static int DNSUDPParserTest03 (void)
{
int result = 0;
uint8_t buf[] = {
0x6F,0xB4,0x84,0x80,0x00,0x01,0x00,0x02,0x00,0x02,0x00,0x03,0x03,0x57,0x57,0x77,
0x0B,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x03,0x55,0x55,0x55,
0x02,0x79,0x79,0x00,0x00,0x01,0x00,0x01,0xC0,0x0C,0x00,0x05,0x00,0x01,0x00,0x00,
0x0E,0x10,0x00,0x02,0xC0,0x10,0xC0,0x34,0x00,0x01,0x00,0x01,0x00,0x00,0x0E,0x10,
0x00,0x04,0xC3,0xEA,0x04,0x19,0xC0,0x34,0x00,0x02,0x00,0x01,0x00,0x00,0x0E,0x10,
0x00,0x0A,0x03,0x6E,0x73,0x31,0x03,0x61,0x67,0x62,0xC0,0x20,0xC0,0x46,0x00,0x02,
0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x06,0x03,0x6E,0x73,0x32,0xC0,0x56,0xC0,0x52,
0x00,0x01,0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x04,0xC3,0xEA,0x04,0x0A,0xC0,0x68,
0x00,0x01,0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x04,0xC3,0xEA,0x05,0x14,0x00,0x00,
0x29,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
size_t buflen = sizeof(buf);
Flow *f = NULL;
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 53);
if (f == NULL)
goto end;
f->proto = IPPROTO_UDP;
f->alproto = ALPROTO_DNS;
f->alstate = DNSStateAlloc();
int r = DNSUDPResponseParse(f, f->alstate, NULL, buf, buflen, NULL);
if (r != 1)
goto end;
result = 1;
end:
UTHFreeFlow(f);
return (result);
}
/**
* \test DetectFlowintTestPacket03Real
* \brief Check the behaviour of isset/notset
*/
int DetectFlowintTestPacket03Real()
{
Packet *p = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&th_v, 0, sizeof(th_v));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF(de_ctx == NULL);
de_ctx->flags |= DE_QUIET;
char *sigs[3];
sigs[0] = "alert tcp any any -> any any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; sid:101;)";
sigs[1] = "alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; sid:102;)";
sigs[2] = "alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; sid:103;)";
FAIL_IF(UTHAppendSigs(de_ctx, sigs, 3) == 0);
SCSigRegisterSignatureOrderingFuncs(de_ctx);
SCSigOrderSignatures(de_ctx);
SCSigSignatureOrderingModuleCleanup(de_ctx);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v,(void *) de_ctx,(void *) &det_ctx);
Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1",
41424, 80);
FAIL_IF(f == NULL);
f->proto = IPPROTO_TCP;
p = UTHBuildPacket((uint8_t *)"GET", 3, IPPROTO_TCP);
FAIL_IF(p == NULL);
p->flow = f;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 101));
UTHFreePacket(p);
p = UTHBuildPacket((uint8_t *)"Unauthorized", 12, IPPROTO_TCP);
FAIL_IF(p == NULL);
p->flow = f;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 102));
FAIL_IF(PacketAlertCheck(p, 103));
UTHFreePacket(p);
p = UTHBuildPacket((uint8_t *)"1", 1, IPPROTO_TCP);
FAIL_IF(p == NULL);
p->flow = f;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 102));
FAIL_IF(PacketAlertCheck(p, 103));
UTHFreePacket(p);
UTHFreeFlow(f);
DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx);
DetectEngineCtxFree(de_ctx);
PASS;
}
/**
* \test Test the deallocation of app layer parser memory on occurance of
* error in the parsing process.
*/
static int AppLayerParserTest01(void)
{
AppLayerParserBackupParserTable();
int result = 0;
Flow *f = NULL;
uint8_t testbuf[] = { 0x11 };
uint32_t testlen = sizeof(testbuf);
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&ssn, 0, sizeof(ssn));
/* Register the Test protocol state and parser functions */
AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TEST, STREAM_TOSERVER,
TestProtocolParser);
AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_TEST,
TestProtocolStateAlloc, TestProtocolStateFree);
f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
if (f == NULL)
goto end;
f->protoctx = &ssn;
f->alproto = ALPROTO_TEST;
f->proto = IPPROTO_TCP;
StreamTcpInitConfig(TRUE);
FLOWLOCK_WRLOCK(f);
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,
STREAM_TOSERVER | STREAM_EOF, testbuf,
testlen);
if (r != -1) {
printf("returned %" PRId32 ", expected -1: ", r);
FLOWLOCK_UNLOCK(f);
goto end;
}
FLOWLOCK_UNLOCK(f);
if (!(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)) {
printf("flag should have been set, but is not: ");
goto end;
}
result = 1;
end:
AppLayerParserRestoreParserTable();
StreamTcpFreeConfig(TRUE);
UTHFreeFlow(f);
return result;
}
/**
* \test Test the deallocation of app layer parser memory on occurance of
* error in the parsing process for UDP.
