suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "decode.h"
26 
27 #include "detect.h"
28 #include "detect-engine.h"
29 #include "detect-content.h"
30 #include "detect-pcre.h"
31 #include "detect-bytejump.h"
32 #include "detect-bytetest.h"
33 #include "detect-byte-extract.h"
34 #include "detect-isdataat.h"
35 #include "detect-engine-build.h"
36 
37 #include "rust.h"
38 
39 #include "app-layer-protos.h"
40 
41 #include "util-byte.h"
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 /* the base to be used if string mode is specified. These options would be
47  * specified in DetectByteParseData->base */
48 #define DETECT_BYTE_EXTRACT_BASE_HEX BaseHex
49 #define DETECT_BYTE_EXTRACT_BASE_DEC BaseDec
50 #define DETECT_BYTE_EXTRACT_BASE_OCT BaseOct
51 
52 /* the max no of bytes that can be extracted in string mode - (string, hex)
53  * (string, oct) or (string, dec) */
54 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
55 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
56 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
57 /* the max no of bytes that can be extracted in non-string mode */
58 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
59 
60 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
61 #ifdef UNITTESTS
62 static void DetectByteExtractRegisterTests(void);
63 #endif
64 static void DetectByteExtractFree(DetectEngineCtx *, void *);
65 
66 /**
67  * \brief Registers the keyword handlers for the "byte_extract" keyword.
68  */
69 void DetectByteExtractRegister(void)
70 {
71  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
72  sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
73  sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
74  sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
75  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
76  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
77 #ifdef UNITTESTS
78  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
79 #endif
80 }
81 
82 int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
83  const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value,
84  uint8_t endian)
85 {
86  if (payload_len == 0) {
87  return 0;
88  }
89 
90  /* Calculate the ptr value for the bytetest and length remaining in
91  * the packet from that point.
92  */
93  const uint8_t *ptr;
94  int32_t len;
95  SCDetectByteExtractData *data = (SCDetectByteExtractData *)smd->ctx;
96  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
97  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
98  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
99 
100  ptr = payload + det_ctx->buffer_offset;
101  len = payload_len - det_ctx->buffer_offset;
102 
103  ptr += data->offset;
104  len -= data->offset;
105 
106  /* No match if there is no relative base */
107  if (len <= 0) {
108  return 0;
109  }
110  //PrintRawDataFp(stdout,ptr,len);
111  } else {
112  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
113 
114  ptr = payload + data->offset;
115  len = payload_len - data->offset;
116  }
117 
118  /* Validate that the to-be-extracted is within the packet */
119  if (ptr < payload || data->nbytes > len) {
120  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
121  payload, ptr, len, data->nbytes);
122  return 0;
123  }
124 
125  /* Extract the byte data */
126  uint64_t val = 0;
127  int extbytes;
128  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
129  extbytes = ByteExtractStringUint64(&val, data->base,
130  data->nbytes, (const char *)ptr);
131  if (extbytes <= 0) {
132  /* ByteExtractStringUint64() set val to 0 if there is no numeric value in data string */
133  if (val == 0) {
134  SCLogDebug("No Numeric value");
135  return 0;
136  } else {
137  SCLogDebug("error extracting %d bytes of string data: %d",
138  data->nbytes, extbytes);
139  return -1;
140  }
141  }
142  } else {
143  int endianness = (endian == BigEndian) ? BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
144  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
145  if (extbytes != data->nbytes) {
146  SCLogDebug("error extracting %d bytes of numeric data: %d",
147  data->nbytes, extbytes);
148  return 0;
149  }
150  }
151 
152  /* Adjust the jump value based on flags */
153  val *= data->multiplier_value;
154  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
155  if ((val % data->align_value) != 0) {
156  val += data->align_value - (val % data->align_value);
157  }
158  }
159 
160  ptr += extbytes;
161 
162  det_ctx->buffer_offset = (uint32_t)(ptr - payload);
163 
164  *value = val;
165  SCLogDebug("extracted value is %"PRIu64, val);
166  return 1;
167 }
168 
169 /**
170  * \internal
171  * \brief Used to parse byte_extract arg.
172  *
173  * \param de_ctx Pointer to the detection engine context
174  * \arg The argument to parse.
175  *
176  * \param bed On success an instance containing the parsed data.
177  * On failure, NULL.
178  */
179 static inline SCDetectByteExtractData *DetectByteExtractParse(
180  DetectEngineCtx *de_ctx, const char *arg)
181 {
182  SCDetectByteExtractData *bed = SCByteExtractParse(arg);
183  if (bed == NULL) {
184  SCLogError("invalid byte_extract values");
185  goto error;
186  }
187 
188  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_SLICE) {
189  SCLogError("byte_extract slice not yet supported; see issue #6831");
190  goto error;
191  }
192  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
193  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
194  /* if are dealing with octal nos, the max no that can fit in a 8
195  * byte value is 01777777777777777777777 */
196  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
197  SCLogError("byte_extract can't process "
198  "more than %d bytes in \"string\" extraction",
199  STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
200  goto error;
201  }
202  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
203  /* if are dealing with decimal nos, the max no that can fit in a 8
204  * byte value is 18446744073709551615 */
205  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
206  SCLogError("byte_extract can't process "
207  "more than %d bytes in \"string\" extraction",
208  STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
209  goto error;
210  }
211  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
212  /* if are dealing with hex nos, the max no that can fit in a 8
213  * byte value is 0xFFFFFFFFFFFFFFFF */
214  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
215  SCLogError("byte_extract can't process "
216  "more than %d bytes in \"string\" extraction",
217  STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
218  goto error;
219  }
220  } else {
221  ; // just a placeholder. we won't reach here.
222  }
223  } else {
224  if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
225  SCLogError("byte_extract can't process "
226  "more than %d bytes in \"non-string\" extraction",
227  NO_STRING_MAX_BYTES_TO_EXTRACT);
228  goto error;
229  }
230  /* if string has not been specified and no endian option has been
231  * specified, then set the default endian level of BIG */
232  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
233  bed->endian = BigEndian;
234  }
235  return bed;
236 
237  error:
238  if (bed != NULL)
239  DetectByteExtractFree(de_ctx, bed);
240  return NULL;
241 }
242 
243 /**
244  * \brief The setup function for the byte_extract keyword for a signature.
245  *
246  * \param de_ctx Pointer to the detection engine context.
247  * \param s Pointer to signature for the current Signature being parsed
248  * from the rules.
249  * \param m Pointer to the head of the SigMatch for the current rule
250  * being parsed.
251  * \param arg Pointer to the string holding the keyword value.
252  *
253  * \retval 0 On success.
254  * \retval -1 On failure.
255  */
256 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
257 {
258  SigMatch *prev_pm = NULL;
259  SCDetectByteExtractData *data = NULL;
260  int ret = -1;
261 
262  data = DetectByteExtractParse(de_ctx, arg);
263  if (data == NULL)
264  goto error;
265 
266  int sm_list;
267  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
268  sm_list = s->init_data->list;
269 
270  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
271  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
272  }
273  } else if (data->endian == EndianDCE) {
274  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
275  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
276  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
277  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
278  if (prev_pm == NULL) {
279  sm_list = DETECT_SM_LIST_PMATCH;
280  } else {
281  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
282  if (sm_list < 0)
283  goto error;
284  }
285  } else {
286  sm_list = DETECT_SM_LIST_PMATCH;
287  }
288 
289  if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
290  goto error;
291 
292  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
293  prev_pm = DetectGetLastSMFromLists(s,
294  DETECT_CONTENT, DETECT_PCRE,
295  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
296  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
297  if (prev_pm == NULL) {
298  sm_list = DETECT_SM_LIST_PMATCH;
299  } else {
300  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
301  if (sm_list < 0)
302  goto error;
303  }
304 
305  } else {
306  sm_list = DETECT_SM_LIST_PMATCH;
307  }
308 
309  if (data->endian == EndianDCE) {
310  if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
311  goto error;
312 
313  if ((DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ==
314  (data->flags & (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING))) {
315  SCLogError("Invalid option. "
316  "A byte_jump keyword with dce holds other invalid modifiers.");
317  goto error;
318  }
319  }
320 
321  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
322  DETECT_BYTE_EXTRACT, -1);
323  if (prev_bed_sm == NULL)
324  data->local_id = 0;
325  else
326  data->local_id = ((SCDetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
327  if (data->local_id > de_ctx->byte_extract_max_local_id)
328  de_ctx->byte_extract_max_local_id = data->local_id;
329 
330  if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_BYTE_EXTRACT, (SigMatchCtx *)data, sm_list) ==
331  NULL) {
332  goto error;
333  }
334 
335  if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
336  goto okay;
337 
338  if (prev_pm == NULL)
339  goto okay;
340 
341  if (prev_pm->type == DETECT_CONTENT) {
342  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
343  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
344  } else if (prev_pm->type == DETECT_PCRE) {
345  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
346  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
347  }
348 
349  okay:
350  ret = 0;
351  return ret;
352  error:
353  DetectByteExtractFree(de_ctx, data);
354  return ret;
355 }
356 
357 /**
358  * \brief Used to free instances of SCDetectByteExtractData.
359  *
360  * \param ptr Instance of SCDetectByteExtractData to be freed.
361  */
362 static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
363 {
364  SCByteExtractFree(ptr);
365 }
366 
367 /**
368  * \brief Lookup the SigMatch for a named byte_extract variable.
369  *
370  * \param arg The name of the byte_extract variable to lookup.
371  * \param s Pointer the signature to look in.
372  *
373  * \retval A pointer to the SigMatch if found, otherwise NULL.
374  */
375 SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, int sm_list, const Signature *s)
376 {
377  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
378  SigMatch *sm = s->init_data->buffers[x].head;
379  while (sm != NULL) {
380  if (sm->type == DETECT_BYTE_EXTRACT) {
381  const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
382  if (strcmp(bed->name, arg) == 0) {
383  return sm;
384  }
385  }
386  sm = sm->next;
387  }
388  }
389 
390  for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
391  SigMatch *sm = s->init_data->smlists[list];
392  while (sm != NULL) {
393  // Make sure that the linked buffers ore on the same list
394  if (sm->type == DETECT_BYTE_EXTRACT && (sm_list == -1 || sm_list == list)) {
395  const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
396  if (strcmp(bed->name, arg) == 0) {
397  return sm;
398  }
399  }
400  sm = sm->next;
401  }
402  }
403 
404  return NULL;
405 }
406 
407 /*************************************Unittests********************************/
408 
409 #ifdef UNITTESTS
410 
411 #include "detect-engine-buffer.h"
412 
413 static int g_file_data_buffer_id = 0;
414 static int g_http_uri_buffer_id = 0;
415 
416 static int DetectByteExtractTest01(void)
417 {
418  int result = 0;
419 
420  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
421  if (bed == NULL)
422  goto end;
423 
424  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
425  bed->endian != BigEndian || bed->align_value != 0 ||
426  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
427  goto end;
428  }
429 
430  result = 1;
431  end:
432  if (bed != NULL)
433  DetectByteExtractFree(NULL, bed);
434  return result;
435 }
436 
437 static int DetectByteExtractTest02(void)
438 {
439  int result = 0;
440 
441  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
442  if (bed == NULL)
443  goto end;
444 
445  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
446  bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE || bed->endian != BigEndian ||
447  bed->align_value != 0 ||
448  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
449  goto end;
450  }
451 
452  result = 1;
453  end:
454  if (bed != NULL)
455  DetectByteExtractFree(NULL, bed);
456  return result;
457 }
458 
459 static int DetectByteExtractTest03(void)
460 {
461  int result = 0;
462 
463  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
464  if (bed == NULL)
465  goto end;
466 
467  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
468  bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER || bed->endian != BigEndian ||
469  bed->align_value != 0 || bed->multiplier_value != 10) {
470  goto end;
471  }
472 
473  result = 1;
474  end:
475  if (bed != NULL)
476  DetectByteExtractFree(NULL, bed);
477  return result;
478 }
479 
480 static int DetectByteExtractTest04(void)
481 {
482  int result = 0;
483 
484  SCDetectByteExtractData *bed =
485  DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
486  if (bed == NULL)
487  goto end;
488 
489  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
490  bed->flags !=
491  (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
492  bed->endian != BigEndian || bed->align_value != 0 || bed->multiplier_value != 10) {
493  goto end;
494  }
495 
496  result = 1;
497  end:
498  if (bed != NULL)
499  DetectByteExtractFree(NULL, bed);
500  return result;
501 }
502 
503 static int DetectByteExtractTest05(void)
504 {
505  int result = 0;
506 
507  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
508  if (bed == NULL)
509  goto end;
510 
511  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
512  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != BigEndian ||
513  bed->align_value != 0 ||
514  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
515  goto end;
516  }
517 
518  result = 1;
519  end:
520  if (bed != NULL)
521  DetectByteExtractFree(NULL, bed);
522  return result;
