suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-mpm.h"
32 #include "detect-engine-state.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-bytejump.h"
36 #include "detect-bytetest.h"
37 #include "detect-byte-extract.h"
38 #include "detect-isdataat.h"
39 #include "detect-engine-build.h"
40 
41 #include "app-layer-protos.h"
42 
43 #include "flow.h"
44 #include "flow-var.h"
45 #include "flow-util.h"
46 
47 #include "util-byte.h"
48 #include "util-debug.h"
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 #include "util-spm.h"
52 
53 /* the default value of endianness to be used, if none's specified */
54 #define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT DETECT_BYTE_EXTRACT_ENDIAN_BIG
55 
56 /* the base to be used if string mode is specified. These options would be
57  * specified in DetectByteParseData->base */
58 #define DETECT_BYTE_EXTRACT_BASE_NONE 0
59 #define DETECT_BYTE_EXTRACT_BASE_HEX 16
60 #define DETECT_BYTE_EXTRACT_BASE_DEC 10
61 #define DETECT_BYTE_EXTRACT_BASE_OCT 8
62 
63 /* the default value for multiplier. Either ways we always store a
64  * multiplier, 1 or otherwise, so that we can always multiply the extracted
65  * value and store it, instead of checking if a multiplier is set or not */
66 #define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT 1
67 /* the min/max limit for multiplier */
68 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT 1
69 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT 65535
70 
71 /* the max no of bytes that can be extracted in string mode - (string, hex)
72  * (string, oct) or (string, dec) */
73 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
74 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
75 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
76 /* the max no of bytes that can be extracted in non-string mode */
77 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
78 
79 #define PARSE_REGEX "^" \
80  "\\s*([0-9]+)\\s*" \
81  ",\\s*(-?[0-9]+)\\s*" \
82  ",\\s*([^\\s,]+)\\s*" \
83  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
84  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
85  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
86  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
87  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
88  "$"
89 
90 static DetectParseRegex parse_regex;
91 
92 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
93 #ifdef UNITTESTS
94 static void DetectByteExtractRegisterTests(void);
95 #endif
96 static void DetectByteExtractFree(DetectEngineCtx *, void *);
97 
98 /**
99  * \brief Registers the keyword handlers for the "byte_extract" keyword.
100  */
102 {
103  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
104  sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
105  sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
107  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
108  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
109 #ifdef UNITTESTS
110  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
111 #endif
112  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
113 }
114 
116  const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value,
117  uint8_t endian)
118 {
120  const uint8_t *ptr = NULL;
121  int32_t len = 0;
122  uint64_t val = 0;
123  int extbytes;
124 
125  if (payload_len == 0) {
126  return 0;
127  }
128 
129  /* Calculate the ptr value for the bytetest and length remaining in
130  * the packet from that point.
131  */
133  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
134  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
135 
136  ptr = payload + det_ctx->buffer_offset;
137  len = payload_len - det_ctx->buffer_offset;
138 
139  ptr += data->offset;
140  len -= data->offset;
141 
142  /* No match if there is no relative base */
143  if (len <= 0) {
144  return 0;
145  }
146  //PrintRawDataFp(stdout,ptr,len);
147  } else {
148  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
149 
150  ptr = payload + data->offset;
151  len = payload_len - data->offset;
152  }
153 
154  /* Validate that the to-be-extracted is within the packet */
155  if (ptr < payload || data->nbytes > len) {
156  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
157  payload, ptr, len, data->nbytes);
158  return 0;
159  }
160 
161  /* Extract the byte data */
163  extbytes = ByteExtractStringUint64(&val, data->base,
164  data->nbytes, (const char *)ptr);
165  if (extbytes <= 0) {
166  /* strtoull() return 0 if there is no numeric value in data string */
167  if (val == 0) {
168  SCLogDebug("No Numeric value");
169  return 0;
170  } else {
171  SCLogDebug("error extracting %d bytes of string data: %d",
172  data->nbytes, extbytes);
173  return -1;
174  }
175  }
176  } else {
177  int endianness = (endian == DETECT_BYTE_EXTRACT_ENDIAN_BIG) ?
179  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
180  if (extbytes != data->nbytes) {
181  SCLogDebug("error extracting %d bytes of numeric data: %d",
182  data->nbytes, extbytes);
183  return 0;
184  }
185  }
186 
187  /* Adjust the jump value based on flags */
188  val *= data->multiplier_value;
190  if ((val % data->align_value) != 0) {
191  val += data->align_value - (val % data->align_value);
192  }
193  }
194 
195  ptr += extbytes;
196 
197  det_ctx->buffer_offset = ptr - payload;
198 
199  *value = val;
200  SCLogDebug("extracted value is %"PRIu64, val);
201  return 1;
202 }
203 
204 /**
205  * \internal
206  * \brief Used to parse byte_extract arg.
207  *
208  * \param de_ctx Pointer to the detection engine context
209  * \arg The argument to parse.
210  *
211  * \param bed On success an instance containing the parsed data.
212  * On failure, NULL.
213  */
214 static inline DetectByteExtractData *DetectByteExtractParse(DetectEngineCtx *de_ctx, const char *arg)
215 {
216  DetectByteExtractData *bed = NULL;
217  int res = 0;
218  size_t pcre2len;
219  int i = 0;
220  pcre2_match_data *match = NULL;
221 
222  int ret = DetectParsePcreExec(&parse_regex, &match, arg, 0, 0);
223  if (ret < 3 || ret > 19) {
224  SCLogError("parse error, ret %" PRId32 ", string \"%s\"", ret, arg);
225  SCLogError("Invalid arg to byte_extract : %s "
226  "for byte_extract",
227  arg);
228  goto error;
229  }
230 
231  bed = SCCalloc(1, sizeof(DetectByteExtractData));
232  if (unlikely(bed == NULL))
233  goto error;
234 
235  /* no of bytes to extract */
236  char nbytes_str[64] = "";
237  pcre2len = sizeof(nbytes_str);
238  res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)nbytes_str, &pcre2len);
239  if (res < 0) {
240  SCLogError("pcre2_substring_copy_bynumber failed "
241  "for arg 1 for byte_extract");
242  goto error;
243  }
244  if (StringParseUint8(&bed->nbytes, 10, 0,
245  (const char *)nbytes_str) < 0) {
246  SCLogError("Invalid value for number of bytes"
247  " to be extracted: \"%s\".",
248  nbytes_str);
249  goto error;
250  }
251 
252  /* offset */
253  char offset_str[64] = "";
254  pcre2len = sizeof(offset_str);
255  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)offset_str, &pcre2len);
256  if (res < 0) {
257  SCLogError("pcre2_substring_copy_bynumber failed "
258  "for arg 2 for byte_extract");
259  goto error;
260  }
261  int32_t offset;
262  if (StringParseI32RangeCheck(&offset, 10, 0, (const char *)offset_str, -65535, 65535) < 0) {
263  SCLogError("Invalid value for offset: \"%s\".", offset_str);
264  goto error;
265  }
266  bed->offset = offset;
267 
268  /* var name */
269  char varname_str[256] = "";
270  pcre2len = sizeof(varname_str);
271  res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)varname_str, &pcre2len);
272  if (res < 0) {
273  SCLogError("pcre2_substring_copy_bynumber failed "
274  "for arg 3 for byte_extract");
275  goto error;
276  }
277  bed->name = SCStrdup(varname_str);
278  if (bed->name == NULL)
279  goto error;
280 
281  /* check out other optional args */
282  for (i = 4; i < ret; i++) {
283  char opt_str[64] = "";
284  pcre2len = sizeof(opt_str);
285  res = SC_Pcre2SubstringCopy(match, i, (PCRE2_UCHAR8 *)opt_str, &pcre2len);
286  if (res < 0) {
287  SCLogError("pcre2_substring_copy_bynumber failed "
288  "for arg %d for byte_extract with %d",
289  i, res);
290  goto error;
291  }
292 
293  if (strcmp("relative", opt_str) == 0) {
295  SCLogError("relative specified more "
296  "than once for byte_extract");
297  goto error;
298  }
300  } else if (strcmp("multiplier", opt_str) == 0) {
302  SCLogError("multiplier specified more "
303  "than once for byte_extract");
304  goto error;
305  }
307  i++;
308 
309  char multiplier_str[16] = "";
310  pcre2len = sizeof(multiplier_str);
311  res = pcre2_substring_copy_bynumber(
312  match, i, (PCRE2_UCHAR8 *)multiplier_str, &pcre2len);
313  if (res < 0) {
314  SCLogError("pcre2_substring_copy_bynumber failed "
315  "for arg %d for byte_extract",
316  i);
317  goto error;
318  }
319  uint16_t multiplier;
320  if (StringParseU16RangeCheck(&multiplier, 10, 0, (const char *)multiplier_str,
323  SCLogError("Invalid value for"
324  "multiplier: \"%s\".",
325  multiplier_str);
326  goto error;
327  }
328  bed->multiplier_value = multiplier;
329  } else if (strcmp("big", opt_str) == 0) {
331  SCLogError("endian option specified "
332  "more than once for byte_extract");
333  goto error;
334  }
337  } else if (strcmp("little", opt_str) == 0) {
339  SCLogError("endian option specified "
340  "more than once for byte_extract");
341  goto error;
342  }
345  } else if (strcmp("dce", opt_str) == 0) {
347  SCLogError("endian option specified "
348  "more than once for byte_extract");
349  goto error;
350  }
353  } else if (strcmp("string", opt_str) == 0) {
355  SCLogError("string specified more "
356  "than once for byte_extract");
357  goto error;
358  }
359  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
360  SCLogError("The right way to specify "
361  "base is (string, base) and not (base, string) "
362  "for byte_extract");
363  goto error;
364  }
366  } else if (strcmp("hex", opt_str) == 0) {
367  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
368  SCLogError("Base(hex) specified "
369  "without specifying string. The right way is "
370  "(string, base) and not (base, string)");
371  goto error;
372  }
373  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
374  SCLogError("More than one base "
375  "specified for byte_extract");
376  goto error;
377  }
379  } else if (strcmp("oct", opt_str) == 0) {
380  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
381  SCLogError("Base(oct) specified "
382  "without specifying string. The right way is "
383  "(string, base) and not (base, string)");
384  goto error;
385  }
386  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
387  SCLogError("More than one base "
388  "specified for byte_extract");
389  goto error;
390  }
392  } else if (strcmp("dec", opt_str) == 0) {
393  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
394  SCLogError("Base(dec) specified "
395  "without specifying string. The right way is "
396  "(string, base) and not (base, string)");
397  goto error;
398  }
399  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
400  SCLogError("More than one base "
401  "specified for byte_extract");
402  goto error;
403  }
405  } else if (strcmp("align", opt_str) == 0) {
407  SCLogError("Align specified more "
408  "than once for byte_extract");
409  goto error;
410  }
412  i++;
413 
414  char align_str[16] = "";
415  pcre2len = sizeof(align_str);
416  res = pcre2_substring_copy_bynumber(match, i, (PCRE2_UCHAR8 *)align_str, &pcre2len);
417  if (res < 0) {
418  SCLogError("pcre2_substring_copy_bynumber failed "
419  "for arg %d in byte_extract",
420  i);
421  goto error;
422  }
423  if (StringParseUint8(&bed->align_value, 10, 0,
424  (const char *)align_str) < 0) {
425  SCLogError("Invalid align_value: "
426  "\"%s\".",
427  align_str);
428  goto error;
429  }
430  if (!(bed->align_value == 2 || bed->align_value == 4)) {
431  SCLogError("Invalid align_value for "
432  "byte_extract - \"%d\"",
433  bed->align_value);
434  goto error;
435  }
436  } else if (strcmp("", opt_str) == 0) {
437  ;
438  } else {
439  SCLogError("Invalid option - \"%s\" "
440  "specified in byte_extract",
441  opt_str);
442  goto error;
443  }
444  } /* for (i = 4; i < ret; i++) */
445 
446  /* validation */
448  /* default value */
450  }
451 
453  if (bed->base == DETECT_BYTE_EXTRACT_BASE_NONE) {
454  /* Default to decimal if base not specified. */
456  }
458  SCLogError("byte_extract can't have "
459  "endian \"big\" or \"little\" specified along with "
460  "\"string\"");
461  goto error;
462  }
463  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
464  /* if are dealing with octal nos, the max no that can fit in a 8
465  * byte value is 01777777777777777777777 */
467  SCLogError("byte_extract can't process "
468  "more than %d bytes in \"string\" extraction",
470  goto error;
471  }
472  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
473  /* if are dealing with decimal nos, the max no that can fit in a 8
474  * byte value is 18446744073709551615 */
476  SCLogError("byte_extract can't process "
477  "more than %d bytes in \"string\" extraction",
479  goto error;
480  }
481  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
482  /* if are dealing with hex nos, the max no that can fit in a 8
483  * byte value is 0xFFFFFFFFFFFFFFFF */
485  SCLogError("byte_extract can't process "
486  "more than %d bytes in \"string\" extraction",
488  goto error;
489  }
490  } else {
491  ; // just a placeholder. we won't reach here.
492  }
493  } else {
495  SCLogError("byte_extract can't process "
496  "more than %d bytes in \"non-string\" extraction",
498  goto error;
499  }
500  /* if string has not been specified and no endian option has been
501  * specified, then set the default endian level of BIG */
504  }
505 
506  pcre2_match_data_free(match);
507 
508  return bed;
509  error:
510  if (bed != NULL)
511  DetectByteExtractFree(de_ctx, bed);
512  if (match) {
513  pcre2_match_data_free(match);
514  }
515  return NULL;
516 }
517 
518 /**
519  * \brief The setup function for the byte_extract keyword for a signature.
520  *
521  * \param de_ctx Pointer to the detection engine context.
522  * \param s Pointer to signature for the current Signature being parsed
523  * from the rules.
524  * \param m Pointer to the head of the SigMatch for the current rule
525  * being parsed.
526  * \param arg Pointer to the string holding the keyword value.
527  *
528  * \retval 0 On success.
529  * \retval -1 On failure.
