/** \test full overlap */
static int StreamTcpInlineTest01(void) {
SCEnter();
uint8_t payload1[] = "AAC"; /* packet */
uint8_t payload2[] = "ABC"; /* segment */
int result = 0;
TcpSegment *t = NULL;
Packet *p = UTHBuildPacketSrcDstPorts(payload1, sizeof(payload1)-1, IPPROTO_TCP, 1024, 80);
if (p == NULL || p->tcph == NULL) {
printf("generating test packet failed: ");
goto end;
}
p->tcph->th_seq = htonl(10000000UL);
t = SCMalloc(sizeof(TcpSegment));
if (t == NULL) {
printf("alloc TcpSegment failed: ");
goto end;
}
memset(t, 0x00, sizeof(TcpSegment));
t->payload = payload2;
t->payload_len = sizeof(payload2)-1;
t->seq = 10000000UL;
StreamTcpInlineSegmentReplacePacket(p, t);
if (!(p->flags & PKT_STREAM_MODIFIED)) {
printf("PKT_STREAM_MODIFIED pkt flag not set: ");
goto end;
}
if (memcmp(p->payload, t->payload, p->payload_len) != 0) {
printf("Packet:\n");
PrintRawDataFp(stdout,p->payload,p->payload_len);
printf("Segment:\n");
PrintRawDataFp(stdout,t->payload,t->payload_len);
printf("payloads didn't match: ");
goto end;
}
uint8_t *pkt = GET_PKT_DATA(p)+(GET_PKT_LEN(p)-sizeof(payload1)+1);
if (memcmp(pkt,payload2,sizeof(payload2)-1) != 0) {
PrintRawDataFp(stdout,pkt,3);
PrintRawDataFp(stdout,GET_PKT_DATA(p),GET_PKT_LEN(p));
goto end;
}
result = 1;
end:
if (p != NULL) {
UTHFreePacket(p);
}
if (t != NULL) {
SCFree(t);
}
SCReturnInt(result);
}
static int DetectTransformToSha256Test01(void)
{
const uint8_t *input = (const uint8_t *)" A B C D ";
uint32_t input_len = strlen((char *)input);
InspectionBuffer buffer;
InspectionBufferInit(&buffer, 8);
InspectionBufferSetup(&buffer, input, input_len);
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
TransformToSha256(&buffer);
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
InspectionBufferFree(&buffer);
PASS;
}
/**
* \brief This function is called to retrieve a ftp request
* \param ftp_state the ftp state structure for the parser
* \param input input line of the command
* \param input_len length of the request
* \param output the resulting output
*
* \retval 1 when the command is parsed, 0 otherwise
*/
static int FTPParseRequest(Flow *f, void *ftp_state,
AppLayerParserState *pstate,
uint8_t *input, uint32_t input_len,
void *local_data, AppLayerParserResult *output)
{
SCEnter();
/* PrintRawDataFp(stdout, input,input_len); */
uint32_t offset = 0;
if (pstate == NULL)
return -1;
//PrintRawDataFp(stdout, pstate->store, pstate->store_len);
const uint8_t delim[] = { 0x0D, 0x0A };
int r = AlpParseFieldByDelimiter(output, pstate, FTP_FIELD_REQUEST_LINE,
delim, sizeof(delim), input, input_len,
&offset);
if (r == 0) {
pstate->parse_field = 0;
return 0;
}
if (pstate->store_len)
PrintRawDataFp(stdout, pstate->store, pstate->store_len);
pstate->parse_field = 0;
return 1;
}
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
const SigMatch *sm, uint8_t *payload, uint32_t payload_len)
{
DetectBase64Decode *data = (DetectBase64Decode *)sm->ctx;
int decode_len;
#if 0
printf("Input data:\n");
PrintRawDataFp(stdout, payload, payload_len);
#endif
if (data->relative) {
payload += det_ctx->buffer_offset;
