suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-mpm.h"
32 #include "detect-engine-state.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-bytejump.h"
36 #include "detect-bytetest.h"
37 #include "detect-byte-extract.h"
38 #include "detect-isdataat.h"
39 #include "detect-engine-build.h"
40 
41 #include "app-layer-protos.h"
42 
43 #include "flow.h"
44 #include "flow-var.h"
45 #include "flow-util.h"
46 
47 #include "util-byte.h"
48 #include "util-debug.h"
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 #include "util-spm.h"
52 
53 /* the default value of endianness to be used, if none's specified */
54 #define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT DETECT_BYTE_EXTRACT_ENDIAN_BIG
55 
56 /* the base to be used if string mode is specified. These options would be
57  * specified in DetectByteParseData->base */
58 #define DETECT_BYTE_EXTRACT_BASE_NONE 0
59 #define DETECT_BYTE_EXTRACT_BASE_HEX 16
60 #define DETECT_BYTE_EXTRACT_BASE_DEC 10
61 #define DETECT_BYTE_EXTRACT_BASE_OCT 8
62 
63 /* the default value for multiplier. Either ways we always store a
64  * multiplier, 1 or otherwise, so that we can always multiply the extracted
65  * value and store it, instead of checking if a multiplier is set or not */
66 #define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT 1
67 /* the min/max limit for multiplier */
68 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT 1
69 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT 65535
70 
71 /* the max no of bytes that can be extracted in string mode - (string, hex)
72  * (string, oct) or (string, dec) */
73 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
74 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
75 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
76 /* the max no of bytes that can be extracted in non-string mode */
77 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
78 
79 #define PARSE_REGEX "^" \
80  "\\s*([0-9]+)\\s*" \
81  ",\\s*(-?[0-9]+)\\s*" \
82  ",\\s*([^\\s,]+)\\s*" \
83  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
84  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
85  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
86  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
87  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
88  "$"
89 
90 static DetectParseRegex parse_regex;
91 
92 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
93 #ifdef UNITTESTS
94 static void DetectByteExtractRegisterTests(void);
95 #endif
96 static void DetectByteExtractFree(DetectEngineCtx *, void *);
97 
98 /**
99  * \brief Registers the keyword handlers for the "byte_extract" keyword.
100  */
101 void DetectByteExtractRegister(void)
102 {
103  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
104  sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
105  sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
106  sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
107  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
108  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
109 #ifdef UNITTESTS
110  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
111 #endif
112  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
113 }
114 
115 int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
116  const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value,
117  uint8_t endian)
118 {
119  DetectByteExtractData *data = (DetectByteExtractData *)smd->ctx;
120  const uint8_t *ptr = NULL;
121  int32_t len = 0;
122  uint64_t val = 0;
123  int extbytes;
124 
125  if (payload_len == 0) {
126  return 0;
127  }
128 
129  /* Calculate the ptr value for the bytetest and length remaining in
130  * the packet from that point.
131  */
132  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
133  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
134  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
135 
136  ptr = payload + det_ctx->buffer_offset;
137  len = payload_len - det_ctx->buffer_offset;
138 
139  ptr += data->offset;
140  len -= data->offset;
141 
142  /* No match if there is no relative base */
143  if (len <= 0) {
144  return 0;
145  }
146  //PrintRawDataFp(stdout,ptr,len);
147  } else {
148  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
149 
150  ptr = payload + data->offset;
151  len = payload_len - data->offset;
152  }
153 
154  /* Validate that the to-be-extracted is within the packet */
155  if (ptr < payload || data->nbytes > len) {
156  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
157  payload, ptr, len, data->nbytes);
158  return 0;
159  }
160 
161  /* Extract the byte data */
162  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
163  extbytes = ByteExtractStringUint64(&val, data->base,
164  data->nbytes, (const char *)ptr);
165  if (extbytes <= 0) {
166  /* strtoull() return 0 if there is no numeric value in data string */
167  if (val == 0) {
168  SCLogDebug("No Numeric value");
169  return 0;
170  } else {
171  SCLogDebug("error extracting %d bytes of string data: %d",
172  data->nbytes, extbytes);
173  return -1;
174  }
175  }
176  } else {
177  int endianness = (endian == DETECT_BYTE_EXTRACT_ENDIAN_BIG) ?
178  BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
179  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
180  if (extbytes != data->nbytes) {
181  SCLogDebug("error extracting %d bytes of numeric data: %d",
182  data->nbytes, extbytes);
183  return 0;
184  }
185  }
186 
187  /* Adjust the jump value based on flags */
188  val *= data->multiplier_value;
189  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
190  if ((val % data->align_value) != 0) {
191  val += data->align_value - (val % data->align_value);
192  }
193  }
194 
195  ptr += extbytes;
196 
197  det_ctx->buffer_offset = ptr - payload;
198 
199  *value = val;
200  SCLogDebug("extracted value is %"PRIu64, val);
201  return 1;
202 }
203 
204 /**
205  * \internal
206  * \brief Used to parse byte_extract arg.
207  *
208  * \param de_ctx Pointer to the detection engine context
209  * \arg The argument to parse.
210  *
211  * \param bed On success an instance containing the parsed data.
212  * On failure, NULL.
213  */
214 static inline DetectByteExtractData *DetectByteExtractParse(DetectEngineCtx *de_ctx, const char *arg)
215 {
216  DetectByteExtractData *bed = NULL;
217  int res = 0;
218  size_t pcre2len;
219  int i = 0;
220  pcre2_match_data *match = NULL;
221 
222  int ret = DetectParsePcreExec(&parse_regex, &match, arg, 0, 0);
223  if (ret < 3 || ret > 19) {
224  SCLogError("parse error, ret %" PRId32 ", string \"%s\"", ret, arg);
225  SCLogError("Invalid arg to byte_extract : %s "
226  "for byte_extract",
227  arg);
228  goto error;
229  }
230 
231  bed = SCCalloc(1, sizeof(DetectByteExtractData));
232  if (unlikely(bed == NULL))
233  goto error;
234 
235  /* no of bytes to extract */
236  char nbytes_str[64] = "";
237  pcre2len = sizeof(nbytes_str);
238  res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)nbytes_str, &pcre2len);
239  if (res < 0) {
240  SCLogError("pcre2_substring_copy_bynumber failed "
241  "for arg 1 for byte_extract");
242  goto error;
243  }
244  if (StringParseUint8(&bed->nbytes, 10, 0,
245  (const char *)nbytes_str) < 0) {
246  SCLogError("Invalid value for number of bytes"
247  " to be extracted: \"%s\".",
248  nbytes_str);
249  goto error;
250  }
251 
252  /* offset */
253  char offset_str[64] = "";
254  pcre2len = sizeof(offset_str);
255  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)offset_str, &pcre2len);
256  if (res < 0) {
257  SCLogError("pcre2_substring_copy_bynumber failed "
258  "for arg 2 for byte_extract");
259  goto error;
260  }
261  int32_t offset;
262  if (StringParseI32RangeCheck(&offset, 10, 0, (const char *)offset_str, -65535, 65535) < 0) {
263  SCLogError("Invalid value for offset: \"%s\".", offset_str);
264  goto error;
265  }
266  bed->offset = offset;
267 
268  /* var name */
269  char varname_str[256] = "";
270  pcre2len = sizeof(varname_str);
271  res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)varname_str, &pcre2len);
272  if (res < 0) {
273  SCLogError("pcre2_substring_copy_bynumber failed "
274  "for arg 3 for byte_extract");
275  goto error;
276  }
277  bed->name = SCStrdup(varname_str);
278  if (bed->name == NULL)
279  goto error;
280 
281  /* check out other optional args */
282  for (i = 4; i < ret; i++) {
283  char opt_str[64] = "";
284  pcre2len = sizeof(opt_str);
285  res = SC_Pcre2SubstringCopy(match, i, (PCRE2_UCHAR8 *)opt_str, &pcre2len);
286  if (res < 0) {
287  SCLogError("pcre2_substring_copy_bynumber failed "
288  "for arg %d for byte_extract with %d",
289  i, res);
290  goto error;
291  }
292 
293  if (strcmp("relative", opt_str) == 0) {
294  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
295  SCLogError("relative specified more "
296  "than once for byte_extract");
297  goto error;
298  }
299  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
300  } else if (strcmp("multiplier", opt_str) == 0) {
301  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) {
302  SCLogError("multiplier specified more "
303  "than once for byte_extract");
304  goto error;
305  }
306  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER;
307  i++;
308 
309  char multiplier_str[16] = "";
310  pcre2len = sizeof(multiplier_str);
311  res = pcre2_substring_copy_bynumber(
312  match, i, (PCRE2_UCHAR8 *)multiplier_str, &pcre2len);
313  if (res < 0) {
314  SCLogError("pcre2_substring_copy_bynumber failed "
315  "for arg %d for byte_extract",
316  i);
317  goto error;
318  }
319  uint16_t multiplier;
320  if (StringParseU16RangeCheck(&multiplier, 10, 0, (const char *)multiplier_str,
321  DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT,
322  DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT) < 0) {
323  SCLogError("Invalid value for"
324  "multiplier: \"%s\".",
325  multiplier_str);
326  goto error;
327  }
328  bed->multiplier_value = multiplier;
329  } else if (strcmp("big", opt_str) == 0) {
330  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
331  SCLogError("endian option specified "
332  "more than once for byte_extract");
333  goto error;
334  }
335  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
336  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_BIG;
337  } else if (strcmp("little", opt_str) == 0) {
338  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
339  SCLogError("endian option specified "
340  "more than once for byte_extract");
341  goto error;
342  }
343  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
344  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_LITTLE;