*/
static int AppLayerParserTest02(void)
{
AppLayerParserBackupParserTable();
int result = 1;
Flow *f = NULL;
uint8_t testbuf[] = { 0x11 };
uint32_t testlen = sizeof(testbuf);
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
/* Register the Test protocol state and parser functions */
AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TEST, STREAM_TOSERVER,
TestProtocolParser);
AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_TEST,
TestProtocolStateAlloc, TestProtocolStateFree);
f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
if (f == NULL)
goto end;
f->alproto = ALPROTO_TEST;
f->proto = IPPROTO_UDP;
f->protomap = FlowGetProtoMapping(f->proto);
StreamTcpInitConfig(TRUE);
FLOWLOCK_WRLOCK(f);
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,
STREAM_TOSERVER | STREAM_EOF, testbuf,
testlen);
if (r != -1) {
printf("returned %" PRId32 ", expected -1: \n", r);
result = 0;
FLOWLOCK_UNLOCK(f);
goto end;
}
FLOWLOCK_UNLOCK(f);
end:
AppLayerParserRestoreParserTable();
StreamTcpFreeConfig(TRUE);
UTHFreeFlow(f);
return result;
}
static int DNSUDPParserTest01 (void)
{
int result = 0;
/* query: abcdefghijk.com
* TTL: 86400
* serial 20130422 refresh 28800 retry 7200 exp 604800 min ttl 86400
* ns, hostmaster */
uint8_t buf[] = { 0x00, 0x3c, 0x85, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x0b, 0x61, 0x62, 0x63,
0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
0x03, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x0f, 0x00,
0x01, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0x01,
0x51, 0x80, 0x00, 0x25, 0x02, 0x6e, 0x73, 0x00,
0x0a, 0x68, 0x6f, 0x73, 0x74, 0x6d, 0x61, 0x73,
0x74, 0x65, 0x72, 0xc0, 0x2f, 0x01, 0x33, 0x2a,
0x76, 0x00, 0x00, 0x70, 0x80, 0x00, 0x00, 0x1c,
0x20, 0x00, 0x09, 0x3a, 0x80, 0x00, 0x01, 0x51,
0x80};
size_t buflen = sizeof(buf);
Flow *f = NULL;
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 53);
if (f == NULL)
goto end;
f->proto = IPPROTO_UDP;
f->alproto = ALPROTO_DNS;
f->alstate = DNSStateAlloc();
int r = DNSUDPResponseParse(f, f->alstate, NULL, buf, buflen, NULL);
if (r != 1)
goto end;
result = 1;
end:
UTHFreeFlow(f);
return (result);
}
/** \test TXT records in answer, bad txtlen */
static int DNSUDPParserTest05 (void)
{
int result = 0;
uint8_t buf[] = {
0xc2,0x2f,0x81,0x80,0x00,0x01,0x00,0x01,0x00,0x01,0x00,0x01,0x0a,0x41,0x41,0x41,
0x41,0x41,0x4f,0x31,0x6b,0x51,0x41,0x05,0x3d,0x61,0x75,0x74,0x68,0x03,0x73,0x72,
0x76,0x06,0x74,0x75,0x6e,0x6e,0x65,0x6c,0x03,0x63,0x6f,0x6d,0x00,0x00,0x10,0x00,
0x01,
/* answer record start */
0xc0,0x0c,0x00,0x10,0x00,0x01,0x00,0x00,0x00,0x03,0x00,0x22,
/* txt record starts: */
0x40, /* <txt len 64 */ 0x41,0x68,0x76,0x4d,0x41,0x41,0x4f,0x31,0x6b,0x41,0x46,
0x45,0x35,0x54,0x45,0x39,0x51,0x54,0x6a,0x46,0x46,0x4e,0x30,0x39,0x52,0x4e,0x31,
0x6c,0x59,0x53,0x44,0x6b,0x00, /* <txt len 0 */ 0xc0,0x1d,0x00,0x02,0x00,0x01,
0x00,0x09,0x3a,0x80,0x00,0x09,0x06,0x69,0x6f,0x64,0x69,0x6e,0x65,0xc0,0x21,0xc0,
0x6b,0x00,0x01,0x00,0x01,0x00,0x09,0x3a,0x80,0x00,0x04,0x0a,0x1e,0x1c,0x5f
};
size_t buflen = sizeof(buf);
Flow *f = NULL;
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 53);
if (f == NULL)
goto end;
f->proto = IPPROTO_UDP;
f->alproto = ALPROTO_DNS;
f->alstate = DNSStateAlloc();
int r = DNSUDPResponseParse(f, f->alstate, NULL, buf, buflen, NULL);
if (r != -1)
goto end;
result = 1;
end:
UTHFreeFlow(f);
return (result);
}
int DetectAppLayerEventTest05(void)
{
int result = 0;
ThreadVars tv;
TcpReassemblyThreadCtx *ra_ctx = NULL;
Packet *p = NULL;
Flow *f = NULL;
TcpSession ssn;
TcpStream stream_ts, stream_tc;
DetectEngineCtx *de_ctx = NULL;
DetectEngineThreadCtx *det_ctx = NULL;
uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
"Host: 127.0.0.1\r\n"
"User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: en-us,en;q=0.5\r\n"
"Accept-Encoding: gzip,deflate\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n"
"\r\n";
/* tls */
uint8_t buf_tc[] = {
0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,
0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,
0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,
0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,
0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,
0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,
0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,
0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,