523 }
524 
525 static int DetectByteExtractTest06(void)
526 {
527  int result = 0;
528 
529  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
530  if (bed == NULL)
531  goto end;
532 
533  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
534  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != LittleEndian ||
535  bed->align_value != 0 ||
536  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
537  goto end;
538  }
539 
540  result = 1;
541  end:
542  if (bed != NULL)
543  DetectByteExtractFree(NULL, bed);
544  return result;
545 }
546 
547 static int DetectByteExtractTest07(void)
548 {
549  int result = 0;
550 
551  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
552  if (bed == NULL)
553  goto end;
554 
555  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
556  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != EndianDCE ||
557  bed->align_value != 0 ||
558  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
559  goto end;
560  }
561 
562  result = 1;
563  end:
564  if (bed != NULL)
565  DetectByteExtractFree(NULL, bed);
566  return result;
567 }
568 
569 static int DetectByteExtractTest08(void)
570 {
571  int result = 0;
572 
573  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
574  if (bed == NULL)
575  goto end;
576 
577  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
578  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
579  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
580  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
581  goto end;
582  }
583 
584  result = 1;
585  end:
586  if (bed != NULL)
587  DetectByteExtractFree(NULL, bed);
588  return result;
589 }
590 
591 static int DetectByteExtractTest09(void)
592 {
593  int result = 0;
594 
595  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
596  if (bed == NULL)
597  goto end;
598 
599  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
600  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
601  bed->base != DETECT_BYTE_EXTRACT_BASE_OCT || bed->align_value != 0 ||
602  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
603  goto end;
604  }
605 
606  result = 1;
607  end:
608  if (bed != NULL)
609  DetectByteExtractFree(NULL, bed);
610  return result;
611 }
612 
613 static int DetectByteExtractTest10(void)
614 {
615  int result = 0;
616 
617  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
618  if (bed == NULL)
619  goto end;
620 
621  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
622  bed->base != DETECT_BYTE_EXTRACT_BASE_DEC || bed->align_value != 0 ||
623  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
624  goto end;
625  }
626 
627  result = 1;
628  end:
629  if (bed != NULL)
630  DetectByteExtractFree(NULL, bed);
631  return result;
632 }
633 
634 static int DetectByteExtractTest11(void)
635 {
636  int result = 0;
637 
638  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
639  if (bed == NULL)
640  goto end;
641 
642  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
643  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN || bed->endian != BigEndian ||
644  bed->align_value != 4 ||
645  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
646  goto end;
647  }
648 
649  result = 1;
650  end:
651  if (bed != NULL)
652  DetectByteExtractFree(NULL, bed);
653  return result;
654 }
655 
656 static int DetectByteExtractTest12(void)
657 {
658  int result = 0;
659 
660  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
661  if (bed == NULL)
662  goto end;
663 
664  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
665  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
666  bed->endian != BigEndian || bed->align_value != 4 ||
667  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
668  goto end;
669  }
670 
671  result = 1;
672  end:
673  if (bed != NULL)
674  DetectByteExtractFree(NULL, bed);
675  return result;
676 }
677 
678 static int DetectByteExtractTest13(void)
679 {
680  int result = 0;
681 
682  SCDetectByteExtractData *bed =
683  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
684  if (bed == NULL)
685  goto end;
686 
687  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
688  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
689  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
690  bed->endian != BigEndian || bed->align_value != 4 ||
691  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
692  goto end;
693  }
694 
695  result = 1;
696  end:
697  if (bed != NULL)
698  DetectByteExtractFree(NULL, bed);
699  return result;
700 }
701 
702 static int DetectByteExtractTest14(void)
703 {
704  int result = 0;
705 
706  SCDetectByteExtractData *bed =
707  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
708  if (bed == NULL)
709  goto end;
710 
711  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
712  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
713  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
714  bed->endian != EndianDCE || bed->align_value != 4 ||
715  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
716  goto end;
717  }
718 
719  result = 1;
720  end:
721  if (bed != NULL)
722  DetectByteExtractFree(NULL, bed);
723  return result;
724 }
725 
726 static int DetectByteExtractTest15(void)
727 {
728  int result = 0;
729 
730  SCDetectByteExtractData *bed =
731  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
732  if (bed == NULL)
733  goto end;
734 
735  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
736  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
737  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
738  bed->endian != LittleEndian || bed->align_value != 4 ||
739  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
740  goto end;
741  }
742 
743  result = 1;
744  end:
745  if (bed != NULL)
746  DetectByteExtractFree(NULL, bed);
747  return result;
748 }
749 
750 static int DetectByteExtractTest16(void)
751 {
752  int result = 0;
753 
754  SCDetectByteExtractData *bed =
755  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
756  if (bed == NULL)
757  goto end;
758 
759  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
760  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
761  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
762  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
763  bed->endian != LittleEndian || bed->align_value != 4 || bed->multiplier_value != 2) {
764  goto end;
765  }
766 
767  result = 1;
768  end:
769  if (bed != NULL)
770  DetectByteExtractFree(NULL, bed);
771  return result;
772 }
773 
774 static int DetectByteExtractTest17(void)
775 {
776  int result = 0;
777 
778  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
779  "relative, little, "
780  "multiplier 2, string hex");
781  if (bed != NULL)
782  goto end;
783 
784  result = 1;
785  end:
786  if (bed != NULL)
787  DetectByteExtractFree(NULL, bed);
788  return result;
789 }
790 
791 static int DetectByteExtractTest18(void)
792 {
793  int result = 0;
794 
795  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
796  "relative, little, "
797  "multiplier 2, "
798  "relative");
799  if (bed != NULL)
800  goto end;
801 
802  result = 1;
803  end:
804  if (bed != NULL)
805  DetectByteExtractFree(NULL, bed);
806  return result;
807 }
808 
809 static int DetectByteExtractTest19(void)
810 {
811  int result = 0;
812 
813  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
814  "relative, little, "
815  "multiplier 2, "
816  "little");
817  if (bed != NULL)
818  goto end;
819 
820  result = 1;
821  end:
822  if (bed != NULL)
823  DetectByteExtractFree(NULL, bed);
824  return result;
825 }
826 
827 static int DetectByteExtractTest20(void)
828 {
829  int result = 0;
830 
831  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
832  "relative, "
833  "multiplier 2, "
834  "align 2");
835  if (bed != NULL)
836  goto end;
837 
838  result = 1;
839  end:
840  if (bed != NULL)
841  DetectByteExtractFree(NULL, bed);
842  return result;
843 }
844 
845 static int DetectByteExtractTest21(void)
846 {
847  int result = 0;
848 
849  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
850  "multiplier 2, "
851  "relative, "
852  "multiplier 2");
853  if (bed != NULL)
854  goto end;
855 
856  result = 1;
857  end:
858  if (bed != NULL)
859  DetectByteExtractFree(NULL, bed);
860  return result;
861 }
862 
863 static int DetectByteExtractTest22(void)
864 {
865  int result = 0;
866 
867  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
868  "string hex, "
869  "relative, "
870  "string hex");
871  if (bed != NULL)
872  goto end;
873 
874  result = 1;
875  end:
876  if (bed != NULL)
877  DetectByteExtractFree(NULL, bed);
878  return result;
879 }
880 
881 static int DetectByteExtractTest23(void)
882 {
883  int result = 0;
884 
885  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
886  "string hex, "
887  "relative, "
888  "string oct");
889  if (bed != NULL)
890  goto end;
891 
892  result = 1;
893  end:
894  if (bed != NULL)
895  DetectByteExtractFree(NULL, bed);
896  return result;
897 }
898 
899 static int DetectByteExtractTest24(void)
900 {
901  int result = 0;
902 
903  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
904  "string hex, "
905  "relative");
906  if (bed != NULL)
907  goto end;
908 
909  result = 1;
910  end:
911  if (bed != NULL)
912  DetectByteExtractFree(NULL, bed);
913  return result;
914 }
915 
916 static int DetectByteExtractTest25(void)
917 {
918  int result = 0;
919 
920  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
921  "little, "
922  "relative");
923  if (bed != NULL)
924  goto end;
925 
926  result = 1;
927  end:
928  if (bed != NULL)
929  DetectByteExtractFree(NULL, bed);
930  return result;
931 }
932 
933 static int DetectByteExtractTest26(void)
934 {
935  int result = 0;
936 
937  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
938  "little, "
939  "relative, "
940  "multiplier 65536");
941  if (bed != NULL)
942  goto end;
943 
944  result = 1;
945  end:
946  if (bed != NULL)
947  DetectByteExtractFree(NULL, bed);
948  return result;
949 }
950 
951 static int DetectByteExtractTest27(void)
952 {
953  int result = 0;
954 
955  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
956  "little, "
957  "relative, "
958  "multiplier 0");
959  if (bed != NULL)
960  goto end;
961 
962  result = 1;
963  end:
964  if (bed != NULL)
965  DetectByteExtractFree(NULL, bed);
966  return result;
967 }
968 
969 static int DetectByteExtractTest28(void)
970 {
971  int result = 0;
972 
973  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
974  if (bed == NULL)
975  goto end;
976 
977  result = 1;
978  end:
979  if (bed != NULL)
980  DetectByteExtractFree(NULL, bed);
981  return result;
982 }
983 
984 static int DetectByteExtractTest29(void)
985 {
986  int result = 0;
987 
988  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
989  if (bed != NULL)
990  goto end;
991 
992  result = 1;
993  end:
994  if (bed != NULL)
995  DetectByteExtractFree(NULL, bed);
996  return result;
997 }
998 
999 static int DetectByteExtractTest30(void)
1000 {
1001  int result = 0;
1002 
1003  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1004  if (bed == NULL)
1005  goto end;
1006 
1007  result = 1;
1008  end:
1009  if (bed != NULL)
1010  DetectByteExtractFree(NULL, bed);
1011  return result;
1012 }
1013 
1014 static int DetectByteExtractTest31(void)
1015 {
1016  int result = 0;
1017 
1018  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1019  if (bed != NULL)
1020  goto end;
1021 
1022  result = 1;
1023  end:
1024  if (bed != NULL)
1025  DetectByteExtractFree(NULL, bed);
1026  return result;
1027 }
1028 
1029 static int DetectByteExtractTest32(void)
1030 {
1031  int result = 0;
1032 
1033  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1034  if (bed == NULL)
1035  goto end;
1036 
1037  result = 1;
1038  end:
1039  if (bed != NULL)
1040  DetectByteExtractFree(NULL, bed);
1041  return result;
1042 }
1043 
1044 static int DetectByteExtractTest33(void)
1045 {
1046  int result = 0;
1047 
1048  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1049  if (bed != NULL)
1050  goto end;
1051 
1052  result = 1;
1053  end:
1054  if (bed != NULL)
1055  DetectByteExtractFree(NULL, bed);
1056  return result;
1057 }
1058 
1059 static int DetectByteExtractTest34(void)
1060 {
1061  DetectEngineCtx *de_ctx = NULL;
1062  int result = 0;
1063  Signature *s = NULL;
1064  SigMatch *sm = NULL;
1065  DetectContentData *cd = NULL;
1066  SCDetectByteExtractData *bed = NULL;
1067 
1068  de_ctx = DetectEngineCtxInit();
1069  if (de_ctx == NULL)
1070  goto end;
1071 
1072  de_ctx->flags |= DE_QUIET;
1073  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1074  "(msg:\"Testing bytejump_body\"; "
1075  "content:\"one\"; "
1076  "byte_extract:4,2,two,relative,string,hex; "
1077  "sid:1;)");
1078  if (de_ctx->sig_list == NULL) {
1079  result = 0;
1080  goto end;
1081  }
1082 
1083  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1084  result = 0;
1085  goto end;
1086  }
1087 
1088  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1089  if (sm->type != DETECT_CONTENT) {
1090  result = 0;
1091  goto end;
1092  }
1093  cd = (DetectContentData *)sm->ctx;
1094  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1095  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1096  cd->flags & DETECT_CONTENT_NOCASE ||
1097  cd->flags & DETECT_CONTENT_WITHIN ||
1098  cd->flags & DETECT_CONTENT_DISTANCE ||
1099  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1100  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1101  cd->flags & DETECT_CONTENT_NEGATED ) {
1102  printf("one failed\n");
1103  result = 0;
1104  goto end;
1105  }
1106 
1107  sm = sm->next;
1108  if (sm->type != DETECT_BYTE_EXTRACT) {
1109  result = 0;
1110  goto end;
1111  }
1112  bed = (SCDetectByteExtractData *)sm->ctx;
1113  if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", cd->content_len) != 0 ||
1114  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1115  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1116  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1117  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1118  goto end;
1119  }
1120 
1121  result = 1;
1122 
1123  end:
1124  SigGroupCleanup(de_ctx);
1125  SigCleanSignatures(de_ctx);
1126  DetectEngineCtxFree(de_ctx);
1127 
1128  return result;
1129 }
1130 
1131 static int DetectByteExtractTest35(void)
1132 {
1133  DetectEngineCtx *de_ctx = NULL;
1134  int result = 0;
1135  Signature *s = NULL;
1136  SigMatch *sm = NULL;
1137  DetectContentData *cd = NULL;
1138  DetectPcreData *pd = NULL;
1139  SCDetectByteExtractData *bed = NULL;
1140 
1141  de_ctx = DetectEngineCtxInit();
1142  if (de_ctx == NULL)
1143  goto end;
1144 
1145  de_ctx->flags |= DE_QUIET;
1146  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1147  "(msg:\"Testing bytejump_body\"; "
1148  "content:\"one\"; pcre:/asf/; "
1149  "byte_extract:4,0,two,relative,string,hex; "
1150  "sid:1;)");
1151  if (de_ctx->sig_list == NULL) {
1152  result = 0;
1153  goto end;
1154  }
1155 
1156  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1157  result = 0;
1158  goto end;
1159  }
1160 
1161  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1162  if (sm->type != DETECT_CONTENT) {
1163  result = 0;
1164  goto end;
1165  }
1166  cd = (DetectContentData *)sm->ctx;