530  */
531 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
532 {
533  SigMatch *prev_pm = NULL;
534  DetectByteExtractData *data = NULL;
535  int ret = -1;
536 
537  data = DetectByteExtractParse(de_ctx, arg);
538  if (data == NULL)
539  goto error;
540 
541  int sm_list;
542  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
543  sm_list = s->init_data->list;
544 
547  }
548  } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
553  if (prev_pm == NULL) {
554  sm_list = DETECT_SM_LIST_PMATCH;
555  } else {
556  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
557  if (sm_list < 0)
558  goto error;
559  }
560  } else {
561  sm_list = DETECT_SM_LIST_PMATCH;
562  }
563 
565  goto error;
566 
567  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
568  prev_pm = DetectGetLastSMFromLists(s,
572  if (prev_pm == NULL) {
573  sm_list = DETECT_SM_LIST_PMATCH;
574  } else {
575  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
576  if (sm_list < 0)
577  goto error;
578  }
579 
580  } else {
581  sm_list = DETECT_SM_LIST_PMATCH;
582  }
583 
584  if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
586  goto error;
587 
588  if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
589  (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
590  (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
591  (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) {
592  SCLogError("Invalid option. "
593  "A byte_jump keyword with dce holds other invalid modifiers.");
594  goto error;
595  }
596  }
597 
598  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
599  DETECT_BYTE_EXTRACT, -1);
600  if (prev_bed_sm == NULL)
601  data->local_id = 0;
602  else
603  data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
606 
607  if (SigMatchAppendSMToList(de_ctx, s, DETECT_BYTE_EXTRACT, (SigMatchCtx *)data, sm_list) ==
608  NULL) {
609  goto error;
610  }
611 
613  goto okay;
614 
615  if (prev_pm == NULL)
616  goto okay;
617 
618  if (prev_pm->type == DETECT_CONTENT) {
619  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
621  } else if (prev_pm->type == DETECT_PCRE) {
622  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
624  }
625 
626  okay:
627  ret = 0;
628  return ret;
629  error:
630  DetectByteExtractFree(de_ctx, data);
631  return ret;
632 }
633 
634 /**
635  * \brief Used to free instances of DetectByteExtractData.
636  *
637  * \param ptr Instance of DetectByteExtractData to be freed.
638  */
639 static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
640 {
641  if (ptr != NULL) {
642  DetectByteExtractData *bed = ptr;
643  if (bed->name != NULL)
644  SCFree((void *)bed->name);
645  SCFree(bed);
646  }
647 
648  return;
649 }
650 
651 /**
652  * \brief Lookup the SigMatch for a named byte_extract variable.
653  *
654  * \param arg The name of the byte_extract variable to lookup.
655  * \param s Pointer the signature to look in.
656  *
657  * \retval A pointer to the SigMatch if found, otherwise NULL.
658  */
660 {
661  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
662  SigMatch *sm = s->init_data->buffers[x].head;
663  while (sm != NULL) {
664  if (sm->type == DETECT_BYTE_EXTRACT) {
665  const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
666  if (strcmp(bed->name, arg) == 0) {
667  return sm;
668  }
669  }
670  sm = sm->next;
671  }
672  }
673 
674  for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
675  SigMatch *sm = s->init_data->smlists[list];
676  while (sm != NULL) {
677  if (sm->type == DETECT_BYTE_EXTRACT) {
678  const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
679  if (strcmp(bed->name, arg) == 0) {
680  return sm;
681  }
682  }
683  sm = sm->next;
684  }
685  }
686 
687  return NULL;
688 }
689 
690 /*************************************Unittests********************************/
691 
692 #ifdef UNITTESTS
693 
694 static int g_file_data_buffer_id = 0;
695 static int g_http_uri_buffer_id = 0;
696 
697 static int DetectByteExtractTest01(void)
698 {
699  int result = 0;
700 
701  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
702  if (bed == NULL)
703  goto end;
704 
705  if (bed->nbytes != 4 ||
706  bed->offset != 2 ||
707  strcmp(bed->name, "one") != 0 ||
708  bed->flags != 0 ||
711  bed->align_value != 0 ||
713  goto end;
714  }
715 
716  result = 1;
717  end:
718  if (bed != NULL)
719  DetectByteExtractFree(NULL, bed);
720  return result;
721 }
722 
723 static int DetectByteExtractTest02(void)
724 {
725  int result = 0;
726 
727  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
728  if (bed == NULL)
729  goto end;
730 
731  if (bed->nbytes != 4 ||
732  bed->offset != 2 ||
733  strcmp(bed->name, "one") != 0 ||
737  bed->align_value != 0 ||
739  goto end;
740  }
741 
742  result = 1;
743  end:
744  if (bed != NULL)
745  DetectByteExtractFree(NULL, bed);
746  return result;
747 }
748 
749 static int DetectByteExtractTest03(void)
750 {
751  int result = 0;
752 
753  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
754  if (bed == NULL)
755  goto end;
756 
757  if (bed->nbytes != 4 ||
758  bed->offset != 2 ||
759  strcmp(bed->name, "one") != 0 ||
763  bed->align_value != 0 ||
764  bed->multiplier_value != 10) {
765  goto end;
766  }
767 
768  result = 1;
769  end:
770  if (bed != NULL)
771  DetectByteExtractFree(NULL, bed);
772  return result;
773 }
774 
775 static int DetectByteExtractTest04(void)
776 {
777  int result = 0;
778 
779  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
780  if (bed == NULL)
781  goto end;
782 
783  if (bed->nbytes != 4 ||
784  bed->offset != 2 ||
785  strcmp(bed->name, "one") != 0 ||
790  bed->align_value != 0 ||
791  bed->multiplier_value != 10) {
792  goto end;
793  }
794 
795  result = 1;
796  end:
797  if (bed != NULL)
798  DetectByteExtractFree(NULL, bed);
799  return result;
800 }
801 
802 static int DetectByteExtractTest05(void)
803 {
804  int result = 0;
805 
806  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
807  if (bed == NULL)
808  goto end;
809 
810  if (bed->nbytes != 4 ||
811  bed->offset != 2 ||
812  strcmp(bed->name, "one") != 0 ||
816  bed->align_value != 0 ||
818  goto end;
819  }
820 
821  result = 1;
822  end:
823  if (bed != NULL)
824  DetectByteExtractFree(NULL, bed);
825  return result;
826 }
827 
828 static int DetectByteExtractTest06(void)
829 {
830  int result = 0;
831 
832  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
833  if (bed == NULL)
834  goto end;
835 
836  if (bed->nbytes != 4 ||
837  bed->offset != 2 ||
838  strcmp(bed->name, "one") != 0 ||
842  bed->align_value != 0 ||
844  goto end;
845  }
846 
847  result = 1;
848  end:
849  if (bed != NULL)
850  DetectByteExtractFree(NULL, bed);
851  return result;
852 }
853 
854 static int DetectByteExtractTest07(void)
855 {
856  int result = 0;
857 
858  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
859  if (bed == NULL)
860  goto end;
861 
862  if (bed->nbytes != 4 ||
863  bed->offset != 2 ||
864  strcmp(bed->name, "one") != 0 ||
868  bed->align_value != 0 ||
870  goto end;
871  }
872 
873  result = 1;
874  end:
875  if (bed != NULL)
876  DetectByteExtractFree(NULL, bed);
877  return result;
878 }
879 
880 static int DetectByteExtractTest08(void)
881 {
882  int result = 0;
883 
884  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
885  if (bed == NULL)
886  goto end;
887 
888  if (bed->nbytes != 4 ||
889  bed->offset != 2 ||
890  strcmp(bed->name, "one") != 0 ||
894  bed->align_value != 0 ||
896  goto end;
897  }
898 
899  result = 1;
900  end:
901  if (bed != NULL)
902  DetectByteExtractFree(NULL, bed);
903  return result;
904 }
905 
906 static int DetectByteExtractTest09(void)
907 {
908  int result = 0;
909 
910  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
911  if (bed == NULL)
912  goto end;
913 
914  if (bed->nbytes != 4 ||
915  bed->offset != 2 ||
916  strcmp(bed->name, "one") != 0 ||
920  bed->align_value != 0 ||
922  goto end;
923  }
924 
925  result = 1;
926  end:
927  if (bed != NULL)
928  DetectByteExtractFree(NULL, bed);
929  return result;
930 }
931 
932 static int DetectByteExtractTest10(void)
933 {
934  int result = 0;
935 
936  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
937  if (bed == NULL)
938  goto end;
939 
940  if (bed->nbytes != 4 ||
941  bed->offset != 2 ||
942  strcmp(bed->name, "one") != 0 ||
946  bed->align_value != 0 ||
948  goto end;
949  }
950 
951  result = 1;
952  end:
953  if (bed != NULL)
954  DetectByteExtractFree(NULL, bed);
955  return result;
956 }
957 
958 static int DetectByteExtractTest11(void)
959 {
960  int result = 0;
961 
962  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
963  if (bed == NULL)
964  goto end;
965 
966  if (bed->nbytes != 4 ||
967  bed->offset != 2 ||
968  strcmp(bed->name, "one") != 0 ||
972  bed->align_value != 4 ||
974  goto end;
975  }
976 
977  result = 1;
978  end:
979  if (bed != NULL)
980  DetectByteExtractFree(NULL, bed);
981  return result;
982 }
983 
984 static int DetectByteExtractTest12(void)
985 {
986  int result = 0;
987 
988  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
989  if (bed == NULL)
990  goto end;
991 
992  if (bed->nbytes != 4 ||
993  bed->offset != 2 ||
994  strcmp(bed->name, "one") != 0 ||
999  bed->align_value != 4 ||
1001  goto end;
1002  }
1003 
1004  result = 1;
1005  end:
1006  if (bed != NULL)
1007  DetectByteExtractFree(NULL, bed);
1008  return result;
1009 }
1010 
1011 static int DetectByteExtractTest13(void)
1012 {
1013  int result = 0;
1014 
1015  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
1016  if (bed == NULL)
1017  goto end;
1018 
1019  if (bed->nbytes != 4 ||
1020  bed->offset != 2 ||
1021  strcmp(bed->name, "one") != 0 ||
1027  bed->align_value != 4 ||
1029  goto end;
1030  }
1031 
1032  result = 1;
1033  end:
1034  if (bed != NULL)
1035  DetectByteExtractFree(NULL, bed);
1036  return result;
1037 }
1038 
1039 static int DetectByteExtractTest14(void)
1040 {
1041  int result = 0;
1042 
1043  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
1044  if (bed == NULL)
1045  goto end;
1046 
1047  if (bed->nbytes != 4 ||
1048  bed->offset != 2 ||
1049  strcmp(bed->name, "one") != 0 ||
1055  bed->align_value != 4 ||
1057  goto end;
1058  }
1059 
1060  result = 1;
1061  end:
1062  if (bed != NULL)
1063  DetectByteExtractFree(NULL, bed);
1064  return result;
1065 }
1066 
1067 static int DetectByteExtractTest15(void)
1068 {
1069  int result = 0;
1070 
1071  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
1072  if (bed == NULL)
1073  goto end;
1074 
1075  if (bed->nbytes != 4 ||
1076  bed->offset != 2 ||
1077  strcmp(bed->name, "one") != 0 ||
1083  bed->align_value != 4 ||
1085  goto end;
1086  }
1087 
1088  result = 1;
1089  end:
1090  if (bed != NULL)
1091  DetectByteExtractFree(NULL, bed);
1092  return result;
1093 }
1094 
1095 static int DetectByteExtractTest16(void)
1096 {
1097  int result = 0;
1098 
1099  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
1100  if (bed == NULL)
1101  goto end;
1102 
1103  if (bed->nbytes != 4 ||
1104  bed->offset != 2 ||
1105  strcmp(bed->name, "one") != 0 ||
1112  bed->align_value != 4 ||
1113  bed->multiplier_value != 2) {
1114  goto end;
1115  }
1116 
1117  result = 1;
1118  end:
1119  if (bed != NULL)
1120  DetectByteExtractFree(NULL, bed);
1121  return result;
1122 }
1123 
1124 static int DetectByteExtractTest17(void)
1125 {
1126  int result = 0;
1127 
1128  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1129  "relative, little, "
1130  "multiplier 2, string hex");
1131  if (bed != NULL)
1132  goto end;
1133 
1134  result = 1;
1135  end:
1136  if (bed != NULL)
1137  DetectByteExtractFree(NULL, bed);
1138  return result;
1139 }
1140 
1141 static int DetectByteExtractTest18(void)
1142 {
1143  int result = 0;
1144 
1145  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1146  "relative, little, "
1147  "multiplier 2, "
1148  "relative");
1149  if (bed != NULL)
1150  goto end;
1151 
1152  result = 1;
1153  end:
1154  if (bed != NULL)
1155  DetectByteExtractFree(NULL, bed);
1156  return result;
1157 }
1158 
1159 static int DetectByteExtractTest19(void)
1160 {
1161  int result = 0;
1162 
1163  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1164  "relative, little, "
1165  "multiplier 2, "
1166  "little");
1167  if (bed != NULL)
1168  goto end;
1169 
1170  result = 1;
1171  end:
1172  if (bed != NULL)
1173  DetectByteExtractFree(NULL, bed);
1174  return result;
1175 }
1176 
1177 static int DetectByteExtractTest20(void)
1178 {
1179  int result = 0;
1180 
1181  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1182  "relative, "
1183  "multiplier 2, "
1184  "align 2");
1185  if (bed != NULL)
1186  goto end;
1187 
1188  result = 1;
1189  end:
1190  if (bed != NULL)
1191  DetectByteExtractFree(NULL, bed);
1192  return result;
1193 }
1194 
1195 static int DetectByteExtractTest21(void)
1196 {
1197  int result = 0;
1198 
1199  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1200  "multiplier 2, "
1201  "relative, "
1202  "multiplier 2");
1203  if (bed != NULL)
1204  goto end;
1205 
1206  result = 1;
1207  end:
1208  if (bed != NULL)
1209  DetectByteExtractFree(NULL, bed);
1210  return result;
1211 }
1212 
1213 static int DetectByteExtractTest22(void)
1214 {
1215  int result = 0;
1216 
1217  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1218  "string hex, "
1219  "relative, "
1220  "string hex");
1221  if (bed != NULL)
1222  goto end;
1223 
1224  result = 1;
1225  end:
1226  if (bed != NULL)
1227  DetectByteExtractFree(NULL, bed);
1228  return result;
1229 }
1230 
1231 static int DetectByteExtractTest23(void)
1232 {
1233  int result = 0;
1234 
1235  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1236  "string hex, "
1237  "relative, "
1238  "string oct");
1239  if (bed != NULL)
1240  goto end;
1241 
1242  result = 1;
1243  end:
1244  if (bed != NULL)
1245  DetectByteExtractFree(NULL, bed);
1246  return result;
1247 }
1248 
1249 static int DetectByteExtractTest24(void)
1250 {
1251  int result = 0;
1252 
1253  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
1254  "string hex, "
1255  "relative");
1256  if (bed != NULL)
1257  goto end;
1258 
1259  result = 1;
1260  end:
1261  if (bed != NULL)
1262  DetectByteExtractFree(NULL, bed);
1263  return result;
1264 }
1265 
1266 static int DetectByteExtractTest25(void)
1267 {
1268  int result = 0;
1269 
1270  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
1271  "little, "
1272  "relative");
1273  if (bed != NULL)
1274  goto end;
1275 
1276  result = 1;
1277  end:
1278  if (bed != NULL)
1279  DetectByteExtractFree(NULL, bed);
1280  return result;
1281 }
1282 
1283 static int DetectByteExtractTest26(void)
1284 {
1285  int result = 0;
1286 
1287  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1288  "little, "
1289  "relative, "
1290  "multiplier 65536");
1291  if (bed != NULL)
1292  goto end;
1293 
1294  result = 1;
1295  end:
1296  if (bed != NULL)
1297  DetectByteExtractFree(NULL, bed);
1298  return result;
1299 }
1300 
1301 static int DetectByteExtractTest27(void)
1302 {
1303  int result = 0;
1304 
1305  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1306  "little, "
1307  "relative, "
1308  "multiplier 0");
1309  if (bed != NULL)
1310  goto end;
1311 
1312  result = 1;
1313  end:
1314  if (bed != NULL)
1315  DetectByteExtractFree(NULL, bed);
1316  return result;
1317 }
1318 
1319 static int DetectByteExtractTest28(void)
1320 {
1321  int result = 0;
1322 
1323  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
1324  if (bed == NULL)
1325  goto end;
1326 
1327  result = 1;
1328  end:
1329  if (bed != NULL)
1330  DetectByteExtractFree(NULL, bed);
1331  return result;
1332 }
1333 
1334 static int DetectByteExtractTest29(void)
1335 {
1336  int result = 0;
1337 
1338  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
1339  if (bed != NULL)
1340  goto end;
1341 
1342  result = 1;
1343  end:
1344  if (bed != NULL)
1345  DetectByteExtractFree(NULL, bed);
1346  return result;
1347 }
1348 
1349 static int DetectByteExtractTest30(void)
1350 {
1351  int result = 0;
1352 
1353  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1354  if (bed == NULL)
1355  goto end;
1356 
1357  result = 1;
1358  end:
1359  if (bed != NULL)
1360  DetectByteExtractFree(NULL, bed);
1361  return result;
1362 }
1363 
1364 static int DetectByteExtractTest31(void)
1365 {
1366  int result = 0;
1367 
1368  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1369  if (bed != NULL)
1370  goto end;
1371 
1372  result = 1;
1373  end:
1374  if (bed != NULL)
1375  DetectByteExtractFree(NULL, bed);
1376  return result;
1377 }
1378 
1379 static int DetectByteExtractTest32(void)
1380 {
1381  int result = 0;
1382 
1383  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1384  if (bed == NULL)
1385  goto end;
1386 
1387  result = 1;
1388  end:
1389  if (bed != NULL)
1390  DetectByteExtractFree(NULL, bed);
1391  return result;
1392 }
1393 
1394 static int DetectByteExtractTest33(void)
1395 {
1396  int result = 0;
1397 
1398  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1399  if (bed != NULL)
1400  goto end;
1401 
1402  result = 1;
1403  end:
1404  if (bed != NULL)
1405  DetectByteExtractFree(NULL, bed);
1406  return result;
1407 }
1408 
1409 static int DetectByteExtractTest34(void)
1410 {
1411  DetectEngineCtx *de_ctx = NULL;
1412  int result = 0;
1413  Signature *s = NULL;
1414  SigMatch *sm = NULL;
1415  DetectContentData *cd = NULL;
1416  DetectByteExtractData *bed = NULL;
1417 
1419  if (de_ctx == NULL)
1420  goto end;
1421 
1422  de_ctx->flags |= DE_QUIET;
1423  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1424  "(msg:\"Testing bytejump_body\"; "
1425  "content:\"one\"; "
1426  "byte_extract:4,2,two,relative,string,hex; "
1427  "sid:1;)");
1428  if (de_ctx->sig_list == NULL) {
1429  result = 0;
1430  goto end;
1431  }
1432 
1433  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1434  result = 0;
1435  goto end;
1436  }
1437 
1439  if (sm->type != DETECT_CONTENT) {
1440  result = 0;
1441  goto end;
1442  }
1443  cd = (DetectContentData *)sm->ctx;
1444  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1445  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1446  cd->flags & DETECT_CONTENT_NOCASE ||
1447  cd->flags & DETECT_CONTENT_WITHIN ||
1451  cd->flags & DETECT_CONTENT_NEGATED ) {
1452  printf("one failed\n");
1453  result = 0;
1454  goto end;
1455  }
1456 
1457  sm = sm->next;
1458  if (sm->type != DETECT_BYTE_EXTRACT) {
1459  result = 0;
1460  goto end;
1461  }
1462  bed = (DetectByteExtractData *)sm->ctx;
1463  if (bed->nbytes != 4 ||
1464  bed->offset != 2 ||
1465  strncmp(bed->name, "two", cd->content_len) != 0 ||
1470  bed->align_value != 0 ||
1472  goto end;
1473  }
1474 
1475  result = 1;
1476 
1477  end:
1481 
1482  return result;
1483 }
1484 
1485 static int DetectByteExtractTest35(void)
1486 {
1487  DetectEngineCtx *de_ctx = NULL;
1488  int result = 0;
1489  Signature *s = NULL;
1490  SigMatch *sm = NULL;
1491  DetectContentData *cd = NULL;
1492  DetectPcreData *pd = NULL;
1493  DetectByteExtractData *bed = NULL;
1494 
1496  if (de_ctx == NULL)
1497  goto end;
1498 
1499  de_ctx->flags |= DE_QUIET;
1500  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1501  "(msg:\"Testing bytejump_body\"; "
1502  "content:\"one\"; pcre:/asf/; "
1503  "byte_extract:4,0,two,relative,string,hex; "
1504  "sid:1;)");
1505  if (de_ctx->sig_list == NULL) {
1506  result = 0;
1507  goto end;
1508  }
1509 
1510  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1511  result = 0;
1512  goto end;
1513  }
1514 
1516  if (sm->type != DETECT_CONTENT) {
1517  result = 0;
1518  goto end;
1519  }
1520  cd = (DetectContentData *)sm->ctx;
1521  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1522  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1523  cd->flags & DETECT_CONTENT_NOCASE ||
1524  cd->flags & DETECT_CONTENT_WITHIN ||
1528  cd->flags & DETECT_CONTENT_NEGATED ) {
1529  printf("one failed\n");
1530  result = 0;
1531  goto end;
1532  }
1533 
1534  sm = sm->next;
1535  if (sm->type != DETECT_PCRE) {
1536  result = 0;
1537  goto end;
1538  }
1539  pd = (DetectPcreData *)sm->ctx;
1540  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1541  result = 0;
1542  goto end;
1543  }
1544 
1545  sm = sm->next;
1546  if (sm->type != DETECT_BYTE_EXTRACT) {
1547  result = 0;
1548  goto end;
1549  }
1550  bed = (DetectByteExtractData *)sm->ctx;
1551  if (bed->nbytes != 4 ||
1552  bed->offset != 0 ||
1553  strcmp(bed->name, "two") != 0 ||
1558  bed->align_value != 0 ||
1560  goto end;
1561  }
1562 
1563  result = 1;
1564 
1565  end:
1569 
1570  return result;
1571 }
1572 
1573 static int DetectByteExtractTest36(void)
1574 {
1577  de_ctx->flags |= DE_QUIET;
1578 
1579  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
1580  "content:\"one\"; byte_jump:1,13; "
1581  "byte_extract:4,0,two,relative,string,hex; "
1582  "sid:1;)");
1583  FAIL_IF_NULL(s);
1585 
1587  FAIL_IF(sm->type != DETECT_CONTENT);
1590  FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
1597 
1598  sm = sm->next;
1599  FAIL_IF(sm->type != DETECT_BYTEJUMP);
1601  FAIL_IF(bjd->flags != 0);
1602  sm = sm->next;
1605  FAIL_IF(bed->nbytes != 4);
1606  FAIL_IF(bed->offset != 0);
1607  FAIL_IF(strcmp(bed->name, "two") != 0);
1611  FAIL_IF(bed->align_value != 0);
1613 
1615  PASS;
1616 }
1617 
1618 static int DetectByteExtractTest37(void)
1619 {
1620  DetectEngineCtx *de_ctx = NULL;
1621  int result = 0;
1622  Signature *s = NULL;
1623  SigMatch *sm = NULL;
1624  DetectContentData *cd = NULL;
1625  DetectContentData *ud = NULL;
1626  DetectByteExtractData *bed = NULL;
1627 
1629  if (de_ctx == NULL)
1630  goto end;
1631 
1632  de_ctx->flags |= DE_QUIET;
1633  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1634  "(msg:\"Testing bytejump_body\"; "
1635  "content:\"one\"; uricontent:\"two\"; "
1636  "byte_extract:4,0,two,relative,string,hex; "
1637  "sid:1;)");
1638  if (de_ctx->sig_list == NULL) {
1639  result = 0;
1640  goto end;
1641  }
1642 
1643  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1644  result = 0;
1645  goto end;
1646  }
1647 
1649  if (sm->type != DETECT_CONTENT) {
1650  result = 0;
1651  goto end;
1652  }
1653  cd = (DetectContentData *)sm->ctx;
1654  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1655  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1656  cd->flags & DETECT_CONTENT_NOCASE ||
1657  cd->flags & DETECT_CONTENT_WITHIN ||
1661  cd->flags & DETECT_CONTENT_NEGATED ) {
1662  printf("one failed\n");
1663  result = 0;
1664  goto end;
1665  }
1666 
1667  if (sm->next != NULL) {
1668  result = 0;
1669  goto end;
1670  }
1671 
1672  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1673  if (sm->type != DETECT_CONTENT) {
1674  result = 0;
1675  goto end;
1676  }
1677  ud = (DetectContentData *)sm->ctx;
1678  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1679  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1680  ud->flags & DETECT_CONTENT_NOCASE ||
1681  ud->flags & DETECT_CONTENT_WITHIN ||
1685  ud->flags & DETECT_CONTENT_NEGATED ) {
1686  printf("two failed\n");
1687  result = 0;
1688  goto end;
1689  }
1690 
1691  sm = sm->next;
1692  if (sm->type != DETECT_BYTE_EXTRACT) {
1693  result = 0;
1694  goto end;
1695  }
1696  bed = (DetectByteExtractData *)sm->ctx;
1697  if (bed->nbytes != 4 ||
1698  bed->offset != 0 ||
1699  strcmp(bed->name, "two") != 0 ||
1704  bed->align_value != 0 ||
1706  goto end;
1707  }
1708 
1709  result = 1;
1710 
1711  end:
1715 
1716  return result;
1717 }
1718 
1719 static int DetectByteExtractTest38(void)
1720 {
1721  DetectEngineCtx *de_ctx = NULL;
1722  int result = 0;
1723  Signature *s = NULL;
1724  SigMatch *sm = NULL;
1725  DetectContentData *cd = NULL;
1726  DetectContentData *ud = NULL;
1727  DetectByteExtractData *bed = NULL;
1728 
1730  if (de_ctx == NULL)
1731  goto end;
1732 
1733  de_ctx->flags |= DE_QUIET;
1734  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1735  "(msg:\"Testing bytejump_body\"; "
1736  "content:\"one\"; uricontent:\"two\"; "
1737  "byte_extract:4,0,two,string,hex; "
1738  "sid:1;)");
1739  if (de_ctx->sig_list == NULL) {
1740  result = 0;
1741  goto end;
1742  }
1743 
1744  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1745  result = 0;
1746  goto end;
1747  }
1748 
1750  if (sm->type != DETECT_CONTENT) {
1751  result = 0;
1752  goto end;
1753  }
1754  cd = (DetectContentData *)sm->ctx;
1755  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1756  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1757  cd->flags & DETECT_CONTENT_NOCASE ||
1758  cd->flags & DETECT_CONTENT_WITHIN ||
1762  cd->flags & DETECT_CONTENT_NEGATED ) {
1763  printf("one failed\n");
1764  result = 0;
1765  goto end;
1766  }
1767 
1768  sm = sm->next;
1769  if (sm->type != DETECT_BYTE_EXTRACT) {
1770  result = 0;
1771  goto end;
1772  }
1773  bed = (DetectByteExtractData *)sm->ctx;
1774  if (bed->nbytes != 4 ||
1775  bed->offset != 0 ||
1776  strcmp(bed->name, "two") != 0 ||
1780  bed->align_value != 0 ||
1782  goto end;
1783  }
1784 
1785  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1786  if (sm->type != DETECT_CONTENT) {
1787  result = 0;
1788  goto end;
1789  }
1790  ud = (DetectContentData *)sm->ctx;
1791  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1792  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1793  ud->flags & DETECT_CONTENT_NOCASE ||
1794  ud->flags & DETECT_CONTENT_WITHIN ||
1798  ud->flags & DETECT_CONTENT_NEGATED ) {
1799  printf("two failed\n");
1800  result = 0;
1801  goto end;
1802  }
1803 
1804  if (sm->next != NULL) {
1805  result = 0;
1806  goto end;
1807  }
1808 
1809  result = 1;
1810 
1811  end:
1815 
1816  return result;
1817 }
1818 
1819 static int DetectByteExtractTest39(void)
1820 {
1821  DetectEngineCtx *de_ctx = NULL;
1822  int result = 0;
1823  Signature *s = NULL;
1824  SigMatch *sm = NULL;
1825  DetectContentData *cd = NULL;
1826  DetectContentData *ud = NULL;
1827  DetectByteExtractData *bed = NULL;
1828 
1830  if (de_ctx == NULL)
1831  goto end;
1832 
1833  de_ctx->flags |= DE_QUIET;
1834  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1835  "(msg:\"Testing bytejump_body\"; "
1836  "content:\"one\"; content:\"two\"; http_uri; "
1837  "byte_extract:4,0,two,relative,string,hex; "
1838  "sid:1;)");
1839  if (de_ctx->sig_list == NULL) {
1840  result = 0;
1841  goto end;
1842  }
1843 
1844  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1845  result = 0;
1846  goto end;
1847  }
1848 
1850  if (sm->type != DETECT_CONTENT) {
1851  result = 0;
1852  goto end;
1853  }
1854  cd = (DetectContentData *)sm->ctx;
1855  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1856  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1857  cd->flags & DETECT_CONTENT_NOCASE ||
1858  cd->flags & DETECT_CONTENT_WITHIN ||
1862  cd->flags & DETECT_CONTENT_NEGATED ) {
1863  printf("one failed\n");
1864  result = 0;
1865  goto end;
1866  }
1867 
1868  if (sm->next != NULL) {
1869  result = 0;
1870  goto end;
1871  }
1872 
1873  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1874  if (sm->type != DETECT_CONTENT) {
1875  result = 0;
1876  goto end;
1877  }
1878  ud = (DetectContentData *)sm->ctx;
1879  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1880  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1881  ud->flags & DETECT_CONTENT_NOCASE ||
1882  ud->flags & DETECT_CONTENT_WITHIN ||
1886  ud->flags & DETECT_CONTENT_NEGATED ) {
1887  printf("two failed\n");
1888  result = 0;
1889  goto end;
1890  }
1891 
1892  sm = sm->next;
1893  if (sm->type != DETECT_BYTE_EXTRACT) {
1894  result = 0;
1895  goto end;
