|  |  |  | @ -138,9 +138,16 @@ static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow * | 
		
	
		
			
				|  |  |  |  |             size_t size1 = bstr_size(h->name); | 
		
	
		
			
				|  |  |  |  |             size_t size2 = bstr_size(h->value); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |             if (size1 == 6 && | 
		
	
		
			
				|  |  |  |  |                 SCMemcmpLowercase(bstr_ptr(h->name), "Cookie", 6) == 0) { | 
		
	
		
			
				|  |  |  |  |                 continue; | 
		
	
		
			
				|  |  |  |  |             if (flags & STREAM_TOSERVER) { | 
		
	
		
			
				|  |  |  |  |                 if (size1 == 6 && | 
		
	
		
			
				|  |  |  |  |                     SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6)) { | 
		
	
		
			
				|  |  |  |  |                     continue; | 
		
	
		
			
				|  |  |  |  |                 } | 
		
	
		
			
				|  |  |  |  |             } else { | 
		
	
		
			
				|  |  |  |  |                 if (size1 == 10 && | 
		
	
		
			
				|  |  |  |  |                     SCMemcmpLowercase("set-cookie", bstr_ptr(h->name), 10) == 0) { | 
		
	
		
			
				|  |  |  |  |                     continue; | 
		
	
		
			
				|  |  |  |  |                 } | 
		
	
		
			
				|  |  |  |  |             } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |             /* the extra 4 bytes if for ": " and "\r\n" */ | 
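Review bot: The new toserver comparison `SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6)) {` is missing the `== 0` that the set-cookie branch right below it has. Assuming SCMemcmpLowercase returns 0 on a match, as the set-cookie comparison relies on, the condition is inverted: a request header with any other 6-byte name (`Accept`, for example) is dropped from the http_header buffer while `Cookie` is still buffered, so rules matching on those headers would silently stop firing. The line should read `SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6) == 0) {`. The DetectEngineHttpHeaderTest30 added later in this commit sends no Cookie header in its request, so it never exercises this branch; a request-side case with a Cookie header and a 6-byte non-cookie header would catch the inversion. The enclosing header loop in DetectEngineBufferHttpHeaders starts and ends outside this hunk.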
		
	
	
		
			
				
					|  |  |  | @ -183,20 +190,6 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, | 
		
	
		
			
				|  |  |  |  |     uint32_t cnt = 0; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     if (det_ctx->hhd_buffers_list_len == 0) { | 
		
	
		
			
				|  |  |  |  |         FLOWLOCK_RDLOCK(f); | 
		
	
		
			
				|  |  |  |  |         DetectEngineBufferHttpHeaders(det_ctx, f, htp_state, | 
		
	
		
			
				|  |  |  |  |                                       (flags & STREAM_TOSERVER) ? STREAM_TOCLIENT : STREAM_TOSERVER); | 
		
	
		
			
				|  |  |  |  |         FLOWLOCK_UNLOCK(f); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |         for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { | 
		
	
		
			
				|  |  |  |  |             cnt += HttpHeaderPatternSearch(det_ctx, | 
		
	
		
			
				|  |  |  |  |                                            det_ctx->hhd_buffers[i], | 
		
	
		
			
				|  |  |  |  |                                            det_ctx->hhd_buffers_len[i], | 
		
	
		
			
				|  |  |  |  |                                            flags); | 
		
	
		
			
				|  |  |  |  |         } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |         DetectEngineCleanHHDBuffers(det_ctx); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |         FLOWLOCK_RDLOCK(f); | 
		
	
		
			
				|  |  |  |  |         DetectEngineBufferHttpHeaders(det_ctx, f, htp_state, flags); | 
		
	
		
			
				|  |  |  |  |         FLOWLOCK_UNLOCK(f); | 
		
	
	
		
			
				
					|  |  |  | @ -214,32 +207,6 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, | 
		
	
		
			
				|  |  |  |  |                                            det_ctx->hhd_buffers_len[i], | 
		
	
		
			
				|  |  |  |  |                                            flags); | 
		
	
		
			
				|  |  |  |  |         } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |         uint16_t hhd_buffers_list_len = det_ctx->hhd_buffers_list_len; | 
		
	
		
			
				|  |  |  |  |         uint8_t **hhd_buffers = det_ctx->hhd_buffers; | 
		
	
		
			
				|  |  |  |  |         uint32_t *hhd_buffers_len = det_ctx->hhd_buffers_len; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |         det_ctx->hhd_buffers_list_len = 0; | 
		
	
		
			
				|  |  |  |  |         det_ctx->hhd_buffers = NULL; | 
		
	
		
			
				|  |  |  |  |         det_ctx->hhd_buffers_len = NULL; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |         FLOWLOCK_RDLOCK(f); | 
		
	
		
			
				|  |  |  |  |         DetectEngineBufferHttpHeaders(det_ctx, f, htp_state, | 
		
	
		
			
				|  |  |  |  |                                       (flags & STREAM_TOSERVER) ? STREAM_TOCLIENT : STREAM_TOSERVER); | 
		
	
		
			
				|  |  |  |  |         FLOWLOCK_UNLOCK(f); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |         for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { | 
		
	
		
			
				|  |  |  |  |             cnt += HttpHeaderPatternSearch(det_ctx, | 
		
	
		
			
				|  |  |  |  |                                            det_ctx->hhd_buffers[i], | 
		
	
		
			
				|  |  |  |  |                                            det_ctx->hhd_buffers_len[i], | 
		
	
		
			
				|  |  |  |  |                                            flags); | 
		
	
		
			
				|  |  |  |  |         } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |         DetectEngineCleanHHDBuffers(det_ctx); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |         det_ctx->hhd_buffers_list_len = hhd_buffers_list_len; | 
		
	
		
			
				|  |  |  |  |         det_ctx->hhd_buffers = hhd_buffers; | 
		
	
		
			
				|  |  |  |  |         det_ctx->hhd_buffers_len = hhd_buffers_len; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     return cnt; | 
		
	
	
		
			
				
					|  |  |  | @ -3173,6 +3140,126 @@ static int DetectEngineHttpHeaderTest30(void) | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  | #endif /* #if 0 */ | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  | static int DetectEngineHttpHeaderTest30(void) | 
		
	
		
			
				|  |  |  |  | { | 
		
	
		
			
				|  |  |  |  |     TcpSession ssn; | 
		
	
		
			
				|  |  |  |  |     Packet *p1 = NULL; | 
		
	
		
			
				|  |  |  |  |     Packet *p2 = NULL; | 
		
	
		
			
				|  |  |  |  |     ThreadVars th_v; | 
		
	
		
			
				|  |  |  |  |     DetectEngineCtx *de_ctx = NULL; | 
		
	
		
			
				|  |  |  |  |     DetectEngineThreadCtx *det_ctx = NULL; | 
		
	
		
			
				|  |  |  |  |     HtpState *http_state = NULL; | 
		
	
		
			
				|  |  |  |  |     Flow f; | 
		
	
		
			
				|  |  |  |  |     uint8_t http_buf1[] = | 
		
	
		
			
				|  |  |  |  |         "GET /index.html HTTP/1.0\r\n" | 
		
	
		
			
				|  |  |  |  |         "Host: www.openinfosecfoundation.org\r\n" | 
		
	
		
			
				|  |  |  |  |         "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" | 
		
	
		
			
				|  |  |  |  |         "\r\n"; | 
		
	
		
			
				|  |  |  |  |     uint32_t http_buf1_len = sizeof(http_buf1) - 1; | 
		
	
		
			
				|  |  |  |  |     uint8_t http_buf2[] = | 
		
	
		
			
				|  |  |  |  |         "HTTP/1.0 200 ok\r\n" | 
		
	
		
			
				|  |  |  |  |         "Set-Cookie: dummycookieset\r\n" | 
		
	
		
			
				|  |  |  |  |         "Content-Type: text/html\r\n" | 
		
	
		
			
				|  |  |  |  |         "Content-Length: 6\r\n" | 
		
	
		
			
				|  |  |  |  |         "\r\n" | 
		
	
		
			
				|  |  |  |  |         "abcdef"; | 
		
	
		
			
				|  |  |  |  |     uint32_t http_buf2_len = sizeof(http_buf2) - 1; | 
		
	
		
			
				|  |  |  |  |     int result = 0; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     memset(&th_v, 0, sizeof(th_v)); | 
		
	
		
			
				|  |  |  |  |     memset(&f, 0, sizeof(f)); | 
		
	
		
			
				|  |  |  |  |     memset(&ssn, 0, sizeof(ssn)); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); | 
		
	
		
			
				|  |  |  |  |     p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     FLOW_INITIALIZE(&f); | 
		
	
		
			
				|  |  |  |  |     f.protoctx = (void *)&ssn; | 
		
	
		
			
				|  |  |  |  |     f.flags |= FLOW_IPV4; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     p1->flow = &f; | 
		
	
		
			
				|  |  |  |  |     p1->flowflags |= FLOW_PKT_TOSERVER; | 
		
	
		
			
				|  |  |  |  |     p1->flowflags |= FLOW_PKT_ESTABLISHED; | 
		
	
		
			
				|  |  |  |  |     p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; | 
		
	
		
			
				|  |  |  |  |     p2->flow = &f; | 
		
	
		
			
				|  |  |  |  |     p2->flowflags |= FLOW_PKT_TOCLIENT; | 
		
	
		
			
				|  |  |  |  |     p2->flowflags |= FLOW_PKT_ESTABLISHED; | 
		
	
		
			
				|  |  |  |  |     p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; | 
		
	
		
			
				|  |  |  |  |     f.alproto = ALPROTO_HTTP; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     StreamTcpInitConfig(TRUE); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     de_ctx = DetectEngineCtxInit(); | 
		
	
		
			
				|  |  |  |  |     if (de_ctx == NULL) | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     de_ctx->flags |= DE_QUIET; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " | 
		
	
		
			
				|  |  |  |  |                                "(msg:\"http header test\"; " | 
		
	
		
			
				|  |  |  |  |                                "content:\"dummycookieset\"; http_header; " | 
		
	
		
			
				|  |  |  |  |                                "sid:1;)"); | 
		
	
		
			
				|  |  |  |  |     if (de_ctx->sig_list == NULL) | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     SigGroupBuild(de_ctx); | 
		
	
		
			
				|  |  |  |  |     DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, | 
		
	
		
			
				|  |  |  |  |                           http_buf1_len); | 
		
	
		
			
				|  |  |  |  |     if (r != 0) { | 
		
	
		
			
				|  |  |  |  |         printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); | 
		
	
		
			
				|  |  |  |  |         result = 0; | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     http_state = f.alstate; | 
		
	
		
			
				|  |  |  |  |     if (http_state == NULL) { | 
		
	
		
			
				|  |  |  |  |         printf("no http state: \n"); | 
		
	
		
			
				|  |  |  |  |         result = 0; | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     /* do detect */ | 
		
	
		
			
				|  |  |  |  |     SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     if (PacketAlertCheck(p1, 1)) { | 
		
	
		
			
				|  |  |  |  |         printf("sid 1 matched but shouldn't have\n"); | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_buf2_len); | 
		
	
		
			
				|  |  |  |  |     if (r != 0) { | 
		
	
		
			
				|  |  |  |  |         printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); | 
		
	
		
			
				|  |  |  |  |         result = 0; | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     /* do detect */ | 
		
	
		
			
				|  |  |  |  |     SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     if (PacketAlertCheck(p2, 1)) { | 
		
	
		
			
				|  |  |  |  |         printf("sid 1 matched but shouldn't have\n"); | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     result = 1; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  | end: | 
		
	
		
			
				|  |  |  |  |     if (de_ctx != NULL) | 
		
	
		
			
				|  |  |  |  |         SigGroupCleanup(de_ctx); | 
		
	
		
			
				|  |  |  |  |     if (de_ctx != NULL) | 
		
	
		
			
				|  |  |  |  |         SigCleanSignatures(de_ctx); | 
		
	
		
			
				|  |  |  |  |     if (de_ctx != NULL) | 
		
	
		
			
				|  |  |  |  |         DetectEngineCtxFree(de_ctx); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     StreamTcpFreeConfig(TRUE); | 
		
	
		
			
				|  |  |  |  |     FLOW_DESTROY(&f); | 
		
	
		
			
				|  |  |  |  |     UTHFreePackets(&p1, 1); | 
		
	
		
			
				|  |  |  |  |     UTHFreePackets(&p2, 1); | 
		
	
		
			
				|  |  |  |  |     return result; | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  | #endif /* UNITTESTS */ | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  | void DetectEngineHttpHeaderRegisterTests(void) | 
		
	
	
		
			
				
					|  |  |  | @ -3237,6 +3324,8 @@ void DetectEngineHttpHeaderRegisterTests(void) | 
		
	
		
			
				|  |  |  |  |                    DetectEngineHttpHeaderTest28, 1); | 
		
	
		
			
				|  |  |  |  |     UtRegisterTest("DetectEngineHttpHeaderTest29", | 
		
	
		
			
				|  |  |  |  |                    DetectEngineHttpHeaderTest29, 1); | 
		
	
		
			
				|  |  |  |  |     UtRegisterTest("DetectEngineHttpHeaderTest30", | 
		
	
		
			
				|  |  |  |  |                    DetectEngineHttpHeaderTest30, 1); | 
		
	
		
			
				|  |  |  |  | #if 0 | 
		
	
		
			
				|  |  |  |  |     UtRegisterTest("DetectEngineHttpHeaderTest30", | 
		
	
		
			
				|  |  |  |  |                    DetectEngineHttpHeaderTest30, 1); | 
		
	
	
		
			
				
					|  |  |  | 
 |