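/** \test DNS response carrying a CNAME and an A answer, two NS authority
 *        records and three additional records (two A records and an
 *        OPT/EDNS0 record, type 0x29).  Header counts: 1 question,
 *        2 answers, 2 authority, 3 additional.  The parser is expected to
 *        accept the message and return 1.
 *
 *  \retval 1 on success, 0 on failure
 */
static int DNSUDPParserTest03 (void)
{
    int result = 0;
    uint8_t buf[] = {
        0x6F,0xB4,0x84,0x80,0x00,0x01,0x00,0x02,0x00,0x02,0x00,0x03,0x03,0x57,0x57,0x77,
        0x0B,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x03,0x55,0x55,0x55,
        0x02,0x79,0x79,0x00,0x00,0x01,0x00,0x01,0xC0,0x0C,0x00,0x05,0x00,0x01,0x00,0x00,
        0x0E,0x10,0x00,0x02,0xC0,0x10,0xC0,0x34,0x00,0x01,0x00,0x01,0x00,0x00,0x0E,0x10,
        0x00,0x04,0xC3,0xEA,0x04,0x19,0xC0,0x34,0x00,0x02,0x00,0x01,0x00,0x00,0x0E,0x10,
        0x00,0x0A,0x03,0x6E,0x73,0x31,0x03,0x61,0x67,0x62,0xC0,0x20,0xC0,0x46,0x00,0x02,
        0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x06,0x03,0x6E,0x73,0x32,0xC0,0x56,0xC0,0x52,
        0x00,0x01,0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x04,0xC3,0xEA,0x04,0x0A,0xC0,0x68,
        0x00,0x01,0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x04,0xC3,0xEA,0x05,0x14,0x00,0x00,
        0x29,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    };
    size_t buflen = sizeof(buf);
    Flow *f = NULL;

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 53);
    if (f == NULL)
        goto end;
    f->proto = IPPROTO_UDP;
    f->alproto = ALPROTO_DNS;

    /* the state is handed straight to the parser below, so an allocation
     * failure has to fail the test instead of dereferencing NULL */
    f->alstate = DNSStateAlloc();
    if (f->alstate == NULL)
        goto end;

    int r = DNSUDPResponseParse(f, f->alstate, NULL, buf, buflen, NULL);
    if (r != 1)
        goto end;

    result = 1;
end:
    /* NOTE(review): the DNS state is not freed explicitly; this relies on
     * the flow teardown releasing f->alstate — confirm against UTHFreeFlow */
    UTHFreeFlow(f);
    return (result);
}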
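/**
 * \test DetectFlowintTestPacket03Real
 * \brief Check the behaviour of isset/notset
 *
 *  Packet 1 ("GET") must fire sid 101, which creates "myvar" and "other"
 *  on the flow.  Packet 2 ("Unauthorized") must fire sid 102 (both vars
 *  isset) but not sid 103 ("lala" was never set).  A third packet without
 *  the content must fire neither 102 nor 103.
 *
 *  NOTE(review): FAIL_IF returns without tearing down de_ctx, det_ctx,
 *  the flow or the packet; tolerable for a unit test, but the failure
 *  path leaks.
 *
 *  \retval 1 on success, 0 on failure (via FAIL_IF)
 */
int DetectFlowintTestPacket03Real(void)
{
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    memset(&th_v, 0, sizeof(th_v));

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF(de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;

    char *sigs[3];
    sigs[0] = "alert tcp any any -> any any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; sid:101;)";
    sigs[1] = "alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; sid:102;)";
    sigs[2] = "alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; sid:103;)";
    FAIL_IF(UTHAppendSigs(de_ctx, sigs, 3) == 0);

    SCSigRegisterSignatureOrderingFuncs(de_ctx);
    SCSigOrderSignatures(de_ctx);
    SCSigSignatureOrderingModuleCleanup(de_ctx);
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
    FAIL_IF(f == NULL);
    f->proto = IPPROTO_TCP;

    /* packet 1: sets myvar/other, sid 101 must fire */
    p = UTHBuildPacket((uint8_t *)"GET", 3, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 101));
    UTHFreePacket(p);

    /* packet 2: both vars isset -> 102; lala never set -> no 103 */
    p = UTHBuildPacket((uint8_t *)"Unauthorized", 12, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 102));
    FAIL_IF(PacketAlertCheck(p, 103));
    UTHFreePacket(p);

    /* packet 3: no matching content, nothing may fire */
    p = UTHBuildPacket((uint8_t *)"1", 1, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(PacketAlertCheck(p, 102));
    FAIL_IF(PacketAlertCheck(p, 103));
    UTHFreePacket(p);

    UTHFreeFlow(f);
    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);
    PASS;
}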
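/**
 * \test Test the deallocation of app layer parser memory on occurrence of
 *       error in the parsing process (TCP).  The test parser is expected
 *       to return -1 and the session must then carry
 *       STREAMTCP_FLAG_APP_LAYER_DISABLED.
 *
 *  \retval 1 on success, 0 on failure
 */
static int AppLayerParserTest01(void)
{
    AppLayerParserBackupParserTable();

    int result = 0;
    Flow *f = NULL;
    uint8_t testbuf[] = { 0x11 };
    uint32_t testlen = sizeof(testbuf);
    TcpSession ssn;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&ssn, 0, sizeof(ssn));

    /* Register the Test protocol state and parser functions */
    AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TEST, STREAM_TOSERVER,
                                 TestProtocolParser);
    AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_TEST,
                                     TestProtocolStateAlloc,
                                     TestProtocolStateFree);

    /* initialised before the first possible 'goto end' so that the
     * unconditional StreamTcpFreeConfig() below always has a matching init */
    StreamTcpInitConfig(TRUE);

    /* the thread ctx is passed straight to the parser; fail cleanly rather
     * than dereference NULL on allocation failure */
    if (alp_tctx == NULL) {
        printf("AppLayerParserThreadCtxAlloc failed: ");
        goto end;
    }

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
    if (f == NULL)
        goto end;
    f->protoctx = &ssn;
    f->alproto = ALPROTO_TEST;
    f->proto = IPPROTO_TCP;

    FLOWLOCK_WRLOCK(f);
    int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,
                                STREAM_TOSERVER | STREAM_EOF,
                                testbuf, testlen);
    if (r != -1) {
        printf("returned %" PRId32 ", expected -1: ", r);
        FLOWLOCK_UNLOCK(f);
        goto end;
    }
    FLOWLOCK_UNLOCK(f);

    if (!(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)) {
        printf("flag should have been set, but is not: ");
        goto end;
    }

    result = 1;
 end:
    AppLayerParserRestoreParserTable();
    StreamTcpFreeConfig(TRUE);
    /* NOTE(review): alp_tctx is never released on any path; pair the
     * AppLayerParserThreadCtxAlloc() above with its free routine once
     * confirmed to exist in this tree. */
    UTHFreeFlow(f);
    return result;
}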
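/**
 * \test Test the deallocation of app layer parser memory on occurrence of
 *       error in the parsing process for UDP.  The test parser is expected
 *       to return -1.
 *
 *  The result now starts at 0 and is only set to 1 once the parser has
 *  returned -1: previously it started at 1, so an allocation failure
 *  (flow or thread ctx) that jumped to 'end' reported a pass.
 *
 *  \retval 1 on success, 0 on failure
 */
static int AppLayerParserTest02(void)
{
    AppLayerParserBackupParserTable();

    int result = 0;
    Flow *f = NULL;
    uint8_t testbuf[] = { 0x11 };
    uint32_t testlen = sizeof(testbuf);
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    /* Register the Test protocol state and parser functions */
    AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TEST, STREAM_TOSERVER,
                                 TestProtocolParser);
    AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_TEST,
                                     TestProtocolStateAlloc,
                                     TestProtocolStateFree);

    /* initialised before the first possible 'goto end' so that the
     * unconditional StreamTcpFreeConfig() below always has a matching init */
    StreamTcpInitConfig(TRUE);

    /* the thread ctx is passed straight to the parser; fail cleanly rather
     * than dereference NULL on allocation failure */
    if (alp_tctx == NULL) {
        printf("AppLayerParserThreadCtxAlloc failed: \n");
        goto end;
    }

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
    if (f == NULL)
        goto end;
    f->alproto = ALPROTO_TEST;
    f->proto = IPPROTO_UDP;
    f->protomap = FlowGetProtoMapping(f->proto);

    FLOWLOCK_WRLOCK(f);
    int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,
                                STREAM_TOSERVER | STREAM_EOF,
                                testbuf, testlen);
    if (r != -1) {
        printf("returned %" PRId32 ", expected -1: \n", r);
        FLOWLOCK_UNLOCK(f);
        goto end;
    }
    FLOWLOCK_UNLOCK(f);

    result = 1;
 end:
    AppLayerParserRestoreParserTable();
    StreamTcpFreeConfig(TRUE);
    /* NOTE(review): alp_tctx is never released on any path; pair the
     * AppLayerParserThreadCtxAlloc() above with its free routine once
     * confirmed to exist in this tree. */
    UTHFreeFlow(f);
    return result;
}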
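/** \test DNS response with one question (abcdefghijk.com, type 0x0f) and a
 *        single SOA record in the authority section; no answers, no
 *        additional records.  The parser is expected to return 1.
 *
 *  \retval 1 on success, 0 on failure
 */
static int DNSUDPParserTest01 (void)
{
    int result = 0;
    /* query: abcdefghijk.com
     * TTL: 86400
     * serial 20130422 refresh 28800 retry 7200 exp 604800 min ttl 86400
     * ns, hostmaster */
    uint8_t buf[] = {
        0x00, 0x3c, 0x85, 0x00, 0x00, 0x01, 0x00, 0x00,
        0x00, 0x01, 0x00, 0x00, 0x0b, 0x61, 0x62, 0x63,
        0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
        0x03, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x0f, 0x00,
        0x01, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0x01,
        0x51, 0x80, 0x00, 0x25, 0x02, 0x6e, 0x73, 0x00,
        0x0a, 0x68, 0x6f, 0x73, 0x74, 0x6d, 0x61, 0x73,
        0x74, 0x65, 0x72, 0xc0, 0x2f, 0x01, 0x33, 0x2a,
        0x76, 0x00, 0x00, 0x70, 0x80, 0x00, 0x00, 0x1c,
        0x20, 0x00, 0x09, 0x3a, 0x80, 0x00, 0x01, 0x51,
        0x80
    };
    size_t buflen = sizeof(buf);
    Flow *f = NULL;

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 53);
    if (f == NULL)
        goto end;
    f->proto = IPPROTO_UDP;
    f->alproto = ALPROTO_DNS;

    /* the state is handed straight to the parser below, so an allocation
     * failure has to fail the test instead of dereferencing NULL */
    f->alstate = DNSStateAlloc();
    if (f->alstate == NULL)
        goto end;

    int r = DNSUDPResponseParse(f, f->alstate, NULL, buf, buflen, NULL);
    if (r != 1)
        goto end;

    result = 1;
end:
    /* NOTE(review): the DNS state is not freed explicitly; this relies on
     * the flow teardown releasing f->alstate — confirm against UTHFreeFlow */
    UTHFreeFlow(f);
    return (result);
}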
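/** \test TXT records in answer, bad txtlen
 *
 *  The answer's RDLENGTH is 0x22 (34) bytes but the first TXT string
 *  claims a length of 0x40 (64), i.e. the inner length field points past
 *  the record's own data.  A parser that trusts the inner length would read
 *  out of the record, so the expected result is a rejection (return -1).
 *
 *  \retval 1 on success (parser rejected the message), 0 on failure
 */
static int DNSUDPParserTest05 (void)
{
    int result = 0;
    uint8_t buf[] = {
        0xc2,0x2f,0x81,0x80,0x00,0x01,0x00,0x01,0x00,0x01,0x00,0x01,0x0a,0x41,0x41,0x41,
        0x41,0x41,0x4f,0x31,0x6b,0x51,0x41,0x05,0x3d,0x61,0x75,0x74,0x68,0x03,0x73,0x72,
        0x76,0x06,0x74,0x75,0x6e,0x6e,0x65,0x6c,0x03,0x63,0x6f,0x6d,0x00,0x00,0x10,0x00,
        0x01,
        /* answer record start */
        0xc0,0x0c,0x00,0x10,0x00,0x01,0x00,0x00,0x00,0x03,0x00,0x22,
        /* txt record starts: */
        0x40, /* <txt len 64 */  0x41,0x68,0x76,0x4d,0x41,0x41,0x4f,0x31,0x6b,0x41,0x46,
        0x45,0x35,0x54,0x45,0x39,0x51,0x54,0x6a,0x46,0x46,0x4e,0x30,0x39,0x52,0x4e,0x31,
        0x6c,0x59,0x53,0x44,0x6b,0x00, /* <txt len 0 */
        0xc0,0x1d,0x00,0x02,0x00,0x01,
        0x00,0x09,0x3a,0x80,0x00,0x09,0x06,0x69,0x6f,0x64,0x69,0x6e,0x65,0xc0,0x21,0xc0,
        0x6b,0x00,0x01,0x00,0x01,0x00,0x09,0x3a,0x80,0x00,0x04,0x0a,0x1e,0x1c,0x5f
    };
    size_t buflen = sizeof(buf);
    Flow *f = NULL;

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 53);
    if (f == NULL)
        goto end;
    f->proto = IPPROTO_UDP;
    f->alproto = ALPROTO_DNS;

    /* the state is handed straight to the parser below, so an allocation
     * failure has to fail the test instead of dereferencing NULL */
    f->alstate = DNSStateAlloc();
    if (f->alstate == NULL)
        goto end;

    /* malformed input: anything other than an explicit error is a failure */
    int r = DNSUDPResponseParse(f, f->alstate, NULL, buf, buflen, NULL);
    if (r != -1)
        goto end;

    result = 1;
end:
    /* NOTE(review): the DNS state is not freed explicitly; this relies on
     * the flow teardown releasing f->alstate — confirm against UTHFreeFlow */
    UTHFreeFlow(f);
    return (result);
}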
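/**
 * \test applayer_mismatch_protocol_both_directions: an HTTP request is
 *       handled toserver and TLS records are handled toclient on the same
 *       flow.  sid 1 must not fire after the request alone and must fire
 *       once the toclient data has been seen.
 *
 *  Everything the test sets up through names used elsewhere in this file
 *  (flow, detect thread ctx, detect engine ctx, stream config) is released
 *  at 'end' on every path.
 *
 *  \retval 1 on success, 0 on failure
 */
int DetectAppLayerEventTest05(void)
{
    int result = 0;
    int stream_config_inited = 0;
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    /* NOTE(review): sizeof(buf_ts) below includes the string's terminating
     * NUL, so the parser is fed one 0x00 byte after the request */
    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Keep-Alive: 115\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";
    /* tls: a handshake record (0x16 0x03 0x01), a change cipher spec record
     * (0x14 0x03 0x01) and a second handshake record */
    uint8_t buf_tc[] = {
        0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
        0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,
        0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,
        0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,
        0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,
        0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,
        0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,
        0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,
        0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,
        0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,
        0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,
        0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,
        0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,
        0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,
        0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,
        0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,
        0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,
        0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,
        0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,
        0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,
        0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,
        0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,
        0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,
        0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,
        0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c,
    };

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));

    ssn.data_first_seen_dir = STREAM_TOSERVER;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                               "(app-layer-event: applayer_mismatch_protocol_both_directions; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    if (f == NULL)
        goto end;
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    if (unlikely(p == NULL))
        goto end;
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    ra_ctx = StreamTcpReassembleInitThreadCtx(&tv);
    if (ra_ctx == NULL)
        goto end;
    StreamTcpInitConfig(TRUE);
    stream_config_inited = 1;

    /* request only: the event must not have been raised yet */
    p->flowflags = FLOW_PKT_TOSERVER;
    if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_ts,
                              buf_ts, sizeof(buf_ts),
                              STREAM_TOSERVER | STREAM_START) < 0) {
        printf("AppLayerHandleTCPData failure\n");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 matched but shouldn't have\n");
        goto end;
    }

    /* TLS in the other direction: the mismatch event must fire now */
    p->flowflags = FLOW_PKT_TOCLIENT;
    if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_tc,
                              buf_tc, sizeof(buf_tc),
                              STREAM_TOCLIENT | STREAM_START) < 0) {
        printf("AppLayerHandleTCPData failure\n");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sid 1 didn't match but should have\n");
        goto end;
    }

    result = 1;
 end:
    /* same teardown order as the flowint tests in this file: flow, detect
     * thread ctx, detect engine ctx.  det_ctx only exists once
     * DetectEngineThreadCtxInit has run; the stream config is only freed
     * if it was initialised on this path. */
    UTHFreeFlow(f);
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    if (stream_config_inited)
        StreamTcpFreeConfig(TRUE);
    /* NOTE(review): p (PacketGetFromAlloc) and ra_ctx are still not
     * released here; add their free routines once confirmed. */
    return result;
}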
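/**
 * \test applayer_detect_protocol_only_one_direction: a valid HTTP request
 *       is handled toserver, then a response whose status line starts with
 *       "XTTP" (not recognisable as HTTP) is handled toclient.  sid 1 must
 *       not fire after the request alone and must fire once the toclient
 *       data has been seen.
 *
 *  Everything the test sets up through names used elsewhere in this file
 *  (flow, detect thread ctx, detect engine ctx, stream config) is released
 *  at 'end' on every path.
 *
 *  \retval 1 on success, 0 on failure
 */
int DetectAppLayerEventTest04(void)
{
    int result = 0;
    int stream_config_inited = 0;
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    /* NOTE(review): sizeof(buf_ts)/sizeof(buf_tc) below include the
     * strings' terminating NUL, so each direction is fed one 0x00 byte
     * after the message */
    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Keep-Alive: 115\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";
    uint8_t buf_tc[] = "XTTP/1.1 200 OK\r\n"
        "Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
        "Server: Apache/2.2.15 (Unix) DAV/2\r\n"
        "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
        "ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
        "Accept-Ranges: bytes\r\n"
        "Content-Length: 44\r\n"
        "Keep-Alive: timeout=5, max=100\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body><h1>It works!</h1></body></html>";

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));

    ssn.data_first_seen_dir = STREAM_TOSERVER;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                               "(app-layer-event: applayer_detect_protocol_only_one_direction; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    if (f == NULL)
        goto end;
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    if (unlikely(p == NULL))
        goto end;
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    ra_ctx = StreamTcpReassembleInitThreadCtx(&tv);
    if (ra_ctx == NULL)
        goto end;
    StreamTcpInitConfig(TRUE);
    stream_config_inited = 1;

    /* request only: the event must not have been raised yet */
    p->flowflags = FLOW_PKT_TOSERVER;
    if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_ts,
                              buf_ts, sizeof(buf_ts),
                              STREAM_TOSERVER | STREAM_START) < 0) {
        printf("AppLayerHandleTCPData failure\n");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 matched but shouldn't have\n");
        goto end;
    }

    /* unrecognisable response: the one-direction event must fire now */
    p->flowflags = FLOW_PKT_TOCLIENT;
    if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_tc,
                              buf_tc, sizeof(buf_tc),
                              STREAM_TOCLIENT | STREAM_START) < 0) {
        printf("AppLayerHandleTCPData failure\n");
        goto end;
    }
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        printf("sid 1 didn't match but should have\n");
        goto end;
    }

    result = 1;
 end:
    /* same teardown order as the flowint tests in this file: flow, detect
     * thread ctx, detect engine ctx.  det_ctx only exists once
     * DetectEngineThreadCtxInit has run; the stream config is only freed
     * if it was initialised on this path. */
    UTHFreeFlow(f);
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    if (stream_config_inited)
        StreamTcpFreeConfig(TRUE);
    /* NOTE(review): p (PacketGetFromAlloc) and ra_ctx are still not
     * released here; add their free routines once confirmed. */
    return result;
}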
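/** \test POST, but not multipart
 *
 *  An 11-byte body declared by Content-Length is fed in a second chunk;
 *  it must end up as one closed file on the toserver side whose first
 *  chunk holds exactly "FILECONTENT".
 *
 *  \retval 1 on success, 0 on failure
 */
static int HTPFileParserTest07(void)
{
    int result = 0;
    Flow *f = NULL;
    uint8_t httpbuf1[] = "POST /filename HTTP/1.1\r\n"
                         "Host: www.server.lan\r\n"
                         "Content-Length: 11\r\n"
                         "\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    uint8_t httpbuf2[] = "FILECONTENT";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
    TcpSession ssn;
    HtpState *http_state = NULL;

    memset(&ssn, 0, sizeof(ssn));

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
    if (f == NULL)
        goto end;
    f->protoctx = &ssn;

    /* NOTE(review): StreamTcpFreeConfig() at 'end' runs even when the flow
     * allocation above failed before this init — confirm that is harmless */
    StreamTcpInitConfig(TRUE);

    SCLogDebug("\n>>>> processing chunk 1 size %u <<<<\n", httplen1);
    int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START,
                          httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
                      httpbuf2, httplen2);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f->alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    htp_tx_t *tx = list_get(http_state->connp->conn->transactions, 0);
    if (tx == NULL)
        goto end;

    /* a missing method must be reported, not passed to bstr_tocstr()/printf
     * as NULL; strncmp stops at the terminator so a short method is never
     * read past its end.
     * NOTE(review): bstr_tocstr() appears to hand back a new C string that
     * is never released here — confirm against the libhtp version in use. */
    char *method = (tx->request_method != NULL) ? bstr_tocstr(tx->request_method) : NULL;
    if (method == NULL || strncmp(method, "POST", 4) != 0) {
        printf("expected method POST, got %s \n", method ? method : "(null)");
        goto end;
    }

    if (http_state->files_ts == NULL || http_state->files_ts->tail == NULL ||
        http_state->files_ts->tail->state != FILE_STATE_CLOSED) {
        printf("state != FILE_STATE_CLOSED");
        goto end;
    }

    /* a closed file with no data chunk is a failure, not a crash */
    if (http_state->files_ts->head->chunks_head == NULL) {
        printf("file has no data chunk: ");
        goto end;
    }

    if (http_state->files_ts->head->chunks_head->len != 11) {
        printf("expected 11 but file is %u bytes instead: ",
               http_state->files_ts->head->chunks_head->len);
        PrintRawDataFp(stdout, http_state->files_ts->head->chunks_head->data,
                       http_state->files_ts->head->chunks_head->len);
        goto end;
    }

    if (memcmp("FILECONTENT", http_state->files_ts->head->chunks_head->data,
               http_state->files_ts->head->chunks_head->len) != 0) {
        goto end;
    }

    result = 1;
end:
    StreamTcpFreeConfig(TRUE);
    if (http_state != NULL)
        HTPStateFree(http_state);
    UTHFreeFlow(f);
    return result;
}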
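/** \test multipart upload split over six chunks: a text field, then a file
 *        part ("somepicture1.jpg") whose body arrives in two pieces, then
 *        the closing boundary.  The toserver file list must end with a
 *        closed file.
 *
 *  NOTE(review): every chunk after the first is passed with STREAM_EOF
 *  set, unlike HTPFileParserTest11 which only sets it on the last chunk;
 *  confirm this is intended before changing it, as it shapes the test.
 *
 *  \retval 1 on success, 0 on failure
 */
static int HTPFileParserTest04(void)
{
    int result = 0;
    Flow *f = NULL;
    uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
                         "Host: www.server.lan\r\n"
                         "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
                         "Content-Length: 373\r\n"
                         "\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */

    uint8_t httpbuf2[] = "-----------------------------277531038314945\r\n"
                         "Content-Disposition: form-data; name=\"email\"\r\n"
                         "\r\n"
                         "[email protected]\r\n";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */

    uint8_t httpbuf3[] = "-----------------------------277531038314945\r\n"
                         "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
                         "Content-Type: image/jpeg\r\n"
                         "\r\n";
    uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */

    uint8_t httpbuf4[] = "file0123456789abcdefghijklmnopqrstuvwxyz";
    uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */

    uint8_t httpbuf5[] = "content\r\n";
    uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */

    uint8_t httpbuf6[] = "-----------------------------277531038314945--";
    uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */

    TcpSession ssn;
    HtpState *http_state = NULL;

    memset(&ssn, 0, sizeof(ssn));

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
    if (f == NULL)
        goto end;
    f->protoctx = &ssn;

    /* NOTE(review): StreamTcpFreeConfig() at 'end' runs even when the flow
     * allocation above failed before this init — confirm that is harmless */
    StreamTcpInitConfig(TRUE);

    SCLogDebug("\n>>>> processing chunk 1 <<<<\n");
    int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START,
                          httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
                      httpbuf2, httplen2);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 3 size %u <<<<\n", httplen3);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
                      httpbuf3, httplen3);
    if (r != 0) {
        printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 4 size %u <<<<\n", httplen4);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
                      httpbuf4, httplen4);
    if (r != 0) {
        printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 5 size %u <<<<\n", httplen5);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
                      httpbuf5, httplen5);
    if (r != 0) {
        printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 6 size %u <<<<\n", httplen6);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
                      httpbuf6, httplen6);
    if (r != 0) {
        printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f->alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    htp_tx_t *tx = list_get(http_state->connp->conn->transactions, 0);
    if (tx == NULL)
        goto end;

    /* a missing method must be reported, not passed to bstr_tocstr()/printf
     * as NULL; strncmp stops at the terminator so a short method is never
     * read past its end.
     * NOTE(review): bstr_tocstr() appears to hand back a new C string that
     * is never released here — confirm against the libhtp version in use. */
    char *method = (tx->request_method != NULL) ? bstr_tocstr(tx->request_method) : NULL;
    if (method == NULL || strncmp(method, "POST", 4) != 0) {
        printf("expected method POST, got %s: ", method ? method : "(null)");
        goto end;
    }

    if (http_state->files_ts == NULL || http_state->files_ts->tail == NULL ||
        http_state->files_ts->tail->state != FILE_STATE_CLOSED) {
        goto end;
    }

    result = 1;
end:
    StreamTcpFreeConfig(TRUE);
    if (http_state != NULL)
        HTPStateFree(http_state);
    UTHFreeFlow(f);
    return result;
}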
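/** \test filedata cut in two pieces
 *
 *  A WebKit multipart body with several empty and non-empty form fields;
 *  the file part ("filename.doc") starts with "FILE" at the very end of
 *  chunk 3 and continues with "CONTENT" in chunk 4.  No decoder events may
 *  be raised, the file must be closed, and its first chunk must hold the
 *  reassembled 11-byte "FILECONTENT".
 *
 *  \retval 1 on success, 0 on failure
 */
static int HTPFileParserTest11(void)
{
    int result = 0;
    Flow *f = NULL;
    uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
                         "Host: www.server.lan\r\n"
                         "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Length: 1102\r\n"
                         "\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */

    uint8_t httpbuf2[] = "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */

    uint8_t httpbuf3[] = "Content-Disposition: form-data; name=\"PROGRESS_URL\"\r\n"
                         "\r\n"
                         "http://somserver.com/progress.php?UPLOAD_IDENTIFIER=XXXXXXXXX.XXXXXXXXXX.XXXXXXXX.XX.X\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"DESTINATION_DIR\"\r\n"
                         "\r\n"
                         "10\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"js_enabled\"\r\n"
                         "\r\n"
                         "1"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"signature\"\r\n"
                         "\r\n"
                         "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"upload_files\"\r\n"
                         "\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"terms\"\r\n"
                         "\r\n"
                         "1"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"file[]\"\r\n"
                         "\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"description[]\"\r\n"
                         "\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"upload_file[]\"; filename=\"filename.doc\"\r\n"
                         "Content-Type: application/msword\r\n"
                         "\r\n"
                         "FILE";
    uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */

    uint8_t httpbuf4[] = "CONTENT\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo--";
    uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */

    TcpSession ssn;
    HtpState *http_state = NULL;

    memset(&ssn, 0, sizeof(ssn));

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
    if (f == NULL)
        goto end;
    f->protoctx = &ssn;

    /* NOTE(review): StreamTcpFreeConfig() at 'end' runs even when the flow
     * allocation above failed before this init — confirm that is harmless */
    StreamTcpInitConfig(TRUE);

    SCLogDebug("\n>>>> processing chunk 1 <<<<\n");
    int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START,
                          httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER,
                      httpbuf2, httplen2);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 3 size %u <<<<\n", httplen3);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER,
                      httpbuf3, httplen3);
    if (r != 0) {
        printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 4 size %u <<<<\n", httplen4);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
                      httpbuf4, httplen4);
    if (r != 0) {
        printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f->alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* well-formed input: any decoder event is a failure */
    AppLayerDecoderEvents *decoder_events = AppLayerGetDecoderEventsForFlow(f);
    if (decoder_events != NULL) {
        printf("app events: ");
        goto end;
    }

    htp_tx_t *tx = list_get(http_state->connp->conn->transactions, 0);
    if (tx == NULL)
        goto end;

    /* a missing method must be reported, not passed to bstr_tocstr()/printf
     * as NULL; strncmp stops at the terminator so a short method is never
     * read past its end.
     * NOTE(review): bstr_tocstr() appears to hand back a new C string that
     * is never released here — confirm against the libhtp version in use. */
    char *method = (tx->request_method != NULL) ? bstr_tocstr(tx->request_method) : NULL;
    if (method == NULL || strncmp(method, "POST", 4) != 0) {
        printf("expected method POST, got %s \n", method ? method : "(null)");
        goto end;
    }

    if (http_state->files_ts == NULL || http_state->files_ts->tail == NULL ||
        http_state->files_ts->tail->state != FILE_STATE_CLOSED) {
        printf("state != FILE_STATE_CLOSED: ");
        goto end;
    }

    /* a closed file with no data chunk is a failure, not a crash */
    if (http_state->files_ts->head->chunks_head == NULL) {
        printf("file has no data chunk: ");
        goto end;
    }

    if (http_state->files_ts->head->chunks_head->len != 11) {
        printf("expected 11 but file is %u bytes instead: ",
               http_state->files_ts->head->chunks_head->len);
        PrintRawDataFp(stdout, http_state->files_ts->head->chunks_head->data,
                       http_state->files_ts->head->chunks_head->len);
        goto end;
    }

    if (memcmp("FILECONTENT", http_state->files_ts->head->chunks_head->data,
               http_state->files_ts->head->chunks_head->len) != 0) {
        goto end;
    }

    result = 1;
end:
    StreamTcpFreeConfig(TRUE);
    if (http_state != NULL)
        HTPStateFree(http_state);
    UTHFreeFlow(f);
    return result;
}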
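/** \test empty entries
 *
 *  A multipart body whose first part has no headers at all, followed by a
 *  file part with an unusual extra header.  All four chunks must be
 *  accepted and no decoder event may be raised.
 *
 *  \retval 1 on success, 0 on failure
 */
static int HTPFileParserTest10(void)
{
    int result = 0;
    Flow *f = NULL;
    uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
                         "Host: www.server.lan\r\n"
                         "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
                         "Content-Length: 337\r\n"
                         "\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */

    uint8_t httpbuf2[] = "-----------------------------277531038314945\r\n"
                         "\r\n";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */

    uint8_t httpbuf3[] = "-----------------------------277531038314945\r\n"
                         "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
                         "Somereallylongheaderstr: with a good value\r\n"
                         "\r\n";
    uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */

    uint8_t httpbuf4[] = "filecontent\r\n"
                         "-----------------------------277531038314945--";
    uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */

    TcpSession ssn;
    HtpState *http_state = NULL;

    memset(&ssn, 0, sizeof(ssn));

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
    if (f == NULL)
        goto end;
    f->protoctx = &ssn;

    /* NOTE(review): StreamTcpFreeConfig() at 'end' runs even when the flow
     * allocation above failed before this init — confirm that is harmless */
    StreamTcpInitConfig(TRUE);

    SCLogDebug("\n>>>> processing chunk 1 <<<<\n");
    int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START,
                          httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
                      httpbuf2, httplen2);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 3 size %u <<<<\n", httplen3);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
                      httpbuf3, httplen3);
    if (r != 0) {
        printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 4 size %u <<<<\n", httplen4);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
                      httpbuf4, httplen4);
    if (r != 0) {
        printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f->alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* well-formed input: any decoder event is a failure */
    AppLayerDecoderEvents *decoder_events = AppLayerGetDecoderEventsForFlow(f);
    if (decoder_events != NULL) {
        printf("app events: ");
        goto end;
    }

    result = 1;
end:
    StreamTcpFreeConfig(TRUE);
    if (http_state != NULL)
        HTPStateFree(http_state);
    UTHFreeFlow(f);
    return result;
}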
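/**
 * \test DetectFlowintTestPacket02Real
 * \brief like DetectFlowintTestPacket01Real but using isset/notset keywords
 *
 *  Sequence asserted by the test:
 *   - "GET": sid 101 creates myvar=1 and maxvar=6.
 *   - "Unauthorized": sid 102 adds 2 (myvar=3), sid 103 then creates
 *     cntpackets=0; sid 104 (noalert) counts every packet once cntpackets
 *     exists.
 *   - four "1" packets and one "X" packet are matched without assertions
 *     until cntpackets reaches maxvar, at which point sid 105 must fire.
 *
 *  NOTE(review): FAIL_IF returns without tearing down de_ctx, det_ctx,
 *  the flow or the packet; tolerable for a unit test, but the failure
 *  path leaks.
 *
 *  \retval 1 on success, 0 on failure (via FAIL_IF)
 */
static int DetectFlowintTestPacket02Real(void)
{
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    memset(&th_v, 0, sizeof(th_v));

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF(de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;

    char *sigs[5];
    sigs[0] = "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint: myvar, notset; flowint:maxvar,notset; flowint: myvar,=,1; flowint: maxvar,=,6; sid:101;)";
    sigs[1] = "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: myvar,+,2; sid:102;)";
    sigs[2] = "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar, isset; flowint: myvar,==,3; flowint:cntpackets,notset; flowint: cntpackets, =, 0; sid:103;)";
    sigs[3] = "alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: cntpackets,isset; flowint: cntpackets, +, 1; noalert;sid:104;)";
    sigs[4] = "alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, isset; flowint: maxvar,isset; flowint: cntpackets, ==, maxvar; sid:105;)";
    FAIL_IF(UTHAppendSigs(de_ctx, sigs, 5) == 0);

    SCSigRegisterSignatureOrderingFuncs(de_ctx);
    SCSigOrderSignatures(de_ctx);
    SCSigSignatureOrderingModuleCleanup(de_ctx);
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
    FAIL_IF(f == NULL);
    f->proto = IPPROTO_TCP;

    /* packet 1: creates the counters, sid 101 must fire */
    p = UTHBuildPacket((uint8_t *)"GET", 3, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 101));
    UTHFreePacket(p);

    /* packet 2: sid 102 and sid 103 must both fire */
    p = UTHBuildPacket((uint8_t *)"Unauthorized", 12, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 102));
    FAIL_IF(!PacketAlertCheck(p, 103));
    UTHFreePacket(p);

    /* the same packet is matched four times just to advance cntpackets */
    p = UTHBuildPacket((uint8_t *)"1", 1, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    int pass;
    for (pass = 0; pass < 4; pass++) {
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    }
    UTHFreePacket(p);

    /* final packet: cntpackets must now equal maxvar, sid 105 fires */
    p = UTHBuildPacket((uint8_t *)"X", 1, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 105));
    UTHFreePacket(p);

    UTHFreeFlow(f);
    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);
    PASS;
}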