345  } else if (strcmp("dce", opt_str) == 0) {
346  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
347  SCLogError("endian option specified "
348  "more than once for byte_extract");
349  goto error;
350  }
351  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
352  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DCE;
353  } else if (strcmp("string", opt_str) == 0) {
354  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
355  SCLogError("string specified more "
356  "than once for byte_extract");
357  goto error;
358  }
359  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
360  SCLogError("The right way to specify "
361  "base is (string, base) and not (base, string) "
362  "for byte_extract");
363  goto error;
364  }
365  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_STRING;
366  } else if (strcmp("hex", opt_str) == 0) {
367  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
368  SCLogError("Base(hex) specified "
369  "without specifying string. The right way is "
370  "(string, base) and not (base, string)");
371  goto error;
372  }
373  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
374  SCLogError("More than one base "
375  "specified for byte_extract");
376  goto error;
377  }
378  bed->base = DETECT_BYTE_EXTRACT_BASE_HEX;
379  } else if (strcmp("oct", opt_str) == 0) {
380  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
381  SCLogError("Base(oct) specified "
382  "without specifying string. The right way is "
383  "(string, base) and not (base, string)");
384  goto error;
385  }
386  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
387  SCLogError("More than one base "
388  "specified for byte_extract");
389  goto error;
390  }
391  bed->base = DETECT_BYTE_EXTRACT_BASE_OCT;
392  } else if (strcmp("dec", opt_str) == 0) {
393  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
394  SCLogError("Base(dec) specified "
395  "without specifying string. The right way is "
396  "(string, base) and not (base, string)");
397  goto error;
398  }
399  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
400  SCLogError("More than one base "
401  "specified for byte_extract");
402  goto error;
403  }
404  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
405  } else if (strcmp("align", opt_str) == 0) {
406  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
407  SCLogError("Align specified more "
408  "than once for byte_extract");
409  goto error;
410  }
411  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ALIGN;
412  i++;
413 
414  char align_str[16] = "";
415  pcre2len = sizeof(align_str);
416  res = pcre2_substring_copy_bynumber(match, i, (PCRE2_UCHAR8 *)align_str, &pcre2len);
417  if (res < 0) {
418  SCLogError("pcre2_substring_copy_bynumber failed "
419  "for arg %d in byte_extract",
420  i);
421  goto error;
422  }
423  if (StringParseUint8(&bed->align_value, 10, 0,
424  (const char *)align_str) < 0) {
425  SCLogError("Invalid align_value: "
426  "\"%s\".",
427  align_str);
428  goto error;
429  }
430  if (!(bed->align_value == 2 || bed->align_value == 4)) {
431  SCLogError("Invalid align_value for "
432  "byte_extract - \"%d\"",
433  bed->align_value);
434  goto error;
435  }
436  } else if (strcmp("", opt_str) == 0) {
437  ;
438  } else {
439  SCLogError("Invalid option - \"%s\" "
440  "specified in byte_extract",
441  opt_str);
442  goto error;
443  }
444  } /* for (i = 4; i < ret; i++) */
445 
446  /* validation */
447  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER)) {
448  /* default value */
449  bed->multiplier_value = DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT;
450  }
451 
452  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
453  if (bed->base == DETECT_BYTE_EXTRACT_BASE_NONE) {
454  /* Default to decimal if base not specified. */
455  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
456  }
457  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
458  SCLogError("byte_extract can't have "
459  "endian \"big\" or \"little\" specified along with "
460  "\"string\"");
461  goto error;
462  }
463  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
464  /* if are dealing with octal nos, the max no that can fit in a 8
465  * byte value is 01777777777777777777777 */
466  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
467  SCLogError("byte_extract can't process "
468  "more than %d bytes in \"string\" extraction",
469  STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
470  goto error;
471  }
472  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
473  /* if are dealing with decimal nos, the max no that can fit in a 8
474  * byte value is 18446744073709551615 */
475  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
476  SCLogError("byte_extract can't process "
477  "more than %d bytes in \"string\" extraction",
478  STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
479  goto error;
480  }
481  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
482  /* if are dealing with hex nos, the max no that can fit in a 8
483  * byte value is 0xFFFFFFFFFFFFFFFF */
484  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
485  SCLogError("byte_extract can't process "
486  "more than %d bytes in \"string\" extraction",
487  STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
488  goto error;
489  }
490  } else {
491  ; // just a placeholder. we won't reach here.
492  }
493  } else {
494  if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
495  SCLogError("byte_extract can't process "
496  "more than %d bytes in \"non-string\" extraction",
497  NO_STRING_MAX_BYTES_TO_EXTRACT);
498  goto error;
499  }
500  /* if string has not been specified and no endian option has been
501  * specified, then set the default endian level of BIG */
502  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
503  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT;
504  }
505 
506  pcre2_match_data_free(match);
507 
508  return bed;
509  error:
510  if (bed != NULL)
511  DetectByteExtractFree(de_ctx, bed);
512  if (match) {
513  pcre2_match_data_free(match);
514  }
515  return NULL;
516 }
517 
518 /**
519  * \brief The setup function for the byte_extract keyword for a signature.
520  *
521  * \param de_ctx Pointer to the detection engine context.
522  * \param s Pointer to signature for the current Signature being parsed
523  * from the rules.
524  * \param m Pointer to the head of the SigMatch for the current rule
525  * being parsed.
526  * \param arg Pointer to the string holding the keyword value.
527  *
528  * \retval 0 On success.
529  * \retval -1 On failure.
530  */
531 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
532 {
533  SigMatch *prev_pm = NULL;
534  DetectByteExtractData *data = NULL;
535  int ret = -1;
536 
537  data = DetectByteExtractParse(de_ctx, arg);
538  if (data == NULL)
539  goto error;
540 
541  int sm_list;
542  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
543  sm_list = s->init_data->list;
544 
545  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
546  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
547  }
548  } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
549  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
550  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
551  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
552  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
553  if (prev_pm == NULL) {
554  sm_list = DETECT_SM_LIST_PMATCH;
555  } else {
556  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
557  if (sm_list < 0)
558  goto error;
559  }
560  } else {
561  sm_list = DETECT_SM_LIST_PMATCH;
562  }
563 
564  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
565  goto error;
566  s->flags |= SIG_FLAG_APPLAYER;
567 
568  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
569  prev_pm = DetectGetLastSMFromLists(s,
570  DETECT_CONTENT, DETECT_PCRE,
571  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
572  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
573  if (prev_pm == NULL) {
574  sm_list = DETECT_SM_LIST_PMATCH;
575  } else {
576  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
577  if (sm_list < 0)
578  goto error;
579  if (sm_list != DETECT_SM_LIST_PMATCH)
580  s->flags |= SIG_FLAG_APPLAYER;
581  }
582 
583  } else {
584  sm_list = DETECT_SM_LIST_PMATCH;
585  }
586 
587  if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
588  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
589  goto error;
590 
591  if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
592  (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
593  (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
594  (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) {
595  SCLogError("Invalid option. "
596  "A byte_jump keyword with dce holds other invalid modifiers.");
597  goto error;
598  }
599  }
600 
601  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
602  DETECT_BYTE_EXTRACT, -1);
603  if (prev_bed_sm == NULL)
604  data->local_id = 0;
605  else
606  data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
607  if (data->local_id > de_ctx->byte_extract_max_local_id)
608  de_ctx->byte_extract_max_local_id = data->local_id;
609 
610  if (SigMatchAppendSMToList(de_ctx, s, DETECT_BYTE_EXTRACT, (SigMatchCtx *)data, sm_list) ==
611  NULL) {
612  goto error;
613  }
614 
615  if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
616  goto okay;
617 
618  if (prev_pm == NULL)
619  goto okay;
620 
621  if (prev_pm->type == DETECT_CONTENT) {
622  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
623  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
624  } else if (prev_pm->type == DETECT_PCRE) {
625  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
626  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
627  }
628 
629  okay:
630  ret = 0;
631  return ret;
632  error:
633  DetectByteExtractFree(de_ctx, data);
634  return ret;
635 }
636 
637 /**
638  * \brief Used to free instances of DetectByteExtractData.
639  *
640  * \param ptr Instance of DetectByteExtractData to be freed.
641  */
642 static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
643 {
644  if (ptr != NULL) {
645  DetectByteExtractData *bed = ptr;
646  if (bed->name != NULL)
647  SCFree((void *)bed->name);
648  SCFree(bed);
649  }
650 
651  return;
652 }
653 
654 /**
655  * \brief Lookup the SigMatch for a named byte_extract variable.
656  *
657  * \param arg The name of the byte_extract variable to lookup.
658  * \param s Pointer the signature to look in.
659  *
660  * \retval A pointer to the SigMatch if found, otherwise NULL.
