http_user_agent content inspection for a signature.
|
|
*
|
|
* \param de_ctx Detection engine context.
|
|
* \param det_ctx Detection engine thread context.
|
|
* \param s Signature to inspect.
|
|
* \param f Flow.
|
|
* \param flags App layer flags.
|
|
* \param state App layer state.
|
|
*
|
|
* \retval 0 No match.
|
|
* \retval 1 Match.
|
|
*/
|
|
int DetectEngineInspectHttpUA(DetectEngineCtx *de_ctx,
|
|
DetectEngineThreadCtx *det_ctx,
|
|
Signature *s, Flow *f, uint8_t flags,
|
|
void *alstate)
|
|
{
|
|
SCEnter();
|
|
|
|
int r = 0;
|
|
HtpState *htp_state = NULL;
|
|
htp_tx_t *tx = NULL;
|
|
int idx;
|
|
|
|
FLOWLOCK_RDLOCK(f);
|
|
|
|
htp_state = (HtpState *)alstate;
|
|
if (htp_state == NULL) {
|
|
SCLogDebug("no HTTP state");
|
|
goto end;
|
|
}
|
|
|
|
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
|
|
SCLogDebug("HTP state has no conn(p)");
|
|
goto end;
|
|
}
|
|
|
|
idx = AppLayerTransactionGetInspectId(f);
|
|
if (idx == -1) {
|
|
goto end;
|
|
}
|
|
|
|
int size = (int)list_size(htp_state->connp->conn->transactions);
|
|
for (; idx < size; idx++) {
|
|
tx = list_get(htp_state->connp->conn->transactions, idx);
|
|
if (tx == NULL)
|
|
continue;
|
|
|
|
htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers,
|
|
"User-Agent");
|
|
if (h == NULL) {
|
|
SCLogDebug("HTTP user agent header not present in this request");
|
|
continue;
|
|
}
|
|
|
|
det_ctx->buffer_offset = 0;
|
|
det_ctx->discontinue_matching = 0;
|
|
det_ctx->inspection_recursion_counter = 0;
|
|
|
|
r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HUADMATCH],
|
|
f,
|
|
(uint8_t *)bstr_ptr(h->value),
|
|
bstr_len(h->value),
|
|
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HUAD, NULL);
|
|
if (r == 1) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
end:
|
|
FLOWLOCK_UNLOCK(f);
|
|
SCReturnInt(r);
|
|
}
|
|
|
|
/***********************************Unittests**********************************/
|
|
|
|
#ifdef UNITTESTS
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest01(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"GET /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:\"CONNECT\"; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (!(PacketAlertCheck(p, 1))) {
|
|
printf("sid 1 didn't match but should have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest02(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:\"CO\"; depth:4; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (!(PacketAlertCheck(p, 1))) {
|
|
printf("sid 1 didn't match but should have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest03(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http_user_agent test\"; "
|
|
"content:!\"ECT\"; depth:4; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (!(PacketAlertCheck(p, 1))) {
|
|
printf("sid 1 didn't match but should have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest04(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:\"ECT\"; depth:4; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 matched but shouldn't have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest05(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:!\"CON\"; depth:4; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 matched but shouldn't have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest06(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:\"ECT\"; offset:3; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (!(PacketAlertCheck(p, 1))) {
|
|
printf("sid 1 didn't match but should have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest07(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:!\"CO\"; offset:3; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (!(PacketAlertCheck(p, 1))) {
|
|
printf("sid 1 didn't match but should have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest08(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:!\"ECT\"; offset:3; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 matched but shouldn't have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest09(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:\"CON\"; offset:3; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 matched but shouldn't have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest10(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http_user_agent test\"; "
|
|
"content:\"CO\"; http_user_agent; "
|
|
"content:\"EC\"; within:4; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (!PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 didn't match but should have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest11(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:\"CO\"; http_user_agent; "
|
|
"content:!\"EC\"; within:3; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (!PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 didn't match but should have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest12(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http_user_agent test\"; "
|
|
"content:\"CO\"; http_user_agent; "
|
|
"content:\"EC\"; within:3; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 matched but shouldn't have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest13(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:\"CO\"; http_user_agent; "
|
|
"content:!\"EC\"; within:4; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 matched but shouldn't have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest14(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http_user_agent test\"; "
|
|
"content:\"CO\"; http_user_agent; "
|
|
"content:\"EC\"; distance:2; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (!PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 didn't match but should have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest15(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:\"CO\"; http_user_agent; "
|
|
"content:!\"EC\"; distance:3; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (!PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 didn't match but should have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest16(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http user agent test\"; "
|
|
"content:\"CO\"; http_user_agent; "
|
|
"content:\"EC\"; distance:3; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 matched but shouldn't have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* \test Test that the http_user_agent content matches against a http request
|
|
* which holds the content.