1167  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1168  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1169  cd->flags & DETECT_CONTENT_NOCASE ||
1170  cd->flags & DETECT_CONTENT_WITHIN ||
1171  cd->flags & DETECT_CONTENT_DISTANCE ||
1172  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1173  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1174  cd->flags & DETECT_CONTENT_NEGATED ) {
1175  printf("one failed\n");
1176  result = 0;
1177  goto end;
1178  }
1179 
1180  sm = sm->next;
1181  if (sm->type != DETECT_PCRE) {
1182  result = 0;
1183  goto end;
1184  }
1185  pd = (DetectPcreData *)sm->ctx;
1186  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1187  result = 0;
1188  goto end;
1189  }
1190 
1191  sm = sm->next;
1192  if (sm->type != DETECT_BYTE_EXTRACT) {
1193  result = 0;
1194  goto end;
1195  }
1196  bed = (SCDetectByteExtractData *)sm->ctx;
1197  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1198  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1199  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1200  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1201  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1202  goto end;
1203  }
1204 
1205  result = 1;
1206 
1207  end:
1208  SigGroupCleanup(de_ctx);
1209  SigCleanSignatures(de_ctx);
1210  DetectEngineCtxFree(de_ctx);
1211 
1212  return result;
1213 }
1214 
1215 static int DetectByteExtractTest36(void)
1216 {
1217  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1218  FAIL_IF_NULL(de_ctx);
1219  de_ctx->flags |= DE_QUIET;
1220 
1221  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
1222  "content:\"one\"; byte_jump:1,13; "
1223  "byte_extract:4,0,two,relative,string,hex; "
1224  "sid:1;)");
1225  FAIL_IF_NULL(s);
1226  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
1227 
1228  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1229  FAIL_IF(sm->type != DETECT_CONTENT);
1230  DetectContentData *cd = (DetectContentData *)sm->ctx;
1231  FAIL_IF(cd->flags & DETECT_CONTENT_RAWBYTES);
1232  FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
1233  FAIL_IF(cd->flags & DETECT_CONTENT_NOCASE);
1234  FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
1235  FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
1236  FAIL_IF(cd->flags & DETECT_CONTENT_FAST_PATTERN);
1237  FAIL_IF(cd->flags & DETECT_CONTENT_RELATIVE_NEXT);
1238  FAIL_IF(cd->flags & DETECT_CONTENT_NEGATED);
1239 
1240  sm = sm->next;
1241  FAIL_IF(sm->type != DETECT_BYTEJUMP);
1242  DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
1243  FAIL_IF(bjd->flags != 0);
1244  sm = sm->next;
1245  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
1246  SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
1247  FAIL_IF(bed->nbytes != 4);
1248  FAIL_IF(bed->offset != 0);
1249  FAIL_IF(strcmp(bed->name, "two") != 0);
1250  FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1251  DETECT_BYTE_EXTRACT_FLAG_STRING));
1252  FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
1253  FAIL_IF(bed->align_value != 0);
1254  FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
1255 
1256  DetectEngineCtxFree(de_ctx);
1257  PASS;
1258 }
1259 
1260 static int DetectByteExtractTest37(void)
1261 {
1262  DetectEngineCtx *de_ctx = NULL;
1263  int result = 0;
1264  Signature *s = NULL;
1265  SigMatch *sm = NULL;
1266  DetectContentData *cd = NULL;
1267  DetectContentData *ud = NULL;
1268  SCDetectByteExtractData *bed = NULL;
1269 
1270  de_ctx = DetectEngineCtxInit();
1271  if (de_ctx == NULL)
1272  goto end;
1273 
1274  de_ctx->flags |= DE_QUIET;
1275  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1276  "(msg:\"Testing bytejump_body\"; "
1277  "content:\"one\"; uricontent:\"two\"; "
1278  "byte_extract:4,0,two,relative,string,hex; "
1279  "sid:1;)");
1280  if (de_ctx->sig_list == NULL) {
1281  result = 0;
1282  goto end;
1283  }
1284 
1285  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1286  result = 0;
1287  goto end;
1288  }
1289 
1290  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1291  if (sm->type != DETECT_CONTENT) {
1292  result = 0;
1293  goto end;
1294  }
1295  cd = (DetectContentData *)sm->ctx;
1296  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1297  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1298  cd->flags & DETECT_CONTENT_NOCASE ||
1299  cd->flags & DETECT_CONTENT_WITHIN ||
1300  cd->flags & DETECT_CONTENT_DISTANCE ||
1301  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1302  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1303  cd->flags & DETECT_CONTENT_NEGATED ) {
1304  printf("one failed\n");
1305  result = 0;
1306  goto end;
1307  }
1308 
1309  if (sm->next != NULL) {
1310  result = 0;
1311  goto end;
1312  }
1313 
1314  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1315  if (sm->type != DETECT_CONTENT) {
1316  result = 0;
1317  goto end;
1318  }
1319  ud = (DetectContentData *)sm->ctx;
1320  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1321  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1322  ud->flags & DETECT_CONTENT_NOCASE ||
1323  ud->flags & DETECT_CONTENT_WITHIN ||
1324  ud->flags & DETECT_CONTENT_DISTANCE ||
1325  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1326  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1327  ud->flags & DETECT_CONTENT_NEGATED ) {
1328  printf("two failed\n");
1329  result = 0;
1330  goto end;
1331  }
1332 
1333  sm = sm->next;
1334  if (sm->type != DETECT_BYTE_EXTRACT) {
1335  result = 0;
1336  goto end;
1337  }
1338  bed = (SCDetectByteExtractData *)sm->ctx;
1339  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1340  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1341  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1342  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1343  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1344  goto end;
1345  }
1346 
1347  result = 1;
1348 
1349  end:
1350  SigGroupCleanup(de_ctx);
1351  SigCleanSignatures(de_ctx);
1352  DetectEngineCtxFree(de_ctx);
1353 
1354  return result;
1355 }
1356 
1357 static int DetectByteExtractTest38(void)
1358 {
1359  DetectEngineCtx *de_ctx = NULL;
1360  int result = 0;
1361  Signature *s = NULL;
1362  SigMatch *sm = NULL;
1363  DetectContentData *cd = NULL;
1364  DetectContentData *ud = NULL;
1365  SCDetectByteExtractData *bed = NULL;
1366 
1367  de_ctx = DetectEngineCtxInit();
1368  if (de_ctx == NULL)
1369  goto end;
1370 
1371  de_ctx->flags |= DE_QUIET;
1372  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1373  "(msg:\"Testing bytejump_body\"; "
1374  "content:\"one\"; uricontent:\"two\"; "
1375  "byte_extract:4,0,two,string,hex; "
1376  "sid:1;)");
1377  if (de_ctx->sig_list == NULL) {
1378  result = 0;
1379  goto end;
1380  }
1381 
1382  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1383  result = 0;
1384  goto end;
1385  }
1386 
1387  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1388  if (sm->type != DETECT_CONTENT) {
1389  result = 0;
1390  goto end;
1391  }
1392  cd = (DetectContentData *)sm->ctx;
1393  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1394  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1395  cd->flags & DETECT_CONTENT_NOCASE ||
1396  cd->flags & DETECT_CONTENT_WITHIN ||
1397  cd->flags & DETECT_CONTENT_DISTANCE ||
1398  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1399  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1400  cd->flags & DETECT_CONTENT_NEGATED ) {
1401  printf("one failed\n");
1402  result = 0;
1403  goto end;
1404  }
1405 
1406  sm = sm->next;
1407  if (sm->type != DETECT_BYTE_EXTRACT) {
1408  result = 0;
1409  goto end;
1410  }
1411  bed = (SCDetectByteExtractData *)sm->ctx;
1412  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1413  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1414  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1415  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1416  goto end;
1417  }
1418 
1419  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1420  if (sm->type != DETECT_CONTENT) {
1421  result = 0;
1422  goto end;
1423  }
1424  ud = (DetectContentData *)sm->ctx;
1425  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1426  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1427  ud->flags & DETECT_CONTENT_NOCASE ||
1428  ud->flags & DETECT_CONTENT_WITHIN ||
1429  ud->flags & DETECT_CONTENT_DISTANCE ||
1430  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1431  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1432  ud->flags & DETECT_CONTENT_NEGATED ) {
1433  printf("two failed\n");
1434  result = 0;
1435  goto end;
1436  }
1437 
1438  if (sm->next != NULL) {
1439  result = 0;
1440  goto end;
1441  }
1442 
1443  result = 1;
1444 
1445  end:
1446  SigGroupCleanup(de_ctx);
1447  SigCleanSignatures(de_ctx);
1448  DetectEngineCtxFree(de_ctx);
1449 
1450  return result;
1451 }
1452 
1453 static int DetectByteExtractTest39(void)
1454 {
1455  DetectEngineCtx *de_ctx = NULL;
1456  int result = 0;
1457  Signature *s = NULL;
1458  SigMatch *sm = NULL;
1459  DetectContentData *cd = NULL;
1460  DetectContentData *ud = NULL;
1461  SCDetectByteExtractData *bed = NULL;
1462 
1463  de_ctx = DetectEngineCtxInit();
1464  if (de_ctx == NULL)
1465  goto end;
1466 
1467  de_ctx->flags |= DE_QUIET;
1468  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1469  "(msg:\"Testing bytejump_body\"; "
1470  "content:\"one\"; content:\"two\"; http_uri; "
1471  "byte_extract:4,0,two,relative,string,hex; "
1472  "sid:1;)");
1473  if (de_ctx->sig_list == NULL) {
1474  result = 0;
1475  goto end;
1476  }
1477 
1478  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1479  result = 0;
1480  goto end;
1481  }
1482 
1483  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1484  if (sm->type != DETECT_CONTENT) {
1485  result = 0;
1486  goto end;
1487  }
1488  cd = (DetectContentData *)sm->ctx;
1489  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1490  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1491  cd->flags & DETECT_CONTENT_NOCASE ||
1492  cd->flags & DETECT_CONTENT_WITHIN ||
1493  cd->flags & DETECT_CONTENT_DISTANCE ||
1494  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1495  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1496  cd->flags & DETECT_CONTENT_NEGATED ) {
1497  printf("one failed\n");
1498  result = 0;
1499  goto end;
1500  }
1501 
1502  if (sm->next != NULL) {
1503  result = 0;
1504  goto end;
1505  }
1506 
1507  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1508  if (sm->type != DETECT_CONTENT) {
1509  result = 0;
1510  goto end;
1511  }
1512  ud = (DetectContentData *)sm->ctx;
1513  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1514  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1515  ud->flags & DETECT_CONTENT_NOCASE ||
1516  ud->flags & DETECT_CONTENT_WITHIN ||
1517  ud->flags & DETECT_CONTENT_DISTANCE ||
1518  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1519  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1520  ud->flags & DETECT_CONTENT_NEGATED ) {
1521  printf("two failed\n");
1522  result = 0;
1523  goto end;
1524  }
1525 
1526  sm = sm->next;
1527  if (sm->type != DETECT_BYTE_EXTRACT) {
1528  result = 0;
1529  goto end;
1530  }
1531  bed = (SCDetectByteExtractData *)sm->ctx;
1532  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1533  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1534  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1535  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1536  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1537  goto end;
1538  }
1539 
1540  result = 1;
1541 
1542  end:
1543  SigGroupCleanup(de_ctx);
1544  SigCleanSignatures(de_ctx);
1545  DetectEngineCtxFree(de_ctx);
1546 
1547  return result;
1548 }
1549 
1550 static int DetectByteExtractTest40(void)
1551 {
1552  DetectEngineCtx *de_ctx = NULL;
1553  int result = 0;
1554  Signature *s = NULL;
1555  SigMatch *sm = NULL;
1556  DetectContentData *cd = NULL;
1557  DetectContentData *ud = NULL;
1558  SCDetectByteExtractData *bed = NULL;
1559 
1560  de_ctx = DetectEngineCtxInit();
1561  if (de_ctx == NULL)
1562  goto end;
1563 
1564  de_ctx->flags |= DE_QUIET;
1565  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1566  "(msg:\"Testing bytejump_body\"; "
1567  "content:\"one\"; content:\"two\"; http_uri; "
1568  "byte_extract:4,0,two,string,hex; "
1569  "sid:1;)");
1570  if (de_ctx->sig_list == NULL) {
1571  result = 0;
1572  goto end;
1573  }
1574 
1575  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1576  result = 0;
1577  goto end;
1578  }
1579 
1580  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1581  if (sm->type != DETECT_CONTENT) {
1582  result = 0;
1583  goto end;
1584  }
1585  cd = (DetectContentData *)sm->ctx;
1586  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1587  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1588  cd->flags & DETECT_CONTENT_NOCASE ||
1589  cd->flags & DETECT_CONTENT_WITHIN ||
1590  cd->flags & DETECT_CONTENT_DISTANCE ||
1591  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1592  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1593  cd->flags & DETECT_CONTENT_NEGATED ) {
1594  printf("one failed\n");
1595  result = 0;
1596  goto end;
1597  }
1598 
1599  sm = sm->next;
1600  if (sm->type != DETECT_BYTE_EXTRACT) {
1601  result = 0;
1602  goto end;
1603  }
1604  bed = (SCDetectByteExtractData *)sm->ctx;
1605  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1606  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1607  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1608  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1609  goto end;
1610  }
1611 
1612  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1613  if (sm->type != DETECT_CONTENT) {
1614  result = 0;
1615  goto end;
1616  }
1617  ud = (DetectContentData *)sm->ctx;
1618  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1619  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1620  ud->flags & DETECT_CONTENT_NOCASE ||
1621  ud->flags & DETECT_CONTENT_WITHIN ||
1622  ud->flags & DETECT_CONTENT_DISTANCE ||
1623  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1624  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1625  ud->flags & DETECT_CONTENT_NEGATED ) {
1626  printf("two failed\n");
1627  result = 0;
1628  goto end;
1629  }
1630 
1631  if (sm->next != NULL) {
1632  result = 0;
1633  goto end;
1634  }
1635 
1636  result = 1;
1637 
1638  end:
1639  SigGroupCleanup(de_ctx);
1640  SigCleanSignatures(de_ctx);
1641  DetectEngineCtxFree(de_ctx);
1642 
1643  return result;
1644 }
1645 
1646 static int DetectByteExtractTest41(void)
1647 {
1648  DetectEngineCtx *de_ctx = NULL;
1649  int result = 0;
1650  Signature *s = NULL;
1651  SigMatch *sm = NULL;
1652  DetectContentData *cd = NULL;
1653  SCDetectByteExtractData *bed = NULL;
1654 
1655  de_ctx = DetectEngineCtxInit();
1656  if (de_ctx == NULL)
1657  goto end;
1658 
1659  de_ctx->flags |= DE_QUIET;
1660  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1661  "(msg:\"Testing bytejump_body\"; "
1662  "content:\"one\"; "
1663  "byte_extract:4,0,two,string,hex; "
1664  "byte_extract:4,0,three,string,hex; "
1665  "sid:1;)");
1666  if (de_ctx->sig_list == NULL) {
1667  result = 0;
1668  goto end;
1669  }
1670 
1671  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1672  result = 0;
1673  goto end;
1674  }
1675 
