From 8ae92c7a5e280e09df65589b45604421a0c92cc3 Mon Sep 17 00:00:00 2001
From: Anoop Saldanha <anoopsaldanha@gmail.com>
Date: Fri, 30 Aug 2013 16:01:33 +0530
Subject: [PATCH] Add unittest to test for http ambiguous host header.

Previously we would not check the port part of the host from the uri
hostname, while we did use the port part from the host header, leading
to FPs.
---
 src/detect-http-header.c | 82 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/src/detect-http-header.c b/src/detect-http-header.c
index 064591b075..3abbb375cf 100644
--- a/src/detect-http-header.c
+++ b/src/detect-http-header.c
@@ -1490,6 +1490,87 @@ int DetectHttpHeaderTest27(void)
     return result;
 }
 
+static int DetectHttpHeaderTest28(void)
+{
+    TcpSession ssn;
+    Packet *p = NULL;
+    ThreadVars th_v;
+    DetectEngineCtx *de_ctx = NULL;
+    DetectEngineThreadCtx *det_ctx = NULL;
+    Flow f;
+    uint8_t http_buf[] =
+        "POST http://xxx.intranet.local:8000/xxx HTTP/1.1\r\n"
+        "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
+        "Host: xxx.intranet.local:8000\r\n"
+        "\r\n";
+    uint32_t http_len = sizeof(http_buf) - 1;
+    int result = 0;
+
+    memset(&th_v, 0, sizeof(th_v));
+    memset(&f, 0, sizeof(f));
+    memset(&ssn, 0, sizeof(ssn));
+
+    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+    FLOW_INITIALIZE(&f);
+    f.protoctx = (void *)&ssn;
+    f.flags |= FLOW_IPV4;
+    p->flow = &f;
+    p->flowflags |= FLOW_PKT_TOSERVER;
+    p->flowflags |= FLOW_PKT_ESTABLISHED;
+    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+    f.alproto = ALPROTO_HTTP;
+
+    StreamTcpInitConfig(TRUE);
+
+    de_ctx = DetectEngineCtxInit();
+    if (de_ctx == NULL)
+        goto end;
+
+    de_ctx->flags |= DE_QUIET;
+
+    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+                               "(app-layer-event:http.host_header_ambiguous; "
+                               "sid:1;)");
+    if (de_ctx->sig_list == NULL)
+        goto end;
+
+    SigGroupBuild(de_ctx);
+    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+    SCMutexLock(&f.m);
+    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
+    if (r != 0) {
+        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+        result = 0;
+        SCMutexUnlock(&f.m);
+        goto end;
+    }
+    SCMutexUnlock(&f.m);
+
+    /* do detect */
+    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+    if (PacketAlertCheck(p, 1)) {
+        printf("sid 1 didn't match but should have: ");
+        goto end;
+    }
+
+    result = 1;
+ end:
+    if (de_ctx != NULL)
+        SigGroupCleanup(de_ctx);
+    if (de_ctx != NULL)
+        SigCleanSignatures(de_ctx);
+    if (de_ctx != NULL)
+        DetectEngineCtxFree(de_ctx);
+
+    StreamTcpFreeConfig(TRUE);
+    FLOW_DESTROY(&f);
+    UTHFreePackets(&p, 1);
+    return result;
+}
+
 #endif /* UNITTESTS */
 
 void DetectHttpHeaderRegisterTests(void)
@@ -1516,6 +1597,7 @@ void DetectHttpHeaderRegisterTests(void)
     UtRegisterTest("DetectHttpHeaderTest25", DetectHttpHeaderTest25, 1);
     UtRegisterTest("DetectHttpHeaderTest26", DetectHttpHeaderTest26, 1);
     UtRegisterTest("DetectHttpHeaderTest27", DetectHttpHeaderTest27, 1);
+    UtRegisterTest("DetectHttpHeaderTest28", DetectHttpHeaderTest28, 1);
 #endif /* UNITTESTS */
 
     return;