payload_len -= det_ctx->buffer_offset;
}
if (data->offset) {
if (data->offset >= payload_len) {
return 0;
}
payload = payload + data->offset;
payload_len -= data->offset;
}
decode_len = MIN(payload_len, data->bytes);
#if 0
printf("Decoding:\n");
PrintRawDataFp(stdout, payload, decode_len);
#endif
det_ctx->base64_decoded_len = DecodeBase64(det_ctx->base64_decoded,
payload, decode_len, 0);
SCLogDebug("Decoded %d bytes from base64 data.",
det_ctx->base64_decoded_len);
#if 0
if (det_ctx->base64_decoded_len) {
printf("Decoded data:\n");
PrintRawDataFp(stdout, det_ctx->base64_decoded,
det_ctx->base64_decoded_len);
}
#endif
return det_ctx->base64_decoded_len > 0;
}
static int DetectTransformCompressWhitespaceTest02(void)
{
const uint8_t *input = (const uint8_t *)" A B C D ";
uint32_t input_len = strlen((char *)input);
InspectionBuffer buffer;
InspectionBufferInit(&buffer, 8);
InspectionBufferSetup(&buffer, input, input_len);
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
TransformDoubleWhitespace(&buffer);
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
TransformDoubleWhitespace(&buffer);
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
TransformCompressWhitespace(&buffer);
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
InspectionBufferFree(&buffer);
PASS;
}
void DumpSegment(StreamingBuffer *sb, StreamingBufferSegment *seg)
{
const uint8_t *data = NULL;
uint32_t data_len = 0;
StreamingBufferSegmentGetData(sb, seg, &data, &data_len);
if (data && data_len) {
PrintRawDataFp(stdout, data, data_len);
}
}
/**
* \brief Function to log the PktVars in to alert-debug.log
*
* \param aft Pointer to AltertDebugLog Thread
* \param p Pointer to the packet
*
*/
static void AlertDebugLogPktVars(AlertDebugLogThread *aft, Packet *p)
{
PktVar *pv = p->pktvar;
while(pv != NULL) {
fprintf(aft->file_ctx->fp, "PKTVAR: %s\n", pv->name);
PrintRawDataFp(aft->file_ctx->fp, pv->value, pv->value_len);
pv = pv->next;
}
}
static int TransformDoubleWhitespace(InspectionBuffer *buffer)
{
const uint8_t *input = buffer->inspect;
const uint32_t input_len = buffer->inspect_len;
uint8_t output[input_len * 2]; // if all chars are whitespace this fits
uint8_t *oi = output, *os = output;
PrintRawDataFp(stdout, input, input_len);
for (uint32_t i = 0; i < input_len; i++) {
if (isspace(*input)) {
*oi++ = *input;
}
*oi++ = *input;
input++;
}
uint32_t output_size = oi - os;
PrintRawDataFp(stdout, output, output_size);
InspectionBufferCopy(buffer, os, output_size);
return 0;
}
/**
* \retval 1 data is the same
* \retval 0 data is different
*/
int StreamingBufferCompareRawData(const StreamingBuffer *sb,
const uint8_t *rawdata, uint32_t rawdata_len)
{
const uint8_t *sbdata = NULL;
uint32_t sbdata_len = 0;
uint64_t offset = 0;
StreamingBufferGetData(sb, &sbdata, &sbdata_len, &offset);
if (offset == 0 &&
sbdata && sbdata_len &&
sbdata_len == rawdata_len &&
memcmp(sbdata, rawdata, sbdata_len) == 0)
{
return 1;
}
SCLogInfo("sbdata_len %u, offset %u", sbdata_len, (uint)offset);
PrintRawDataFp(stdout, sbdata,sbdata_len);
return 0;
}
/**
* \brief Print the information and chunks of a Body