1896  }
1897  bed = (DetectByteExtractData *)sm->ctx;
1898  if (bed->nbytes != 4 ||
1899  bed->offset != 0 ||
1900  strcmp(bed->name, "two") != 0 ||
1905  bed->align_value != 0 ||
1907  goto end;
1908  }
1909 
1910  result = 1;
1911 
1912  end:
1916 
1917  return result;
1918 }
1919 
1920 static int DetectByteExtractTest40(void)
1921 {
1922  DetectEngineCtx *de_ctx = NULL;
1923  int result = 0;
1924  Signature *s = NULL;
1925  SigMatch *sm = NULL;
1926  DetectContentData *cd = NULL;
1927  DetectContentData *ud = NULL;
1928  DetectByteExtractData *bed = NULL;
1929 
1931  if (de_ctx == NULL)
1932  goto end;
1933 
1934  de_ctx->flags |= DE_QUIET;
1935  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1936  "(msg:\"Testing bytejump_body\"; "
1937  "content:\"one\"; content:\"two\"; http_uri; "
1938  "byte_extract:4,0,two,string,hex; "
1939  "sid:1;)");
1940  if (de_ctx->sig_list == NULL) {
1941  result = 0;
1942  goto end;
1943  }
1944 
1945  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1946  result = 0;
1947  goto end;
1948  }
1949 
1951  if (sm->type != DETECT_CONTENT) {
1952  result = 0;
1953  goto end;
1954  }
1955  cd = (DetectContentData *)sm->ctx;
1956  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1957  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1958  cd->flags & DETECT_CONTENT_NOCASE ||
1959  cd->flags & DETECT_CONTENT_WITHIN ||
1963  cd->flags & DETECT_CONTENT_NEGATED ) {
1964  printf("one failed\n");
1965  result = 0;
1966  goto end;
1967  }
1968 
1969  sm = sm->next;
1970  if (sm->type != DETECT_BYTE_EXTRACT) {
1971  result = 0;
1972  goto end;
1973  }
1974  bed = (DetectByteExtractData *)sm->ctx;
1975  if (bed->nbytes != 4 ||
1976  bed->offset != 0 ||
1977  strcmp(bed->name, "two") != 0 ||
1981  bed->align_value != 0 ||
1983  goto end;
1984  }
1985 
1986  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1987  if (sm->type != DETECT_CONTENT) {
1988  result = 0;
1989  goto end;
1990  }
1991  ud = (DetectContentData *)sm->ctx;
1992  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1993  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1994  ud->flags & DETECT_CONTENT_NOCASE ||
1995  ud->flags & DETECT_CONTENT_WITHIN ||
1999  ud->flags & DETECT_CONTENT_NEGATED ) {
2000  printf("two failed\n");
2001  result = 0;
2002  goto end;
2003  }
2004 
2005  if (sm->next != NULL) {
2006  result = 0;
2007  goto end;
2008  }
2009 
2010  result = 1;
2011 
2012  end:
2016 
2017  return result;
2018 }
2019 
2020 static int DetectByteExtractTest41(void)
2021 {
2022  DetectEngineCtx *de_ctx = NULL;
2023  int result = 0;
2024  Signature *s = NULL;
2025  SigMatch *sm = NULL;
2026  DetectContentData *cd = NULL;
2027  DetectByteExtractData *bed = NULL;
2028 
2030  if (de_ctx == NULL)
2031  goto end;
2032 
2033  de_ctx->flags |= DE_QUIET;
2034  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2035  "(msg:\"Testing bytejump_body\"; "
2036  "content:\"one\"; "
2037  "byte_extract:4,0,two,string,hex; "
2038  "byte_extract:4,0,three,string,hex; "
2039  "sid:1;)");
2040  if (de_ctx->sig_list == NULL) {
2041  result = 0;
2042  goto end;
2043  }
2044 
2045  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2046  result = 0;
2047  goto end;
2048  }
2049 
2051  if (sm->type != DETECT_CONTENT) {
2052  result = 0;
2053  goto end;
2054  }
2055  cd = (DetectContentData *)sm->ctx;
2056  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2057  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2058  cd->flags & DETECT_CONTENT_NOCASE ||
2059  cd->flags & DETECT_CONTENT_WITHIN ||
2063  cd->flags & DETECT_CONTENT_NEGATED ) {
2064  printf("one failed\n");
2065  result = 0;
2066  goto end;
2067  }
2068 
2069  sm = sm->next;
2070  if (sm->type != DETECT_BYTE_EXTRACT) {
2071  result = 0;
2072  goto end;
2073  }
2074  bed = (DetectByteExtractData *)sm->ctx;
2075  if (bed->nbytes != 4 ||
2076  bed->offset != 0 ||
2077  strcmp(bed->name, "two") != 0 ||
2081  bed->align_value != 0 ||
2083  goto end;
2084  }
2085  if (bed->local_id != 0) {
2086  result = 0;
2087  goto end;
2088  }
2089 
2090  sm = sm->next;
2091  if (sm->type != DETECT_BYTE_EXTRACT) {
2092  result = 0;
2093  goto end;
2094  }
2095  bed = (DetectByteExtractData *)sm->ctx;
2096  if (bed->nbytes != 4 ||
2097  bed->offset != 0 ||
2098  strcmp(bed->name, "three") != 0 ||
2102  bed->align_value != 0 ||
2104  goto end;
2105  }
2106  if (bed->local_id != 1) {
2107  result = 0;
2108  goto end;
2109  }
2110 
2111  result = 1;
2112 
2113  end:
2117 
2118  return result;
2119 }
2120 
2121 static int DetectByteExtractTest42(void)
2122 {
2123  DetectEngineCtx *de_ctx = NULL;
2124  int result = 0;
2125  Signature *s = NULL;
2126  SigMatch *sm = NULL;
2127  DetectContentData *cd = NULL;
2128  DetectContentData *ud = NULL;
2129  DetectByteExtractData *bed = NULL;
2130 
2132  if (de_ctx == NULL)
2133  goto end;
2134 
2135  de_ctx->flags |= DE_QUIET;
2136  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2137  "(msg:\"Testing bytejump_body\"; "
2138  "content:\"one\"; "
2139  "byte_extract:4,0,two,string,hex; "
2140  "uricontent: \"three\"; "
2141  "byte_extract:4,0,four,string,hex,relative; "
2142  "byte_extract:4,0,five,string,hex; "
2143  "sid:1;)");
2144  if (de_ctx->sig_list == NULL) {
2145  result = 0;
2146  goto end;
2147  }
2148 
2149  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2150  result = 0;
2151  goto end;
2152  }
2153 
2155  if (sm->type != DETECT_CONTENT) {
2156  result = 0;
2157  goto end;
2158  }
2159  cd = (DetectContentData *)sm->ctx;
2160  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2161  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2162  cd->flags & DETECT_CONTENT_NOCASE ||
2163  cd->flags & DETECT_CONTENT_WITHIN ||
2167  cd->flags & DETECT_CONTENT_NEGATED ) {
2168  printf("one failed\n");
2169  result = 0;
2170  goto end;
2171  }
2172 
2173  sm = sm->next;
2174  if (sm->type != DETECT_BYTE_EXTRACT) {
2175  result = 0;
2176  goto end;
2177  }
2178  bed = (DetectByteExtractData *)sm->ctx;
2179  if (bed->nbytes != 4 ||
2180  bed->offset != 0 ||
2181  strcmp(bed->name, "two") != 0 ||
2185  bed->align_value != 0 ||
2187  goto end;
2188  }
2189  if (bed->local_id != 0) {
2190  result = 0;
2191  goto end;
2192  }
2193 
2194  sm = sm->next;
2195  if (sm->type != DETECT_BYTE_EXTRACT) {
2196  result = 0;
2197  goto end;
2198  }
2199  bed = (DetectByteExtractData *)sm->ctx;
2200  if (bed->nbytes != 4 ||
2201  bed->offset != 0 ||
2202  strcmp(bed->name, "five") != 0 ||
2206  bed->align_value != 0 ||
2208  goto end;
2209  }
2210  if (bed->local_id != 1) {
2211  result = 0;
2212  goto end;
2213  }
2214 
2215  if (sm->next != NULL)
2216  goto end;
2217 
2218  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
2219  if (sm->type != DETECT_CONTENT) {
2220  result = 0;
2221  goto end;
2222  }
2223  ud = (DetectContentData *)sm->ctx;
2224  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2225  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
2226  ud->flags & DETECT_CONTENT_NOCASE ||
2227  ud->flags & DETECT_CONTENT_WITHIN ||
2231  ud->flags & DETECT_CONTENT_NEGATED ) {
2232  printf("two failed\n");
2233  result = 0;
2234  goto end;
2235  }
2236 
2237  sm = sm->next;
2238  if (sm->type != DETECT_BYTE_EXTRACT) {
2239  result = 0;
2240  goto end;
2241  }
2242  bed = (DetectByteExtractData *)sm->ctx;
2243  if (bed->nbytes != 4 ||
2244  bed->offset != 0 ||
2245  strcmp(bed->name, "four") != 0 ||
2250  bed->align_value != 0 ||
2252  goto end;
2253  }
2254  if (bed->local_id != 0) {
2255  result = 0;
2256  goto end;
2257  }
2258 
2259  if (sm->next != NULL)
2260  goto end;
2261 
2262  result = 1;
2263 
2264  end:
2268 
2269  return result;
2270 }
2271 
2272 static int DetectByteExtractTest43(void)
2273 {
2274  DetectEngineCtx *de_ctx = NULL;
2275  int result = 0;
2276  Signature *s = NULL;
2277  SigMatch *sm = NULL;
2278  DetectContentData *cd = NULL;
2279  DetectByteExtractData *bed = NULL;
2280 
2282  if (de_ctx == NULL)
2283  goto end;
2284 
2285  de_ctx->flags |= DE_QUIET;
2286  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2287  "(msg:\"Testing bytejump_body\"; "
2288  "content:\"one\"; "
2289  "byte_extract:4,0,two,string,hex; "
2290  "content: \"three\"; offset:two; "
2291  "sid:1;)");
2292  if (de_ctx->sig_list == NULL) {
2293  result = 0;
2294  goto end;
2295  }
2296 
2297  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2298  result = 0;
2299  goto end;
2300  }
2301 
2303  if (sm->type != DETECT_CONTENT) {
2304  result = 0;
2305  goto end;
2306  }
2307  cd = (DetectContentData *)sm->ctx;
2308  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2309  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2310  cd->flags & DETECT_CONTENT_NOCASE ||
2311  cd->flags & DETECT_CONTENT_WITHIN ||
2315  cd->flags & DETECT_CONTENT_NEGATED ) {
2316  printf("one failed\n");
2317  result = 0;
2318  goto end;
2319  }
2320 
2321  sm = sm->next;
2322  if (sm->type != DETECT_BYTE_EXTRACT) {
2323  result = 0;
2324  goto end;
2325  }
2326  bed = (DetectByteExtractData *)sm->ctx;
2327  if (bed->nbytes != 4 ||
2328  bed->offset != 0 ||
2329  strcmp(bed->name, "two") != 0 ||
2333  bed->align_value != 0 ||
2335  goto end;
2336  }
2337  if (bed->local_id != 0) {
2338  result = 0;
2339  goto end;
2340  }
2341 
2342  sm = sm->next;
2343  if (sm->type != DETECT_CONTENT) {
2344  result = 0;
2345  goto end;
2346  }
2347  cd = (DetectContentData *)sm->ctx;
2348  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2351  cd->offset != bed->local_id) {
2352  printf("three failed\n");
2353  result = 0;
2354  goto end;
2355  }
2356 
2357  if (sm->next != NULL)
2358  goto end;
2359 
2360  result = 1;
2361 
2362  end:
2366 
2367  return result;
2368 }
2369 
2370 static int DetectByteExtractTest44(void)
2371 {
2372  DetectEngineCtx *de_ctx = NULL;
2373  int result = 0;
2374  Signature *s = NULL;
2375  SigMatch *sm = NULL;
2376  DetectContentData *cd = NULL;
2377  DetectByteExtractData *bed1 = NULL;
2378  DetectByteExtractData *bed2 = NULL;
2379 
2381  if (de_ctx == NULL)
2382  goto end;
2383 
2384  de_ctx->flags |= DE_QUIET;
2385  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2386  "(msg:\"Testing bytejump_body\"; "
2387  "content:\"one\"; "
2388  "byte_extract:4,0,two,string,hex; "
2389  "byte_extract:4,0,three,string,hex; "
2390  "content: \"four\"; offset:two; "
2391  "content: \"five\"; offset:three; "
2392  "sid:1;)");
2393  if (de_ctx->sig_list == NULL) {
2394  result = 0;
2395  goto end;
2396  }
2397 
2398  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2399  result = 0;
2400  goto end;
2401  }
2402 
2404  if (sm->type != DETECT_CONTENT) {
2405  result = 0;
2406  goto end;
2407  }
2408  cd = (DetectContentData *)sm->ctx;
2409  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2410  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2411  cd->flags & DETECT_CONTENT_NOCASE ||
2412  cd->flags & DETECT_CONTENT_WITHIN ||
2416  cd->flags & DETECT_CONTENT_NEGATED ) {
2417  printf("one failed\n");
2418  result = 0;
2419  goto end;
2420  }
2421 
2422  sm = sm->next;
2423  if (sm->type != DETECT_BYTE_EXTRACT) {
2424  result = 0;
2425  goto end;
2426  }
2427  bed1 = (DetectByteExtractData *)sm->ctx;
2428  if (bed1->nbytes != 4 ||
2429  bed1->offset != 0 ||
2430  strcmp(bed1->name, "two") != 0 ||
2434  bed1->align_value != 0 ||
2436  goto end;
2437  }
2438  if (bed1->local_id != 0) {
2439  result = 0;
2440  goto end;
2441  }
2442 
2443  sm = sm->next;
2444  if (sm->type != DETECT_BYTE_EXTRACT) {
2445  result = 0;
2446  goto end;
2447  }
2448  bed2 = (DetectByteExtractData *)sm->ctx;
2449 
2450  sm = sm->next;
2451  if (sm->type != DETECT_CONTENT) {
2452  result = 0;
2453  goto end;
2454  }
2455  cd = (DetectContentData *)sm->ctx;
2456  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2459  cd->offset != bed1->local_id) {
2460  printf("four failed\n");
2461  result = 0;
2462  goto end;
2463  }
2464 
2465  sm = sm->next;
2466  if (sm->type != DETECT_CONTENT) {
2467  result = 0;
2468  goto end;
2469  }
2470  cd = (DetectContentData *)sm->ctx;
2471  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2474  cd->offset != bed2->local_id) {
2475  printf("five failed\n");
2476  result = 0;
2477  goto end;
2478  }
2479 
2480  if (sm->next != NULL)
2481  goto end;
2482 
2483  result = 1;
2484 
2485  end:
2489 
2490  return result;
2491 }
2492 
2493 static int DetectByteExtractTest45(void)
2494 {
2495  DetectEngineCtx *de_ctx = NULL;
2496  int result = 0;
2497  Signature *s = NULL;
2498  SigMatch *sm = NULL;
2499  DetectContentData *cd = NULL;
2500  DetectByteExtractData *bed = NULL;
2501 
2503  if (de_ctx == NULL)
2504  goto end;
2505 
2506  de_ctx->flags |= DE_QUIET;
2507  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2508  "(msg:\"Testing bytejump_body\"; "
2509  "content:\"one\"; "
2510  "byte_extract:4,0,two,string,hex; "
2511  "content: \"three\"; depth:two; "
2512  "sid:1;)");
2513  if (de_ctx->sig_list == NULL) {
2514  result = 0;
2515  goto end;
2516  }
2517 
2518  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2519  result = 0;
2520  goto end;
2521  }
2522 
2524  if (sm->type != DETECT_CONTENT) {
2525  result = 0;
2526  goto end;
2527  }
2528  cd = (DetectContentData *)sm->ctx;
2529  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2530  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2531  cd->flags & DETECT_CONTENT_NOCASE ||
2532  cd->flags & DETECT_CONTENT_WITHIN ||
2536  cd->flags & DETECT_CONTENT_NEGATED ) {
2537  printf("one failed\n");
2538  result = 0;
2539  goto end;
2540  }
2541 
2542  sm = sm->next;
2543  if (sm->type != DETECT_BYTE_EXTRACT) {
2544  result = 0;
2545  goto end;
2546  }
2547  bed = (DetectByteExtractData *)sm->ctx;
2548  if (bed->nbytes != 4 ||
2549  bed->offset != 0 ||
2550  strcmp(bed->name, "two") != 0 ||