0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,
0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,
0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,
0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,
0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,
0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,
0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,
0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,
0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,
0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,
0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,
0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,
0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,
0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,
0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,
0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c,
};
memset(&tv, 0, sizeof (ThreadVars));
memset(&ssn, 0, sizeof(TcpSession));
memset(&stream_ts, 0, sizeof(TcpStream));
memset(&stream_tc, 0, sizeof(TcpStream));
ssn.data_first_seen_dir = STREAM_TOSERVER;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(app-layer-event: applayer_mismatch_protocol_both_directions; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
if (f == NULL)
goto end;
FLOW_INITIALIZE(f);
f->protoctx = &ssn;
f->proto = IPPROTO_TCP;
f->flags |= FLOW_IPV4;
p = PacketGetFromAlloc();
if (unlikely(p == NULL))
goto end;
p->flow = f;
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->proto = IPPROTO_TCP;
ra_ctx = StreamTcpReassembleInitThreadCtx(&tv);
if (ra_ctx == NULL)
goto end;
StreamTcpInitConfig(TRUE);
p->flowflags = FLOW_PKT_TOSERVER;
if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_ts, buf_ts,
sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0) {
printf("AppLayerHandleTCPData failure\n");
goto end;
}
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sid 1 matched but shouldn't have\n");
goto end;
}
p->flowflags = FLOW_PKT_TOCLIENT;
if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_tc, buf_tc,
sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0) {
printf("AppLayerHandleTCPData failure\n");
goto end;
}
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1)) {
printf("sid 1 didn't match but should have\n");
goto end;
}
result = 1;
end:
return result;
}
int DetectAppLayerEventTest04(void)
{
int result = 0;
ThreadVars tv;
TcpReassemblyThreadCtx *ra_ctx = NULL;
Packet *p = NULL;
Flow *f = NULL;
TcpSession ssn;
TcpStream stream_ts, stream_tc;
DetectEngineCtx *de_ctx = NULL;
DetectEngineThreadCtx *det_ctx = NULL;
uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
"Host: 127.0.0.1\r\n"
"User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: en-us,en;q=0.5\r\n"
"Accept-Encoding: gzip,deflate\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n"
"\r\n";
uint8_t buf_tc[] = "XTTP/1.1 200 OK\r\n"
"Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
"Server: Apache/2.2.15 (Unix) DAV/2\r\n"
"Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
"ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
"Accept-Ranges: bytes\r\n"
"Content-Length: 44\r\n"
"Keep-Alive: timeout=5, max=100\r\n"
"Connection: Keep-Alive\r\n"
"Content-Type: text/html\r\n"
"\r\n"
"<html><body><h1>It works!</h1></body></html>";
memset(&tv, 0, sizeof (ThreadVars));
memset(&ssn, 0, sizeof(TcpSession));
memset(&stream_ts, 0, sizeof(TcpStream));
memset(&stream_tc, 0, sizeof(TcpStream));
ssn.data_first_seen_dir = STREAM_TOSERVER;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(app-layer-event: applayer_detect_protocol_only_one_direction; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
if (f == NULL)
goto end;
FLOW_INITIALIZE(f);
f->protoctx = &ssn;
f->proto = IPPROTO_TCP;
f->flags |= FLOW_IPV4;
p = PacketGetFromAlloc();
if (unlikely(p == NULL))
goto end;
p->flow = f;
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->proto = IPPROTO_TCP;
ra_ctx = StreamTcpReassembleInitThreadCtx(&tv);
if (ra_ctx == NULL)
goto end;
StreamTcpInitConfig(TRUE);
p->flowflags = FLOW_PKT_TOSERVER;
if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_ts, buf_ts,
sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0) {
printf("AppLayerHandleTCPData failure\n");
goto end;
}
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sid 1 matched but shouldn't have\n");
goto end;
}