* \param body pointer to the HtpBody holding the list
* \retval none
*/
void HtpBodyPrint(HtpBody *body)
{
if (SCLogDebugEnabled()||1) {
SCEnter();
if (body->first == NULL)
return;
HtpBodyChunk *cur = NULL;
SCLogDebug("--- Start body chunks at %p ---", body);
printf("--- Start body chunks at %p ---\n", body);
for (cur = body->first; cur != NULL; cur = cur->next) {
SCLogDebug("Body %p; data %p, len %"PRIu32, body, cur->data, (uint32_t)cur->len);
printf("Body %p; data %p, len %"PRIu32"\n", body, cur->data, (uint32_t)cur->len);
PrintRawDataFp(stdout, (uint8_t*)cur->data, cur->len);
}
SCLogDebug("--- End body chunks at %p ---", body);
}
}
TmEcode AlertDebugLogDecoderEvent(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
AlertDebugLogThread *aft = (AlertDebugLogThread *)data;
int i;
char timebuf[64];
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
SCMutexLock(&aft->file_ctx->fp_mutex);
fprintf(aft->file_ctx->fp, "+================\n");
fprintf(aft->file_ctx->fp, "TIME: %s\n", timebuf);
if (p->pcap_cnt > 0) {
fprintf(aft->file_ctx->fp, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt);
}
fprintf(aft->file_ctx->fp, "ALERT CNT: %" PRIu32 "\n", p->alerts.cnt);
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
fprintf(aft->file_ctx->fp, "ALERT MSG [%02d]: %s\n", i, pa->msg);
fprintf(aft->file_ctx->fp, "ALERT GID [%02d]: %" PRIu32 "\n", i, pa->gid);
fprintf(aft->file_ctx->fp, "ALERT SID [%02d]: %" PRIu32 "\n", i, pa->sid);
fprintf(aft->file_ctx->fp, "ALERT REV [%02d]: %" PRIu32 "\n", i, pa->rev);
fprintf(aft->file_ctx->fp, "ALERT CLASS [%02d]: %s\n", i, pa->class_msg);
fprintf(aft->file_ctx->fp, "ALERT PRIO [%02d]: %" PRIu32 "\n", i, pa->prio);
}
aft->file_ctx->alerts += p->alerts.cnt;
fprintf(aft->file_ctx->fp, "PACKET LEN: %" PRIu32 "\n", GET_PKT_LEN(p));
fprintf(aft->file_ctx->fp, "PACKET:\n");
PrintRawDataFp(aft->file_ctx->fp, GET_PKT_DATA(p), GET_PKT_LEN(p));
fflush(aft->file_ctx->fp);
SCMutexUnlock(&aft->file_ctx->fp_mutex);
return TM_ECODE_OK;
}
/**
* \brief Print the information and chunks of a Body
* \param body pointer to the HtpBody holding the list
* \retval none
*/
void HtpBodyPrint(HtpBody *body)
{
if (SCLogDebugEnabled()||1) {
SCEnter();
if (body->first == NULL)
return;
HtpBodyChunk *cur = NULL;
SCLogDebug("--- Start body chunks at %p ---", body);
printf("--- Start body chunks at %p ---\n", body);
for (cur = body->first; cur != NULL; cur = cur->next) {
const uint8_t *data = NULL;
uint32_t data_len = 0;
StreamingBufferSegmentGetData(body->sb, &cur->sbseg, &data, &data_len);
SCLogDebug("Body %p; data %p, len %"PRIu32, body, data, data_len);
printf("Body %p; data %p, len %"PRIu32"\n", body, data, data_len);
PrintRawDataFp(stdout, data, data_len);
}
SCLogDebug("--- End body chunks at %p ---", body);
}
}
/**
* \brief Do the content inspection & validation for a signature
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect
* \param sm SigMatch to inspect
* \param f Flow
* \param flags app layer flags
* \param state App layer state
*
* \retval 0 no match.
* \retval 1 match.
* \retval 2 Sig can't match.