1676  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1677  if (sm->type != DETECT_CONTENT) {
1678  result = 0;
1679  goto end;
1680  }
1681  cd = (DetectContentData *)sm->ctx;
1682  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1683  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1684  cd->flags & DETECT_CONTENT_NOCASE ||
1685  cd->flags & DETECT_CONTENT_WITHIN ||
1686  cd->flags & DETECT_CONTENT_DISTANCE ||
1687  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1688  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1689  cd->flags & DETECT_CONTENT_NEGATED ) {
1690  printf("one failed\n");
1691  result = 0;
1692  goto end;
1693  }
1694 
1695  sm = sm->next;
1696  if (sm->type != DETECT_BYTE_EXTRACT) {
1697  result = 0;
1698  goto end;
1699  }
1700  bed = (SCDetectByteExtractData *)sm->ctx;
1701  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1702  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1703  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1704  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1705  goto end;
1706  }
1707  if (bed->local_id != 0) {
1708  result = 0;
1709  goto end;
1710  }
1711 
1712  sm = sm->next;
1713  if (sm->type != DETECT_BYTE_EXTRACT) {
1714  result = 0;
1715  goto end;
1716  }
1717  bed = (SCDetectByteExtractData *)sm->ctx;
1718  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "three") != 0 ||
1719  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1720  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1721  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1722  goto end;
1723  }
1724  if (bed->local_id != 1) {
1725  result = 0;
1726  goto end;
1727  }
1728 
1729  result = 1;
1730 
1731  end:
1732  SigGroupCleanup(de_ctx);
1733  SigCleanSignatures(de_ctx);
1734  DetectEngineCtxFree(de_ctx);
1735 
1736  return result;
1737 }
1738 
1739 static int DetectByteExtractTest42(void)
1740 {
1741  DetectEngineCtx *de_ctx = NULL;
1742  int result = 0;
1743  Signature *s = NULL;
1744  SigMatch *sm = NULL;
1745  DetectContentData *cd = NULL;
1746  DetectContentData *ud = NULL;
1747  SCDetectByteExtractData *bed = NULL;
1748 
1749  de_ctx = DetectEngineCtxInit();
1750  if (de_ctx == NULL)
1751  goto end;
1752 
1753  de_ctx->flags |= DE_QUIET;
1754  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1755  "(msg:\"Testing bytejump_body\"; "
1756  "content:\"one\"; "
1757  "byte_extract:4,0,two,string,hex; "
1758  "uricontent: \"three\"; "
1759  "byte_extract:4,0,four,string,hex,relative; "
1760  "byte_extract:4,0,five,string,hex; "
1761  "sid:1;)");
1762  if (de_ctx->sig_list == NULL) {
1763  result = 0;
1764  goto end;
1765  }
1766 
1767  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1768  result = 0;
1769  goto end;
1770  }
1771 
1772  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1773  if (sm->type != DETECT_CONTENT) {
1774  result = 0;
1775  goto end;
1776  }
1777  cd = (DetectContentData *)sm->ctx;
1778  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1779  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1780  cd->flags & DETECT_CONTENT_NOCASE ||
1781  cd->flags & DETECT_CONTENT_WITHIN ||
1782  cd->flags & DETECT_CONTENT_DISTANCE ||
1783  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1784  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1785  cd->flags & DETECT_CONTENT_NEGATED ) {
1786  printf("one failed\n");
1787  result = 0;
1788  goto end;
1789  }
1790 
1791  sm = sm->next;
1792  if (sm->type != DETECT_BYTE_EXTRACT) {
1793  result = 0;
1794  goto end;
1795  }
1796  bed = (SCDetectByteExtractData *)sm->ctx;
1797  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1798  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1799  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1800  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1801  goto end;
1802  }
1803  if (bed->local_id != 0) {
1804  result = 0;
1805  goto end;
1806  }
1807 
1808  sm = sm->next;
1809  if (sm->type != DETECT_BYTE_EXTRACT) {
1810  result = 0;
1811  goto end;
1812  }
1813  bed = (SCDetectByteExtractData *)sm->ctx;
1814  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "five") != 0 ||
1815  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1816  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1817  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1818  goto end;
1819  }
1820  if (bed->local_id != 1) {
1821  result = 0;
1822  goto end;
1823  }
1824 
1825  if (sm->next != NULL)
1826  goto end;
1827 
1828  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1829  if (sm->type != DETECT_CONTENT) {
1830  result = 0;
1831  goto end;
1832  }
1833  ud = (DetectContentData *)sm->ctx;
1834  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1835  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
1836  ud->flags & DETECT_CONTENT_NOCASE ||
1837  ud->flags & DETECT_CONTENT_WITHIN ||
1838  ud->flags & DETECT_CONTENT_DISTANCE ||
1839  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1840  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1841  ud->flags & DETECT_CONTENT_NEGATED ) {
1842  printf("two failed\n");
1843  result = 0;
1844  goto end;
1845  }
1846 
1847  sm = sm->next;
1848  if (sm->type != DETECT_BYTE_EXTRACT) {
1849  result = 0;
1850  goto end;
1851  }
1852  bed = (SCDetectByteExtractData *)sm->ctx;
1853  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "four") != 0 ||
1854  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1855  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1856  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1857  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1858  goto end;
1859  }
1860  if (bed->local_id != 0) {
1861  result = 0;
1862  goto end;
1863  }
1864 
1865  if (sm->next != NULL)
1866  goto end;
1867 
1868  result = 1;
1869 
1870  end:
1871  SigGroupCleanup(de_ctx);
1872  SigCleanSignatures(de_ctx);
1873  DetectEngineCtxFree(de_ctx);
1874 
1875  return result;
1876 }
1877 
1878 static int DetectByteExtractTest43(void)
1879 {
1880  DetectEngineCtx *de_ctx = NULL;
1881  int result = 0;
1882  Signature *s = NULL;
1883  SigMatch *sm = NULL;
1884  DetectContentData *cd = NULL;
1885  SCDetectByteExtractData *bed = NULL;
1886 
1887  de_ctx = DetectEngineCtxInit();
1888  if (de_ctx == NULL)
1889  goto end;
1890 
1891  de_ctx->flags |= DE_QUIET;
1892  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1893  "(msg:\"Testing bytejump_body\"; "
1894  "content:\"one\"; "
1895  "byte_extract:4,0,two,string,hex; "
1896  "content: \"three\"; offset:two; "
1897  "sid:1;)");
1898  if (de_ctx->sig_list == NULL) {
1899  result = 0;
1900  goto end;
1901  }
1902 
1903  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1904  result = 0;
1905  goto end;
1906  }
1907 
1908  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1909  if (sm->type != DETECT_CONTENT) {
1910  result = 0;
1911  goto end;
1912  }
1913  cd = (DetectContentData *)sm->ctx;
1914  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1915  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1916  cd->flags & DETECT_CONTENT_NOCASE ||
1917  cd->flags & DETECT_CONTENT_WITHIN ||
1918  cd->flags & DETECT_CONTENT_DISTANCE ||
1919  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1920  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1921  cd->flags & DETECT_CONTENT_NEGATED ) {
1922  printf("one failed\n");
1923  result = 0;
1924  goto end;
1925  }
1926 
1927  sm = sm->next;
1928  if (sm->type != DETECT_BYTE_EXTRACT) {
1929  result = 0;
1930  goto end;
1931  }
1932  bed = (SCDetectByteExtractData *)sm->ctx;
1933  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1934  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1935  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1936  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1937  goto end;
1938  }
1939  if (bed->local_id != 0) {
1940  result = 0;
1941  goto end;
1942  }
1943 
1944  sm = sm->next;
1945  if (sm->type != DETECT_CONTENT) {
1946  result = 0;
1947  goto end;
1948  }
1949  cd = (DetectContentData *)sm->ctx;
1950  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
1951  cd->flags != (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_OFFSET | DETECT_CONTENT_MPM) ||
1952  cd->offset != bed->local_id) {
1953  printf("three failed\n");
1954  result = 0;
1955  goto end;
1956  }
1957 
1958  if (sm->next != NULL)
1959  goto end;
1960 
1961  result = 1;
1962 
1963  end:
1964  SigGroupCleanup(de_ctx);
1965  SigCleanSignatures(de_ctx);
1966  DetectEngineCtxFree(de_ctx);
1967 
1968  return result;
1969 }
1970 
1971 static int DetectByteExtractTest44(void)
1972 {
1973  DetectEngineCtx *de_ctx = NULL;
1974  int result = 0;
1975  Signature *s = NULL;
1976  SigMatch *sm = NULL;
1977  DetectContentData *cd = NULL;
1978  SCDetectByteExtractData *bed1 = NULL;
1979  SCDetectByteExtractData *bed2 = NULL;
1980 
1981  de_ctx = DetectEngineCtxInit();
1982  if (de_ctx == NULL)
1983  goto end;
1984 
1985  de_ctx->flags |= DE_QUIET;
1986  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1987  "(msg:\"Testing bytejump_body\"; "
1988  "content:\"one\"; "
1989  "byte_extract:4,0,two,string,hex; "
1990  "byte_extract:4,0,three,string,hex; "
1991  "content: \"four\"; offset:two; "
1992  "content: \"five\"; offset:three; "
1993  "sid:1;)");
1994  if (de_ctx->sig_list == NULL) {
1995  result = 0;
1996  goto end;
1997  }
1998 
1999  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2000  result = 0;
2001  goto end;
2002  }
2003 
2004  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2005  if (sm->type != DETECT_CONTENT) {
2006  result = 0;
2007  goto end;
2008  }
2009  cd = (DetectContentData *)sm->ctx;
2010  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2011  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2012  cd->flags & DETECT_CONTENT_NOCASE ||
2013  cd->flags & DETECT_CONTENT_WITHIN ||
2014  cd->flags & DETECT_CONTENT_DISTANCE ||
2015  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2016  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2017  cd->flags & DETECT_CONTENT_NEGATED ) {
2018  printf("one failed\n");
2019  result = 0;
2020  goto end;
2021  }
2022 
2023  sm = sm->next;
2024  if (sm->type != DETECT_BYTE_EXTRACT) {
2025  result = 0;
2026  goto end;
2027  }
2028  bed1 = (SCDetectByteExtractData *)sm->ctx;
2029  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2030  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2031  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2032  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2033  goto end;
2034  }
2035  if (bed1->local_id != 0) {
2036  result = 0;
2037  goto end;
2038  }
2039 
2040  sm = sm->next;
2041  if (sm->type != DETECT_BYTE_EXTRACT) {
2042  result = 0;
2043  goto end;
2044  }
2045  bed2 = (SCDetectByteExtractData *)sm->ctx;
2046 
2047  sm = sm->next;
2048  if (sm->type != DETECT_CONTENT) {
2049  result = 0;
2050  goto end;
2051  }
2052  cd = (DetectContentData *)sm->ctx;
2053  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2054  cd->flags != (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_OFFSET | DETECT_CONTENT_MPM) ||
2055  cd->offset != bed1->local_id) {
2056  printf("four failed\n");
2057  result = 0;
2058  goto end;
2059  }
2060 
2061  sm = sm->next;
2062  if (sm->type != DETECT_CONTENT) {
2063  result = 0;
2064  goto end;
2065  }
2066  cd = (DetectContentData *)sm->ctx;
2067  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2068  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2069  DETECT_CONTENT_OFFSET) ||
2070  cd->offset != bed2->local_id) {
2071  printf("five failed\n");
2072  result = 0;
2073  goto end;
2074  }
2075 
2076  if (sm->next != NULL)
2077  goto end;
2078 
2079  result = 1;
2080 
2081  end:
2082  SigGroupCleanup(de_ctx);
2083  SigCleanSignatures(de_ctx);
2084  DetectEngineCtxFree(de_ctx);
2085 
2086  return result;
2087 }
2088 
2089 static int DetectByteExtractTest45(void)
2090 {
2091  DetectEngineCtx *de_ctx = NULL;
2092  int result = 0;
2093  Signature *s = NULL;
2094  SigMatch *sm = NULL;
2095  DetectContentData *cd = NULL;
2096  SCDetectByteExtractData *bed = NULL;
2097 
2098  de_ctx = DetectEngineCtxInit();
2099  if (de_ctx == NULL)
2100  goto end;
2101 
2102  de_ctx->flags |= DE_QUIET;
2103  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2104  "(msg:\"Testing bytejump_body\"; "
2105  "content:\"one\"; "
2106  "byte_extract:4,0,two,string,hex; "
2107  "content: \"three\"; depth:two; "
2108  "sid:1;)");
2109  if (de_ctx->sig_list == NULL) {
2110  result = 0;
2111  goto end;
2112  }
2113 
2114  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2115  result = 0;
2116  goto end;
2117  }
2118 
2119  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2120  if (sm->type != DETECT_CONTENT) {
2121  result = 0;
2122  goto end;
2123  }
2124  cd = (DetectContentData *)sm->ctx;
2125  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2126  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2127  cd->flags & DETECT_CONTENT_NOCASE ||
2128  cd->flags & DETECT_CONTENT_WITHIN ||
2129  cd->flags & DETECT_CONTENT_DISTANCE ||
2130  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2131  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2132  cd->flags & DETECT_CONTENT_NEGATED ) {
2133  printf("one failed\n");
2134  result = 0;
2135  goto end;
2136  }
2137 
2138  sm = sm->next;
2139  if (sm->type != DETECT_BYTE_EXTRACT) {
2140  result = 0;
2141  goto end;
2142  }
2143  bed = (SCDetectByteExtractData *)sm->ctx;
2144  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2145  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2146  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2147  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2148  goto end;
2149  }
2150  if (bed->local_id != 0) {
2151  result = 0;
2152  goto end;
2153  }
2154 
2155  sm = sm->next;
2156  if (sm->type != DETECT_CONTENT) {
2157  result = 0;
2158  goto end;
2159  }
2160  cd = (DetectContentData *)sm->ctx;
2161  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2162  cd->flags != (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_DEPTH | DETECT_CONTENT_MPM) ||
2163  cd->depth != bed->local_id || cd->offset != 0) {
2164  printf("three failed\n");
2165  result = 0;
2166  goto end;
2167  }
2168 
2169  if (sm->next != NULL)
2170  goto end;
2171 
2172  result = 1;
2173 
2174  end:
2175  SigGroupCleanup(de_ctx);
2176  SigCleanSignatures(de_ctx);
2177  DetectEngineCtxFree(de_ctx);
2178 
2179  return result;
2180 }
2181 
2182 static int DetectByteExtractTest46(void)
2183 {
2184  DetectEngineCtx *de_ctx = NULL;
2185  int result = 0;
2186  Signature *s = NULL;
2187  SigMatch *sm = NULL;
2188  DetectContentData *cd = NULL;
2189  SCDetectByteExtractData *bed1 = NULL;
2190  SCDetectByteExtractData *bed2 = NULL;
2191 
2192  de_ctx = DetectEngineCtxInit();
2193  if (de_ctx == NULL)
2194  goto end;
2195 
2196  de_ctx->flags |= DE_QUIET;
2197  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2198  "(msg:\"Testing bytejump_body\"; "
2199  "content:\"one\"; "
2200  "byte_extract:4,0,two,string,hex; "
2201  "byte_extract:4,0,three,string,hex; "
2202  "content: \"four\"; depth:two; "
2203  "content: \"five\"; depth:three; "
2204  "sid:1;)");
2205  if (de_ctx->sig_list == NULL) {
2206  result = 0;
2207  goto end;
2208  }
2209 
2210  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2211  result = 0;
2212  goto end;
2213  }
2214 