2554  bed->align_value != 0 ||
2556  goto end;
2557  }
2558  if (bed->local_id != 0) {
2559  result = 0;
2560  goto end;
2561  }
2562 
2563  sm = sm->next;
2564  if (sm->type != DETECT_CONTENT) {
2565  result = 0;
2566  goto end;
2567  }
2568  cd = (DetectContentData *)sm->ctx;
2569  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2572  cd->depth != bed->local_id ||
2573  cd->offset != 0) {
2574  printf("three failed\n");
2575  result = 0;
2576  goto end;
2577  }
2578 
2579  if (sm->next != NULL)
2580  goto end;
2581 
2582  result = 1;
2583 
2584  end:
2588 
2589  return result;
2590 }
2591 
2592 static int DetectByteExtractTest46(void)
2593 {
2594  DetectEngineCtx *de_ctx = NULL;
2595  int result = 0;
2596  Signature *s = NULL;
2597  SigMatch *sm = NULL;
2598  DetectContentData *cd = NULL;
2599  DetectByteExtractData *bed1 = NULL;
2600  DetectByteExtractData *bed2 = NULL;
2601 
2603  if (de_ctx == NULL)
2604  goto end;
2605 
2606  de_ctx->flags |= DE_QUIET;
2607  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2608  "(msg:\"Testing bytejump_body\"; "
2609  "content:\"one\"; "
2610  "byte_extract:4,0,two,string,hex; "
2611  "byte_extract:4,0,three,string,hex; "
2612  "content: \"four\"; depth:two; "
2613  "content: \"five\"; depth:three; "
2614  "sid:1;)");
2615  if (de_ctx->sig_list == NULL) {
2616  result = 0;
2617  goto end;
2618  }
2619 
2620  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2621  result = 0;
2622  goto end;
2623  }
2624 
2626  if (sm->type != DETECT_CONTENT) {
2627  result = 0;
2628  goto end;
2629  }
2630  cd = (DetectContentData *)sm->ctx;
2631  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2632  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2633  cd->flags & DETECT_CONTENT_NOCASE ||
2634  cd->flags & DETECT_CONTENT_WITHIN ||
2638  cd->flags & DETECT_CONTENT_NEGATED ) {
2639  printf("one failed\n");
2640  result = 0;
2641  goto end;
2642  }
2643 
2644  sm = sm->next;
2645  if (sm->type != DETECT_BYTE_EXTRACT) {
2646  result = 0;
2647  goto end;
2648  }
2649  bed1 = (DetectByteExtractData *)sm->ctx;
2650  if (bed1->nbytes != 4 ||
2651  bed1->offset != 0 ||
2652  strcmp(bed1->name, "two") != 0 ||
2656  bed1->align_value != 0 ||
2658  goto end;
2659  }
2660  if (bed1->local_id != 0) {
2661  result = 0;
2662  goto end;
2663  }
2664 
2665  sm = sm->next;
2666  if (sm->type != DETECT_BYTE_EXTRACT) {
2667  result = 0;
2668  goto end;
2669  }
2670  bed2 = (DetectByteExtractData *)sm->ctx;
2671 
2672  sm = sm->next;
2673  if (sm->type != DETECT_CONTENT) {
2674  result = 0;
2675  goto end;
2676  }
2677  cd = (DetectContentData *)sm->ctx;
2678  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2681  cd->depth != bed1->local_id) {
2682  printf("four failed\n");
2683  result = 0;
2684  goto end;
2685  }
2686 
2687  sm = sm->next;
2688  if (sm->type != DETECT_CONTENT) {
2689  result = 0;
2690  goto end;
2691  }
2692  cd = (DetectContentData *)sm->ctx;
2693  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2696  cd->depth != bed2->local_id) {
2697  printf("five failed\n");
2698  result = 0;
2699  goto end;
2700  }
2701 
2702  if (sm->next != NULL)
2703  goto end;
2704 
2705  result = 1;
2706 
2707  end:
2711 
2712  return result;
2713 }
2714 
2715 static int DetectByteExtractTest47(void)
2716 {
2717  DetectEngineCtx *de_ctx = NULL;
2718  int result = 0;
2719  Signature *s = NULL;
2720  SigMatch *sm = NULL;
2721  DetectContentData *cd = NULL;
2722  DetectByteExtractData *bed = NULL;
2723 
2725  if (de_ctx == NULL)
2726  goto end;
2727 
2728  de_ctx->flags |= DE_QUIET;
2729  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2730  "(msg:\"Testing bytejump_body\"; "
2731  "content:\"one\"; "
2732  "byte_extract:4,0,two,string,hex; "
2733  "content: \"three\"; distance:two; "
2734  "sid:1;)");
2735  if (de_ctx->sig_list == NULL) {
2736  result = 0;
2737  goto end;
2738  }
2739 
2740  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2741  result = 0;
2742  goto end;
2743  }
2744 
2746  if (sm->type != DETECT_CONTENT) {
2747  result = 0;
2748  goto end;
2749  }
2750  cd = (DetectContentData *)sm->ctx;
2751  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2752  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2753  cd->flags & DETECT_CONTENT_NOCASE ||
2754  cd->flags & DETECT_CONTENT_WITHIN ||
2758  cd->flags & DETECT_CONTENT_NEGATED ) {
2759  printf("one failed\n");
2760  result = 0;
2761  goto end;
2762  }
2763 
2764  sm = sm->next;
2765  if (sm->type != DETECT_BYTE_EXTRACT) {
2766  result = 0;
2767  goto end;
2768  }
2769  bed = (DetectByteExtractData *)sm->ctx;
2770  if (bed->nbytes != 4 ||
2771  bed->offset != 0 ||
2772  strcmp(bed->name, "two") != 0 ||
2776  bed->align_value != 0 ||
2778  goto end;
2779  }
2780  if (bed->local_id != 0) {
2781  result = 0;
2782  goto end;
2783  }
2784 
2785  sm = sm->next;
2786  if (sm->type != DETECT_CONTENT) {
2787  result = 0;
2788  goto end;
2789  }
2790  cd = (DetectContentData *)sm->ctx;
2791  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2794  cd->distance != bed->local_id ||
2795  cd->offset != 0 ||
2796  cd->depth != 0) {
2797  printf("three failed\n");
2798  result = 0;
2799  goto end;
2800  }
2801 
2802  if (sm->next != NULL)
2803  goto end;
2804 
2805  result = 1;
2806 
2807  end:
2811 
2812  return result;
2813 }
2814 
2815 static int DetectByteExtractTest48(void)
2816 {
2817  DetectEngineCtx *de_ctx = NULL;
2818  int result = 0;
2819  Signature *s = NULL;
2820  SigMatch *sm = NULL;
2821  DetectContentData *cd = NULL;
2822  DetectByteExtractData *bed1 = NULL;
2823  DetectByteExtractData *bed2 = NULL;
2824 
2826  if (de_ctx == NULL)
2827  goto end;
2828 
2829  de_ctx->flags |= DE_QUIET;
2830  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2831  "(msg:\"Testing bytejump_body\"; "
2832  "content:\"one\"; "
2833  "byte_extract:4,0,two,string,hex; "
2834  "byte_extract:4,0,three,string,hex; "
2835  "content: \"four\"; distance:two; "
2836  "content: \"five\"; distance:three; "
2837  "sid:1;)");
2838  if (de_ctx->sig_list == NULL) {
2839  result = 0;
2840  goto end;
2841  }
2842 
2843  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2844  result = 0;
2845  goto end;
2846  }
2847 
2849  if (sm->type != DETECT_CONTENT) {
2850  result = 0;
2851  goto end;
2852  }
2853  cd = (DetectContentData *)sm->ctx;
2854  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2855  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2856  cd->flags & DETECT_CONTENT_NOCASE ||
2857  cd->flags & DETECT_CONTENT_WITHIN ||
2861  cd->flags & DETECT_CONTENT_NEGATED ) {
2862  printf("one failed\n");
2863  result = 0;
2864  goto end;
2865  }
2866 
2867  sm = sm->next;
2868  if (sm->type != DETECT_BYTE_EXTRACT) {
2869  result = 0;
2870  goto end;
2871  }
2872  bed1 = (DetectByteExtractData *)sm->ctx;
2873  if (bed1->nbytes != 4 ||
2874  bed1->offset != 0 ||
2875  strcmp(bed1->name, "two") != 0 ||
2879  bed1->align_value != 0 ||
2881  goto end;
2882  }
2883  if (bed1->local_id != 0) {
2884  result = 0;
2885  goto end;
2886  }
2887 
2888  sm = sm->next;
2889  if (sm->type != DETECT_BYTE_EXTRACT) {
2890  result = 0;
2891  goto end;
2892  }
2893  bed2 = (DetectByteExtractData *)sm->ctx;
2894 
2895  sm = sm->next;
2896  if (sm->type != DETECT_CONTENT) {
2897  result = 0;
2898  goto end;
2899  }
2900  cd = (DetectContentData *)sm->ctx;
2901  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2905  cd->distance != bed1->local_id ||
2906  cd->depth != 0 ||
2907  cd->offset != 0) {
2908  printf("four failed\n");
2909  result = 0;
2910  goto end;
2911  }
2912 
2913  sm = sm->next;
2914  if (sm->type != DETECT_CONTENT) {
2915  result = 0;
2916  goto end;
2917  }
2918  cd = (DetectContentData *)sm->ctx;
2919  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2922  cd->distance != bed2->local_id ||
2923  cd->depth != 0 ||
2924  cd->offset != 0) {
2925  printf("five failed\n");
2926  result = 0;
2927  goto end;
2928  }
2929 
2930  if (sm->next != NULL)
2931  goto end;
2932 
2933  result = 1;
2934 
2935  end:
2939 
2940  return result;
2941 }
2942 
2943 static int DetectByteExtractTest49(void)
2944 {
2945  DetectEngineCtx *de_ctx = NULL;
2946  int result = 0;
2947  Signature *s = NULL;
2948  SigMatch *sm = NULL;
2949  DetectContentData *cd = NULL;
2950  DetectByteExtractData *bed = NULL;
2951 
2953  if (de_ctx == NULL)
2954  goto end;
2955 
2956  de_ctx->flags |= DE_QUIET;
2957  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2958  "(msg:\"Testing bytejump_body\"; "
2959  "content:\"one\"; "
2960  "byte_extract:4,0,two,string,hex; "
2961  "content: \"three\"; within:two; "
2962  "sid:1;)");
2963  if (de_ctx->sig_list == NULL) {
2964  result = 0;
2965  goto end;
2966  }
2967 
2968  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2969  result = 0;
2970  goto end;
2971  }
2972 
2974  if (sm->type != DETECT_CONTENT) {
2975  result = 0;
2976  goto end;
2977  }
2978  cd = (DetectContentData *)sm->ctx;
2979  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2980  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2981  cd->flags & DETECT_CONTENT_NOCASE ||
2982  cd->flags & DETECT_CONTENT_WITHIN ||
2986  cd->flags & DETECT_CONTENT_NEGATED ) {
2987  printf("one failed\n");
2988  result = 0;
2989  goto end;
2990  }
2991 
2992  sm = sm->next;
2993  if (sm->type != DETECT_BYTE_EXTRACT) {
2994  result = 0;
2995  goto end;
2996  }
2997  bed = (DetectByteExtractData *)sm->ctx;
2998  if (bed->nbytes != 4 ||
2999  bed->offset != 0 ||
3000  strcmp(bed->name, "two") != 0 ||
3004  bed->align_value != 0 ||
3006  goto end;
3007  }
3008  if (bed->local_id != 0) {
3009  result = 0;
3010  goto end;
3011  }
3012 
3013  sm = sm->next;
3014  if (sm->type != DETECT_CONTENT) {
3015  result = 0;
3016  goto end;
3017  }
3018  cd = (DetectContentData *)sm->ctx;
3019  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
3022  cd->within != bed->local_id ||
3023  cd->offset != 0 ||
3024  cd->depth != 0 ||
3025  cd->distance != 0) {
3026  printf("three failed\n");
3027  result = 0;
3028  goto end;
3029  }
3030 
3031  if (sm->next != NULL)
3032  goto end;
3033 
3034  result = 1;
3035 
3036  end:
3040 
3041  return result;
3042 }
3043 
3044 static int DetectByteExtractTest50(void)
3045 {
3046  DetectEngineCtx *de_ctx = NULL;
3047  int result = 0;
3048  Signature *s = NULL;
3049  SigMatch *sm = NULL;
3050  DetectContentData *cd = NULL;
3051  DetectByteExtractData *bed1 = NULL;
3052  DetectByteExtractData *bed2 = NULL;
3053 
3055  if (de_ctx == NULL)
3056  goto end;
3057 
3058  de_ctx->flags |= DE_QUIET;
3059  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3060  "(msg:\"Testing bytejump_body\"; "
3061  "content:\"one\"; "
3062  "byte_extract:4,0,two,string,hex; "
3063  "byte_extract:4,0,three,string,hex; "
3064  "content: \"four\"; within:two; "
3065  "content: \"five\"; within:three; "
3066  "sid:1;)");
3067  if (de_ctx->sig_list == NULL) {
3068  result = 0;
3069  goto end;
3070  }
3071 
3072  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3073  result = 0;
3074  goto end;
3075  }
3076 
3078  if (sm->type != DETECT_CONTENT) {
3079  result = 0;
3080  goto end;
3081  }
3082  cd = (DetectContentData *)sm->ctx;
3083  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3084  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3085  cd->flags & DETECT_CONTENT_NOCASE ||
3086  cd->flags & DETECT_CONTENT_WITHIN ||
3090  cd->flags & DETECT_CONTENT_NEGATED ) {
3091  printf("one failed\n");
3092  result = 0;
3093  goto end;
3094  }
3095 
3096  sm = sm->next;
3097  if (sm->type != DETECT_BYTE_EXTRACT) {
3098  result = 0;
3099  goto end;
3100  }
3101  bed1 = (DetectByteExtractData *)sm->ctx;
3102  if (bed1->nbytes != 4 ||
3103  bed1->offset != 0 ||
3104  strcmp(bed1->name, "two") != 0 ||
3108  bed1->align_value != 0 ||
3110  goto end;
3111  }
3112  if (bed1->local_id != 0) {
3113  result = 0;
3114  goto end;
3115  }
3116 
3117  sm = sm->next;
3118  if (sm->type != DETECT_BYTE_EXTRACT) {
3119  result = 0;
3120  goto end;
3121  }
3122  bed2 = (DetectByteExtractData *)sm->ctx;
3123 
3124  sm = sm->next;
3125  if (sm->type != DETECT_CONTENT) {
3126  result = 0;
3127  goto end;
3128  }
3129  cd = (DetectContentData *)sm->ctx;
3130  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3134  cd->within != bed1->local_id ||
3135  cd->depth != 0 ||
3136  cd->offset != 0 ||
3137  cd->distance != 0) {
3138  printf("four failed\n");
3139  result = 0;
3140  goto end;
3141  }
3142 
3143  sm = sm->next;
3144  if (sm->type != DETECT_CONTENT) {
3145  result = 0;
3146  goto end;
3147  }
3148  cd = (DetectContentData *)sm->ctx;
3149  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
3152  cd->within != bed2->local_id ||
3153  cd->depth != 0 ||
3154  cd->offset != 0 ||
3155  cd->distance != 0) {
3156  printf("five failed\n");
3157  result = 0;
3158  goto end;
3159  }
3160 
3161  if (sm->next != NULL)
3162  goto end;
3163 
3164  result = 1;
3165 
3166  end:
3170 
3171  return result;
3172 }
3173 
3174 static int DetectByteExtractTest51(void)
3175 {
3176  DetectEngineCtx *de_ctx = NULL;
3177  int result = 0;
3178  Signature *s = NULL;
3179  SigMatch *sm = NULL;
3180  DetectContentData *cd = NULL;
3181  DetectByteExtractData *bed = NULL;
3182  DetectBytetestData *btd = NULL;
3183 
3185  if (de_ctx == NULL)
3186  goto end;
3187 
3188  de_ctx->flags |= DE_QUIET;
3189  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3190  "(msg:\"Testing bytejump_body\"; "
3191  "content:\"one\"; "
3192  "byte_extract:4,0,two,string,hex; "
3193  "byte_test: 2,=,10, two; "
3194  "sid:1;)");
3195  if (de_ctx->sig_list == NULL) {
3196  result = 0;
3197  goto end;
3198  }
3199 
3200  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3201  result = 0;
3202  goto end;
3203  }
3204 
3206  if (sm->type != DETECT_CONTENT) {
3207  result = 0;
3208  goto end;