661  */
662 SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
663 {
664  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
665  SigMatch *sm = s->init_data->buffers[x].head;
666  while (sm != NULL) {
667  if (sm->type == DETECT_BYTE_EXTRACT) {
668  const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
669  if (strcmp(bed->name, arg) == 0) {
670  return sm;
671  }
672  }
673  sm = sm->next;
674  }
675  }
676 
677  for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
678  SigMatch *sm = s->init_data->smlists[list];
679  while (sm != NULL) {
680  if (sm->type == DETECT_BYTE_EXTRACT) {
681  const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
682  if (strcmp(bed->name, arg) == 0) {
683  return sm;
684  }
685  }
686  sm = sm->next;
687  }
688  }
689 
690  return NULL;
691 }
692 
693 /*************************************Unittests********************************/
694 
695 #ifdef UNITTESTS
696 
697 static int g_file_data_buffer_id = 0;
698 static int g_http_uri_buffer_id = 0;
699 
700 static int DetectByteExtractTest01(void)
701 {
702  int result = 0;
703 
704  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
705  if (bed == NULL)
706  goto end;
707 
708  if (bed->nbytes != 4 ||
709  bed->offset != 2 ||
710  strcmp(bed->name, "one") != 0 ||
711  bed->flags != 0 ||
712  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
713  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
714  bed->align_value != 0 ||
715  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
716  goto end;
717  }
718 
719  result = 1;
720  end:
721  if (bed != NULL)
722  DetectByteExtractFree(NULL, bed);
723  return result;
724 }
725 
726 static int DetectByteExtractTest02(void)
727 {
728  int result = 0;
729 
730  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
731  if (bed == NULL)
732  goto end;
733 
734  if (bed->nbytes != 4 ||
735  bed->offset != 2 ||
736  strcmp(bed->name, "one") != 0 ||
737  bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE ||
738  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
739  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
740  bed->align_value != 0 ||
741  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
742  goto end;
743  }
744 
745  result = 1;
746  end:
747  if (bed != NULL)
748  DetectByteExtractFree(NULL, bed);
749  return result;
750 }
751 
752 static int DetectByteExtractTest03(void)
753 {
754  int result = 0;
755 
756  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
757  if (bed == NULL)
758  goto end;
759 
760  if (bed->nbytes != 4 ||
761  bed->offset != 2 ||
762  strcmp(bed->name, "one") != 0 ||
763  bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER ||
764  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
765  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
766  bed->align_value != 0 ||
767  bed->multiplier_value != 10) {
768  goto end;
769  }
770 
771  result = 1;
772  end:
773  if (bed != NULL)
774  DetectByteExtractFree(NULL, bed);
775  return result;
776 }
777 
778 static int DetectByteExtractTest04(void)
779 {
780  int result = 0;
781 
782  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
783  if (bed == NULL)
784  goto end;
785 
786  if (bed->nbytes != 4 ||
787  bed->offset != 2 ||
788  strcmp(bed->name, "one") != 0 ||
789  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
790  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
791  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
792  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
793  bed->align_value != 0 ||
794  bed->multiplier_value != 10) {
795  goto end;
796  }
797 
798  result = 1;
799  end:
800  if (bed != NULL)
801  DetectByteExtractFree(NULL, bed);
802  return result;
803 }
804 
805 static int DetectByteExtractTest05(void)
806 {
807  int result = 0;
808 
809  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
810  if (bed == NULL)
811  goto end;
812 
813  if (bed->nbytes != 4 ||
814  bed->offset != 2 ||
815  strcmp(bed->name, "one") != 0 ||
816  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
817  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
818  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
819  bed->align_value != 0 ||
820  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
821  goto end;
822  }
823 
824  result = 1;
825  end:
826  if (bed != NULL)
827  DetectByteExtractFree(NULL, bed);
828  return result;
829 }
830 
831 static int DetectByteExtractTest06(void)
832 {
833  int result = 0;
834 
835  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
836  if (bed == NULL)
837  goto end;
838 
839  if (bed->nbytes != 4 ||
840  bed->offset != 2 ||
841  strcmp(bed->name, "one") != 0 ||
842  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
843  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
844  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
845  bed->align_value != 0 ||
846  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
847  goto end;
848  }
849 
850  result = 1;
851  end:
852  if (bed != NULL)
853  DetectByteExtractFree(NULL, bed);
854  return result;
855 }
856 
857 static int DetectByteExtractTest07(void)
858 {
859  int result = 0;
860 
861  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
862  if (bed == NULL)
863  goto end;
864 
865  if (bed->nbytes != 4 ||
866  bed->offset != 2 ||
867  strcmp(bed->name, "one") != 0 ||
868  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
869  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
870  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
871  bed->align_value != 0 ||
872  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
873  goto end;
874  }
875 
876  result = 1;
877  end:
878  if (bed != NULL)
879  DetectByteExtractFree(NULL, bed);
880  return result;
881 }
882 
883 static int DetectByteExtractTest08(void)
884 {
885  int result = 0;
886 
887  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
888  if (bed == NULL)
889  goto end;
890 
891  if (bed->nbytes != 4 ||
892  bed->offset != 2 ||
893  strcmp(bed->name, "one") != 0 ||
894  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
895  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
896  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
897  bed->align_value != 0 ||
898  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
899  goto end;
900  }
901 
902  result = 1;
903  end:
904  if (bed != NULL)
905  DetectByteExtractFree(NULL, bed);
906  return result;
907 }
908 
909 static int DetectByteExtractTest09(void)
910 {
911  int result = 0;
912 
913  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
914  if (bed == NULL)
915  goto end;
916 
917  if (bed->nbytes != 4 ||
918  bed->offset != 2 ||
919  strcmp(bed->name, "one") != 0 ||
920  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
921  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
922  bed->base != DETECT_BYTE_EXTRACT_BASE_OCT ||
923  bed->align_value != 0 ||
924  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
925  goto end;
926  }
927 
928  result = 1;
929  end:
930  if (bed != NULL)
931  DetectByteExtractFree(NULL, bed);
932  return result;
933 }
934 
935 static int DetectByteExtractTest10(void)
936 {
937  int result = 0;
938 
939  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
940  if (bed == NULL)
941  goto end;
942 
943  if (bed->nbytes != 4 ||
944  bed->offset != 2 ||
945  strcmp(bed->name, "one") != 0 ||
946  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
947  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
948  bed->base != DETECT_BYTE_EXTRACT_BASE_DEC ||
949  bed->align_value != 0 ||
950  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
951  goto end;
952  }
953 
954  result = 1;
955  end:
956  if (bed != NULL)
957  DetectByteExtractFree(NULL, bed);
958  return result;
959 }
960 
961 static int DetectByteExtractTest11(void)
962 {
963  int result = 0;
964 
965  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
966  if (bed == NULL)
967  goto end;
968 
969  if (bed->nbytes != 4 ||
970  bed->offset != 2 ||
971  strcmp(bed->name, "one") != 0 ||
972  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN ||
973  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
974  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
975  bed->align_value != 4 ||
976  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
977  goto end;
978  }
979 
980  result = 1;
981  end:
982  if (bed != NULL)
983  DetectByteExtractFree(NULL, bed);
984  return result;
985 }
986 
987 static int DetectByteExtractTest12(void)
988 {
989  int result = 0;
990 
991  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
992  if (bed == NULL)
993  goto end;
994 
995  if (bed->nbytes != 4 ||
996  bed->offset != 2 ||
997  strcmp(bed->name, "one") != 0 ||
998  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
999  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1000  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
1001  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1002  bed->align_value != 4 ||
1003  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1004  goto end;
1005  }
1006 
1007  result = 1;
1008  end:
1009  if (bed != NULL)
1010  DetectByteExtractFree(NULL, bed);
1011  return result;
1012 }
1013 
1014 static int DetectByteExtractTest13(void)
1015 {
1016  int result = 0;
1017 
1018  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
1019  if (bed == NULL)
1020  goto end;
1021 
1022  if (bed->nbytes != 4 ||
1023  bed->offset != 2 ||
1024  strcmp(bed->name, "one") != 0 ||
1025  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1026  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1027  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1028  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
1029  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1030  bed->align_value != 4 ||
1031  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1032  goto end;
1033  }
1034 
1035  result = 1;
1036  end:
1037  if (bed != NULL)
1038  DetectByteExtractFree(NULL, bed);
1039  return result;
1040 }
1041 
1042 static int DetectByteExtractTest14(void)
1043 {
1044  int result = 0;
1045 
1046  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
1047  if (bed == NULL)
1048  goto end;
1049 
1050  if (bed->nbytes != 4 ||
1051  bed->offset != 2 ||
1052  strcmp(bed->name, "one") != 0 ||
1053  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1054  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1055  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1056  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