2215  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2216  if (sm->type != DETECT_CONTENT) {
2217  result = 0;
2218  goto end;
2219  }
2220  cd = (DetectContentData *)sm->ctx;
2221  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2222  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2223  cd->flags & DETECT_CONTENT_NOCASE ||
2224  cd->flags & DETECT_CONTENT_WITHIN ||
2225  cd->flags & DETECT_CONTENT_DISTANCE ||
2226  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2227  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2228  cd->flags & DETECT_CONTENT_NEGATED ) {
2229  printf("one failed\n");
2230  result = 0;
2231  goto end;
2232  }
2233 
2234  sm = sm->next;
2235  if (sm->type != DETECT_BYTE_EXTRACT) {
2236  result = 0;
2237  goto end;
2238  }
2239  bed1 = (SCDetectByteExtractData *)sm->ctx;
2240  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2241  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2242  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2243  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2244  goto end;
2245  }
2246  if (bed1->local_id != 0) {
2247  result = 0;
2248  goto end;
2249  }
2250 
2251  sm = sm->next;
2252  if (sm->type != DETECT_BYTE_EXTRACT) {
2253  result = 0;
2254  goto end;
2255  }
2256  bed2 = (SCDetectByteExtractData *)sm->ctx;
2257 
2258  sm = sm->next;
2259  if (sm->type != DETECT_CONTENT) {
2260  result = 0;
2261  goto end;
2262  }
2263  cd = (DetectContentData *)sm->ctx;
2264  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2265  cd->flags != (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_DEPTH | DETECT_CONTENT_MPM) ||
2266  cd->depth != bed1->local_id) {
2267  printf("four failed\n");
2268  result = 0;
2269  goto end;
2270  }
2271 
2272  sm = sm->next;
2273  if (sm->type != DETECT_CONTENT) {
2274  result = 0;
2275  goto end;
2276  }
2277  cd = (DetectContentData *)sm->ctx;
2278  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2279  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2280  DETECT_CONTENT_DEPTH) ||
2281  cd->depth != bed2->local_id) {
2282  printf("five failed\n");
2283  result = 0;
2284  goto end;
2285  }
2286 
2287  if (sm->next != NULL)
2288  goto end;
2289 
2290  result = 1;
2291 
2292  end:
2293  SigGroupCleanup(de_ctx);
2294  SigCleanSignatures(de_ctx);
2295  DetectEngineCtxFree(de_ctx);
2296 
2297  return result;
2298 }
2299 
2300 static int DetectByteExtractTest47(void)
2301 {
2302  DetectEngineCtx *de_ctx = NULL;
2303  int result = 0;
2304  Signature *s = NULL;
2305  SigMatch *sm = NULL;
2306  DetectContentData *cd = NULL;
2307  SCDetectByteExtractData *bed = NULL;
2308 
2309  de_ctx = DetectEngineCtxInit();
2310  if (de_ctx == NULL)
2311  goto end;
2312 
2313  de_ctx->flags |= DE_QUIET;
2314  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2315  "(msg:\"Testing bytejump_body\"; "
2316  "content:\"one\"; "
2317  "byte_extract:4,0,two,string,hex; "
2318  "content: \"three\"; distance:two; "
2319  "sid:1;)");
2320  if (de_ctx->sig_list == NULL) {
2321  result = 0;
2322  goto end;
2323  }
2324 
2325  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2326  result = 0;
2327  goto end;
2328  }
2329 
2330  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2331  if (sm->type != DETECT_CONTENT) {
2332  result = 0;
2333  goto end;
2334  }
2335  cd = (DetectContentData *)sm->ctx;
2336  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2337  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2338  cd->flags & DETECT_CONTENT_NOCASE ||
2339  cd->flags & DETECT_CONTENT_WITHIN ||
2340  cd->flags & DETECT_CONTENT_DISTANCE ||
2341  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2342  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2343  cd->flags & DETECT_CONTENT_NEGATED ) {
2344  printf("one failed\n");
2345  result = 0;
2346  goto end;
2347  }
2348 
2349  sm = sm->next;
2350  if (sm->type != DETECT_BYTE_EXTRACT) {
2351  result = 0;
2352  goto end;
2353  }
2354  bed = (SCDetectByteExtractData *)sm->ctx;
2355  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2356  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2357  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2358  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2359  goto end;
2360  }
2361  if (bed->local_id != 0) {
2362  result = 0;
2363  goto end;
2364  }
2365 
2366  sm = sm->next;
2367  if (sm->type != DETECT_CONTENT) {
2368  result = 0;
2369  goto end;
2370  }
2371  cd = (DetectContentData *)sm->ctx;
2372  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2373  cd->flags !=
2374  (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_DISTANCE | DETECT_CONTENT_MPM) ||
2375  cd->distance != bed->local_id || cd->offset != 0 || cd->depth != 0) {
2376  printf("three failed\n");
2377  result = 0;
2378  goto end;
2379  }
2380 
2381  if (sm->next != NULL)
2382  goto end;
2383 
2384  result = 1;
2385 
2386  end:
2387  SigGroupCleanup(de_ctx);
2388  SigCleanSignatures(de_ctx);
2389  DetectEngineCtxFree(de_ctx);
2390 
2391  return result;
2392 }
2393 
2394 static int DetectByteExtractTest48(void)
2395 {
2396  DetectEngineCtx *de_ctx = NULL;
2397  int result = 0;
2398  Signature *s = NULL;
2399  SigMatch *sm = NULL;
2400  DetectContentData *cd = NULL;
2401  SCDetectByteExtractData *bed1 = NULL;
2402  SCDetectByteExtractData *bed2 = NULL;
2403 
2404  de_ctx = DetectEngineCtxInit();
2405  if (de_ctx == NULL)
2406  goto end;
2407 
2408  de_ctx->flags |= DE_QUIET;
2409  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2410  "(msg:\"Testing bytejump_body\"; "
2411  "content:\"one\"; "
2412  "byte_extract:4,0,two,string,hex; "
2413  "byte_extract:4,0,three,string,hex; "
2414  "content: \"four\"; distance:two; "
2415  "content: \"five\"; distance:three; "
2416  "sid:1;)");
2417  if (de_ctx->sig_list == NULL) {
2418  result = 0;
2419  goto end;
2420  }
2421 
2422  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2423  result = 0;
2424  goto end;
2425  }
2426 
2427  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2428  if (sm->type != DETECT_CONTENT) {
2429  result = 0;
2430  goto end;
2431  }
2432  cd = (DetectContentData *)sm->ctx;
2433  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2434  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2435  cd->flags & DETECT_CONTENT_NOCASE ||
2436  cd->flags & DETECT_CONTENT_WITHIN ||
2437  cd->flags & DETECT_CONTENT_DISTANCE ||
2438  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2439  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2440  cd->flags & DETECT_CONTENT_NEGATED ) {
2441  printf("one failed\n");
2442  result = 0;
2443  goto end;
2444  }
2445 
2446  sm = sm->next;
2447  if (sm->type != DETECT_BYTE_EXTRACT) {
2448  result = 0;
2449  goto end;
2450  }
2451  bed1 = (SCDetectByteExtractData *)sm->ctx;
2452  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2453  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2454  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2455  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2456  goto end;
2457  }
2458  if (bed1->local_id != 0) {
2459  result = 0;
2460  goto end;
2461  }
2462 
2463  sm = sm->next;
2464  if (sm->type != DETECT_BYTE_EXTRACT) {
2465  result = 0;
2466  goto end;
2467  }
2468  bed2 = (SCDetectByteExtractData *)sm->ctx;
2469 
2470  sm = sm->next;
2471  if (sm->type != DETECT_CONTENT) {
2472  result = 0;
2473  goto end;
2474  }
2475  cd = (DetectContentData *)sm->ctx;
2476  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2477  cd->flags != (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_DISTANCE |
2478  DETECT_CONTENT_DISTANCE_NEXT | DETECT_CONTENT_MPM) ||
2479  cd->distance != bed1->local_id || cd->depth != 0 || cd->offset != 0) {
2480  printf("four failed\n");
2481  result = 0;
2482  goto end;
2483  }
2484 
2485  sm = sm->next;
2486  if (sm->type != DETECT_CONTENT) {
2487  result = 0;
2488  goto end;
2489  }
2490  cd = (DetectContentData *)sm->ctx;
2491  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2492  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2493  DETECT_CONTENT_DISTANCE) ||
2494  cd->distance != bed2->local_id ||
2495  cd->depth != 0 ||
2496  cd->offset != 0) {
2497  printf("five failed\n");
2498  result = 0;
2499  goto end;
2500  }
2501 
2502  if (sm->next != NULL)
2503  goto end;
2504 
2505  result = 1;
2506 
2507  end:
2508  SigGroupCleanup(de_ctx);
2509  SigCleanSignatures(de_ctx);
2510  DetectEngineCtxFree(de_ctx);
2511 
2512  return result;
2513 }
2514 
2515 static int DetectByteExtractTest49(void)
2516 {
2517  DetectEngineCtx *de_ctx = NULL;
2518  int result = 0;
2519  Signature *s = NULL;
2520  SigMatch *sm = NULL;
2521  DetectContentData *cd = NULL;
2522  SCDetectByteExtractData *bed = NULL;
2523 
2524  de_ctx = DetectEngineCtxInit();
2525  if (de_ctx == NULL)
2526  goto end;
2527 
2528  de_ctx->flags |= DE_QUIET;
2529  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2530  "(msg:\"Testing bytejump_body\"; "
2531  "content:\"one\"; "
2532  "byte_extract:4,0,two,string,hex; "
2533  "content: \"three\"; within:two; "
2534  "sid:1;)");
2535  if (de_ctx->sig_list == NULL) {
2536  result = 0;
2537  goto end;
2538  }
2539 
2540  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2541  result = 0;
2542  goto end;
2543  }
2544 
2545  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2546  if (sm->type != DETECT_CONTENT) {
2547  result = 0;
2548  goto end;
2549  }
2550  cd = (DetectContentData *)sm->ctx;
2551  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2552  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2553  cd->flags & DETECT_CONTENT_NOCASE ||
2554  cd->flags & DETECT_CONTENT_WITHIN ||
2555  cd->flags & DETECT_CONTENT_DISTANCE ||
2556  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2557  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2558  cd->flags & DETECT_CONTENT_NEGATED ) {
2559  printf("one failed\n");
2560  result = 0;
2561  goto end;
2562  }
2563 
2564  sm = sm->next;
2565  if (sm->type != DETECT_BYTE_EXTRACT) {
2566  result = 0;
2567  goto end;
2568  }
2569  bed = (SCDetectByteExtractData *)sm->ctx;
2570  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2571  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2572  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2573  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2574  goto end;
2575  }
2576  if (bed->local_id != 0) {
2577  result = 0;
2578  goto end;
2579  }
2580 
2581  sm = sm->next;
2582  if (sm->type != DETECT_CONTENT) {
2583  result = 0;
2584  goto end;
2585  }
2586  cd = (DetectContentData *)sm->ctx;
2587  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2588  cd->flags != (DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_WITHIN | DETECT_CONTENT_MPM) ||
2589  cd->within != bed->local_id || cd->offset != 0 || cd->depth != 0 || cd->distance != 0) {
2590  printf("three failed\n");
2591  result = 0;
2592  goto end;
2593  }
2594 
2595  if (sm->next != NULL)
2596  goto end;
2597 
2598  result = 1;
2599 
2600  end:
2601  SigGroupCleanup(de_ctx);
2602  SigCleanSignatures(de_ctx);
2603  DetectEngineCtxFree(de_ctx);
2604 
2605  return result;
2606 }
2607 
2608 static int DetectByteExtractTest50(void)
2609 {
2610  DetectEngineCtx *de_ctx = NULL;
2611  int result = 0;
2612  Signature *s = NULL;
2613  SigMatch *sm = NULL;
2614  DetectContentData *cd = NULL;
2615  SCDetectByteExtractData *bed1 = NULL;
2616  SCDetectByteExtractData *bed2 = NULL;
2617 
2618  de_ctx = DetectEngineCtxInit();
2619  if (de_ctx == NULL)
2620  goto end;
2621 
2622  de_ctx->flags |= DE_QUIET;
2623  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2624  "(msg:\"Testing bytejump_body\"; "
2625  "content:\"one\"; "
2626  "byte_extract:4,0,two,string,hex; "
2627  "byte_extract:4,0,three,string,hex; "
2628  "content: \"four\"; within:two; "
2629  "content: \"five\"; within:three; "
2630  "sid:1;)");
2631  if (de_ctx->sig_list == NULL) {
2632  result = 0;
2633  goto end;
2634  }
2635 
2636  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2637  result = 0;
2638  goto end;
2639  }
2640 
2641  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2642  if (sm->type != DETECT_CONTENT) {
2643  result = 0;
2644  goto end;
2645  }
2646  cd = (DetectContentData *)sm->ctx;
2647  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2648  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2649  cd->flags & DETECT_CONTENT_NOCASE ||
2650  cd->flags & DETECT_CONTENT_WITHIN ||
2651  cd->flags & DETECT_CONTENT_DISTANCE ||
2652  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2653  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2654  cd->flags & DETECT_CONTENT_NEGATED ) {
2655  printf("one failed\n");
2656  result = 0;
2657  goto end;
2658  }
2659 
2660  sm = sm->next;
2661  if (sm->type != DETECT_BYTE_EXTRACT) {
2662  result = 0;
2663  goto end;
2664  }
2665  bed1 = (SCDetectByteExtractData *)sm->ctx;
2666  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2667  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2668  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2669  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2670  goto end;
2671  }
2672  if (bed1->local_id != 0) {
2673  result = 0;
2674  goto end;
2675  }
2676 
2677  sm = sm->next;
2678  if (sm->type != DETECT_BYTE_EXTRACT) {
2679  result = 0;
2680  goto end;
2681  }
2682  bed2 = (SCDetectByteExtractData *)sm->ctx;
2683 
2684  sm = sm->next;
2685  if (sm->type != DETECT_CONTENT) {
2686  result = 0;
2687  goto end;
2688  }
2689  cd = (DetectContentData *)sm->ctx;
2690  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2691  cd->flags != (DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_WITHIN |
2692  DETECT_CONTENT_WITHIN_NEXT | DETECT_CONTENT_MPM) ||
2693  cd->within != bed1->local_id || cd->depth != 0 || cd->offset != 0 ||
2694  cd->distance != 0) {
2695  printf("four failed\n");
2696  result = 0;
2697  goto end;
2698  }
2699 
2700  sm = sm->next;
2701  if (sm->type != DETECT_CONTENT) {
2702  result = 0;
2703  goto end;
2704  }
2705  cd = (DetectContentData *)sm->ctx;
2706  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2707  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
2708  DETECT_CONTENT_WITHIN) ||
2709  cd->within != bed2->local_id ||
2710  cd->depth != 0 ||
2711  cd->offset != 0 ||
2712  cd->distance != 0) {
2713  printf("five failed\n");
2714  result = 0;
2715  goto end;
2716  }
2717 
2718  if (sm->next != NULL)
2719  goto end;
2720 
2721  result = 1;
2722 
2723  end:
2724  SigGroupCleanup(de_ctx);
2725  SigCleanSignatures(de_ctx);
2726  DetectEngineCtxFree(de_ctx);
2727 
2728  return result;
2729 }
2730 
2731 static int DetectByteExtractTest51(void)
2732 {
2733  DetectEngineCtx *de_ctx = NULL;
2734  int result = 0;
2735  Signature *s = NULL;
2736  SigMatch *sm = NULL;
2737  DetectContentData *cd = NULL;
2738  SCDetectByteExtractData *bed = NULL;
2739  DetectBytetestData *btd = NULL;
2740 
2741  de_ctx = DetectEngineCtxInit();
2742  if (de_ctx == NULL)
2743  goto end;
2744 
2745  de_ctx->flags |= DE_QUIET;
2746  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2747  "(msg:\"Testing bytejump_body\"; "
2748  "content:\"one\"; "
2749  "byte_extract:4,0,two,string,hex; "
2750  "byte_test: 2,=,10, two; "
2751  "sid:1;)");
2752  if (de_ctx->sig_list == NULL) {
2753  result = 0;
2754  goto end;
2755  }
2756 
2757  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2758  result = 0;