|
|
*/
|
|
static int DetectEngineHttpUATest17(void)
|
|
{
|
|
TcpSession ssn;
|
|
Packet *p = NULL;
|
|
ThreadVars th_v;
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
HtpState *http_state = NULL;
|
|
Flow f;
|
|
uint8_t http_buf[] =
|
|
"CONNECT /index.html HTTP/1.0\r\n"
|
|
"User-Agent: CONNECT\r\n"
|
|
"Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
int result = 0;
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
memset(&f, 0, sizeof(f));
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
f.protoctx = (void *)&ssn;
|
|
f.flags |= FLOW_IPV4;
|
|
p->flow = &f;
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
"(msg:\"http_user_agent test\"; "
|
|
"content:\"CO\"; http_user_agent; "
|
|
"content:!\"EC\"; distance:2; http_user_agent; "
|
|
"sid:1;)");
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
|
|
if (r != 0) {
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
http_state = f.alstate;
|
|
if (http_state == NULL) {
|
|
printf("no http state: ");
|
|
result = 0;
|
|
goto end;
|
|
}
|
|
|
|
/* do detect */
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
if (PacketAlertCheck(p, 1)) {
|
|
printf("sid 1 matched but shouldn't have: ");
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
if (de_ctx != NULL)
|
|
SigGroupCleanup(de_ctx);
|
|
if (de_ctx != NULL)
|
|
SigCleanSignatures(de_ctx);
|
|
if (de_ctx != NULL)
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
FLOW_DESTROY(&f);
|
|
UTHFreePackets(&p, 1);
|
|
return result;
|
|
}
|
|
|
|
#endif /* UNITTESTS */
|
|
|
|
void DetectEngineHttpUARegisterTests(void)
|
|
{
|
|
|
|
#ifdef UNITTESTS
|
|
UtRegisterTest("DetectEngineHttpUATest01",
|
|
DetectEngineHttpUATest01, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest02",
|
|
DetectEngineHttpUATest02, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest03",
|
|
DetectEngineHttpUATest03, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest04",
|
|
DetectEngineHttpUATest04, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest05",
|
|
DetectEngineHttpUATest05, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest06",
|
|
DetectEngineHttpUATest06, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest07",
|
|
DetectEngineHttpUATest07, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest08",
|
|
DetectEngineHttpUATest08, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest09",
|
|
DetectEngineHttpUATest09, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest10",
|
|
DetectEngineHttpUATest10, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest11",
|
|
DetectEngineHttpUATest11, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest12",
|
|
DetectEngineHttpUATest12, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest13",
|
|
DetectEngineHttpUATest13, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest14",
|
|
DetectEngineHttpUATest14, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest15",
|
|
DetectEngineHttpUATest15, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest16",
|
|
DetectEngineHttpUATest16, 1);
|
|
UtRegisterTest("DetectEngineHttpUATest17",
|
|
DetectEngineHttpUATest17, 1);
|
|
#endif /* UNITTESTS */
|
|
|
|
return;
|
|
}
|
|
/**
|
|
* @}
|
|
*/
|