3209  }
3210  cd = (DetectContentData *)sm->ctx;
3211  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3212  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3213  cd->flags & DETECT_CONTENT_NOCASE ||
3214  cd->flags & DETECT_CONTENT_WITHIN ||
3218  cd->flags & DETECT_CONTENT_NEGATED ) {
3219  printf("one failed\n");
3220  result = 0;
3221  goto end;
3222  }
3223 
3224  sm = sm->next;
3225  if (sm->type != DETECT_BYTE_EXTRACT) {
3226  result = 0;
3227  goto end;
3228  }
3229  bed = (DetectByteExtractData *)sm->ctx;
3230  if (bed->nbytes != 4 ||
3231  bed->offset != 0 ||
3232  strcmp(bed->name, "two") != 0 ||
3236  bed->align_value != 0 ||
3238  goto end;
3239  }
3240  if (bed->local_id != 0) {
3241  result = 0;
3242  goto end;
3243  }
3244 
3245  sm = sm->next;
3246  if (sm->type != DETECT_BYTETEST) {
3247  result = 0;
3248  goto end;
3249  }
3250  btd = (DetectBytetestData *)sm->ctx;
3251  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3252  btd->value != 10 ||
3253  btd->offset != 0) {
3254  printf("three failed\n");
3255  result = 0;
3256  goto end;
3257  }
3258 
3259  if (sm->next != NULL)
3260  goto end;
3261 
3262  result = 1;
3263 
3264  end:
3268 
3269  return result;
3270 }
3271 
3272 static int DetectByteExtractTest52(void)
3273 {
3274  DetectEngineCtx *de_ctx = NULL;
3275  int result = 0;
3276  Signature *s = NULL;
3277  SigMatch *sm = NULL;
3278  DetectContentData *cd = NULL;
3279  DetectByteExtractData *bed1 = NULL;
3280  DetectBytetestData *btd = NULL;
3281 
3283  if (de_ctx == NULL)
3284  goto end;
3285 
3286  de_ctx->flags |= DE_QUIET;
3287  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3288  "(msg:\"Testing bytejump_body\"; "
3289  "content:\"one\"; "
3290  "byte_extract:4,0,two,string,hex; "
3291  "byte_extract:4,0,three,string,hex; "
3292  "byte_test: 2,=,two,three; "
3293  "byte_test: 3,=,10,three; "
3294  "sid:1;)");
3295  if (de_ctx->sig_list == NULL) {
3296  result = 0;
3297  goto end;
3298  }
3299 
3300  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3301  result = 0;
3302  goto end;
3303  }
3304 
3306  if (sm->type != DETECT_CONTENT) {
3307  result = 0;
3308  goto end;
3309  }
3310  cd = (DetectContentData *)sm->ctx;
3311  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3312  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3313  cd->flags & DETECT_CONTENT_NOCASE ||
3314  cd->flags & DETECT_CONTENT_WITHIN ||
3318  cd->flags & DETECT_CONTENT_NEGATED ) {
3319  printf("one failed\n");
3320  result = 0;
3321  goto end;
3322  }
3323 
3324  sm = sm->next;
3325  if (sm->type != DETECT_BYTE_EXTRACT) {
3326  result = 0;
3327  goto end;
3328  }
3329  bed1 = (DetectByteExtractData *)sm->ctx;
3330  if (bed1->nbytes != 4 ||
3331  bed1->offset != 0 ||
3332  strcmp(bed1->name, "two") != 0 ||
3336  bed1->align_value != 0 ||
3338  goto end;
3339  }
3340  if (bed1->local_id != 0) {
3341  result = 0;
3342  goto end;
3343  }
3344 
3345  sm = sm->next;
3346  if (sm->type != DETECT_BYTE_EXTRACT) {
3347  result = 0;
3348  goto end;
3349  }
3350 
3351  sm = sm->next;
3352  if (sm->type != DETECT_BYTETEST) {
3353  result = 0;
3354  goto end;
3355  }
3356  btd = (DetectBytetestData *)sm->ctx;
3357  if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
3359  btd->value != 0 ||
3360  btd->offset != 1) {
3361  printf("three failed\n");
3362  result = 0;
3363  goto end;
3364  }
3365 
3366  sm = sm->next;
3367  if (sm->type != DETECT_BYTETEST) {
3368  result = 0;
3369  goto end;
3370  }
3371  btd = (DetectBytetestData *)sm->ctx;
3372  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3373  btd->value != 10 ||
3374  btd->offset != 1) {
3375  printf("four failed\n");
3376  result = 0;
3377  goto end;
3378  }
3379 
3380  if (sm->next != NULL)
3381  goto end;
3382 
3383  result = 1;
3384 
3385  end:
3389 
3390  return result;
3391 }
3392 
3393 static int DetectByteExtractTest53(void)
3394 {
3397  de_ctx->flags |= DE_QUIET;
3398 
3399  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
3400  "content:\"one\"; "
3401  "byte_extract:4,0,two,string,hex; "
3402  "byte_jump: 2,two; "
3403  "sid:1;)");
3404  FAIL_IF_NULL(s);
3406 
3408  FAIL_IF(sm->type != DETECT_CONTENT);
3410  FAIL_IF(cd->flags != 0);
3411 
3412  sm = sm->next;
3413  FAIL_IF_NULL(sm);
3416 
3417  FAIL_IF(bed->nbytes != 4);
3418  FAIL_IF(bed->offset != 0);
3419  FAIL_IF(strcmp(bed->name, "two") != 0);
3423  FAIL_IF(bed->align_value != 0);
3425  FAIL_IF(bed->local_id != 0);
3426 
3427  sm = sm->next;
3428  FAIL_IF_NULL(sm);
3429  FAIL_IF(sm->type != DETECT_BYTEJUMP);
3431 
3433  FAIL_IF(bjd->offset != 0);
3434 
3435  FAIL_IF_NOT_NULL(sm->next);
3437  PASS;
3438 }
3439 
3440 static int DetectByteExtractTest54(void)
3441 {
3442  DetectEngineCtx *de_ctx = NULL;
3443  int result = 0;
3444  Signature *s = NULL;
3445  SigMatch *sm = NULL;
3446  DetectContentData *cd = NULL;
3447  DetectByteExtractData *bed1 = NULL;
3448  DetectBytejumpData *bjd = NULL;
3449 
3451  if (de_ctx == NULL)
3452  goto end;
3453 
3454  de_ctx->flags |= DE_QUIET;
3455  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3456  "(msg:\"Testing bytejump_body\"; "
3457  "content:\"one\"; "
3458  "byte_extract:4,0,two,string,hex; "
3459  "byte_extract:4,0,three,string,hex; "
3460  "byte_jump: 2,two; "
3461  "byte_jump: 3,three; "
3462  "sid:1;)");
3463  if (de_ctx->sig_list == NULL) {
3464  result = 0;
3465  goto end;
3466  }
3467 
3468  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3469  result = 0;
3470  goto end;
3471  }
3472 
3474  if (sm->type != DETECT_CONTENT) {
3475  result = 0;
3476  goto end;
3477  }
3478  cd = (DetectContentData *)sm->ctx;
3479  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3480  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3481  cd->flags & DETECT_CONTENT_NOCASE ||
3482  cd->flags & DETECT_CONTENT_WITHIN ||
3486  cd->flags & DETECT_CONTENT_NEGATED ) {
3487  printf("one failed\n");
3488  result = 0;
3489  goto end;
3490  }
3491 
3492  sm = sm->next;
3493  if (sm->type != DETECT_BYTE_EXTRACT) {
3494  result = 0;
3495  goto end;
3496  }
3497  bed1 = (DetectByteExtractData *)sm->ctx;
3498  if (bed1->nbytes != 4 ||
3499  bed1->offset != 0 ||
3500  strcmp(bed1->name, "two") != 0 ||
3504  bed1->align_value != 0 ||
3506  goto end;
3507  }
3508  if (bed1->local_id != 0) {
3509  result = 0;
3510  goto end;
3511  }
3512 
3513  sm = sm->next;
3514  if (sm->type != DETECT_BYTE_EXTRACT) {
3515  result = 0;
3516  goto end;
3517  }
3518 
3519  sm = sm->next;
3520  if (sm->type != DETECT_BYTEJUMP) {
3521  result = 0;
3522  goto end;
3523  }
3524  bjd = (DetectBytejumpData *)sm->ctx;
3525  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
3526  printf("three failed\n");
3527  result = 0;
3528  goto end;
3529  }
3530 
3531  sm = sm->next;
3532  if (sm->type != DETECT_BYTEJUMP) {
3533  result = 0;
3534  goto end;
3535  }
3536  bjd = (DetectBytejumpData *)sm->ctx;
3537  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
3538  printf("four failed\n");
3539  result = 0;
3540  goto end;
3541  }
3542 
3543  if (sm->next != NULL)
3544  goto end;
3545 
3546  result = 1;
3547 
3548  end:
3552 
3553  return result;
3554 }
3555 
3556 static int DetectByteExtractTest55(void)
3557 {
3558  DetectEngineCtx *de_ctx = NULL;
3559  int result = 0;
3560  Signature *s = NULL;
3561  SigMatch *sm = NULL;
3562  DetectContentData *cd = NULL;
3563  DetectByteExtractData *bed1 = NULL;
3564  DetectByteExtractData *bed2 = NULL;
3565 
3567  if (de_ctx == NULL)
3568  goto end;
3569 
3570  de_ctx->flags |= DE_QUIET;
3571  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3572  "(msg:\"Testing byte_extract\"; "
3573  "content:\"one\"; "
3574  "byte_extract:4,0,two,string,hex; "
3575  "byte_extract:4,0,three,string,hex; "
3576  "byte_extract:4,0,four,string,hex; "
3577  "byte_extract:4,0,five,string,hex; "
3578  "content: \"four\"; within:two; distance:three; "
3579  "sid:1;)");
3580  if (de_ctx->sig_list == NULL) {
3581  goto end;
3582  }
3583 
3584  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3585  goto end;
3586  }
3587 
3589  if (sm->type != DETECT_CONTENT) {
3590  goto end;
3591  }
3592  cd = (DetectContentData *)sm->ctx;
3593  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3594  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3595  cd->flags & DETECT_CONTENT_NOCASE ||
3596  cd->flags & DETECT_CONTENT_WITHIN ||
3600  cd->flags & DETECT_CONTENT_NEGATED ) {
3601  printf("one failed: ");
3602  goto end;
3603  }
3604 
3605  sm = sm->next;
3606  if (sm->type != DETECT_BYTE_EXTRACT) {
3607  goto end;
3608  }
3609  bed1 = (DetectByteExtractData *)sm->ctx;
3610  if (bed1->nbytes != 4 ||
3611  bed1->offset != 0 ||
3612  strcmp(bed1->name, "two") != 0 ||
3616  bed1->align_value != 0 ||
3618  goto end;
3619  }
3620  if (bed1->local_id != 0) {
3621  goto end;
3622  }
3623 
3624  sm = sm->next;
3625  if (sm->type != DETECT_BYTE_EXTRACT) {
3626  goto end;
3627  }
3628  bed2 = (DetectByteExtractData *)sm->ctx;
3629 
3630  sm = sm->next;
3631  if (sm->type != DETECT_BYTE_EXTRACT) {
3632  goto end;
3633  }
3634 
3635  sm = sm->next;
3636  if (sm->type != DETECT_BYTE_EXTRACT) {
3637  goto end;
3638  }
3639 
3640  sm = sm->next;
3641  if (sm->type != DETECT_CONTENT) {
3642  goto end;
3643  }
3644  cd = (DetectContentData *)sm->ctx;
3645  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3650  cd->within != bed1->local_id ||
3651  cd->distance != bed2->local_id) {
3652  printf("four failed: ");
3653  goto end;
3654  }
3655 
3656  if (sm->next != NULL) {
3657  goto end;
3658  }
3659 
3660  result = 1;
3661 
3662  end:
3666 
3667  return result;
3668 }
3669 
3670 static int DetectByteExtractTest56(void)
3671 {
3672  DetectEngineCtx *de_ctx = NULL;
3673  int result = 0;
3674  Signature *s = NULL;
3675  SigMatch *sm = NULL;
3676  DetectContentData *cd = NULL;
3677  DetectByteExtractData *bed1 = NULL;
3678  DetectByteExtractData *bed2 = NULL;
3679 
3681  if (de_ctx == NULL)
3682  goto end;
3683 
3684  de_ctx->flags |= DE_QUIET;
3685  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3686  "(msg:\"Testing bytejump_body\"; "
3687  "uricontent:\"urione\"; "
3688  "content:\"one\"; "
3689  "byte_extract:4,0,two,string,hex; "
3690  "byte_extract:4,0,three,string,hex; "
3691  "byte_extract:4,0,four,string,hex; "
3692  "byte_extract:4,0,five,string,hex; "
3693  "content: \"four\"; within:two; distance:three; "
3694  "sid:1;)");
3695  if (de_ctx->sig_list == NULL) {
3696  result = 0;
3697  goto end;
3698  }
3699 
3700  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3701  result = 0;
3702  goto end;
3703  }
3704 
3705  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3706  if (sm->type != DETECT_CONTENT) {
3707  result = 0;
3708  goto end;
3709  }
3710  cd = (DetectContentData *)sm->ctx;
3711  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3712  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3713  cd->flags & DETECT_CONTENT_NOCASE ||
3714  cd->flags & DETECT_CONTENT_WITHIN ||
3718  cd->flags & DETECT_CONTENT_NEGATED ) {
3719  printf("one failed\n");
3720  result = 0;
3721  goto end;
3722  }
3723 
3724  if (sm->next != NULL)
3725  goto end;
3726 
3728  if (sm->type != DETECT_CONTENT) {
3729  result = 0;
3730  goto end;
3731  }
3732  cd = (DetectContentData *)sm->ctx;
3733  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3734  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3735  cd->flags & DETECT_CONTENT_NOCASE ||
3736  cd->flags & DETECT_CONTENT_WITHIN ||
3740  cd->flags & DETECT_CONTENT_NEGATED ) {
3741  printf("one failed\n");
3742  result = 0;
3743  goto end;
3744  }
3745 
3746  sm = sm->next;
3747  if (sm->type != DETECT_BYTE_EXTRACT) {
3748  result = 0;
3749  goto end;
3750  }
3751  bed1 = (DetectByteExtractData *)sm->ctx;
3752  if (bed1->nbytes != 4 ||
3753  bed1->offset != 0 ||
3754  strcmp(bed1->name, "two") != 0 ||
3758  bed1->align_value != 0 ||
3760  goto end;
3761  }
3762  if (bed1->local_id != 0) {
3763  result = 0;
3764  goto end;
3765  }
3766 
3767  sm = sm->next;
3768  if (sm->type != DETECT_BYTE_EXTRACT) {
3769  result = 0;
3770  goto end;
3771  }
3772  bed2 = (DetectByteExtractData *)sm->ctx;
3773 
3774  sm = sm->next;
3775  if (sm->type != DETECT_BYTE_EXTRACT) {
3776  result = 0;
3777  goto end;
3778  }
3779 
3780  sm = sm->next;
3781  if (sm->type != DETECT_BYTE_EXTRACT) {
3782  result = 0;
3783  goto end;
3784  }
3785 
3786  sm = sm->next;
3787  if (sm->type != DETECT_CONTENT) {
3788  result = 0;
3789  goto end;
3790  }
3791  cd = (DetectContentData *)sm->ctx;
3792  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3797  cd->within != bed1->local_id ||
3798  cd->distance != bed2->local_id ) {
3799  printf("four failed\n");
3800  result = 0;
3801  goto end;
3802  }
3803 
3804  if (sm->next != NULL) {
3805  goto end;
3806  }
3807 
3808  result = 1;
3809 
3810  end:
3814 
3815  return result;
3816 }
3817 
3818 static int DetectByteExtractTest57(void)
3819 {
3820  DetectEngineCtx *de_ctx = NULL;
3821  int result = 0;
3822  Signature *s = NULL;
3823  SigMatch *sm = NULL;
3824  DetectContentData *cd = NULL;
3825  DetectByteExtractData *bed1 = NULL;
3826  DetectByteExtractData *bed2 = NULL;
3827  DetectByteExtractData *bed3 = NULL;
3828  DetectByteExtractData *bed4 = NULL;
3829 
3831  if (de_ctx == NULL)
3832  goto end;
3833 
3834  de_ctx->flags |= DE_QUIET;
3835  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3836  "(msg:\"Testing bytejump_body\"; "
3837  "content:\"one\"; "
3838  "uricontent: \"urione\"; "
3839  "byte_extract:4,0,two,string,hex,relative; "
3840  "byte_extract:4,0,three,string,hex,relative; "
3841  "byte_extract:4,0,four,string,hex,relative; "
3842  "byte_extract:4,0,five,string,hex,relative; "
3843  "uricontent: \"four\"; within:two; distance:three; "
3844  "sid:1;)");
3845  if (de_ctx->sig_list == NULL) {
3846  result = 0;