2759  goto end;
2760  }
2761 
2762  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2763  if (sm->type != DETECT_CONTENT) {
2764  result = 0;
2765  goto end;
2766  }
2767  cd = (DetectContentData *)sm->ctx;
2768  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2769  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2770  cd->flags & DETECT_CONTENT_NOCASE ||
2771  cd->flags & DETECT_CONTENT_WITHIN ||
2772  cd->flags & DETECT_CONTENT_DISTANCE ||
2773  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2774  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2775  cd->flags & DETECT_CONTENT_NEGATED ) {
2776  printf("one failed\n");
2777  result = 0;
2778  goto end;
2779  }
2780 
2781  sm = sm->next;
2782  if (sm->type != DETECT_BYTE_EXTRACT) {
2783  result = 0;
2784  goto end;
2785  }
2786  bed = (SCDetectByteExtractData *)sm->ctx;
2787  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2788  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2789  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2790  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2791  goto end;
2792  }
2793  if (bed->local_id != 0) {
2794  result = 0;
2795  goto end;
2796  }
2797 
2798  sm = sm->next;
2799  if (sm->type != DETECT_BYTETEST) {
2800  result = 0;
2801  goto end;
2802  }
2803  btd = (DetectBytetestData *)sm->ctx;
2804  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
2805  btd->value != 10 ||
2806  btd->offset != 0) {
2807  printf("three failed\n");
2808  result = 0;
2809  goto end;
2810  }
2811 
2812  if (sm->next != NULL)
2813  goto end;
2814 
2815  result = 1;
2816 
2817  end:
2818  SigGroupCleanup(de_ctx);
2819  SigCleanSignatures(de_ctx);
2820  DetectEngineCtxFree(de_ctx);
2821 
2822  return result;
2823 }
2824 
2825 static int DetectByteExtractTest52(void)
2826 {
2827  DetectEngineCtx *de_ctx = NULL;
2828  int result = 0;
2829  Signature *s = NULL;
2830  SigMatch *sm = NULL;
2831  DetectContentData *cd = NULL;
2832  SCDetectByteExtractData *bed1 = NULL;
2833  DetectBytetestData *btd = NULL;
2834 
2835  de_ctx = DetectEngineCtxInit();
2836  if (de_ctx == NULL)
2837  goto end;
2838 
2839  de_ctx->flags |= DE_QUIET;
2840  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2841  "(msg:\"Testing bytejump_body\"; "
2842  "content:\"one\"; "
2843  "byte_extract:4,0,two,string,hex; "
2844  "byte_extract:4,0,three,string,hex; "
2845  "byte_test: 2,=,two,three; "
2846  "byte_test: 3,=,10,three; "
2847  "sid:1;)");
2848  if (de_ctx->sig_list == NULL) {
2849  result = 0;
2850  goto end;
2851  }
2852 
2853  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2854  result = 0;
2855  goto end;
2856  }
2857 
2858  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2859  if (sm->type != DETECT_CONTENT) {
2860  result = 0;
2861  goto end;
2862  }
2863  cd = (DetectContentData *)sm->ctx;
2864  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2865  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2866  cd->flags & DETECT_CONTENT_NOCASE ||
2867  cd->flags & DETECT_CONTENT_WITHIN ||
2868  cd->flags & DETECT_CONTENT_DISTANCE ||
2869  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2870  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2871  cd->flags & DETECT_CONTENT_NEGATED ) {
2872  printf("one failed\n");
2873  result = 0;
2874  goto end;
2875  }
2876 
2877  sm = sm->next;
2878  if (sm->type != DETECT_BYTE_EXTRACT) {
2879  result = 0;
2880  goto end;
2881  }
2882  bed1 = (SCDetectByteExtractData *)sm->ctx;
2883  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2884  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2885  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2886  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2887  goto end;
2888  }
2889  if (bed1->local_id != 0) {
2890  result = 0;
2891  goto end;
2892  }
2893 
2894  sm = sm->next;
2895  if (sm->type != DETECT_BYTE_EXTRACT) {
2896  result = 0;
2897  goto end;
2898  }
2899 
2900  sm = sm->next;
2901  if (sm->type != DETECT_BYTETEST) {
2902  result = 0;
2903  goto end;
2904  }
2905  btd = (DetectBytetestData *)sm->ctx;
2906  if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
2907  DETECT_BYTETEST_VALUE_VAR) ||
2908  btd->value != 0 ||
2909  btd->offset != 1) {
2910  printf("three failed\n");
2911  result = 0;
2912  goto end;
2913  }
2914 
2915  sm = sm->next;
2916  if (sm->type != DETECT_BYTETEST) {
2917  result = 0;
2918  goto end;
2919  }
2920  btd = (DetectBytetestData *)sm->ctx;
2921  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
2922  btd->value != 10 ||
2923  btd->offset != 1) {
2924  printf("four failed\n");
2925  result = 0;
2926  goto end;
2927  }
2928 
2929  if (sm->next != NULL)
2930  goto end;
2931 
2932  result = 1;
2933 
2934  end:
2935  SigGroupCleanup(de_ctx);
2936  SigCleanSignatures(de_ctx);
2937  DetectEngineCtxFree(de_ctx);
2938 
2939  return result;
2940 }
2941 
2942 static int DetectByteExtractTest53(void)
2943 {
2944  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2945  FAIL_IF_NULL(de_ctx);
2946  de_ctx->flags |= DE_QUIET;
2947 
2948  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
2949  "content:\"one\"; "
2950  "byte_extract:4,0,two,string,hex; "
2951  "byte_jump: 2,two; "
2952  "sid:1;)");
2953  FAIL_IF_NULL(s);
2954  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
2955 
2956  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2957  FAIL_IF(sm->type != DETECT_CONTENT);
2958  DetectContentData *cd = (DetectContentData *)sm->ctx;
2959  FAIL_IF(cd->flags != (DETECT_CONTENT_MPM | DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED));
2960 
2961  sm = sm->next;
2962  FAIL_IF_NULL(sm);
2963  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
2964  SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
2965 
2966  FAIL_IF(bed->nbytes != 4);
2967  FAIL_IF(bed->offset != 0);
2968  FAIL_IF(strcmp(bed->name, "two") != 0);
2969  FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
2970  FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
2971  FAIL_IF(bed->align_value != 0);
2972  FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
2973  FAIL_IF(bed->local_id != 0);
2974 
2975  sm = sm->next;
2976  FAIL_IF_NULL(sm);
2977  FAIL_IF(sm->type != DETECT_BYTEJUMP);
2978  DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
2979 
2980  FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
2981  FAIL_IF(bjd->offset != 0);
2982 
2983  FAIL_IF_NOT_NULL(sm->next);
2984  DetectEngineCtxFree(de_ctx);
2985  PASS;
2986 }
2987 
2988 static int DetectByteExtractTest54(void)
2989 {
2990  DetectEngineCtx *de_ctx = NULL;
2991  int result = 0;
2992  Signature *s = NULL;
2993  SigMatch *sm = NULL;
2994  DetectContentData *cd = NULL;
2995  SCDetectByteExtractData *bed1 = NULL;
2996  DetectBytejumpData *bjd = NULL;
2997 
2998  de_ctx = DetectEngineCtxInit();
2999  if (de_ctx == NULL)
3000  goto end;
3001 
3002  de_ctx->flags |= DE_QUIET;
3003  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3004  "(msg:\"Testing bytejump_body\"; "
3005  "content:\"one\"; "
3006  "byte_extract:4,0,two,string,hex; "
3007  "byte_extract:4,0,three,string,hex; "
3008  "byte_jump: 2,two; "
3009  "byte_jump: 3,three; "
3010  "sid:1;)");
3011  if (de_ctx->sig_list == NULL) {
3012  result = 0;
3013  goto end;
3014  }
3015 
3016  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3017  result = 0;
3018  goto end;
3019  }
3020 
3021  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3022  if (sm->type != DETECT_CONTENT) {
3023  result = 0;
3024  goto end;
3025  }
3026  cd = (DetectContentData *)sm->ctx;
3027  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3028  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3029  cd->flags & DETECT_CONTENT_NOCASE ||
3030  cd->flags & DETECT_CONTENT_WITHIN ||
3031  cd->flags & DETECT_CONTENT_DISTANCE ||
3032  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3033  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3034  cd->flags & DETECT_CONTENT_NEGATED ) {
3035  printf("one failed\n");
3036  result = 0;
3037  goto end;
3038  }
3039 
3040  sm = sm->next;
3041  if (sm->type != DETECT_BYTE_EXTRACT) {
3042  result = 0;
3043  goto end;
3044  }
3045  bed1 = (SCDetectByteExtractData *)sm->ctx;
3046  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3047  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3048  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3049  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3050  goto end;
3051  }
3052  if (bed1->local_id != 0) {
3053  result = 0;
3054  goto end;
3055  }
3056 
3057  sm = sm->next;
3058  if (sm->type != DETECT_BYTE_EXTRACT) {
3059  result = 0;
3060  goto end;
3061  }
3062 
3063  sm = sm->next;
3064  if (sm->type != DETECT_BYTEJUMP) {
3065  result = 0;
3066  goto end;
3067  }
3068  bjd = (DetectBytejumpData *)sm->ctx;
3069  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
3070  printf("three failed\n");
3071  result = 0;
3072  goto end;
3073  }
3074 
3075  sm = sm->next;
3076  if (sm->type != DETECT_BYTEJUMP) {
3077  result = 0;
3078  goto end;
3079  }
3080  bjd = (DetectBytejumpData *)sm->ctx;
3081  FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
3082  FAIL_IF(bjd->offset != 1);
3083 
3084  if (sm->next != NULL)
3085  goto end;
3086 
3087  result = 1;
3088 
3089  end:
3090  SigGroupCleanup(de_ctx);
3091  SigCleanSignatures(de_ctx);
3092  DetectEngineCtxFree(de_ctx);
3093 
3094  return result;
3095 }
3096 
3097 static int DetectByteExtractTest55(void)
3098 {
3099  DetectEngineCtx *de_ctx = NULL;
3100  int result = 0;
3101  Signature *s = NULL;
3102  SigMatch *sm = NULL;
3103  DetectContentData *cd = NULL;
3104  SCDetectByteExtractData *bed1 = NULL;
3105  SCDetectByteExtractData *bed2 = NULL;
3106 
3107  de_ctx = DetectEngineCtxInit();
3108  if (de_ctx == NULL)
3109  goto end;
3110 
3111  de_ctx->flags |= DE_QUIET;
3112  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3113  "(msg:\"Testing byte_extract\"; "
3114  "content:\"one\"; "
3115  "byte_extract:4,0,two,string,hex; "
3116  "byte_extract:4,0,three,string,hex; "
3117  "byte_extract:4,0,four,string,hex; "
3118  "byte_extract:4,0,five,string,hex; "
3119  "content: \"four\"; within:two; distance:three; "
3120  "sid:1;)");
3121  if (de_ctx->sig_list == NULL) {
3122  goto end;
3123  }
3124 
3125  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3126  goto end;
3127  }
3128 
3129  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3130  if (sm->type != DETECT_CONTENT) {
3131  goto end;
3132  }
3133  cd = (DetectContentData *)sm->ctx;
3134  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3135  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3136  cd->flags & DETECT_CONTENT_NOCASE ||
3137  cd->flags & DETECT_CONTENT_WITHIN ||
3138  cd->flags & DETECT_CONTENT_DISTANCE ||
3139  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3140  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3141  cd->flags & DETECT_CONTENT_NEGATED ) {
3142  printf("one failed: ");
3143  goto end;
3144  }
3145 
3146  sm = sm->next;
3147  if (sm->type != DETECT_BYTE_EXTRACT) {
3148  goto end;
3149  }
3150  bed1 = (SCDetectByteExtractData *)sm->ctx;
3151  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3152  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3153  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3154  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3155  goto end;
3156  }
3157  if (bed1->local_id != 0) {
3158  goto end;
3159  }
3160 
3161  sm = sm->next;
3162  if (sm->type != DETECT_BYTE_EXTRACT) {
3163  goto end;
3164  }
3165  bed2 = (SCDetectByteExtractData *)sm->ctx;
3166 
3167  sm = sm->next;
3168  if (sm->type != DETECT_BYTE_EXTRACT) {
3169  goto end;
3170  }
3171 
3172  sm = sm->next;
3173  if (sm->type != DETECT_BYTE_EXTRACT) {
3174  goto end;
3175  }
3176 
3177  sm = sm->next;
3178  if (sm->type != DETECT_CONTENT) {
3179  goto end;
3180  }
3181  cd = (DetectContentData *)sm->ctx;
3182  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3183  cd->flags !=
3184  (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_WITHIN_VAR |
3185  DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN | DETECT_CONTENT_MPM) ||
3186  cd->within != bed1->local_id || cd->distance != bed2->local_id) {
3187  printf("four failed: ");
3188  goto end;
3189  }
3190 
3191  if (sm->next != NULL) {
3192  goto end;
3193  }
3194 
3195  result = 1;
3196 
3197  end:
3198  SigGroupCleanup(de_ctx);
3199  SigCleanSignatures(de_ctx);
3200  DetectEngineCtxFree(de_ctx);
3201 
3202  return result;
3203 }
3204 
3205 static int DetectByteExtractTest56(void)
3206 {
3207  DetectEngineCtx *de_ctx = NULL;
3208  int result = 0;
3209  Signature *s = NULL;
3210  SigMatch *sm = NULL;
3211  DetectContentData *cd = NULL;
3212  SCDetectByteExtractData *bed1 = NULL;
3213  SCDetectByteExtractData *bed2 = NULL;
3214 
3215  de_ctx = DetectEngineCtxInit();
3216  if (de_ctx == NULL)
3217  goto end;
3218 
3219  de_ctx->flags |= DE_QUIET;
3220  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3221  "(msg:\"Testing bytejump_body\"; "
3222  "uricontent:\"urione\"; "
3223  "content:\"one\"; "
3224  "byte_extract:4,0,two,string,hex; "
3225  "byte_extract:4,0,three,string,hex; "
3226  "byte_extract:4,0,four,string,hex; "
3227  "byte_extract:4,0,five,string,hex; "
3228  "content: \"four\"; within:two; distance:three; "
3229  "sid:1;)");
3230  if (de_ctx->sig_list == NULL) {
3231  result = 0;
3232  goto end;
3233  }
3234 
3235  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3236  result = 0;
3237  goto end;
3238  }
3239 
3240  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3241  if (sm->type != DETECT_CONTENT) {
3242  result = 0;
3243  goto end;
3244  }
3245  cd = (DetectContentData *)sm->ctx;
3246  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3247  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3248  cd->flags & DETECT_CONTENT_NOCASE ||
3249  cd->flags & DETECT_CONTENT_WITHIN ||
3250  cd->flags & DETECT_CONTENT_DISTANCE ||
3251  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3252  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3253  cd->flags & DETECT_CONTENT_NEGATED ) {
3254  printf("one failed\n");
3255  result = 0;
3256  goto end;
3257  }
3258 
3259  if (sm->next != NULL)
3260  goto end;
3261 
3262  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3263  if (sm->type != DETECT_CONTENT) {
3264  result = 0;
3265  goto end;
3266  }
3267  cd = (DetectContentData *)sm->ctx;
3268  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3269  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3270  cd->flags & DETECT_CONTENT_NOCASE ||
3271  cd->flags & DETECT_CONTENT_WITHIN ||
3272  cd->flags & DETECT_CONTENT_DISTANCE ||
3273  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3274  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3275  cd->flags & DETECT_CONTENT_NEGATED ) {
3276  printf("one failed\n");
3277  result = 0;
3278  goto end;
3279  }
3280 
3281  sm = sm->next;
3282  if (sm->type != DETECT_BYTE_EXTRACT) {
3283  result = 0;
3284  goto end;
3285  }
3286  bed1 = (SCDetectByteExtractData *)sm->ctx;
3287  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3288  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3289  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3290  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3291  goto end;
3292  }