*/
int DetectEngineInspectHttpResponseLine(ThreadVars *tv,
DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
void *alstate,
void *txv, uint64_t tx_id)
{
htp_tx_t *tx = (htp_tx_t *)txv;
if (tx->response_line == NULL) {
if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, txv, flags) > HTP_RESPONSE_LINE)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
}
det_ctx->discontinue_matching = 0;
det_ctx->buffer_offset = 0;
det_ctx->inspection_recursion_counter = 0;
#if 0
PrintRawDataFp(stdout, (uint8_t *)bstr_ptr(tx->response_line),
bstr_len(tx->response_line));
#endif
/* run the inspection against the buffer */
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HTTP_RESLINEMATCH],
f,
bstr_ptr(tx->response_line),
bstr_len(tx->response_line),
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1) {
return DETECT_ENGINE_INSPECT_SIG_MATCH;
} else {
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
}
}
/**
* \brief Decode the nodes/frames located at certain position/level
*
* \param ac pointer to the ASN1 ctx
* \param node_id node index at the asn1 stack of the ctx
*
* \retval byte of parser status
*/
uint8_t SCAsn1Decode(Asn1Ctx *ac, uint16_t node_id) {
Asn1Node *node = NULL;
uint8_t ret = 0;
/* while remaining data, and no fatal error, or end, or max stack frames */
while (ac->iter < ac->end
&& !(ac->parser_status & ASN1_STATUS_DONE)
&& ac->cur_frame < asn1_max_frames_config)
{
/* Prepare a new frame */
if (SCAsn1CtxNewFrame(ac, node_id) == NULL)
break;
ac->cur_frame = node_id;
node = ASN1CTX_GET_NODE(ac, node_id);
SCLogDebug("ASN1 Getting ID, cur:%x remaining %"PRIu32, (uint8_t)*ac->iter, (uint32_t)(ac->end - ac->iter));
/* Get identifier/tag */
ret = SCAsn1DecodeIdentifier(ac);
if (ret == ASN1_PARSER_ERR) {
SCLogDebug("Error parsing identifier");
node->flags |= ASN1_BER_EVENT_INVALID_ID;
ac->ctx_flags |= node->flags;
break;
}
SCLogDebug("ASN1 Getting LEN");
/* Get length of content */
ret = SCAsn1DecodeLength(ac);
if (ret == ASN1_PARSER_ERR) {
SCLogDebug("Error parsing length");
node->flags |= ASN1_BER_EVENT_INVALID_LEN;
ac->ctx_flags |= node->flags;
break;
}
if ( !(node->flags & ASN1_NODE_IS_EOC)) {
SCLogDebug("ASN1 Getting CONTENT");
/* Inspect content */
ret = SCAsn1DecodeContent(ac);
if (ret == ASN1_PARSER_ERR) {
SCLogDebug("Error parsing content");
break;
}
/* Skip to the next record (if any) */
if (node->id.tag_type != ASN1_TAG_TYPE_CONSTRUCTED)
/* Is primitive, skip it all (no need to decode it)*/
ac->iter += node->data.len;
}
/* Check if we are done with data */
ret = SCAsn1CheckBounds(ac);
if (ret == ASN1_PARSER_ERR) {
ac->parser_status |= ASN1_STATUS_DONE;
/* There's no more data available */
ret = ASN1_PARSER_OK;
break;
}
#if 0
printf("Tag Num: %"PRIu32", Tag Type: %"PRIu8", Class:%"PRIu8", Length: %"PRIu32"\n", node->id.tag_num, node->id.tag_type, node->id.class_tag, node->len.len);
printf("Data: \n");
PrintRawDataFp(stdout, node->data.ptr, node->len.len);
printf(" -- EOD --\n");
#endif
/* Stack flags/events here, so we have the resume at the ctx flags */
ac->ctx_flags |= node->flags;
/* Check if it's not a primitive type,
* then we need to decode contents */
if (node->id.tag_type == ASN1_TAG_TYPE_CONSTRUCTED) {
ret = SCAsn1Decode(ac, node_id + 1);
} /* Else we have reached a primitive type and stop the recursion,
* look if we have other branches at the same level */
/* But first check if it's a constructed node, and the sum of child
* lengths was more than the length of this frame
* this would mean that we have an overflow at the attributes */
if (ac->iter > node->data.ptr + node->data.len + 1) {
/* We decoded more length on this frame */
}
node_id = ac->cur_frame + 1;
}
return ret;
}
/** \test POST, but not multipart */
static int HTPFileParserTest07(void) {
int result = 0;
Flow *f = NULL;