1057  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1058  bed->align_value != 4 ||
1059  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1060  goto end;
1061  }
1062 
1063  result = 1;
1064  end:
1065  if (bed != NULL)
1066  DetectByteExtractFree(NULL, bed);
1067  return result;
1068 }
1069 
1070 static int DetectByteExtractTest15(void)
1071 {
1072  int result = 0;
1073 
1074  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
1075  if (bed == NULL)
1076  goto end;
1077 
1078  if (bed->nbytes != 4 ||
1079  bed->offset != 2 ||
1080  strcmp(bed->name, "one") != 0 ||
1081  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1082  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1083  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1084  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1085  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1086  bed->align_value != 4 ||
1087  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1088  goto end;
1089  }
1090 
1091  result = 1;
1092  end:
1093  if (bed != NULL)
1094  DetectByteExtractFree(NULL, bed);
1095  return result;
1096 }
1097 
1098 static int DetectByteExtractTest16(void)
1099 {
1100  int result = 0;
1101 
1102  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
1103  if (bed == NULL)
1104  goto end;
1105 
1106  if (bed->nbytes != 4 ||
1107  bed->offset != 2 ||
1108  strcmp(bed->name, "one") != 0 ||
1109  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1110  DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1111  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1112  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
1113  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1114  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1115  bed->align_value != 4 ||
1116  bed->multiplier_value != 2) {
1117  goto end;
1118  }
1119 
1120  result = 1;
1121  end:
1122  if (bed != NULL)
1123  DetectByteExtractFree(NULL, bed);
1124  return result;
1125 }
1126 
1127 static int DetectByteExtractTest17(void)
1128 {
1129  int result = 0;
1130 
1131  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1132  "relative, little, "
1133  "multiplier 2, string hex");
1134  if (bed != NULL)
1135  goto end;
1136 
1137  result = 1;
1138  end:
1139  if (bed != NULL)
1140  DetectByteExtractFree(NULL, bed);
1141  return result;
1142 }
1143 
1144 static int DetectByteExtractTest18(void)
1145 {
1146  int result = 0;
1147 
1148  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1149  "relative, little, "
1150  "multiplier 2, "
1151  "relative");
1152  if (bed != NULL)
1153  goto end;
1154 
1155  result = 1;
1156  end:
1157  if (bed != NULL)
1158  DetectByteExtractFree(NULL, bed);
1159  return result;
1160 }
1161 
1162 static int DetectByteExtractTest19(void)
1163 {
1164  int result = 0;
1165 
1166  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1167  "relative, little, "
1168  "multiplier 2, "
1169  "little");
1170  if (bed != NULL)
1171  goto end;
1172 
1173  result = 1;
1174  end:
1175  if (bed != NULL)
1176  DetectByteExtractFree(NULL, bed);
1177  return result;
1178 }
1179 
1180 static int DetectByteExtractTest20(void)
1181 {
1182  int result = 0;
1183 
1184  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1185  "relative, "
1186  "multiplier 2, "
1187  "align 2");
1188  if (bed != NULL)
1189  goto end;
1190 
1191  result = 1;
1192  end:
1193  if (bed != NULL)
1194  DetectByteExtractFree(NULL, bed);
1195  return result;
1196 }
1197 
1198 static int DetectByteExtractTest21(void)
1199 {
1200  int result = 0;
1201 
1202  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1203  "multiplier 2, "
1204  "relative, "
1205  "multiplier 2");
1206  if (bed != NULL)
1207  goto end;
1208 
1209  result = 1;
1210  end:
1211  if (bed != NULL)
1212  DetectByteExtractFree(NULL, bed);
1213  return result;
1214 }
1215 
1216 static int DetectByteExtractTest22(void)
1217 {
1218  int result = 0;
1219 
1220  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1221  "string hex, "
1222  "relative, "
1223  "string hex");
1224  if (bed != NULL)
1225  goto end;
1226 
1227  result = 1;
1228  end:
1229  if (bed != NULL)
1230  DetectByteExtractFree(NULL, bed);
1231  return result;
1232 }
1233 
1234 static int DetectByteExtractTest23(void)
1235 {
1236  int result = 0;
1237 
1238  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1239  "string hex, "
1240  "relative, "
1241  "string oct");
1242  if (bed != NULL)
1243  goto end;
1244 
1245  result = 1;
1246  end:
1247  if (bed != NULL)
1248  DetectByteExtractFree(NULL, bed);
1249  return result;
1250 }
1251 
1252 static int DetectByteExtractTest24(void)
1253 {
1254  int result = 0;
1255 
1256  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
1257  "string hex, "
1258  "relative");
1259  if (bed != NULL)
1260  goto end;
1261 
1262  result = 1;
1263  end:
1264  if (bed != NULL)
1265  DetectByteExtractFree(NULL, bed);
1266  return result;
1267 }
1268 
1269 static int DetectByteExtractTest25(void)
1270 {
1271  int result = 0;
1272 
1273  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
1274  "little, "
1275  "relative");
1276  if (bed != NULL)
1277  goto end;
1278 
1279  result = 1;
1280  end:
1281  if (bed != NULL)
1282  DetectByteExtractFree(NULL, bed);
1283  return result;
1284 }
1285 
1286 static int DetectByteExtractTest26(void)
1287 {
1288  int result = 0;
1289 
1290  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1291  "little, "
1292  "relative, "
1293  "multiplier 65536");
1294  if (bed != NULL)
1295  goto end;
1296 
1297  result = 1;
1298  end:
1299  if (bed != NULL)
1300  DetectByteExtractFree(NULL, bed);
1301  return result;
1302 }
1303 
1304 static int DetectByteExtractTest27(void)
1305 {
1306  int result = 0;
1307 
1308  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1309  "little, "
1310  "relative, "
1311  "multiplier 0");
1312  if (bed != NULL)
1313  goto end;
1314 
1315  result = 1;
1316  end:
1317  if (bed != NULL)
1318  DetectByteExtractFree(NULL, bed);
1319  return result;
1320 }
1321 
1322 static int DetectByteExtractTest28(void)
1323 {
1324  int result = 0;
1325 
1326  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
1327  if (bed == NULL)
1328  goto end;
1329 
1330  result = 1;
1331  end:
1332  if (bed != NULL)
1333  DetectByteExtractFree(NULL, bed);
1334  return result;
1335 }
1336 
1337 static int DetectByteExtractTest29(void)
1338 {
1339  int result = 0;
1340 
1341  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
1342  if (bed != NULL)
1343  goto end;
1344 
1345  result = 1;
1346  end:
1347  if (bed != NULL)
1348  DetectByteExtractFree(NULL, bed);
1349  return result;
1350 }
1351 
1352 static int DetectByteExtractTest30(void)
1353 {
1354  int result = 0;
1355 
1356  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1357  if (bed == NULL)
1358  goto end;
1359 
1360  result = 1;
1361  end:
1362  if (bed != NULL)
1363  DetectByteExtractFree(NULL, bed);
1364  return result;
1365 }
1366 
1367 static int DetectByteExtractTest31(void)
1368 {
1369  int result = 0;
1370 
1371  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1372  if (bed != NULL)
1373  goto end;
1374 
1375  result = 1;
1376  end:
1377  if (bed != NULL)
1378  DetectByteExtractFree(NULL, bed);
1379  return result;
1380 }
1381 
1382 static int DetectByteExtractTest32(void)
1383 {
1384  int result = 0;
1385 
1386  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1387  if (bed == NULL)
1388  goto end;
1389 
1390  result = 1;
1391  end:
1392  if (bed != NULL)
1393  DetectByteExtractFree(NULL, bed);
1394  return result;
1395 }
1396 
1397 static int DetectByteExtractTest33(void)
1398 {
1399  int result = 0;
1400 
1401  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1402  if (bed != NULL)
1403  goto end;
1404 
1405  result = 1;
1406  end:
1407  if (bed != NULL)
1408  DetectByteExtractFree(NULL, bed);
1409  return result;
1410 }
1411 
1412 static int DetectByteExtractTest34(void)
1413 {
1414  DetectEngineCtx *de_ctx = NULL;
1415  int result = 0;
1416  Signature *s = NULL;
1417  SigMatch *sm = NULL;
1418  DetectContentData *cd = NULL;
1419  DetectByteExtractData *bed = NULL;
1420 
1421  de_ctx = DetectEngineCtxInit();
1422  if (de_ctx == NULL)
1423  goto end;
1424 
1425  de_ctx->flags |= DE_QUIET;
1426  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1427  "(msg:\"Testing bytejump_body\"; "
1428  "content:\"one\"; "
1429  "byte_extract:4,2,two,relative,string,hex; "
1430  "sid:1;)");
1431  if (de_ctx->sig_list == NULL) {
1432  result = 0;
1433  goto end;
1434  }
1435 
1436  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1437  result = 0;
1438  goto end;
1439  }
1440 
1441  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1442  if (sm->type != DETECT_CONTENT) {
1443  result = 0;
1444  goto end;
1445  }
1446  cd = (DetectContentData *)sm->ctx;
1447  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1448  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1449  cd->flags & DETECT_CONTENT_NOCASE ||
1450  cd->flags & DETECT_CONTENT_WITHIN ||
1451  cd->flags & DETECT_CONTENT_DISTANCE ||
1452  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1453  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1454  cd->flags & DETECT_CONTENT_NEGATED ) {
1455  printf("one failed\n");
1456  result = 0;
1457  goto end;
1458  }
1459 
1460  sm = sm->next;
1461  if (sm->type != DETECT_BYTE_EXTRACT) {
1462  result = 0;
1463  goto end;
1464  }
1465  bed = (DetectByteExtractData *)sm->ctx;
1466  if (bed->nbytes != 4 ||
1467  bed->offset != 2 ||
1468  strncmp(bed->name, "two", cd->content_len) != 0 ||
1469  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1470  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1471  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1472  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1473  bed->align_value != 0 ||
1474  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1475  goto end;
1476  }
1477 
1478  result = 1;
1479 
1480  end:
1481  SigGroupCleanup(de_ctx);
1482  SigCleanSignatures(de_ctx);
1483  DetectEngineCtxFree(de_ctx);
1484 
1485  return result;
1486 }
1487 
1488 static int DetectByteExtractTest35(void)
1489 {
1490  DetectEngineCtx *de_ctx = NULL;
1491  int result = 0;
1492  Signature *s = NULL;
1493  SigMatch *sm = NULL;
1494  DetectContentData *cd = NULL;
1495  DetectPcreData *pd = NULL;
1496  DetectByteExtractData *bed = NULL;