3847  goto end;
3848  }
3849 
3850  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3851  result = 0;
3852  goto end;
3853  }
3854 
3856  if (sm->type != DETECT_CONTENT) {
3857  result = 0;
3858  goto end;
3859  }
3860  cd = (DetectContentData *)sm->ctx;
3861  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3862  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3863  cd->flags & DETECT_CONTENT_NOCASE ||
3864  cd->flags & DETECT_CONTENT_WITHIN ||
3868  cd->flags & DETECT_CONTENT_NEGATED ) {
3869  printf("one failed\n");
3870  result = 0;
3871  goto end;
3872  }
3873 
3874  if (sm->next != NULL)
3875  goto end;
3876 
3877  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3878  if (sm->type != DETECT_CONTENT) {
3879  result = 0;
3880  goto end;
3881  }
3882  cd = (DetectContentData *)sm->ctx;
3883  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3884  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3885  cd->flags & DETECT_CONTENT_NOCASE ||
3886  cd->flags & DETECT_CONTENT_WITHIN ||
3890  cd->flags & DETECT_CONTENT_NEGATED ) {
3891  printf("one failed\n");
3892  result = 0;
3893  goto end;
3894  }
3895 
3896  sm = sm->next;
3897  if (sm->type != DETECT_BYTE_EXTRACT) {
3898  result = 0;
3899  goto end;
3900  }
3901  bed1 = (DetectByteExtractData *)sm->ctx;
3902  if (bed1->nbytes != 4 ||
3903  bed1->offset != 0 ||
3904  strcmp(bed1->name, "two") != 0 ||
3909  bed1->align_value != 0 ||
3911  goto end;
3912  }
3913  if (bed1->local_id != 0) {
3914  result = 0;
3915  goto end;
3916  }
3917 
3918  sm = sm->next;
3919  if (sm->type != DETECT_BYTE_EXTRACT) {
3920  result = 0;
3921  goto end;
3922  }
3923  bed2 = (DetectByteExtractData *)sm->ctx;
3924  if (bed2->local_id != 1) {
3925  result = 0;
3926  goto end;
3927  }
3928 
3929  sm = sm->next;
3930  if (sm->type != DETECT_BYTE_EXTRACT) {
3931  result = 0;
3932  goto end;
3933  }
3934  bed3 = (DetectByteExtractData *)sm->ctx;
3935  if (bed3->local_id != 2) {
3936  result = 0;
3937  goto end;
3938  }
3939 
3940  sm = sm->next;
3941  if (sm->type != DETECT_BYTE_EXTRACT) {
3942  result = 0;
3943  goto end;
3944  }
3945  bed4 = (DetectByteExtractData *)sm->ctx;
3946  if (bed4->local_id != 3) {
3947  result = 0;
3948  goto end;
3949  }
3950 
3951  sm = sm->next;
3952  if (sm->type != DETECT_CONTENT) {
3953  result = 0;
3954  goto end;
3955  }
3956  cd = (DetectContentData *)sm->ctx;
3957  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3962  cd->within != bed1->local_id ||
3963  cd->distance != bed2->local_id) {
3964  printf("four failed\n");
3965  result = 0;
3966  goto end;
3967  }
3968 
3969  if (sm->next != NULL) {
3970  goto end;
3971  }
3972 
3973  result = 1;
3974 
3975  end:
3979 
3980  return result;
3981 }
3982 
3983 static int DetectByteExtractTest58(void)
3984 {
3985  DetectEngineCtx *de_ctx = NULL;
3986  int result = 0;
3987  Signature *s = NULL;
3988  SigMatch *sm = NULL;
3989  DetectContentData *cd = NULL;
3990  DetectByteExtractData *bed1 = NULL;
3991  DetectBytejumpData *bjd = NULL;
3992  DetectIsdataatData *isdd = NULL;
3993 
3995  if (de_ctx == NULL)
3996  goto end;
3997 
3998  de_ctx->flags |= DE_QUIET;
3999  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4000  "(msg:\"Testing bytejump_body\"; "
4001  "content:\"one\"; "
4002  "byte_extract:4,0,two,string,hex; "
4003  "byte_extract:4,0,three,string,hex; "
4004  "byte_jump: 2,two; "
4005  "byte_jump: 3,three; "
4006  "isdataat: three; "
4007  "sid:1;)");
4008  if (de_ctx->sig_list == NULL) {
4009  result = 0;
4010  goto end;
4011  }
4012 
4013  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4014  result = 0;
4015  goto end;
4016  }
4017 
4019  if (sm->type != DETECT_CONTENT) {
4020  result = 0;
4021  goto end;
4022  }
4023  cd = (DetectContentData *)sm->ctx;
4024  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4025  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4026  cd->flags & DETECT_CONTENT_NOCASE ||
4027  cd->flags & DETECT_CONTENT_WITHIN ||
4031  cd->flags & DETECT_CONTENT_NEGATED ) {
4032  printf("one failed\n");
4033  result = 0;
4034  goto end;
4035  }
4036 
4037  sm = sm->next;
4038  if (sm->type != DETECT_BYTE_EXTRACT) {
4039  result = 0;
4040  goto end;
4041  }
4042  bed1 = (DetectByteExtractData *)sm->ctx;
4043  if (bed1->nbytes != 4 ||
4044  bed1->offset != 0 ||
4045  strcmp(bed1->name, "two") != 0 ||
4049  bed1->align_value != 0 ||
4051  goto end;
4052  }
4053  if (bed1->local_id != 0) {
4054  result = 0;
4055  goto end;
4056  }
4057 
4058  sm = sm->next;
4059  if (sm->type != DETECT_BYTE_EXTRACT) {
4060  result = 0;
4061  goto end;
4062  }
4063 
4064  sm = sm->next;
4065  if (sm->type != DETECT_BYTEJUMP) {
4066  result = 0;
4067  goto end;
4068  }
4069  bjd = (DetectBytejumpData *)sm->ctx;
4070  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
4071  printf("three failed\n");
4072  result = 0;
4073  goto end;
4074  }
4075 
4076  sm = sm->next;
4077  if (sm->type != DETECT_BYTEJUMP) {
4078  result = 0;
4079  goto end;
4080  }
4081  bjd = (DetectBytejumpData *)sm->ctx;
4082  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
4083  printf("four failed\n");
4084  result = 0;
4085  goto end;
4086  }
4087 
4088  sm = sm->next;
4089  if (sm->type != DETECT_ISDATAAT) {
4090  result = 0;
4091  goto end;
4092  }
4093  isdd = (DetectIsdataatData *)sm->ctx;
4094  if (isdd->flags != ISDATAAT_OFFSET_VAR ||
4095  isdd->dataat != 1) {
4096  printf("isdataat failed\n");
4097  result = 0;
4098  goto end;
4099  }
4100 
4101  if (sm->next != NULL)
4102  goto end;
4103 
4104  result = 1;
4105 
4106  end:
4110 
4111  return result;
4112 }
4113 
4114 static int DetectByteExtractTest59(void)
4115 {
4118  de_ctx->flags |= DE_QUIET;
4119 
4120  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
4121  "content:\"one\"; "
4122  "byte_extract:4,0,two,string,hex; "
4123  "byte_extract:4,0,three,string,hex; "
4124  "byte_jump: 2,two; "
4125  "byte_jump: 3,three; "
4126  "isdataat: three,relative; "
4127  "sid:1;)");
4128  FAIL_IF_NULL(s);
4129 
4132  FAIL_IF(sm->type != DETECT_CONTENT);
4133 
4136  FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
4143 
4144  sm = sm->next;
4145  FAIL_IF_NULL(sm);
4147 
4149  FAIL_IF(bed1->nbytes != 4);
4150  FAIL_IF(bed1->offset != 0);
4151  FAIL_IF(strcmp(bed1->name, "two") != 0);
4155  FAIL_IF(bed1->align_value != 0);
4157 
4158  FAIL_IF(bed1->local_id != 0);
4159 
4160  sm = sm->next;
4161  FAIL_IF_NULL(sm);
4163 
4164  sm = sm->next;
4165  FAIL_IF_NULL(sm);
4166  FAIL_IF(sm->type != DETECT_BYTEJUMP);
4167 
4170  FAIL_IF(bjd->offset != 0);
4171 
4172  sm = sm->next;
4173  FAIL_IF_NULL(sm);
4174  FAIL_IF(sm->type != DETECT_BYTEJUMP);
4175 
4176  bjd = (DetectBytejumpData *)sm->ctx;
4178  FAIL_IF(bjd->offset != 1);
4179 
4180  sm = sm->next;
4181  FAIL_IF_NULL(sm);
4182  FAIL_IF(sm->type != DETECT_ISDATAAT);
4183  DetectIsdataatData *isdd = (DetectIsdataatData *)sm->ctx;
4185  FAIL_IF(isdd->dataat != 1);
4186 
4187  FAIL_IF(sm->next != NULL);
4189 
4190  PASS;
4191 }
4192 
4193 static int DetectByteExtractTest60(void)
4194 {
4195  DetectEngineCtx *de_ctx = NULL;
4196  int result = 0;
4197  Signature *s = NULL;
4198  SigMatch *sm = NULL;
4199  DetectContentData *cd = NULL;
4200  DetectByteExtractData *bed1 = NULL;
4201  DetectIsdataatData *isdd = NULL;
4202 
4204  if (de_ctx == NULL)
4205  goto end;
4206 
4207  de_ctx->flags |= DE_QUIET;
4208  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4209  "(msg:\"Testing bytejump_body\"; "
4210  "content:\"one\"; "
4211  "byte_extract:4,0,two,string,hex,relative; "
4212  "uricontent: \"three\"; "
4213  "byte_extract:4,0,four,string,hex,relative; "
4214  "isdataat: two; "
4215  "sid:1;)");
4216  if (de_ctx->sig_list == NULL) {
4217  result = 0;
4218  goto end;
4219  }
4220 
4221  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4222  result = 0;
4223  goto end;
4224  }
4225 
4227  if (sm->type != DETECT_CONTENT) {
4228  result = 0;
4229  goto end;
4230  }
4231  cd = (DetectContentData *)sm->ctx;
4232  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4233  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4234  cd->flags & DETECT_CONTENT_NOCASE ||
4235  cd->flags & DETECT_CONTENT_WITHIN ||
4239  cd->flags & DETECT_CONTENT_NEGATED ) {
4240  printf("one failed\n");
4241  result = 0;
4242  goto end;
4243  }
4244 
4245  sm = sm->next;
4246  if (sm->type != DETECT_BYTE_EXTRACT) {
4247  result = 0;
4248  goto end;
4249  }
4250  bed1 = (DetectByteExtractData *)sm->ctx;
4251  if (bed1->nbytes != 4 ||
4252  bed1->offset != 0 ||
4253  strcmp(bed1->name, "two") != 0 ||
4258  bed1->align_value != 0 ||
4260  goto end;
4261  }
4262  if (bed1->local_id != 0) {
4263  result = 0;
4264  goto end;
4265  }
4266 
4267  sm = sm->next;
4268  if (sm->type != DETECT_ISDATAAT) {
4269  result = 0;
4270  goto end;
4271  }
4272  isdd = (DetectIsdataatData *)sm->ctx;
4273  if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
4274  isdd->dataat != bed1->local_id) {
4275  printf("isdataat failed\n");
4276  result = 0;
4277  goto end;
4278  }
4279 
4280  if (sm->next != NULL)
4281  goto end;
4282 
4283  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
4284  if (sm == NULL) {
4285  result = 0;
4286  goto end;
4287  }
4288  if (sm->type != DETECT_CONTENT) {
4289  result = 0;
4290  goto end;
4291  }
4292  cd = (DetectContentData *)sm->ctx;
4293  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4294  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4295  printf("one failed\n");
4296  result = 0;
4297  goto end;
4298  }
4299 
4300  sm = sm->next;
4301  if (sm->type != DETECT_BYTE_EXTRACT) {
4302  result = 0;
4303  goto end;
4304  }
4305  bed1 = (DetectByteExtractData *)sm->ctx;
4306  if (bed1->nbytes != 4 ||
4307  bed1->offset != 0 ||
4308  strcmp(bed1->name, "four") != 0 ||
4313  bed1->align_value != 0 ||
4315  goto end;
4316  }
4317  if (bed1->local_id != 0) {
4318  result = 0;
4319  goto end;
4320  }
4321 
4322  if (sm->next != NULL)
4323  goto end;
4324 
4325  result = 1;
4326 
4327  end:
4331 
4332  return result;
4333 }
4334 
4335 static int DetectByteExtractTest61(void)
4336 {
4337  DetectEngineCtx *de_ctx = NULL;
4338  int result = 0;
4339  Signature *s = NULL;
4340  SigMatch *sm = NULL;
4341  DetectContentData *cd = NULL;
4342  DetectByteExtractData *bed1 = NULL;
4343  DetectIsdataatData *isdd = NULL;
4344 
4346  if (de_ctx == NULL)
4347  goto end;
4348 
4349  de_ctx->flags |= DE_QUIET;
4350  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4351  "(msg:\"Testing bytejump_body\"; "
4352  "content:\"one\"; "
4353  "byte_extract:4,0,two,string,hex,relative; "
4354  "uricontent: \"three\"; "
4355  "byte_extract:4,0,four,string,hex,relative; "
4356  "isdataat: four, relative; "
4357  "sid:1;)");
4358  if (de_ctx->sig_list == NULL) {
4359  result = 0;
4360  goto end;
4361  }
4362 
4363  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4364  result = 0;
4365  goto end;
4366  }
4367 
4369  if (sm->type != DETECT_CONTENT) {
4370  result = 0;
4371  goto end;
4372  }
4373  cd = (DetectContentData *)sm->ctx;
4374  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4375  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4376  cd->flags & DETECT_CONTENT_NOCASE ||
4377  cd->flags & DETECT_CONTENT_WITHIN ||
4381  cd->flags & DETECT_CONTENT_NEGATED ) {
4382  printf("one failed\n");
4383  result = 0;
4384  goto end;
4385  }
4386 
4387  sm = sm->next;
4388  if (sm->type != DETECT_BYTE_EXTRACT) {
4389  result = 0;
4390  goto end;
4391  }
4392  bed1 = (DetectByteExtractData *)sm->ctx;
4393  if (bed1->nbytes != 4 ||
4394  bed1->offset != 0 ||
4395  strcmp(bed1->name, "two") != 0 ||
4400  bed1->align_value != 0 ||
4402  goto end;
4403  }
4404  if (bed1->local_id != 0) {
4405  result = 0;
4406  goto end;
4407  }
4408 
4409  if (sm->next != NULL)
4410  goto end;
4411 
4412  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
4413  if (sm == NULL) {
4414  result = 0;
4415  goto end;
4416  }
4417  if (sm->type != DETECT_CONTENT) {
4418  result = 0;
4419  goto end;
4420  }
4421  cd = (DetectContentData *)sm->ctx;
4422  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4423  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4424  printf("one failed\n");
4425  result = 0;
4426  goto end;
4427  }
4428 
4429  sm = sm->next;
4430  if (sm->type != DETECT_BYTE_EXTRACT) {
4431  result = 0;
4432  goto end;
4433  }
4434  bed1 = (DetectByteExtractData *)sm->ctx;
4435  if (bed1->nbytes != 4 ||
4436  bed1->offset != 0 ||
4437  strcmp(bed1->name, "four") != 0 ||
4442  bed1->align_value != 0 ||
4444  goto end;
4445  }
4446  if (bed1->local_id != 0) {
4447  result = 0;
4448  goto end;
4449  }
4450 
4451  sm = sm->next;
4452  if (sm->type != DETECT_ISDATAAT) {
4453  result = 0;
4454  goto end;
4455  }
4456  isdd = (DetectIsdataatData *)sm->ctx;
4457  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
4458  ISDATAAT_RELATIVE) ||
4459  isdd->dataat != bed1->local_id) {
4460  printf("isdataat failed\n");
4461  result = 0;
4462  goto end;
4463  }
4464 
4465  if (sm->next != NULL)
4466  goto end;
4467 
4468  result = 1;
4469 
4470  end:
4474 
4475  return result;
4476 }
4477 
4478 static int DetectByteExtractTest62(void)
4479 {
4480  DetectEngineCtx *de_ctx = NULL;
4481  int result = 0;
4482  Signature *s = NULL;
4483  SigMatch *sm = NULL;
4484  DetectByteExtractData *bed = NULL;
4485 
4487  if (de_ctx == NULL)
4488  goto end;
4489 
4490  de_ctx->flags |= DE_QUIET;
4491  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4492  "(file_data; byte_extract:4,2,two,relative,string,hex; "
4493  "sid:1;)");
4494  if (de_ctx->sig_list == NULL) {
4495  goto end;
4496  }
4497 
4498  sm = DetectBufferGetFirstSigMatch(s, g_file_data_buffer_id);
4499  if (sm == NULL) {
4500  goto end;
4501  }
4502  if (sm->type != DETECT_BYTE_EXTRACT) {
4503  goto end;
4504  }
