|  |  |  | @ -2641,6 +2641,133 @@ end: | 
		
	
		
			
				|  |  |  |  |     return result; | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  | /* \test recursive relative byte test */ | 
		
	
		
			
				|  |  |  |  | static int DetectEngineHttpServerBodyFileDataTest03(void) | 
		
	
		
			
				|  |  |  |  | { | 
		
	
		
			
				|  |  |  |  |     TcpSession ssn; | 
		
	
		
			
				|  |  |  |  |     Packet *p1 = NULL; | 
		
	
		
			
				|  |  |  |  |     Packet *p2 = NULL; | 
		
	
		
			
				|  |  |  |  |     ThreadVars th_v; | 
		
	
		
			
				|  |  |  |  |     DetectEngineCtx *de_ctx = NULL; | 
		
	
		
			
				|  |  |  |  |     DetectEngineThreadCtx *det_ctx = NULL; | 
		
	
		
			
				|  |  |  |  |     HtpState *http_state = NULL; | 
		
	
		
			
				|  |  |  |  |     Flow f; | 
		
	
		
			
				|  |  |  |  |     uint8_t http_buf1[] = | 
		
	
		
			
				|  |  |  |  |         "GET /index.html HTTP/1.0\r\n" | 
		
	
		
			
				|  |  |  |  |         "Host: www.openinfosecfoundation.org\r\n" | 
		
	
		
			
				|  |  |  |  |         "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" | 
		
	
		
			
				|  |  |  |  |         "\r\n"; | 
		
	
		
			
				|  |  |  |  |     uint32_t http_len1 = sizeof(http_buf1) - 1; | 
		
	
		
			
				|  |  |  |  |     uint8_t http_buf2[] = | 
		
	
		
			
				|  |  |  |  |         "HTTP/1.0 200 ok\r\n" | 
		
	
		
			
				|  |  |  |  |         "Content-Type: text/html\r\n" | 
		
	
		
			
				|  |  |  |  |         "Content-Length: 33\r\n" | 
		
	
		
			
				|  |  |  |  |         "\r\n" | 
		
	
		
			
				|  |  |  |  |         "XYZ_klm_1234abcd_XYZ_klm_5678abcd"; | 
		
	
		
			
				|  |  |  |  |     uint32_t http_len2 = sizeof(http_buf2) - 1; | 
		
	
		
			
				|  |  |  |  |     int result = 0; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     memset(&th_v, 0, sizeof(th_v)); | 
		
	
		
			
				|  |  |  |  |     memset(&f, 0, sizeof(f)); | 
		
	
		
			
				|  |  |  |  |     memset(&ssn, 0, sizeof(ssn)); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); | 
		
	
		
			
				|  |  |  |  |     p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     FLOW_INITIALIZE(&f); | 
		
	
		
			
				|  |  |  |  |     f.protoctx = (void *)&ssn; | 
		
	
		
			
				|  |  |  |  |     f.flags |= FLOW_IPV4; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     p1->flow = &f; | 
		
	
		
			
				|  |  |  |  |     p1->flowflags |= FLOW_PKT_TOSERVER; | 
		
	
		
			
				|  |  |  |  |     p1->flowflags |= FLOW_PKT_ESTABLISHED; | 
		
	
		
			
				|  |  |  |  |     p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; | 
		
	
		
			
				|  |  |  |  |     p2->flow = &f; | 
		
	
		
			
				|  |  |  |  |     p2->flowflags |= FLOW_PKT_TOCLIENT; | 
		
	
		
			
				|  |  |  |  |     p2->flowflags |= FLOW_PKT_ESTABLISHED; | 
		
	
		
			
				|  |  |  |  |     p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; | 
		
	
		
			
				|  |  |  |  |     f.alproto = ALPROTO_HTTP; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     StreamTcpInitConfig(TRUE); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     de_ctx = DetectEngineCtxInit(); | 
		
	
		
			
				|  |  |  |  |     if (de_ctx == NULL) | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     de_ctx->flags |= DE_QUIET; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " | 
		