1497 
1498  de_ctx = DetectEngineCtxInit();
1499  if (de_ctx == NULL)
1500  goto end;
1501 
1502  de_ctx->flags |= DE_QUIET;
1503  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1504  "(msg:\"Testing bytejump_body\"; "
1505  "content:\"one\"; pcre:/asf/; "
1506  "byte_extract:4,0,two,relative,string,hex; "
1507  "sid:1;)");
1508  if (de_ctx->sig_list == NULL) {
1509  result = 0;
1510  goto end;
1511  }
1512 
1513  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1514  result = 0;
1515  goto end;
1516  }
1517 
1518  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1519  if (sm->type != DETECT_CONTENT) {
1520  result = 0;
1521  goto end;
1522  }
1523  cd = (DetectContentData *)sm->ctx;
1524  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1525  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1526  cd->flags & DETECT_CONTENT_NOCASE ||
1527  cd->flags & DETECT_CONTENT_WITHIN ||
1528  cd->flags & DETECT_CONTENT_DISTANCE ||
1529  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1530  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1531  cd->flags & DETECT_CONTENT_NEGATED ) {
1532  printf("one failed\n");
1533  result = 0;
1534  goto end;
1535  }
1536 
1537  sm = sm->next;
1538  if (sm->type != DETECT_PCRE) {
1539  result = 0;
1540  goto end;
1541  }
1542  pd = (DetectPcreData *)sm->ctx;
1543  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1544  result = 0;
1545  goto end;
1546  }
1547 
1548  sm = sm->next;
1549  if (sm->type != DETECT_BYTE_EXTRACT) {
1550  result = 0;
1551  goto end;
1552  }
1553  bed = (DetectByteExtractData *)sm->ctx;
1554  if (bed->nbytes != 4 ||
1555  bed->offset != 0 ||
1556  strcmp(bed->name, "two") != 0 ||
1557  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1558  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1559  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1560  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1561  bed->align_value != 0 ||
1562  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1563  goto end;
1564  }
1565 
1566  result = 1;
1567 
1568  end:
1569  SigGroupCleanup(de_ctx);
1570  SigCleanSignatures(de_ctx);
1571  DetectEngineCtxFree(de_ctx);
1572 
1573  return result;
1574 }
1575 
1576 static int DetectByteExtractTest36(void)
1577 {
1578  DetectEngineCtx *de_ctx = NULL;
1579  int result = 0;
1580  Signature *s = NULL;
1581  SigMatch *sm = NULL;
1582  DetectContentData *cd = NULL;
1583  DetectBytejumpData *bjd = NULL;
1584  DetectByteExtractData *bed = NULL;
1585 
1586  de_ctx = DetectEngineCtxInit();
1587  if (de_ctx == NULL)
1588  goto end;
1589 
1590  de_ctx->flags |= DE_QUIET;
1591  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1592  "(msg:\"Testing bytejump_body\"; "
1593  "content:\"one\"; byte_jump:1,13; "
1594  "byte_extract:4,0,two,relative,string,hex; "
1595  "sid:1;)");
1596  if (de_ctx->sig_list == NULL) {
1597  result = 0;
1598  goto end;
1599  }
1600 
1601  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1602  result = 0;
1603  goto end;
1604  }
1605 
1606  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1607  if (sm->type != DETECT_CONTENT) {
1608  result = 0;
1609  goto end;
1610  }
1611  cd = (DetectContentData *)sm->ctx;
1612  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1613  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1614  cd->flags & DETECT_CONTENT_NOCASE ||
1615  cd->flags & DETECT_CONTENT_WITHIN ||
1616  cd->flags & DETECT_CONTENT_DISTANCE ||
1617  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1618  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1619  cd->flags & DETECT_CONTENT_NEGATED ) {
1620  printf("one failed\n");
1621  result = 0;
1622  goto end;
1623  }
1624 
1625  sm = sm->next;
1626  if (sm->type != DETECT_BYTEJUMP) {
1627  result = 0;
1628  goto end;
1629  }
1630  bjd = (DetectBytejumpData *)sm->ctx;
1631  if (bjd->flags != 0) {
1632  result = 0;
1633  goto end;
1634  }
1635 
1636  sm = sm->next;
1637  if (sm->type != DETECT_BYTE_EXTRACT) {
1638  result = 0;
1639  goto end;
1640  }
1641  bed = (DetectByteExtractData *)sm->ctx;
1642  if (bed->nbytes != 4 ||
1643  bed->offset != 0 ||
1644  strcmp(bed->name, "two") != 0 ||
1645  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1646  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1647  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1648  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1649  bed->align_value != 0 ||
1650  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1651  goto end;
1652  }
1653 
1654  result = 1;
1655 
1656  end:
1657  SigGroupCleanup(de_ctx);
1658  SigCleanSignatures(de_ctx);
1659  DetectEngineCtxFree(de_ctx);
1660 
1661  return result;
1662 }
1663 
1664 static int DetectByteExtractTest37(void)
1665 {
1666  DetectEngineCtx *de_ctx = NULL;
1667  int result = 0;
1668  Signature *s = NULL;
1669  SigMatch *sm = NULL;
1670  DetectContentData *cd = NULL;
1671  DetectContentData *ud = NULL;
1672  DetectByteExtractData *bed = NULL;
1673 
1674  de_ctx = DetectEngineCtxInit();
1675  if (de_ctx == NULL)
1676  goto end;
1677 
1678  de_ctx->flags |= DE_QUIET;
1679  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1680  "(msg:\"Testing bytejump_body\"; "
1681  "content:\"one\"; uricontent:\"two\"; "
1682  "byte_extract:4,0,two,relative,string,hex; "
1683  "sid:1;)");
1684  if (de_ctx->sig_list == NULL) {
1685  result = 0;
1686  goto end;
1687  }
1688 
1689  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1690  result = 0;
1691  goto end;
1692  }
1693 
1694  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1695  if (sm->type != DETECT_CONTENT) {
1696  result = 0;
1697  goto end;
1698  }
1699  cd = (DetectContentData *)sm->ctx;
1700  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1701  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1702  cd->flags & DETECT_CONTENT_NOCASE ||
1703  cd->flags & DETECT_CONTENT_WITHIN ||
1704  cd->flags & DETECT_CONTENT_DISTANCE ||
1705  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1706  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1707  cd->flags & DETECT_CONTENT_NEGATED ) {
1708  printf("one failed\n");
1709  result = 0;
1710  goto end;
1711  }
1712 
1713  if (sm->next != NULL) {
1714  result = 0;
1715  goto end;
1716  }
1717 
1718  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1719  if (sm->type != DETECT_CONTENT) {
1720  result = 0;
1721  goto end;
1722  }
1723  ud = (DetectContentData *)sm->ctx;
1724  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1725  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1726  ud->flags & DETECT_CONTENT_NOCASE ||
1727  ud->flags & DETECT_CONTENT_WITHIN ||
1728  ud->flags & DETECT_CONTENT_DISTANCE ||
1729  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1730  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1731  ud->flags & DETECT_CONTENT_NEGATED ) {
1732  printf("two failed\n");
1733  result = 0;
1734  goto end;
1735  }
1736 
1737  sm = sm->next;
1738  if (sm->type != DETECT_BYTE_EXTRACT) {
1739  result = 0;
1740  goto end;
1741  }
1742  bed = (DetectByteExtractData *)sm->ctx;
1743  if (bed->nbytes != 4 ||
1744  bed->offset != 0 ||
1745  strcmp(bed->name, "two") != 0 ||
1746  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1747  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1748  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1749  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1750  bed->align_value != 0 ||
1751  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1752  goto end;
1753  }
1754 
1755  result = 1;
1756 
1757  end:
1758  SigGroupCleanup(de_ctx);
1759  SigCleanSignatures(de_ctx);
1760  DetectEngineCtxFree(de_ctx);
1761 
1762  return result;
1763 }
1764 
1765 static int DetectByteExtractTest38(void)
1766 {
1767  DetectEngineCtx *de_ctx = NULL;
1768  int result = 0;
1769  Signature *s = NULL;
1770  SigMatch *sm = NULL;
1771  DetectContentData *cd = NULL;
1772  DetectContentData *ud = NULL;
1773  DetectByteExtractData *bed = NULL;
1774 
1775  de_ctx = DetectEngineCtxInit();
1776  if (de_ctx == NULL)
1777  goto end;
1778 
1779  de_ctx->flags |= DE_QUIET;
1780  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1781  "(msg:\"Testing bytejump_body\"; "
1782  "content:\"one\"; uricontent:\"two\"; "
1783  "byte_extract:4,0,two,string,hex; "
1784  "sid:1;)");
1785  if (de_ctx->sig_list == NULL) {
1786  result = 0;
1787  goto end;
1788  }
1789 
1790  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1791  result = 0;
1792  goto end;
1793  }
1794 
1795  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1796  if (sm->type != DETECT_CONTENT) {
1797  result = 0;
1798  goto end;
1799  }
1800  cd = (DetectContentData *)sm->ctx;
1801  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1802  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1803  cd->flags & DETECT_CONTENT_NOCASE ||
1804  cd->flags & DETECT_CONTENT_WITHIN ||
1805  cd->flags & DETECT_CONTENT_DISTANCE ||
1806  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1807  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1808  cd->flags & DETECT_CONTENT_NEGATED ) {
1809  printf("one failed\n");
1810  result = 0;
1811  goto end;
1812  }
1813 
1814  sm = sm->next;
1815  if (sm->type != DETECT_BYTE_EXTRACT) {
1816  result = 0;
1817  goto end;
1818  }
1819  bed = (DetectByteExtractData *)sm->ctx;
1820  if (bed->nbytes != 4 ||
1821  bed->offset != 0 ||
1822  strcmp(bed->name, "two") != 0 ||
1823  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
1824  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1825  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1826  bed->align_value != 0 ||
1827  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1828  goto end;
1829  }
1830 
1831  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1832  if (sm->type != DETECT_CONTENT) {
1833  result = 0;
1834  goto end;
1835  }
1836  ud = (DetectContentData *)sm->ctx;
1837  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1838  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1839  ud->flags & DETECT_CONTENT_NOCASE ||
1840  ud->flags & DETECT_CONTENT_WITHIN ||
1841  ud->flags & DETECT_CONTENT_DISTANCE ||
1842  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1843  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1844  ud->flags & DETECT_CONTENT_NEGATED ) {
1845  printf("two failed\n");
1846  result = 0;
1847  goto end;
1848  }
1849 
1850  if (sm->next != NULL) {
1851  result = 0;
1852  goto end;
1853  }