uint8_t httpbuf1[] = "POST /filename HTTP/1.1\r\n"
"Host: www.server.lan\r\n"
"Content-Length: 11\r\n"
"\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
uint8_t httpbuf2[] = "FILECONTENT";
uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
TcpSession ssn;
HtpState *http_state = NULL;
memset(&ssn, 0, sizeof(ssn));
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
if (f == NULL)
goto end;
f->protoctx = &ssn;
StreamTcpInitConfig(TRUE);
SCLogDebug("\n>>>> processing chunk 1 size %u <<<<\n", httplen1);
int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START, httpbuf1, httplen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf2, httplen2);
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
http_state = f->alstate;
if (http_state == NULL) {
printf("no http state: ");
result = 0;
goto end;
}
htp_tx_t *tx = list_get(http_state->connp->conn->transactions, 0);
if (tx == NULL) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s \n", bstr_tocstr(tx->request_method));
goto end;
}
if (http_state->files_ts == NULL || http_state->files_ts->tail == NULL ||
http_state->files_ts->tail->state != FILE_STATE_CLOSED) {
printf("state != FILE_STATE_CLOSED");
goto end;
}
if (http_state->files_ts->head->chunks_head->len != 11) {
printf("expected 11 but file is %u bytes instead: ",
http_state->files_ts->head->chunks_head->len);
PrintRawDataFp(stdout, http_state->files_ts->head->chunks_head->data,
http_state->files_ts->head->chunks_head->len);
goto end;
}
if (memcmp("FILECONTENT", http_state->files_ts->head->chunks_head->data,
http_state->files_ts->head->chunks_head->len) != 0) {
goto end;
}
result = 1;
end:
StreamTcpFreeConfig(TRUE);
if (http_state != NULL)
HTPStateFree(http_state);
UTHFreeFlow(f);
return result;
}
/** \test filedata cut in two pieces */
static int HTPFileParserTest11(void) {
int result = 0;
Flow *f = NULL;
uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
"Host: www.server.lan\r\n"
"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Length: 1102\r\n"
"\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
uint8_t httpbuf2[] = "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n";
uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
uint8_t httpbuf3[] = "Content-Disposition: form-data; name=\"PROGRESS_URL\"\r\n"
"\r\n"
"http://somserver.com/progress.php?UPLOAD_IDENTIFIER=XXXXXXXXX.XXXXXXXXXX.XXXXXXXX.XX.X\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"DESTINATION_DIR\"\r\n"
"\r\n"
"10\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"js_enabled\"\r\n"
"\r\n"
"1"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"signature\"\r\n"
"\r\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"upload_files\"\r\n"
"\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"terms\"\r\n"
"\r\n"
"1"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"file[]\"\r\n"
"\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"description[]\"\r\n"
"\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"upload_file[]\"; filename=\"filename.doc\"\r\n"
"Content-Type: application/msword\r\n"
"\r\n"
"FILE";
uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
uint8_t httpbuf4[] = "CONTENT\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo--";
uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
TcpSession ssn;
HtpState *http_state = NULL;
memset(&ssn, 0, sizeof(ssn));
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
if (f == NULL)
goto end;
f->protoctx = &ssn;
StreamTcpInitConfig(TRUE);
SCLogDebug("\n>>>> processing chunk 1 <<<<\n");
int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START, httpbuf1, httplen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
goto end;
}
SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER, httpbuf2, httplen2);
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
goto end;
}