3293  if (bed1->local_id != 0) {
3294  result = 0;
3295  goto end;
3296  }
3297 
3298  sm = sm->next;
3299  if (sm->type != DETECT_BYTE_EXTRACT) {
3300  result = 0;
3301  goto end;
3302  }
3303  bed2 = (SCDetectByteExtractData *)sm->ctx;
3304 
3305  sm = sm->next;
3306  if (sm->type != DETECT_BYTE_EXTRACT) {
3307  result = 0;
3308  goto end;
3309  }
3310 
3311  sm = sm->next;
3312  if (sm->type != DETECT_BYTE_EXTRACT) {
3313  result = 0;
3314  goto end;
3315  }
3316 
3317  sm = sm->next;
3318  if (sm->type != DETECT_CONTENT) {
3319  result = 0;
3320  goto end;
3321  }
3322  cd = (DetectContentData *)sm->ctx;
3323  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3324  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3325  DETECT_CONTENT_WITHIN_VAR |
3326  DETECT_CONTENT_DISTANCE |
3327  DETECT_CONTENT_WITHIN) ||
3328  cd->within != bed1->local_id ||
3329  cd->distance != bed2->local_id ) {
3330  printf("four failed\n");
3331  result = 0;
3332  goto end;
3333  }
3334 
3335  if (sm->next != NULL) {
3336  goto end;
3337  }
3338 
3339  result = 1;
3340 
3341  end:
3342  SigGroupCleanup(de_ctx);
3343  SigCleanSignatures(de_ctx);
3344  DetectEngineCtxFree(de_ctx);
3345 
3346  return result;
3347 }
3348 
3349 static int DetectByteExtractTest57(void)
3350 {
3351  DetectEngineCtx *de_ctx = NULL;
3352  int result = 0;
3353  Signature *s = NULL;
3354  SigMatch *sm = NULL;
3355  DetectContentData *cd = NULL;
3356  SCDetectByteExtractData *bed1 = NULL;
3357  SCDetectByteExtractData *bed2 = NULL;
3358  SCDetectByteExtractData *bed3 = NULL;
3359  SCDetectByteExtractData *bed4 = NULL;
3360 
3361  de_ctx = DetectEngineCtxInit();
3362  if (de_ctx == NULL)
3363  goto end;
3364 
3365  de_ctx->flags |= DE_QUIET;
3366  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3367  "(msg:\"Testing bytejump_body\"; "
3368  "content:\"one\"; "
3369  "uricontent: \"urione\"; "
3370  "byte_extract:4,0,two,string,hex,relative; "
3371  "byte_extract:4,0,three,string,hex,relative; "
3372  "byte_extract:4,0,four,string,hex,relative; "
3373  "byte_extract:4,0,five,string,hex,relative; "
3374  "uricontent: \"four\"; within:two; distance:three; "
3375  "sid:1;)");
3376  if (de_ctx->sig_list == NULL) {
3377  result = 0;
3378  goto end;
3379  }
3380 
3381  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3382  result = 0;
3383  goto end;
3384  }
3385 
3386  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3387  if (sm->type != DETECT_CONTENT) {
3388  result = 0;
3389  goto end;
3390  }
3391  cd = (DetectContentData *)sm->ctx;
3392  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3393  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3394  cd->flags & DETECT_CONTENT_NOCASE ||
3395  cd->flags & DETECT_CONTENT_WITHIN ||
3396  cd->flags & DETECT_CONTENT_DISTANCE ||
3397  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3398  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3399  cd->flags & DETECT_CONTENT_NEGATED ) {
3400  printf("one failed\n");
3401  result = 0;
3402  goto end;
3403  }
3404 
3405  if (sm->next != NULL)
3406  goto end;
3407 
3408  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3409  if (sm->type != DETECT_CONTENT) {
3410  result = 0;
3411  goto end;
3412  }
3413  cd = (DetectContentData *)sm->ctx;
3414  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3415  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3416  cd->flags & DETECT_CONTENT_NOCASE ||
3417  cd->flags & DETECT_CONTENT_WITHIN ||
3418  cd->flags & DETECT_CONTENT_DISTANCE ||
3419  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3420  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3421  cd->flags & DETECT_CONTENT_NEGATED ) {
3422  printf("one failed\n");
3423  result = 0;
3424  goto end;
3425  }
3426 
3427  sm = sm->next;
3428  if (sm->type != DETECT_BYTE_EXTRACT) {
3429  result = 0;
3430  goto end;
3431  }
3432  bed1 = (SCDetectByteExtractData *)sm->ctx;
3433  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3434  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3435  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3436  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3437  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3438  goto end;
3439  }
3440  if (bed1->local_id != 0) {
3441  result = 0;
3442  goto end;
3443  }
3444 
3445  sm = sm->next;
3446  if (sm->type != DETECT_BYTE_EXTRACT) {
3447  result = 0;
3448  goto end;
3449  }
3450  bed2 = (SCDetectByteExtractData *)sm->ctx;
3451  if (bed2->local_id != 1) {
3452  result = 0;
3453  goto end;
3454  }
3455 
3456  sm = sm->next;
3457  if (sm->type != DETECT_BYTE_EXTRACT) {
3458  result = 0;
3459  goto end;
3460  }
3461  bed3 = (SCDetectByteExtractData *)sm->ctx;
3462  if (bed3->local_id != 2) {
3463  result = 0;
3464  goto end;
3465  }
3466 
3467  sm = sm->next;
3468  if (sm->type != DETECT_BYTE_EXTRACT) {
3469  result = 0;
3470  goto end;
3471  }
3472  bed4 = (SCDetectByteExtractData *)sm->ctx;
3473  if (bed4->local_id != 3) {
3474  result = 0;
3475  goto end;
3476  }
3477 
3478  sm = sm->next;
3479  if (sm->type != DETECT_CONTENT) {
3480  result = 0;
3481  goto end;
3482  }
3483  cd = (DetectContentData *)sm->ctx;
3484  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3485  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3486  DETECT_CONTENT_WITHIN_VAR |
3487  DETECT_CONTENT_DISTANCE |
3488  DETECT_CONTENT_WITHIN) ||
3489  cd->within != bed1->local_id ||
3490  cd->distance != bed2->local_id) {
3491  printf("four failed\n");
3492  result = 0;
3493  goto end;
3494  }
3495 
3496  if (sm->next != NULL) {
3497  goto end;
3498  }
3499 
3500  result = 1;
3501 
3502  end:
3503  SigGroupCleanup(de_ctx);
3504  SigCleanSignatures(de_ctx);
3505  DetectEngineCtxFree(de_ctx);
3506 
3507  return result;
3508 }
3509 
3510 static int DetectByteExtractTest58(void)
3511 {
3512  DetectEngineCtx *de_ctx = NULL;
3513  int result = 0;
3514  Signature *s = NULL;
3515  SigMatch *sm = NULL;
3516  DetectContentData *cd = NULL;
3517  SCDetectByteExtractData *bed1 = NULL;
3518  DetectBytejumpData *bjd = NULL;
3519  DetectIsdataatData *isdd = NULL;
3520 
3521  de_ctx = DetectEngineCtxInit();
3522  if (de_ctx == NULL)
3523  goto end;
3524 
3525  de_ctx->flags |= DE_QUIET;
3526  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3527  "(msg:\"Testing bytejump_body\"; "
3528  "content:\"one\"; "
3529  "byte_extract:4,0,two,string,hex; "
3530  "byte_extract:4,0,three,string,hex; "
3531  "byte_jump: 2,two; "
3532  "byte_jump: 3,three; "
3533  "isdataat: three; "
3534  "sid:1;)");
3535  if (de_ctx->sig_list == NULL) {
3536  result = 0;
3537  goto end;
3538  }
3539 
3540  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3541  result = 0;
3542  goto end;
3543  }
3544 
3545  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3546  if (sm->type != DETECT_CONTENT) {
3547  result = 0;
3548  goto end;
3549  }
3550  cd = (DetectContentData *)sm->ctx;
3551  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3552  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3553  cd->flags & DETECT_CONTENT_NOCASE ||
3554  cd->flags & DETECT_CONTENT_WITHIN ||
3555  cd->flags & DETECT_CONTENT_DISTANCE ||
3556  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3557  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3558  cd->flags & DETECT_CONTENT_NEGATED ) {
3559  printf("one failed\n");
3560  result = 0;
3561  goto end;
3562  }
3563 
3564  sm = sm->next;
3565  if (sm->type != DETECT_BYTE_EXTRACT) {
3566  result = 0;
3567  goto end;
3568  }
3569  bed1 = (SCDetectByteExtractData *)sm->ctx;
3570  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3571  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3572  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3573  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3574  goto end;
3575  }
3576  if (bed1->local_id != 0) {
3577  result = 0;
3578  goto end;
3579  }
3580 
3581  sm = sm->next;
3582  if (sm->type != DETECT_BYTE_EXTRACT) {
3583  result = 0;
3584  goto end;
3585  }
3586 
3587  sm = sm->next;
3588  if (sm->type != DETECT_BYTEJUMP) {
3589  result = 0;
3590  goto end;
3591  }
3592  bjd = (DetectBytejumpData *)sm->ctx;
3593  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
3594  printf("three failed\n");
3595  result = 0;
3596  goto end;
3597  }
3598 
3599  sm = sm->next;
3600  if (sm->type != DETECT_BYTEJUMP) {
3601  result = 0;
3602  goto end;
3603  }
3604  bjd = (DetectBytejumpData *)sm->ctx;
3605  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
3606  printf("four failed\n");
3607  result = 0;
3608  goto end;
3609  }
3610 
3611  sm = sm->next;
3612  if (sm->type != DETECT_ISDATAAT) {
3613  result = 0;
3614  goto end;
3615  }
3616  isdd = (DetectIsdataatData *)sm->ctx;
3617  if (isdd->flags != ISDATAAT_OFFSET_VAR ||
3618  isdd->dataat != 1) {
3619  printf("isdataat failed\n");
3620  result = 0;
3621  goto end;
3622  }
3623 
3624  if (sm->next != NULL)
3625  goto end;
3626 
3627  result = 1;
3628 
3629  end:
3630  SigGroupCleanup(de_ctx);
3631  SigCleanSignatures(de_ctx);
3632  DetectEngineCtxFree(de_ctx);
3633 
3634  return result;
3635 }
3636 
3637 static int DetectByteExtractTest59(void)
3638 {
3639  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3640  FAIL_IF_NULL(de_ctx);
3641  de_ctx->flags |= DE_QUIET;
3642 
3643  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
3644  "content:\"one\"; "
3645  "byte_extract:4,0,two,string,hex; "
3646  "byte_extract:4,0,three,string,hex; "
3647  "byte_jump: 2,two; "
3648  "byte_jump: 3,three; "
3649  "isdataat: three,relative; "
3650  "sid:1;)");
3651  FAIL_IF_NULL(s);
3652 
3653  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
3654  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3655  FAIL_IF(sm->type != DETECT_CONTENT);
3656 
3657  DetectContentData *cd = (DetectContentData *)sm->ctx;
3658  FAIL_IF(cd->flags & DETECT_CONTENT_RAWBYTES);
3659  FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
3660  FAIL_IF(cd->flags & DETECT_CONTENT_NOCASE);
3661  FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
3662  FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
3663  FAIL_IF(cd->flags & DETECT_CONTENT_FAST_PATTERN);
3664  FAIL_IF(cd->flags & DETECT_CONTENT_RELATIVE_NEXT);
3665  FAIL_IF(cd->flags & DETECT_CONTENT_NEGATED);
3666 
3667  sm = sm->next;
3668  FAIL_IF_NULL(sm);
3669  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
3670 
3671  SCDetectByteExtractData *bed1 = (SCDetectByteExtractData *)sm->ctx;
3672  FAIL_IF(bed1->nbytes != 4);
3673  FAIL_IF(bed1->offset != 0);
3674  FAIL_IF(strcmp(bed1->name, "two") != 0);
3675  printf("a\n");
3676  FAIL_IF(bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
3677  printf("b\n");
3678  FAIL_IF(bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX);
3679  FAIL_IF(bed1->align_value != 0);
3680  FAIL_IF(bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
3681 
3682  FAIL_IF(bed1->local_id != 0);
3683 
3684  sm = sm->next;
3685  FAIL_IF_NULL(sm);
3686  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
3687 
3688  sm = sm->next;
3689  FAIL_IF_NULL(sm);
3690  FAIL_IF(sm->type != DETECT_BYTEJUMP);
3691 
3692  DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
3693  FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
3694  FAIL_IF(bjd->offset != 0);
3695 
3696  sm = sm->next;
3697  FAIL_IF_NULL(sm);
3698  FAIL_IF(sm->type != DETECT_BYTEJUMP);
3699 
3700  bjd = (DetectBytejumpData *)sm->ctx;
3701  FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
3702  FAIL_IF(bjd->offset != 1);
3703 
3704  sm = sm->next;
3705  FAIL_IF_NULL(sm);
3706  FAIL_IF(sm->type != DETECT_ISDATAAT);
3707  DetectIsdataatData *isdd = (DetectIsdataatData *)sm->ctx;
3708  FAIL_IF(isdd->flags != (ISDATAAT_OFFSET_VAR | ISDATAAT_RELATIVE));
3709  FAIL_IF(isdd->dataat != 1);
3710 
3711  FAIL_IF(sm->next != NULL);
3712  DetectEngineCtxFree(de_ctx);
3713 
3714  PASS;
3715 }
3716 
3717 static int DetectByteExtractTest60(void)
3718 {
3719  DetectEngineCtx *de_ctx = NULL;
3720  int result = 0;
3721  Signature *s = NULL;
3722  SigMatch *sm = NULL;
3723  DetectContentData *cd = NULL;
3724  SCDetectByteExtractData *bed1 = NULL;
3725  DetectIsdataatData *isdd = NULL;
3726 
3727  de_ctx = DetectEngineCtxInit();
3728  if (de_ctx == NULL)
3729  goto end;
3730 
3731  de_ctx->flags |= DE_QUIET;
3732  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3733  "(msg:\"Testing bytejump_body\"; "
3734  "content:\"one\"; "
3735  "byte_extract:4,0,two,string,hex,relative; "
3736  "uricontent: \"three\"; "
3737  "byte_extract:4,0,four,string,hex,relative; "
3738  "isdataat: two; "
3739  "sid:1;)");
3740  if (de_ctx->sig_list == NULL) {
3741  result = 0;
3742  goto end;
3743  }
3744 
3745  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3746  result = 0;
3747  goto end;
3748  }
3749 
3750  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3751  if (sm->type != DETECT_CONTENT) {
3752  result = 0;
3753  goto end;
3754  }
3755  cd = (DetectContentData *)sm->ctx;
3756  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3757  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3758  cd->flags & DETECT_CONTENT_NOCASE ||
3759  cd->flags & DETECT_CONTENT_WITHIN ||
3760  cd->flags & DETECT_CONTENT_DISTANCE ||
3761  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3762  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3763  cd->flags & DETECT_CONTENT_NEGATED ) {
3764  printf("one failed\n");
3765  result = 0;
3766  goto end;
3767  }
3768 
3769  sm = sm->next;
3770  if (sm->type != DETECT_BYTE_EXTRACT) {
3771  result = 0;
3772  goto end;
3773  }
3774  bed1 = (SCDetectByteExtractData *)sm->ctx;
3775  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3776  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3777  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3778  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3779  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3780  goto end;
3781  }
3782  if (bed1->local_id != 0) {
3783  result = 0;
3784  goto end;
3785  }
3786 
3787  sm = sm->next;
3788  if (sm->type != DETECT_ISDATAAT) {
3789  result = 0;
3790  goto end;
3791  }
3792  isdd = (DetectIsdataatData *)sm->ctx;
3793  if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
3794  isdd->dataat != bed1->local_id) {
3795  printf("isdataat failed\n");
3796  result = 0;
3797  goto end;
3798  }
3799 
3800  if (sm->next != NULL)
3801  goto end;
3802 
3803  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3804  if (sm == NULL) {
3805  result = 0;
3806  goto end;
3807  }
3808  if (sm->type != DETECT_CONTENT) {
3809  result = 0;
3810  goto end;
3811  }
3812  cd = (DetectContentData *)sm->ctx;
3813  if (cd->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_MPM) ||
3814  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
3815  printf("one failed\n");
3816  result = 0;
3817  goto end;
3818  }
3819 
3820  sm = sm->next;
3821  if (sm->type != DETECT_BYTE_EXTRACT) {
3822  result = 0;
3823  goto end;
3824  }
3825  bed1 = (SCDetectByteExtractData *)sm->ctx;
3826  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
3827  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3828  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3829  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3830  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3831  goto end;
3832  }
3833  if (bed1->local_id != 0) {
3834  result = 0;
3835  goto end;