1854 
1855  result = 1;
1856 
1857  end:
1858  SigGroupCleanup(de_ctx);
1859  SigCleanSignatures(de_ctx);
1860  DetectEngineCtxFree(de_ctx);
1861 
1862  return result;
1863 }
1864 
1865 static int DetectByteExtractTest39(void)
1866 {
1867  DetectEngineCtx *de_ctx = NULL;
1868  int result = 0;
1869  Signature *s = NULL;
1870  SigMatch *sm = NULL;
1871  DetectContentData *cd = NULL;
1872  DetectContentData *ud = NULL;
1873  DetectByteExtractData *bed = NULL;
1874 
1875  de_ctx = DetectEngineCtxInit();
1876  if (de_ctx == NULL)
1877  goto end;
1878 
1879  de_ctx->flags |= DE_QUIET;
1880  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1881  "(msg:\"Testing bytejump_body\"; "
1882  "content:\"one\"; content:\"two\"; http_uri; "
1883  "byte_extract:4,0,two,relative,string,hex; "
1884  "sid:1;)");
1885  if (de_ctx->sig_list == NULL) {
1886  result = 0;
1887  goto end;
1888  }
1889 
1890  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1891  result = 0;
1892  goto end;
1893  }
1894 
1895  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1896  if (sm->type != DETECT_CONTENT) {
1897  result = 0;
1898  goto end;
1899  }
1900  cd = (DetectContentData *)sm->ctx;
1901  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1902  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1903  cd->flags & DETECT_CONTENT_NOCASE ||
1904  cd->flags & DETECT_CONTENT_WITHIN ||
1905  cd->flags & DETECT_CONTENT_DISTANCE ||
1906  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1907  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1908  cd->flags & DETECT_CONTENT_NEGATED ) {
1909  printf("one failed\n");
1910  result = 0;
1911  goto end;
1912  }
1913 
1914  if (sm->next != NULL) {
1915  result = 0;
1916  goto end;
1917  }
1918 
1919  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1920  if (sm->type != DETECT_CONTENT) {
1921  result = 0;
1922  goto end;
1923  }
1924  ud = (DetectContentData *)sm->ctx;
1925  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1926  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1927  ud->flags & DETECT_CONTENT_NOCASE ||
1928  ud->flags & DETECT_CONTENT_WITHIN ||
1929  ud->flags & DETECT_CONTENT_DISTANCE ||
1930  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1931  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1932  ud->flags & DETECT_CONTENT_NEGATED ) {
1933  printf("two failed\n");
1934  result = 0;
1935  goto end;
1936  }
1937 
1938  sm = sm->next;
1939  if (sm->type != DETECT_BYTE_EXTRACT) {
1940  result = 0;
1941  goto end;
1942  }
1943  bed = (DetectByteExtractData *)sm->ctx;
1944  if (bed->nbytes != 4 ||
1945  bed->offset != 0 ||
1946  strcmp(bed->name, "two") != 0 ||
1947  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1948  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1949  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1950  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1951  bed->align_value != 0 ||
1952  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1953  goto end;
1954  }
1955 
1956  result = 1;
1957 
1958  end:
1959  SigGroupCleanup(de_ctx);
1960  SigCleanSignatures(de_ctx);
1961  DetectEngineCtxFree(de_ctx);
1962 
1963  return result;
1964 }
1965 
1966 static int DetectByteExtractTest40(void)
1967 {
1968  DetectEngineCtx *de_ctx = NULL;
1969  int result = 0;
1970  Signature *s = NULL;
1971  SigMatch *sm = NULL;
1972  DetectContentData *cd = NULL;
1973  DetectContentData *ud = NULL;
1974  DetectByteExtractData *bed = NULL;
1975 
1976  de_ctx = DetectEngineCtxInit();
1977  if (de_ctx == NULL)
1978  goto end;
1979 
1980  de_ctx->flags |= DE_QUIET;
1981  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1982  "(msg:\"Testing bytejump_body\"; "
1983  "content:\"one\"; content:\"two\"; http_uri; "
1984  "byte_extract:4,0,two,string,hex; "
1985  "sid:1;)");
1986  if (de_ctx->sig_list == NULL) {
1987  result = 0;
1988  goto end;
1989  }
1990 
1991  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1992  result = 0;
1993  goto end;
1994  }
1995 
1996  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1997  if (sm->type != DETECT_CONTENT) {
1998  result = 0;
1999  goto end;
2000  }
2001  cd = (DetectContentData *)sm->ctx;
2002  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2003  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2004  cd->flags & DETECT_CONTENT_NOCASE ||
2005  cd->flags & DETECT_CONTENT_WITHIN ||
2006  cd->flags & DETECT_CONTENT_DISTANCE ||
2007  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2008  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2009  cd->flags & DETECT_CONTENT_NEGATED ) {
2010  printf("one failed\n");
2011  result = 0;
2012  goto end;
2013  }
2014 
2015  sm = sm->next;
2016  if (sm->type != DETECT_BYTE_EXTRACT) {
2017  result = 0;
2018  goto end;
2019  }
2020  bed = (DetectByteExtractData *)sm->ctx;
2021  if (bed->nbytes != 4 ||
2022  bed->offset != 0 ||
2023  strcmp(bed->name, "two") != 0 ||
2024  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
2025  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2026  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2027  bed->align_value != 0 ||
2028  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2029  goto end;
2030  }
2031 
2032  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
2033  if (sm->type != DETECT_CONTENT) {
2034  result = 0;
2035  goto end;
2036  }
2037  ud = (DetectContentData *)sm->ctx;
2038  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2039  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
2040  ud->flags & DETECT_CONTENT_NOCASE ||
2041  ud->flags & DETECT_CONTENT_WITHIN ||
2042  ud->flags & DETECT_CONTENT_DISTANCE ||
2043  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2044  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2045  ud->flags & DETECT_CONTENT_NEGATED ) {
2046  printf("two failed\n");
2047  result = 0;
2048  goto end;
2049  }
2050 
2051  if (sm->next != NULL) {
2052  result = 0;
2053  goto end;
2054  }
2055 
2056  result = 1;
2057 
2058  end:
2059  SigGroupCleanup(de_ctx);
2060  SigCleanSignatures(de_ctx);
2061  DetectEngineCtxFree(de_ctx);
2062 
2063  return result;
2064 }
2065 
2066 static int DetectByteExtractTest41(void)
2067 {
2068  DetectEngineCtx *de_ctx = NULL;
2069  int result = 0;
2070  Signature *s = NULL;
2071  SigMatch *sm = NULL;
2072  DetectContentData *cd = NULL;
2073  DetectByteExtractData *bed = NULL;
2074 
2075  de_ctx = DetectEngineCtxInit();
2076  if (de_ctx == NULL)
2077  goto end;
2078 
2079  de_ctx->flags |= DE_QUIET;
2080  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2081  "(msg:\"Testing bytejump_body\"; "
2082  "content:\"one\"; "
2083  "byte_extract:4,0,two,string,hex; "
2084  "byte_extract:4,0,three,string,hex; "
2085  "sid:1;)");
2086  if (de_ctx->sig_list == NULL) {
2087  result = 0;
2088  goto end;
2089  }
2090 
2091  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2092  result = 0;
2093  goto end;
2094  }
2095 
2096  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2097  if (sm->type != DETECT_CONTENT) {
2098  result = 0;
2099  goto end;
2100  }
2101  cd = (DetectContentData *)sm->ctx;
2102  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2103  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2104  cd->flags & DETECT_CONTENT_NOCASE ||
2105  cd->flags & DETECT_CONTENT_WITHIN ||
2106  cd->flags & DETECT_CONTENT_DISTANCE ||
2107  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2108  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2109  cd->flags & DETECT_CONTENT_NEGATED ) {
2110  printf("one failed\n");
2111  result = 0;
2112  goto end;
2113  }
2114 
2115  sm = sm->next;
2116  if (sm->type != DETECT_BYTE_EXTRACT) {
2117  result = 0;
2118  goto end;
2119  }
2120  bed = (DetectByteExtractData *)sm->ctx;
2121  if (bed->nbytes != 4 ||
2122  bed->offset != 0 ||
2123  strcmp(bed->name, "two") != 0 ||
2124  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2125  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2126  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2127  bed->align_value != 0 ||
2128  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2129  goto end;
2130  }
2131  if (bed->local_id != 0) {
2132  result = 0;
2133  goto end;
2134  }
2135 
2136  sm = sm->next;
2137  if (sm->type != DETECT_BYTE_EXTRACT) {
2138  result = 0;
2139  goto end;
2140  }
2141  bed = (DetectByteExtractData *)sm->ctx;
2142  if (bed->nbytes != 4 ||
2143  bed->offset != 0 ||
2144  strcmp(bed->name, "three") != 0 ||
2145  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2146  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2147  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2148  bed->align_value != 0 ||
2149  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2150  goto end;
2151  }
2152  if (bed->local_id != 1) {
2153  result = 0;
2154  goto end;
2155  }
2156 
2157  result = 1;
2158 
2159  end:
2160  SigGroupCleanup(de_ctx);
2161  SigCleanSignatures(de_ctx);
2162  DetectEngineCtxFree(de_ctx);
2163 
2164  return result;
2165 }
2166 
2167 static int DetectByteExtractTest42(void)
2168 {
2169  DetectEngineCtx *de_ctx = NULL;
2170  int result = 0;
2171  Signature *s = NULL;
2172  SigMatch *sm = NULL;
2173  DetectContentData *cd = NULL;
2174  DetectContentData *ud = NULL;
2175  DetectByteExtractData *bed = NULL;
2176 
2177  de_ctx = DetectEngineCtxInit();
2178  if (de_ctx == NULL)
2179  goto end;
2180 
2181  de_ctx->flags |= DE_QUIET;
2182  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2183  "(msg:\"Testing bytejump_body\"; "
2184  "content:\"one\"; "
2185  "byte_extract:4,0,two,string,hex; "
2186  "uricontent: \"three\"; "
2187  "byte_extract:4,0,four,string,hex,relative; "
2188  "byte_extract:4,0,five,string,hex; "
2189  "sid:1;)");
2190  if (de_ctx->sig_list == NULL) {
2191  result = 0;
2192  goto end;
2193  }
2194 
2195  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2196  result = 0;
2197  goto end;
2198  }
2199 
2200  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2201  if (sm->type != DETECT_CONTENT) {
2202  result = 0;
2203  goto end;
2204  }
2205  cd = (DetectContentData *)sm->ctx;
2206  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2207  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2208  cd->flags & DETECT_CONTENT_NOCASE ||
2209  cd->flags & DETECT_CONTENT_WITHIN ||
2210  cd->flags & DETECT_CONTENT_DISTANCE ||
2211  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2212  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2213  cd->flags & DETECT_CONTENT_NEGATED ) {