SCLogDebug("\n>>>> processing chunk 3 size %u <<<<\n", httplen3);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER, httpbuf3, httplen3);
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
goto end;
}
SCLogDebug("\n>>>> processing chunk 4 size %u <<<<\n", httplen4);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf4, httplen4);
if (r != 0) {
printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
goto end;
}
http_state = f->alstate;
if (http_state == NULL) {
printf("no http state: ");
goto end;
}
AppLayerDecoderEvents *decoder_events = AppLayerGetDecoderEventsForFlow(f);
if (decoder_events != NULL) {
printf("app events: ");
goto end;
}
htp_tx_t *tx = list_get(http_state->connp->conn->transactions, 0);
if (tx == NULL) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s \n", bstr_tocstr(tx->request_method));
goto end;
}
if (http_state->files_ts == NULL || http_state->files_ts->tail == NULL ||
http_state->files_ts->tail->state != FILE_STATE_CLOSED) {
printf("state != FILE_STATE_CLOSED: ");
goto end;
}
if (http_state->files_ts->head->chunks_head->len != 11) {
printf("expected 11 but file is %u bytes instead: ",
http_state->files_ts->head->chunks_head->len);
PrintRawDataFp(stdout, http_state->files_ts->head->chunks_head->data,
http_state->files_ts->head->chunks_head->len);
goto end;
}
if (memcmp("FILECONTENT", http_state->files_ts->head->chunks_head->data,
http_state->files_ts->head->chunks_head->len) != 0) {
goto end;
}
result = 1;
end:
StreamTcpFreeConfig(TRUE);
if (http_state != NULL)
HTPStateFree(http_state);
UTHFreeFlow(f);
return result;
}
TmEcode AlertDebugLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
AlertDebugLogThread *aft = (AlertDebugLogThread *)data;
int i;
char timebuf[64];
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
aft->file_ctx->alerts += p->alerts.cnt;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
SCMutexLock(&aft->file_ctx->fp_mutex);
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
char srcip[46], dstip[46];
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] [Classification: fixme] [Priority: %" PRIu32 "] {%" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "\n",
timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
}
fprintf(aft->file_ctx->fp, "FLOW: to_server: %s, to_client: %s\n",
p->flowflags & FLOW_PKT_TOSERVER ? "TRUE" : "FALSE",
p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");
if (p->flow != NULL) {
SCMutexLock(&p->flow->m);
CreateTimeString(&p->flow->startts, timebuf, sizeof(timebuf));
fprintf(aft->file_ctx->fp, "FLOW Start TS: %s\n",timebuf);
fprintf(aft->file_ctx->fp, "FLOW PKTS TODST: %"PRIu32"\n",p->flow->todstpktcnt);
fprintf(aft->file_ctx->fp, "FLOW PKTS TOSRC: %"PRIu32"\n",p->flow->tosrcpktcnt);
fprintf(aft->file_ctx->fp, "FLOW Total Bytes: %"PRIu64"\n",p->flow->bytecnt);
fprintf(aft->file_ctx->fp, "FLOW IPONLY SET: TOSERVER: %s, TOCLIENT: %s\n",
p->flow->flags & FLOW_TOSERVER_IPONLY_SET ? "TRUE" : "FALSE",
p->flow->flags & FLOW_TOCLIENT_IPONLY_SET ? "TRUE" : "FALSE");
fprintf(aft->file_ctx->fp, "FLOW ACTION: DROP: %s, PASS %s\n",
p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
p->flow->flags & FLOW_ACTION_PASS ? "TRUE" : "FALSE");
fprintf(aft->file_ctx->fp, "FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n",
p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
p->flow->alflags & FLOW_AL_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE");
fprintf(aft->file_ctx->fp, "FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
p->flow->alflags & FLOW_AL_PROTO_DETECT_DONE ? "TRUE" : "FALSE", p->flow->alproto);
AlertDebugLogFlowVars(aft, p);
AlertDebugLogFlowBits(aft, p);
SCMutexUnlock(&p->flow->m);
}
AlertDebugLogPktVars(aft, p);
fprintf(aft->file_ctx->fp, "PACKET LEN: %" PRIu32 "\n", GET_PKT_LEN(p));
fprintf(aft->file_ctx->fp, "PACKET:\n");