p->flowflags = FLOW_PKT_TOCLIENT;
if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_tc, buf_tc,
sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0) {
printf("AppLayerHandleTCPData failure\n");
goto end;
}
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1)) {
printf("sid 1 didn't match but should have\n");
goto end;
}
result = 1;
end:
return result;
}
/** \test POST, but not multipart */
static int HTPFileParserTest07(void) {
int result = 0;
Flow *f = NULL;
uint8_t httpbuf1[] = "POST /filename HTTP/1.1\r\n"
"Host: www.server.lan\r\n"
"Content-Length: 11\r\n"
"\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
uint8_t httpbuf2[] = "FILECONTENT";
uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
TcpSession ssn;
HtpState *http_state = NULL;
memset(&ssn, 0, sizeof(ssn));
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
if (f == NULL)
goto end;
f->protoctx = &ssn;
StreamTcpInitConfig(TRUE);
SCLogDebug("\n>>>> processing chunk 1 size %u <<<<\n", httplen1);
int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START, httpbuf1, httplen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf2, httplen2);
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
http_state = f->alstate;
if (http_state == NULL) {
printf("no http state: ");
result = 0;
goto end;
}
htp_tx_t *tx = list_get(http_state->connp->conn->transactions, 0);
if (tx == NULL) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s \n", bstr_tocstr(tx->request_method));
goto end;
}
if (http_state->files_ts == NULL || http_state->files_ts->tail == NULL ||
http_state->files_ts->tail->state != FILE_STATE_CLOSED) {
printf("state != FILE_STATE_CLOSED");
goto end;
}
if (http_state->files_ts->head->chunks_head->len != 11) {
printf("expected 11 but file is %u bytes instead: ",
http_state->files_ts->head->chunks_head->len);
PrintRawDataFp(stdout, http_state->files_ts->head->chunks_head->data,
http_state->files_ts->head->chunks_head->len);
goto end;
}
if (memcmp("FILECONTENT", http_state->files_ts->head->chunks_head->data,
http_state->files_ts->head->chunks_head->len) != 0) {
goto end;
}
result = 1;
end:
StreamTcpFreeConfig(TRUE);
if (http_state != NULL)
HTPStateFree(http_state);
UTHFreeFlow(f);
return result;
}
static int HTPFileParserTest04(void) {
int result = 0;
Flow *f = NULL;
uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
"Host: www.server.lan\r\n"
"Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
"Content-Length: 373\r\n"
"\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
uint8_t httpbuf2[] = "-----------------------------277531038314945\r\n"
"Content-Disposition: form-data; name=\"email\"\r\n"
"\r\n"
"[email protected]\r\n";
uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
uint8_t httpbuf3[] = "-----------------------------277531038314945\r\n"
"Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
"Content-Type: image/jpeg\r\n"
"\r\n";
uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
uint8_t httpbuf4[] = "file0123456789abcdefghijklmnopqrstuvwxyz";
uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
uint8_t httpbuf5[] = "content\r\n";
uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
uint8_t httpbuf6[] = "-----------------------------277531038314945--";
uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
TcpSession ssn;
HtpState *http_state = NULL;
memset(&ssn, 0, sizeof(ssn));
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
if (f == NULL)
goto end;
f->protoctx = &ssn;
StreamTcpInitConfig(TRUE);
SCLogDebug("\n>>>> processing chunk 1 <<<<\n");
int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START, httpbuf1, httplen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf2, httplen2);
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
SCLogDebug("\n>>>> processing chunk 3 size %u <<<<\n", httplen3);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf3, httplen3);
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
SCLogDebug("\n>>>> processing chunk 4 size %u <<<<\n", httplen4);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf4, httplen4);
if (r != 0) {
printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
SCLogDebug("\n>>>> processing chunk 5 size %u <<<<\n", httplen5);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf5, httplen5);
if (r != 0) {
printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