4505  bed = (DetectByteExtractData *)sm->ctx;
4506  if (bed->nbytes != 4 ||
4507  bed->offset != 2 ||
4508  strncmp(bed->name, "two", 3) != 0 ||
4512  bed->align_value != 0 ||
4514  goto end;
4515  }
4516 
4517  result = 1;
4518 
4519  end:
4523 
4524  return result;
4525 }
4526 
4527 static int DetectByteExtractTest63(void)
4528 {
4529  int result = 0;
4530 
4531  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4532  if (bed == NULL)
4533  goto end;
4534 
4535  if (bed->nbytes != 4 ||
4536  bed->offset != -2 ||
4537  strcmp(bed->name, "one") != 0 ||
4538  bed->flags != 0 ||
4541  bed->align_value != 0 ||
4543  goto end;
4544  }
4545 
4546  result = 1;
4547  end:
4548  if (bed != NULL)
4549  DetectByteExtractFree(NULL, bed);
4550  return result;
4551 }
4552 
4553 static int DetectByteExtractTestParseNoBase(void)
4554 {
4555  int result = 0;
4556 
4557  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4558  if (bed == NULL)
4559  goto end;
4560 
4561  if (bed->nbytes != 4) {
4562  goto end;
4563  }
4564  if (bed->offset != 2) {
4565  goto end;
4566  }
4567  if (strcmp(bed->name, "one") != 0) {
4568  goto end;
4569  }
4570  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4571  goto end;
4572  }
4574  goto end;
4575  }
4576  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4577  goto end;
4578  }
4579  if (bed->align_value != 0) {
4580  goto end;
4581  }
4583  goto end;
4584  }
4585 
4586  result = 1;
4587  end:
4588  if (bed != NULL)
4589  DetectByteExtractFree(NULL, bed);
4590  return result;
4591 }
4592 
4593 static void DetectByteExtractRegisterTests(void)
4594 {
4595  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4596  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4597 
4598  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4599  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4600  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4601  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4602  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4603  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4604  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4605  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4606  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4607  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4608  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4609  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4610  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4611  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4612  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4613  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4614  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4615  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4616  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4617  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4618  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4619  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4620  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4621  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4622  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4623  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4624  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4625  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4626  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4627  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4628  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4629  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4630  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4631  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4632  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4633  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4634  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4635  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4636  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4637  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4638  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4639  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4640 
4641  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4642  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4643 
4644  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4645  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4646 
4647  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4648  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4649 
4650  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4651  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4652 
4653  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4654  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4655 
4656  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4657  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4658 
4659  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4660  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4661  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4662 
4663  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4664  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4665  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4666  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4667  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4668  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4669 
4670  UtRegisterTest("DetectByteExtractTestParseNoBase",
4671  DetectByteExtractTestParseNoBase);
4672 }
4673 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:107
util-byte.h
DetectBytetestData_::flags
uint16_t flags
Definition: detect-bytetest.h:58
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
SigTableElmt_::url
const char * url
Definition: detect.h:1296
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1753
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:527
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DETECT_BYTE_EXTRACT_ENDIAN_DCE
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE
Definition: detect-byte-extract.h:38
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1121
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:113
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:578
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:77
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1283
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition: detect-content.h:47
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1293
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:580
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:76
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectContentData_::within
int32_t within
Definition: detect-content.h:109
DETECT_BYTE_EXTRACT_FLAG_STRING
#define DETECT_BYTE_EXTRACT_FLAG_STRING
Definition: detect-byte-extract.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
DetectByteExtractData_::local_id
uint8_t local_id
Definition: detect-byte-extract.h:45
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
detect-isdataat.h
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:60
DetectByteExtractData_
Holds data related to byte_extract keyword.
Definition: detect-byte-extract.h:43
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
threads.h
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2580
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
DE_QUIET
#define DE_QUIET
Definition: detect.h:321
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:59
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2674
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:46
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:54
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectBytetestData_
Definition: detect-bytetest.h:53
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
DetectByteExtractData_::nbytes
uint8_t nbytes
Definition: detect-byte-extract.h:47
SigMatchData_
Data needed for Match()
Definition: detect.h:356
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
detect-pcre.h
DetectBytejumpData_
Definition: detect-bytejump.h:46
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:50
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1119
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:713
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:115
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:73
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:361
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
Definition: detect-byte-extract.c:54
DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
Definition: detect-byte-extract.c:66
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
StringParseI32RangeCheck
int StringParseI32RangeCheck(int32_t *res, int base, size_t len, const char *str, int32_t min, int32_t max)
Definition: util-byte.c:716
DetectByteExtractData_::offset
int32_t offset
Definition: detect-byte-extract.h:49
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2791
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SignatureInitData_::list
int list
Definition: detect.h:562
DETECT_BYTE_EXTRACT_ENDIAN_BIG
#define DETECT_BYTE_EXTRACT_ENDIAN_BIG
Definition: detect-byte-extract.h:36
detect-engine-mpm.h
detect.h
StringParseU16RangeCheck
int StringParseU16RangeCheck(uint16_t *res, int base, size_t len, const char *str, uint16_t min, uint16_t max)
Definition: util-byte.c:433
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:61
DetectByteExtractData_::align_value
uint8_t align_value
Definition: detect-byte-extract.h:54
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:351
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
DetectByteExtractData_::endian
uint8_t endian
Definition: detect-byte-extract.h:52
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:350
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2218
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
detect-engine-build.h
DETECT_BYTE_EXTRACT_FLAG_RELATIVE
#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE
Definition: detect-byte-extract.h:28
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:662
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1261
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:659
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:912
DetectByteExtractData_::base
uint8_t base
Definition: detect-byte-extract.h:53
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:64
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:342
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition: detect-content.h:48
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:138
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:75
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
DETECT_BYTE_EXTRACT_BASE_NONE
#define DETECT_BYTE_EXTRACT_BASE_NONE
Definition: detect-byte-extract.c:58
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
Definition: detect-byte-extract.h:37
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:348
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:74
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:108
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1351
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
util-spm.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:844
DETECT_BYTE_EXTRACT_FLAG_ALIGN
#define DETECT_BYTE_EXTRACT_FLAG_ALIGN
Definition: detect-byte-extract.h:31
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:583
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
DetectByteExtractData_::name
const char * name
Definition: detect-byte-extract.h:50
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:820
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectByteExtractData_::multiplier_value
uint16_t multiplier_value
Definition: detect-byte-extract.h:56
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_BYTE_EXTRACT_ENDIAN_NONE
#define DETECT_BYTE_EXTRACT_ENDIAN_NONE
Definition: detect-byte-extract.h:35
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:184
DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
Definition: detect-byte-extract.h:29
detect-parse.h
Signature_
Signature container.
Definition: detect.h:593
SigMatch_
a single match condition for a signature
Definition: detect.h:347
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:129
DetectByteExtractData_::flags
uint8_t flags
Definition: detect-byte-extract.h:51
DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
Definition: detect-byte-extract.c:68
DETECT_BYTE_EXTRACT_FLAG_ENDIAN
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN
Definition: detect-byte-extract.h:32
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:60
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:33
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2541
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:101
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2767
DetectPcreData_
Definition: detect-pcre.h:42
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-byte-extract.c:79
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:77
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:619
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:838
flow.h
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
Definition: detect-byte-extract.c:69
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:584
flow-var.h
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:75
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:62
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
DETECT_BYTEJUMP_OFFSET_VAR
#define DETECT_BYTEJUMP_OFFSET_VAR
Definition: detect-bytejump.h:44
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:49
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
detect-bytetest.h