PrintRawDataFp(aft->file_ctx->fp, GET_PKT_DATA(p), GET_PKT_LEN(p));
fflush(aft->file_ctx->fp);
SCMutexUnlock(&aft->file_ctx->fp_mutex);
return TM_ECODE_OK;
}
TmEcode AlertDebugLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
AlertDebugLogThread *aft = (AlertDebugLogThread *)data;
int i;
char timebuf[64];
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
SCMutexLock(&aft->file_ctx->fp_mutex);
fprintf(aft->file_ctx->fp, "+================\n");
fprintf(aft->file_ctx->fp, "TIME: %s\n", timebuf);
if (p->pcap_cnt > 0) {
fprintf(aft->file_ctx->fp, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt);
}
fprintf(aft->file_ctx->fp, "ALERT CNT: %" PRIu32 "\n", p->alerts.cnt);
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
fprintf(aft->file_ctx->fp, "ALERT MSG [%02d]: %s\n", i, pa->msg);
fprintf(aft->file_ctx->fp, "ALERT GID [%02d]: %" PRIu32 "\n", i, pa->gid);
fprintf(aft->file_ctx->fp, "ALERT SID [%02d]: %" PRIu32 "\n", i, pa->sid);
fprintf(aft->file_ctx->fp, "ALERT REV [%02d]: %" PRIu32 "\n", i, pa->rev);
fprintf(aft->file_ctx->fp, "ALERT CLASS [%02d]: %s\n", i, pa->class_msg);
fprintf(aft->file_ctx->fp, "ALERT PRIO [%02d]: %" PRIu32 "\n", i, pa->prio);
}
char srcip[16], dstip[16];
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
fprintf(aft->file_ctx->fp, "SRC IP: %s\n", srcip);
fprintf(aft->file_ctx->fp, "DST IP: %s\n", dstip);
fprintf(aft->file_ctx->fp, "PROTO: %" PRIu32 "\n", IPV4_GET_IPPROTO(p));
if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
fprintf(aft->file_ctx->fp, "SRC PORT: %" PRIu32 "\n", p->sp);
fprintf(aft->file_ctx->fp, "DST PORT: %" PRIu32 "\n", p->dp);
if (PKT_IS_TCP(p)) {
fprintf(aft->file_ctx->fp, "TCP SEQ: %"PRIu32"\n", TCP_GET_SEQ(p));
fprintf(aft->file_ctx->fp, "TCP ACK: %"PRIu32"\n", TCP_GET_ACK(p));
}
}
/* flow stuff */
fprintf(aft->file_ctx->fp, "FLOW: to_server: %s, to_client: %s\n",
p->flowflags & FLOW_PKT_TOSERVER ? "TRUE" : "FALSE",
p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");
if (p->flow != NULL) {
SCMutexLock(&p->flow->m);
CreateTimeString(&p->flow->startts, timebuf, sizeof(timebuf));
fprintf(aft->file_ctx->fp, "FLOW Start TS: %s\n",timebuf);
fprintf(aft->file_ctx->fp, "FLOW PKTS TODST: %"PRIu32"\n",p->flow->todstpktcnt);
fprintf(aft->file_ctx->fp, "FLOW PKTS TOSRC: %"PRIu32"\n",p->flow->tosrcpktcnt);
fprintf(aft->file_ctx->fp, "FLOW Total Bytes: %"PRIu64"\n",p->flow->bytecnt);
fprintf(aft->file_ctx->fp, "FLOW IPONLY SET: TOSERVER: %s, TOCLIENT: %s\n",
p->flow->flags & FLOW_TOSERVER_IPONLY_SET ? "TRUE" : "FALSE",
p->flow->flags & FLOW_TOCLIENT_IPONLY_SET ? "TRUE" : "FALSE");
fprintf(aft->file_ctx->fp, "FLOW ACTION: DROP: %s, PASS %s\n",
p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
p->flow->flags & FLOW_ACTION_PASS ? "TRUE" : "FALSE");
fprintf(aft->file_ctx->fp, "FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n",
p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
p->flow->alflags & FLOW_AL_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE");
fprintf(aft->file_ctx->fp, "FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
p->flow->alflags & FLOW_AL_PROTO_DETECT_DONE ? "TRUE" : "FALSE", p->flow->alproto);
AlertDebugLogFlowVars(aft, p);
AlertDebugLogFlowBits(aft, p);
SCMutexUnlock(&p->flow->m);
}
AlertDebugLogPktVars(aft, p);
/* any stuff */
/* Sig details? */
aft->file_ctx->alerts += p->alerts.cnt;
fprintf(aft->file_ctx->fp, "PACKET LEN: %" PRIu32 "\n", GET_PKT_LEN(p));
fprintf(aft->file_ctx->fp, "PACKET:\n");
PrintRawDataFp(aft->file_ctx->fp, GET_PKT_DATA(p), GET_PKT_LEN(p));
fflush(aft->file_ctx->fp);
SCMutexUnlock(&aft->file_ctx->fp_mutex);
return TM_ECODE_OK;
}
void Dump(StreamingBuffer *sb)
{
PrintRawDataFp(stdout, sb->buf, sb->buf_offset);
}
/**
* \brief Compare the shared data portion of two segments
*
* If no data is shared, 0 will be returned.