SCLogDebug("\n>>>> processing chunk 6 size %u <<<<\n", httplen6);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf6, httplen6);
if (r != 0) {
printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
http_state = f->alstate;
if (http_state == NULL) {
printf("no http state: ");
result = 0;
goto end;
}
htp_tx_t *tx = list_get(http_state->connp->conn->transactions, 0);
if (tx == NULL) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s: ", bstr_tocstr(tx->request_method));
goto end;
}
if (http_state->files_ts == NULL || http_state->files_ts->tail == NULL ||
http_state->files_ts->tail->state != FILE_STATE_CLOSED) {
goto end;
}
result = 1;
end:
StreamTcpFreeConfig(TRUE);
if (http_state != NULL)
HTPStateFree(http_state);
UTHFreeFlow(f);
return result;
}
/** \test filedata cut in two pieces */
static int HTPFileParserTest11(void) {
int result = 0;
Flow *f = NULL;
uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
"Host: www.server.lan\r\n"
"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Length: 1102\r\n"
"\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
uint8_t httpbuf2[] = "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n";
uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
uint8_t httpbuf3[] = "Content-Disposition: form-data; name=\"PROGRESS_URL\"\r\n"
"\r\n"
"http://somserver.com/progress.php?UPLOAD_IDENTIFIER=XXXXXXXXX.XXXXXXXXXX.XXXXXXXX.XX.X\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"DESTINATION_DIR\"\r\n"
"\r\n"
"10\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"js_enabled\"\r\n"
"\r\n"
"1"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"signature\"\r\n"
"\r\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"upload_files\"\r\n"
"\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"terms\"\r\n"
"\r\n"
"1"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"file[]\"\r\n"
"\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"description[]\"\r\n"
"\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
"Content-Disposition: form-data; name=\"upload_file[]\"; filename=\"filename.doc\"\r\n"
"Content-Type: application/msword\r\n"
"\r\n"
"FILE";
uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
uint8_t httpbuf4[] = "CONTENT\r\n"
"------WebKitFormBoundaryBRDbP74mBhBxsIdo--";
uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
TcpSession ssn;
HtpState *http_state = NULL;
memset(&ssn, 0, sizeof(ssn));
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
if (f == NULL)
goto end;
f->protoctx = &ssn;
StreamTcpInitConfig(TRUE);
SCLogDebug("\n>>>> processing chunk 1 <<<<\n");
int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START, httpbuf1, httplen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
goto end;
}
SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER, httpbuf2, httplen2);
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
goto end;
}
SCLogDebug("\n>>>> processing chunk 3 size %u <<<<\n", httplen3);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER, httpbuf3, httplen3);
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
goto end;
}
SCLogDebug("\n>>>> processing chunk 4 size %u <<<<\n", httplen4);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf4, httplen4);
if (r != 0) {
printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
goto end;
}
http_state = f->alstate;
if (http_state == NULL) {
printf("no http state: ");
goto end;
}
AppLayerDecoderEvents *decoder_events = AppLayerGetDecoderEventsForFlow(f);
if (decoder_events != NULL) {
printf("app events: ");
goto end;
}
htp_tx_t *tx = list_get(http_state->connp->conn->transactions, 0);
if (tx == NULL) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s \n", bstr_tocstr(tx->request_method));
goto end;
}
if (http_state->files_ts == NULL || http_state->files_ts->tail == NULL ||
http_state->files_ts->tail->state != FILE_STATE_CLOSED) {
printf("state != FILE_STATE_CLOSED: ");
goto end;
}
if (http_state->files_ts->head->chunks_head->len != 11) {
printf("expected 11 but file is %u bytes instead: ",
http_state->files_ts->head->chunks_head->len);
PrintRawDataFp(stdout, http_state->files_ts->head->chunks_head->data,
http_state->files_ts->head->chunks_head->len);
goto end;
}
if (memcmp("FILECONTENT", http_state->files_ts->head->chunks_head->data,
http_state->files_ts->head->chunks_head->len) != 0) {
goto end;
}
result = 1;
end:
StreamTcpFreeConfig(TRUE);
if (http_state != NULL)