3836  }
3837 
3838  if (sm->next != NULL)
3839  goto end;
3840 
3841  result = 1;
3842 
3843  end:
3844  SigGroupCleanup(de_ctx);
3845  SigCleanSignatures(de_ctx);
3846  DetectEngineCtxFree(de_ctx);
3847 
3848  return result;
3849 }
3850 
3851 static int DetectByteExtractTest61(void)
3852 {
3853  DetectEngineCtx *de_ctx = NULL;
3854  int result = 0;
3855  Signature *s = NULL;
3856  SigMatch *sm = NULL;
3857  DetectContentData *cd = NULL;
3858  SCDetectByteExtractData *bed1 = NULL;
3859  DetectIsdataatData *isdd = NULL;
3860 
3861  de_ctx = DetectEngineCtxInit();
3862  if (de_ctx == NULL)
3863  goto end;
3864 
3865  de_ctx->flags |= DE_QUIET;
3866  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3867  "(msg:\"Testing bytejump_body\"; "
3868  "content:\"one\"; "
3869  "byte_extract:4,0,two,string,hex,relative; "
3870  "uricontent: \"three\"; "
3871  "byte_extract:4,0,four,string,hex,relative; "
3872  "isdataat: four, relative; "
3873  "sid:1;)");
3874  if (de_ctx->sig_list == NULL) {
3875  result = 0;
3876  goto end;
3877  }
3878 
3879  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3880  result = 0;
3881  goto end;
3882  }
3883 
3884  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3885  if (sm->type != DETECT_CONTENT) {
3886  result = 0;
3887  goto end;
3888  }
3889  cd = (DetectContentData *)sm->ctx;
3890  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3891  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3892  cd->flags & DETECT_CONTENT_NOCASE ||
3893  cd->flags & DETECT_CONTENT_WITHIN ||
3894  cd->flags & DETECT_CONTENT_DISTANCE ||
3895  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3896  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3897  cd->flags & DETECT_CONTENT_NEGATED ) {
3898  printf("one failed\n");
3899  result = 0;
3900  goto end;
3901  }
3902 
3903  sm = sm->next;
3904  if (sm->type != DETECT_BYTE_EXTRACT) {
3905  result = 0;
3906  goto end;
3907  }
3908  bed1 = (SCDetectByteExtractData *)sm->ctx;
3909  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3910  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3911  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3912  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3913  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3914  goto end;
3915  }
3916  if (bed1->local_id != 0) {
3917  result = 0;
3918  goto end;
3919  }
3920 
3921  if (sm->next != NULL)
3922  goto end;
3923 
3924  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3925  if (sm == NULL) {
3926  result = 0;
3927  goto end;
3928  }
3929  if (sm->type != DETECT_CONTENT) {
3930  result = 0;
3931  goto end;
3932  }
3933  cd = (DetectContentData *)sm->ctx;
3934  if (cd->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_MPM) ||
3935  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
3936  printf("one failed\n");
3937  result = 0;
3938  goto end;
3939  }
3940 
3941  sm = sm->next;
3942  if (sm->type != DETECT_BYTE_EXTRACT) {
3943  result = 0;
3944  goto end;
3945  }
3946  bed1 = (SCDetectByteExtractData *)sm->ctx;
3947  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
3948  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3949  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3950  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3951  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3952  goto end;
3953  }
3954  if (bed1->local_id != 0) {
3955  result = 0;
3956  goto end;
3957  }
3958 
3959  sm = sm->next;
3960  if (sm->type != DETECT_ISDATAAT) {
3961  result = 0;
3962  goto end;
3963  }
3964  isdd = (DetectIsdataatData *)sm->ctx;
3965  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
3966  ISDATAAT_RELATIVE) ||
3967  isdd->dataat != bed1->local_id) {
3968  printf("isdataat failed\n");
3969  result = 0;
3970  goto end;
3971  }
3972 
3973  if (sm->next != NULL)
3974  goto end;
3975 
3976  result = 1;
3977 
3978  end:
3979  SigGroupCleanup(de_ctx);
3980  SigCleanSignatures(de_ctx);
3981  DetectEngineCtxFree(de_ctx);
3982 
3983  return result;
3984 }
3985 
3986 static int DetectByteExtractTest62(void)
3987 {
3988  DetectEngineCtx *de_ctx = NULL;
3989  int result = 0;
3990  Signature *s = NULL;
3991  SigMatch *sm = NULL;
3992  SCDetectByteExtractData *bed = NULL;
3993 
3994  de_ctx = DetectEngineCtxInit();
3995  if (de_ctx == NULL)
3996  goto end;
3997 
3998  de_ctx->flags |= DE_QUIET;
3999  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4000  "(file_data; byte_extract:4,2,two,relative,string,hex; "
4001  "sid:1;)");
4002  if (de_ctx->sig_list == NULL) {
4003  goto end;
4004  }
4005 
4006  sm = DetectBufferGetFirstSigMatch(s, g_file_data_buffer_id);
4007  if (sm == NULL) {
4008  goto end;
4009  }
4010  if (sm->type != DETECT_BYTE_EXTRACT) {
4011  goto end;
4012  }
4013  bed = (SCDetectByteExtractData *)sm->ctx;
4014  if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", 3) != 0 ||
4015  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
4016  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4017  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
4018  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4019  goto end;
4020  }
4021 
4022  result = 1;
4023 
4024  end:
4025  SigGroupCleanup(de_ctx);
4026  SigCleanSignatures(de_ctx);
4027  DetectEngineCtxFree(de_ctx);
4028 
4029  return result;
4030 }
4031 
4032 static int DetectByteExtractTest63(void)
4033 {
4034  int result = 0;
4035 
4036  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4037  if (bed == NULL)
4038  goto end;
4039 
4040  if (bed->nbytes != 4 || bed->offset != -2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
4041  bed->endian != BigEndian || bed->align_value != 0 ||
4042  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4043  goto end;
4044  }
4045 
4046  result = 1;
4047  end:
4048  if (bed != NULL)
4049  DetectByteExtractFree(NULL, bed);
4050  return result;
4051 }
4052 
4053 static int DetectByteExtractTestParseNoBase(void)
4054 {
4055  int result = 0;
4056 
4057  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4058  if (bed == NULL)
4059  goto end;
4060 
4061  if (bed->nbytes != 4) {
4062  goto end;
4063  }
4064  if (bed->offset != 2) {
4065  goto end;
4066  }
4067  if (strcmp(bed->name, "one") != 0) {
4068  goto end;
4069  }
4070  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4071  goto end;
4072  }
4073  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4074  goto end;
4075  }
4076  if (bed->align_value != 0) {
4077  goto end;
4078  }
4079  if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4080  goto end;
4081  }
4082 
4083  result = 1;
4084  end:
4085  if (bed != NULL)
4086  DetectByteExtractFree(NULL, bed);
4087  return result;
4088 }
4089 
4090 static void DetectByteExtractRegisterTests(void)
4091 {
4092  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4093  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4094 
4095  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4096  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4097  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4098  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4099  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4100  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4101  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4102  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4103  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4104  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4105  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4106  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4107  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4108  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4109  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4110  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4111  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4112  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4113  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4114  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4115  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4116  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4117  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4118  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4119  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4120  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4121  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4122  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4123  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4124  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4125  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4126  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4127  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4128  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4129  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4130  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4131  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4132  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4133  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4134  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4135  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4136  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4137 
4138  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4139  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4140 
4141  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4142  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4143 
4144  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4145  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4146 
4147  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4148  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4149 
4150  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4151  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4152 
4153  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4154  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4155 
4156  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4157  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4158  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4159 
4160  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4161  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4162  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4163  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4164  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4165  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4166 
4167  UtRegisterTest("DetectByteExtractTestParseNoBase",
4168  DetectByteExtractTestParseNoBase);
4169 }
4170 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:107
util-byte.h
DetectBytetestData_::flags
uint16_t flags
Definition: detect-bytetest.h:58
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
SigTableElmt_::url
const char * url
Definition: detect.h:1462
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:534
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1268
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:642
SigTableElmt_::desc
const char * desc
Definition: detect.h:1461
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:58
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1446
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition: detect-content.h:47
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine-buffer.c:157
SigTableElmt_::name
const char * name
Definition: detect.h:1459
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:644
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:83
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
DetectContentData_::within
int32_t within
Definition: detect-content.h:109
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:69
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
detect-isdataat.h
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:49
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
Definition: detect-content.h:55
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2641
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:48
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:51
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2229
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectBytetestData_
Definition: detect-bytetest.h:53
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3437
SigMatchData_
Data needed for Match()
Definition: detect.h:365
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1441
detect-pcre.h
DetectBytejumpData_
Definition: detect-bytejump.h:46
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:50
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1277
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:658
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:82
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:54
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SignatureInitData_::list
int list
Definition: detect.h:628
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, int sm_list, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:375
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:50
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3095
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2275
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
detect-engine-build.h
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1421
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:1010
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:71
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition: detect-content.h:48
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:144
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:82
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:55
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:108
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
detect-engine-buffer.h
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:647
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:267
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:763
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:85
DETECT_CONTENT_MPM
#define DETECT_CONTENT_MPM
Definition: detect-content.h:61
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:356
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:93
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:135
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:60
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:33
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2602
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:69
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
DetectPcreData_
Definition: detect-pcre.h:47
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:84
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:564
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:648
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:56
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:62
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1448
DETECT_BYTEJUMP_OFFSET_VAR
#define DETECT_BYTEJUMP_OFFSET_VAR
Definition: detect-bytejump.h:44
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:49
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
detect-bytetest.h