*
* \param seg1 first segment
* \param seg2 second segment
*
* \retval 0 shared data is the same (or no data is shared)
* \retval 1 shared data is different
*/
int StreamTcpInlineSegmentCompare(TcpSegment *seg1, TcpSegment *seg2) {
SCEnter();
if (seg1 == NULL || seg2 == NULL) {
SCReturnInt(0);
}
if (SEQ_EQ(seg1->seq, seg2->seq) && seg1->payload_len == seg2->payload_len) {
int r = SCMemcmp(seg1->payload, seg2->payload, seg1->payload_len);
#if 0
if (r) {
PrintRawDataFp(stdout,seg1->payload,seg1->payload_len);
PrintRawDataFp(stdout,seg2->payload,seg2->payload_len);
}
#endif
SCReturnInt(r);
} else if (SEQ_GT(seg1->seq, (seg2->seq + seg2->payload_len))) {
SCReturnInt(0);
} else if (SEQ_GT(seg2->seq, (seg1->seq + seg1->payload_len))) {
SCReturnInt(0);
} else {
SCLogDebug("seg1 %u (%u), seg2 %u (%u)", seg1->seq,
seg1->payload_len, seg2->seq, seg2->payload_len);
uint32_t seg1_end = seg1->seq + seg1->payload_len;
uint32_t seg2_end = seg2->seq + seg2->payload_len;
SCLogDebug("seg1_end %u, seg2_end %u", seg1_end, seg2_end);
#if 0
SCLogDebug("seg1");
PrintRawDataFp(stdout,seg1->payload,seg1->payload_len);
SCLogDebug("seg2");
PrintRawDataFp(stdout,seg2->payload,seg2->payload_len);
#endif
/* get the minimal seg*_end */
uint32_t end = (SEQ_GT(seg1_end, seg2_end)) ? seg2_end : seg1_end;
/* and the max seq */
uint32_t seq = (SEQ_LT(seg1->seq, seg2->seq)) ? seg2->seq : seg1->seq;
SCLogDebug("seq %u, end %u", seq, end);
uint16_t seg1_off = seq - seg1->seq;
uint16_t seg2_off = seq - seg2->seq;
SCLogDebug("seg1_off %u, seg2_off %u", seg1_off, seg2_off);
uint32_t range = end - seq;
SCLogDebug("range %u", range);
BUG_ON(range > 65536);
if (range) {
int r = SCMemcmp(seg1->payload+seg1_off, seg2->payload+seg2_off, range);
#if 0
if (r) {
PrintRawDataFp(stdout,seg1->payload+seg1_off,range);
PrintRawDataFp(stdout,seg2->payload+seg2_off,range);
PrintRawDataFp(stdout,seg1->payload,seg1->payload_len);
PrintRawDataFp(stdout,seg2->payload,seg2->payload_len);
}
#endif
SCReturnInt(r);
}
SCReturnInt(0);
}
}