2214  printf("one failed\n");
2215  result = 0;
2216  goto end;
2217  }
2218 
2219  sm = sm->next;
2220  if (sm->type != DETECT_BYTE_EXTRACT) {
2221  result = 0;
2222  goto end;
2223  }
2224  bed = (DetectByteExtractData *)sm->ctx;
2225  if (bed->nbytes != 4 ||
2226  bed->offset != 0 ||
2227  strcmp(bed->name, "two") != 0 ||
2228  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2229  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2230  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2231  bed->align_value != 0 ||
2232  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2233  goto end;
2234  }
2235  if (bed->local_id != 0) {
2236  result = 0;
2237  goto end;
2238  }
2239 
2240  sm = sm->next;
2241  if (sm->type != DETECT_BYTE_EXTRACT) {
2242  result = 0;
2243  goto end;
2244  }
2245  bed = (DetectByteExtractData *)sm->ctx;
2246  if (bed->nbytes != 4 ||
2247  bed->offset != 0 ||
2248  strcmp(bed->name, "five") != 0 ||
2249  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2250  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2251  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2252  bed->align_value != 0 ||
2253  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2254  goto end;
2255  }
2256  if (bed->local_id != 1) {
2257  result = 0;
2258  goto end;
2259  }
2260 
2261  if (sm->next != NULL)
2262  goto end;
2263 
2264  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
2265  if (sm->type != DETECT_CONTENT) {
2266  result = 0;
2267  goto end;
2268  }
2269  ud = (DetectContentData *)sm->ctx;
2270  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2271  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
2272  ud->flags & DETECT_CONTENT_NOCASE ||
2273  ud->flags & DETECT_CONTENT_WITHIN ||
2274  ud->flags & DETECT_CONTENT_DISTANCE ||
2275  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2276  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2277  ud->flags & DETECT_CONTENT_NEGATED ) {
2278  printf("two failed\n");
2279  result = 0;
2280  goto end;
2281  }
2282 
2283  sm = sm->next;
2284  if (sm->type != DETECT_BYTE_EXTRACT) {
2285  result = 0;
2286  goto end;
2287  }
2288  bed = (DetectByteExtractData *)sm->ctx;
2289  if (bed->nbytes != 4 ||
2290  bed->offset != 0 ||
2291  strcmp(bed->name, "four") != 0 ||
2292  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
2293  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
2294  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2295  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2296  bed->align_value != 0 ||
2297  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2298  goto end;
2299  }
2300  if (bed->local_id != 0) {
2301  result = 0;
2302  goto end;
2303  }
2304 
2305  if (sm->next != NULL)
2306  goto end;
2307 
2308  result = 1;
2309 
2310  end:
2311  SigGroupCleanup(de_ctx);
2312  SigCleanSignatures(de_ctx);
2313  DetectEngineCtxFree(de_ctx);
2314 
2315  return result;
2316 }
2317 
2318 static int DetectByteExtractTest43(void)
2319 {
2320  DetectEngineCtx *de_ctx = NULL;
2321  int result = 0;
2322  Signature *s = NULL;
2323  SigMatch *sm = NULL;
2324  DetectContentData *cd = NULL;
2325  DetectByteExtractData *bed = NULL;
2326 
2327  de_ctx = DetectEngineCtxInit();
2328  if (de_ctx == NULL)
2329  goto end;
2330 
2331  de_ctx->flags |= DE_QUIET;
2332  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2333  "(msg:\"Testing bytejump_body\"; "
2334  "content:\"one\"; "
2335  "byte_extract:4,0,two,string,hex; "
2336  "content: \"three\"; offset:two; "
2337  "sid:1;)");
2338  if (de_ctx->sig_list == NULL) {
2339  result = 0;
2340  goto end;
2341  }
2342 
2343  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2344  result = 0;
2345  goto end;
2346  }
2347 
2348  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2349  if (sm->type != DETECT_CONTENT) {
2350  result = 0;
2351  goto end;
2352  }
2353  cd = (DetectContentData *)sm->ctx;
2354  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2355  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2356  cd->flags & DETECT_CONTENT_NOCASE ||
2357  cd->flags & DETECT_CONTENT_WITHIN ||
2358  cd->flags & DETECT_CONTENT_DISTANCE ||
2359  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2360  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2361  cd->flags & DETECT_CONTENT_NEGATED ) {
2362  printf("one failed\n");
2363  result = 0;
2364  goto end;
2365  }
2366 
2367  sm = sm->next;
2368  if (sm->type != DETECT_BYTE_EXTRACT) {
2369  result = 0;
2370  goto end;
2371  }
2372  bed = (DetectByteExtractData *)sm->ctx;
2373  if (bed->nbytes != 4 ||
2374  bed->offset != 0 ||
2375  strcmp(bed->name, "two") != 0 ||
2376  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2377  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2378  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2379  bed->align_value != 0 ||
2380  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2381  goto end;
2382  }
2383  if (bed->local_id != 0) {
2384  result = 0;
2385  goto end;
2386  }
2387 
2388  sm = sm->next;
2389  if (sm->type != DETECT_CONTENT) {
2390  result = 0;
2391  goto end;
2392  }
2393  cd = (DetectContentData *)sm->ctx;
2394  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2395  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2396  DETECT_CONTENT_OFFSET) ||
2397  cd->offset != bed->local_id) {
2398  printf("three failed\n");
2399  result = 0;
2400  goto end;
2401  }
2402 
2403  if (sm->next != NULL)
2404  goto end;
2405 
2406  result = 1;
2407 
2408  end:
2409  SigGroupCleanup(de_ctx);
2410  SigCleanSignatures(de_ctx);
2411  DetectEngineCtxFree(de_ctx);
2412 
2413  return result;
2414 }
2415 
2416 static int DetectByteExtractTest44(void)
2417 {
2418  DetectEngineCtx *de_ctx = NULL;
2419  int result = 0;
2420  Signature *s = NULL;
2421  SigMatch *sm = NULL;
2422  DetectContentData *cd = NULL;
2423  DetectByteExtractData *bed1 = NULL;
2424  DetectByteExtractData *bed2 = NULL;
2425 
2426  de_ctx = DetectEngineCtxInit();
2427  if (de_ctx == NULL)
2428  goto end;
2429 
2430  de_ctx->flags |= DE_QUIET;
2431  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2432  "(msg:\"Testing bytejump_body\"; "
2433  "content:\"one\"; "
2434  "byte_extract:4,0,two,string,hex; "
2435  "byte_extract:4,0,three,string,hex; "
2436  "content: \"four\"; offset:two; "
2437  "content: \"five\"; offset:three; "
2438  "sid:1;)");
2439  if (de_ctx->sig_list == NULL) {
2440  result = 0;
2441  goto end;
2442  }
2443 
2444  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2445  result = 0;
2446  goto end;
2447  }
2448 
2449  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2450  if (sm->type != DETECT_CONTENT) {
2451  result = 0;
2452  goto end;
2453  }
2454  cd = (DetectContentData *)sm->ctx;
2455  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2456  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2457  cd->flags & DETECT_CONTENT_NOCASE ||
2458  cd->flags & DETECT_CONTENT_WITHIN ||
2459  cd->flags & DETECT_CONTENT_DISTANCE ||
2460  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2461  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2462  cd->flags & DETECT_CONTENT_NEGATED ) {
2463  printf("one failed\n");
2464  result = 0;
2465  goto end;
2466  }
2467 
2468  sm = sm->next;
2469  if (sm->type != DETECT_BYTE_EXTRACT) {
2470  result = 0;
2471  goto end;
2472  }
2473  bed1 = (DetectByteExtractData *)sm->ctx;
2474  if (bed1->nbytes != 4 ||
2475  bed1->offset != 0 ||
2476  strcmp(bed1->name, "two") != 0 ||
2477  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2478  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2479  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2480  bed1->align_value != 0 ||
2481  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2482  goto end;
2483  }
2484  if (bed1->local_id != 0) {
2485  result = 0;
2486  goto end;
2487  }
2488 
2489  sm = sm->next;
2490  if (sm->type != DETECT_BYTE_EXTRACT) {
2491  result = 0;
2492  goto end;
2493  }
2494  bed2 = (DetectByteExtractData *)sm->ctx;
2495 
2496  sm = sm->next;
2497  if (sm->type != DETECT_CONTENT) {
2498  result = 0;
2499  goto end;
2500  }
2501  cd = (DetectContentData *)sm->ctx;
2502  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2503  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2504  DETECT_CONTENT_OFFSET) ||
2505  cd->offset != bed1->local_id) {
2506  printf("four failed\n");
2507  result = 0;
2508  goto end;
2509  }
2510 
2511  sm = sm->next;
2512  if (sm->type != DETECT_CONTENT) {
2513  result = 0;
2514  goto end;
2515  }
2516  cd = (DetectContentData *)sm->ctx;
2517  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2518  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2519  DETECT_CONTENT_OFFSET) ||
2520  cd->offset != bed2->local_id) {
2521  printf("five failed\n");
2522  result = 0;
2523  goto end;
2524  }
2525 
2526  if (sm->next != NULL)
2527  goto end;
2528 
2529  result = 1;
2530 
2531  end:
2532  SigGroupCleanup(de_ctx);
2533  SigCleanSignatures(de_ctx);
2534  DetectEngineCtxFree(de_ctx);
2535 
2536  return result;
2537 }
2538 
2539 static int DetectByteExtractTest45(void)
2540 {
2541  DetectEngineCtx *de_ctx = NULL;
2542  int result = 0;
2543  Signature *s = NULL;
2544  SigMatch *sm = NULL;
2545  DetectContentData *cd = NULL;
2546  DetectByteExtractData *bed = NULL;
2547 
2548  de_ctx = DetectEngineCtxInit();
2549  if (de_ctx == NULL)
2550  goto end;
2551 
2552  de_ctx->flags |= DE_QUIET;
2553  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2554  "(msg:\"Testing bytejump_body\"; "
2555  "content:\"one\"; "
2556  "byte_extract:4,0,two,string,hex; "
2557  "content: \"three\"; depth:two; "
2558  "sid:1;)");
2559  if (de_ctx->sig_list == NULL) {
2560  result = 0;
2561  goto end;
2562  }
2563 
2564  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2565  result = 0;
2566  goto end;
2567  }
2568 
2569  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2570  if (sm->type != DETECT_CONTENT) {
2571  result = 0;
2572  goto end;
2573  }
2574  cd = (DetectContentData *)sm->ctx;
2575  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2576  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2577  cd->flags & DETECT_CONTENT_NOCASE ||
2578  cd->flags & DETECT_CONTENT_WITHIN ||
2579  cd->flags & DETECT_CONTENT_DISTANCE ||
2580  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2581  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2582  cd->flags & DETECT_CONTENT_NEGATED ) {