	
		
			
				|  |  |  |  |                                "(msg:\"match on 1st\"; " | 
		
	
		
			
				|  |  |  |  |                                "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; distance:4; byte_test:4,=,1234,-8,relative,string;" | 
		
	
		
			
				|  |  |  |  |                                "sid:1;)"))) | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " | 
		
	
		
			
				|  |  |  |  |                                "(msg:\"match on 2nd\"; " | 
		
	
		
			
				|  |  |  |  |                                "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; distance:4; byte_test:4,=,5678,-8,relative,string;" | 
		
	
		
			
				|  |  |  |  |                                "sid:2;)"))) | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     SigGroupBuild(de_ctx); | 
		
	
		
			
				|  |  |  |  |     DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1); | 
		
	
		
			
				|  |  |  |  |     if (r != 0) { | 
		
	
		
			
				|  |  |  |  |         printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); | 
		
	
		
			
				|  |  |  |  |         result = 0; | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     http_state = f.alstate; | 
		
	
		
			
				|  |  |  |  |     if (http_state == NULL) { | 
		
	
		
			
				|  |  |  |  |         printf("no http state: \n"); | 
		
	
		
			
				|  |  |  |  |         result = 0; | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     /* do detect */ | 
		
	
		
			
				|  |  |  |  |     SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     if (PacketAlertCheck(p1, 1)) { | 
		
	
		
			
				|  |  |  |  |         printf("sid 1 matched but shouldn't have: "); | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2); | 
		
	
		
			
				|  |  |  |  |     if (r != 0) { | 
		
	
		
			
				|  |  |  |  |         printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); | 
		
	
		
			
				|  |  |  |  |         result = 0; | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     /* do detect */ | 
		
	
		
			
				|  |  |  |  |     SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     if (!PacketAlertCheck(p2, 1)) { | 
		
	
		
			
				|  |  |  |  |         printf("sid 1 did not match but should have: "); | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  |     if (!PacketAlertCheck(p2, 2)) { | 
		
	
		
			
				|  |  |  |  |         printf("sid 2 did not match but should have: "); | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     result = 1; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  | end: | 
		
	
		
			
				|  |  |  |  |     if (de_ctx != NULL) | 
		
	
		
			
				|  |  |  |  |         SigGroupCleanup(de_ctx); | 
		
	
		
			
				|  |  |  |  |     if (de_ctx != NULL) | 
		
	
		
			
				|  |  |  |  |         SigCleanSignatures(de_ctx); | 
		
	
		
			
				|  |  |  |  |     if (de_ctx != NULL) | 
		
	
		
			
				|  |  |  |  |         DetectEngineCtxFree(de_ctx); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     StreamTcpFreeConfig(TRUE); | 
		
	
		
			
				|  |  |  |  |     FLOW_DESTROY(&f); | 
		
	
		
			
				|  |  |  |  |     UTHFreePackets(&p1, 1); | 
		
	
		
			
				|  |  |  |  |     UTHFreePackets(&p2, 1); | 
		
	
		
			
				|  |  |  |  |     return result; | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  | #endif /* UNITTESTS */ | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  | void DetectEngineHttpServerBodyRegisterTests(void) | 
		
	
	
		
			
				
					|  |  |  | @ -2686,6 +2813,8 @@ void DetectEngineHttpServerBodyRegisterTests(void) | 
		
	
		
			
				|  |  |  |  |                    DetectEngineHttpServerBodyFileDataTest01, 1); | 
		
	
		
			
				|  |  |  |  |     UtRegisterTest("DetectEngineHttpServerBodyFileDataTest02", | 
		
	
		
			
				|  |  |  |  |                    DetectEngineHttpServerBodyFileDataTest02, 1); | 
		
	
		
			
				|  |  |  |  |     UtRegisterTest("DetectEngineHttpServerBodyFileDataTest03", | 
		
	
		
			
				|  |  |  |  |                    DetectEngineHttpServerBodyFileDataTest03, 1); | 
		
	
		
			
				|  |  |  |  | #endif /* UNITTESTS */ | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     return; | 
		
	
	
		
			
				
					|  |  |  | 
 |