HTPStateFree(http_state);
UTHFreeFlow(f);
return result;
}
/** \test empty entries */
static int HTPFileParserTest10(void) {
int result = 0;
Flow *f = NULL;
uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
"Host: www.server.lan\r\n"
"Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
"Content-Length: 337\r\n"
"\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
uint8_t httpbuf2[] = "-----------------------------277531038314945\r\n"
"\r\n";
uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
uint8_t httpbuf3[] = "-----------------------------277531038314945\r\n"
"Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
"Somereallylongheaderstr: with a good value\r\n"
"\r\n";
uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
uint8_t httpbuf4[] = "filecontent\r\n"
"-----------------------------277531038314945--";
uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
TcpSession ssn;
HtpState *http_state = NULL;
memset(&ssn, 0, sizeof(ssn));
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
if (f == NULL)
goto end;
f->protoctx = &ssn;
StreamTcpInitConfig(TRUE);
SCLogDebug("\n>>>> processing chunk 1 <<<<\n");
int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START, httpbuf1, httplen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf2, httplen2);
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
SCLogDebug("\n>>>> processing chunk 3 size %u <<<<\n", httplen3);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf3, httplen3);
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
SCLogDebug("\n>>>> processing chunk 4 size %u <<<<\n", httplen4);
r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF, httpbuf4, httplen4);
if (r != 0) {
printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
http_state = f->alstate;
if (http_state == NULL) {
printf("no http state: ");
result = 0;
goto end;
}
AppLayerDecoderEvents *decoder_events = AppLayerGetDecoderEventsForFlow(f);
if (decoder_events != NULL) {
printf("app events: ");
goto end;
}
result = 1;
end:
StreamTcpFreeConfig(TRUE);
if (http_state != NULL)
HTPStateFree(http_state);
UTHFreeFlow(f);
return result;
}
/**
* \test DetectFlowintTestPacket02Real
* \brief like DetectFlowintTestPacket01Real but using isset/notset keywords
*/
static int DetectFlowintTestPacket02Real()
{
Packet *p = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&th_v, 0, sizeof(th_v));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF(de_ctx == NULL);
de_ctx->flags |= DE_QUIET;
char *sigs[5];
sigs[0] = "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint: myvar, notset; flowint:maxvar,notset; flowint: myvar,=,1; flowint: maxvar,=,6; sid:101;)";
sigs[1] = "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: myvar,+,2; sid:102;)";
sigs[2] = "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar, isset; flowint: myvar,==,3; flowint:cntpackets,notset; flowint: cntpackets, =, 0; sid:103;)";
sigs[3] = "alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: cntpackets,isset; flowint: cntpackets, +, 1; noalert;sid:104;)";
sigs[4] = "alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, isset; flowint: maxvar,isset; flowint: cntpackets, ==, maxvar; sid:105;)";
FAIL_IF(UTHAppendSigs(de_ctx, sigs, 5) == 0);
SCSigRegisterSignatureOrderingFuncs(de_ctx);
SCSigOrderSignatures(de_ctx);
SCSigSignatureOrderingModuleCleanup(de_ctx);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v,(void *) de_ctx,(void *) &det_ctx);
Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1",
41424, 80);
FAIL_IF(f == NULL);
f->proto = IPPROTO_TCP;
p = UTHBuildPacket((uint8_t *)"GET", 3, IPPROTO_TCP);
FAIL_IF(p == NULL);
p->flow = f;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 101));
UTHFreePacket(p);
p = UTHBuildPacket((uint8_t *)"Unauthorized", 12, IPPROTO_TCP);
FAIL_IF(p == NULL);
p->flow = f;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 102));
FAIL_IF(!PacketAlertCheck(p, 103));
UTHFreePacket(p);
p = UTHBuildPacket((uint8_t *)"1", 1, IPPROTO_TCP);
FAIL_IF(p == NULL);
p->flow = f;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
UTHFreePacket(p);
p = UTHBuildPacket((uint8_t *)"X", 1, IPPROTO_TCP);
FAIL_IF(p == NULL);
p->flow = f;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 105));
UTHFreePacket(p);
UTHFreeFlow(f);
DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx);
DetectEngineCtxFree(de_ctx);
PASS;
}