2583  printf("one failed\n");
2584  result = 0;
2585  goto end;
2586  }
2587 
2588  sm = sm->next;
2589  if (sm->type != DETECT_BYTE_EXTRACT) {
2590  result = 0;
2591  goto end;
2592  }
2593  bed = (DetectByteExtractData *)sm->ctx;
2594  if (bed->nbytes != 4 ||
2595  bed->offset != 0 ||
2596  strcmp(bed->name, "two") != 0 ||
2597  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2598  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2599  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2600  bed->align_value != 0 ||
2601  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2602  goto end;
2603  }
2604  if (bed->local_id != 0) {
2605  result = 0;
2606  goto end;
2607  }
2608 
2609  sm = sm->next;
2610  if (sm->type != DETECT_CONTENT) {
2611  result = 0;
2612  goto end;
2613  }
2614  cd = (DetectContentData *)sm->ctx;
2615  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2616  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2617  DETECT_CONTENT_DEPTH) ||
2618  cd->depth != bed->local_id ||
2619  cd->offset != 0) {
2620  printf("three failed\n");
2621  result = 0;
2622  goto end;
2623  }
2624 
2625  if (sm->next != NULL)
2626  goto end;
2627 
2628  result = 1;
2629 
2630  end:
2631  SigGroupCleanup(de_ctx);
2632  SigCleanSignatures(de_ctx);
2633  DetectEngineCtxFree(de_ctx);
2634 
2635  return result;
2636 }
2637 
2638 static int DetectByteExtractTest46(void)
2639 {
2640  DetectEngineCtx *de_ctx = NULL;
2641  int result = 0;
2642  Signature *s = NULL;
2643  SigMatch *sm = NULL;
2644  DetectContentData *cd = NULL;
2645  DetectByteExtractData *bed1 = NULL;
2646  DetectByteExtractData *bed2 = NULL;
2647 
2648  de_ctx = DetectEngineCtxInit();
2649  if (de_ctx == NULL)
2650  goto end;
2651 
2652  de_ctx->flags |= DE_QUIET;
2653  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2654  "(msg:\"Testing bytejump_body\"; "
2655  "content:\"one\"; "
2656  "byte_extract:4,0,two,string,hex; "
2657  "byte_extract:4,0,three,string,hex; "
2658  "content: \"four\"; depth:two; "
2659  "content: \"five\"; depth:three; "
2660  "sid:1;)");
2661  if (de_ctx->sig_list == NULL) {
2662  result = 0;
2663  goto end;
2664  }
2665 
2666  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2667  result = 0;
2668  goto end;
2669  }
2670 
2671  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2672  if (sm->type != DETECT_CONTENT) {
2673  result = 0;
2674  goto end;
2675  }
2676  cd = (DetectContentData *)sm->ctx;
2677  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2678  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2679  cd->flags & DETECT_CONTENT_NOCASE ||
2680  cd->flags & DETECT_CONTENT_WITHIN ||
2681  cd->flags & DETECT_CONTENT_DISTANCE ||
2682  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2683  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2684  cd->flags & DETECT_CONTENT_NEGATED ) {
2685  printf("one failed\n");
2686  result = 0;
2687  goto end;
2688  }
2689 
2690  sm = sm->next;
2691  if (sm->type != DETECT_BYTE_EXTRACT) {
2692  result = 0;
2693  goto end;
2694  }
2695  bed1 = (DetectByteExtractData *)sm->ctx;
2696  if (bed1->nbytes != 4 ||
2697  bed1->offset != 0 ||
2698  strcmp(bed1->name, "two") != 0 ||
2699  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2700  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2701  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2702  bed1->align_value != 0 ||
2703  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2704  goto end;
2705  }
2706  if (bed1->local_id != 0) {
2707  result = 0;
2708  goto end;
2709  }
2710 
2711  sm = sm->next;
2712  if (sm->type != DETECT_BYTE_EXTRACT) {
2713  result = 0;
2714  goto end;
2715  }
2716  bed2 = (DetectByteExtractData *)sm->ctx;
2717 
2718  sm = sm->next;
2719  if (sm->type != DETECT_CONTENT) {
2720  result = 0;
2721  goto end;
2722  }
2723  cd = (DetectContentData *)sm->ctx;
2724  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2725  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2726  DETECT_CONTENT_DEPTH) ||
2727  cd->depth != bed1->local_id) {
2728  printf("four failed\n");
2729  result = 0;
2730  goto end;
2731  }
2732 
2733  sm = sm->next;
2734  if (sm->type != DETECT_CONTENT) {
2735  result = 0;
2736  goto end;
2737  }
2738  cd = (DetectContentData *)sm->ctx;
2739  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2740  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2741  DETECT_CONTENT_DEPTH) ||
2742  cd->depth != bed2->local_id) {
2743  printf("five failed\n");
2744  result = 0;
2745  goto end;
2746  }
2747 
2748  if (sm->next != NULL)
2749  goto end;
2750 
2751  result = 1;
2752 
2753  end:
2754  SigGroupCleanup(de_ctx);
2755  SigCleanSignatures(de_ctx);
2756  DetectEngineCtxFree(de_ctx);
2757 
2758  return result;
2759 }
2760 
2761 static int DetectByteExtractTest47(void)
2762 {
2763  DetectEngineCtx *de_ctx = NULL;
2764  int result = 0;
2765  Signature *s = NULL;
2766  SigMatch *sm = NULL;
2767  DetectContentData *cd = NULL;
2768  DetectByteExtractData *bed = NULL;
2769 
2770  de_ctx = DetectEngineCtxInit();
2771  if (de_ctx == NULL)
2772  goto end;
2773 
2774  de_ctx->flags |= DE_QUIET;
2775  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2776  "(msg:\"Testing bytejump_body\"; "
2777  "content:\"one\"; "
2778  "byte_extract:4,0,two,string,hex; "
2779  "content: \"three\"; distance:two; "
2780  "sid:1;)");
2781  if (de_ctx->sig_list == NULL) {
2782  result = 0;
2783  goto end;
2784  }
2785 
2786  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2787  result = 0;
2788  goto end;
2789  }
2790 
2791  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2792  if (sm->type != DETECT_CONTENT) {
2793  result = 0;
2794  goto end;
2795  }
2796  cd = (DetectContentData *)sm->ctx;
2797  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2798  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2799  cd->flags & DETECT_CONTENT_NOCASE ||
2800  cd->flags & DETECT_CONTENT_WITHIN ||
2801  cd->flags & DETECT_CONTENT_DISTANCE ||
2802  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2803  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2804  cd->flags & DETECT_CONTENT_NEGATED ) {
2805  printf("one failed\n");
2806  result = 0;
2807  goto end;
2808  }
2809 
2810  sm = sm->next;
2811  if (sm->type != DETECT_BYTE_EXTRACT) {
2812  result = 0;
2813  goto end;
2814  }
2815  bed = (DetectByteExtractData *)sm->ctx;
2816  if (bed->nbytes != 4 ||
2817  bed->offset != 0 ||
2818  strcmp(bed->name, "two") != 0 ||
2819  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2820  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2821  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2822  bed->align_value != 0 ||
2823  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2824  goto end;
2825  }
2826  if (bed->local_id != 0) {
2827  result = 0;
2828  goto end;
2829  }
2830 
2831  sm = sm->next;
2832  if (sm->type != DETECT_CONTENT) {
2833  result = 0;
2834  goto end;
2835  }
2836  cd = (DetectContentData *)sm->ctx;
2837  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2838  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2839  DETECT_CONTENT_DISTANCE) ||
2840  cd->distance != bed->local_id ||
2841  cd->offset != 0 ||
2842  cd->depth != 0) {
2843  printf("three failed\n");
2844  result = 0;
2845  goto end;
2846  }
2847 
2848  if (sm->next != NULL)
2849  goto end;
2850 
2851  result = 1;
2852 
2853  end:
2854  SigGroupCleanup(de_ctx);
2855  SigCleanSignatures(de_ctx);
2856  DetectEngineCtxFree(de_ctx);
2857 
2858  return result;
2859 }
2860 
2861 static int DetectByteExtractTest48(void)
2862 {
2863  DetectEngineCtx *de_ctx = NULL;
2864  int result = 0;
2865  Signature *s = NULL;
2866  SigMatch *sm = NULL;
2867  DetectContentData *cd = NULL;
2868  DetectByteExtractData *bed1 = NULL;
2869  DetectByteExtractData *bed2 = NULL;
2870 
2871  de_ctx = DetectEngineCtxInit();
2872  if (de_ctx == NULL)
2873  goto end;
2874 
2875  de_ctx->flags |= DE_QUIET;
2876  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2877  "(msg:\"Testing bytejump_body\"; "
2878  "content:\"one\"; "
2879  "byte_extract:4,0,two,string,hex; "
2880  "byte_extract:4,0,three,string,hex; "
2881  "content: \"four\"; distance:two; "
2882  "content: \"five\"; distance:three; "
2883  "sid:1;)");
2884  if (de_ctx->sig_list == NULL) {
2885  result = 0;
2886  goto end;
2887  }
2888 
2889  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2890  result = 0;
2891  goto end;
2892  }
2893 
2894  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2895  if (sm->type != DETECT_CONTENT) {
2896  result = 0;
2897  goto end;
2898  }
2899  cd = (DetectContentData *)sm->ctx;
2900  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2901  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2902  cd->flags & DETECT_CONTENT_NOCASE ||
2903  cd->flags & DETECT_CONTENT_WITHIN ||
2904  cd->flags & DETECT_CONTENT_DISTANCE ||
2905  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2906  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2907  cd->flags & DETECT_CONTENT_NEGATED ) {
2908  printf("one failed\n");
2909  result = 0;
2910  goto end;
2911  }
2912 
2913  sm = sm->next;
2914  if (sm->type != DETECT_BYTE_EXTRACT) {
2915  result = 0;
2916  goto end;
2917  }
2918  bed1 = (DetectByteExtractData *)sm->ctx;
2919  if (bed1->nbytes != 4 ||
2920  bed1->offset != 0 ||
2921  strcmp(bed1->name, "two") != 0 ||
2922  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2923  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2924  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2925  bed1->align_value != 0 ||
2926  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2927  goto end;
2928  }
2929  if (bed1->local_id != 0) {
2930  result = 0;
2931  goto end;
2932  }
2933 
2934  sm = sm->next;
2935  if (sm->type != DETECT_BYTE_EXTRACT) {
2936  result = 0;
2937  goto end;
2938  }
2939  bed2 = (DetectByteExtractData *)sm->ctx;
2940 
2941  sm = sm->next;
2942  if (sm->type != DETECT_CONTENT) {
2943  result = 0;
2944  goto end;
2945  }
2946  cd = (DetectContentData *)sm->ctx;
2947  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2948  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2949  DETECT_CONTENT_DISTANCE |
2950  DETECT_CONTENT_DISTANCE_NEXT) ||
2951  cd->distance != bed1->local_id ||
2952  cd->depth != 0 ||
2953  cd->offset != 0) {
2954  printf("four failed\n");
2955  result = 0;
2956  goto end;
2957  }
2958 
2959  sm = sm->next;
2960  if (sm->type != DETECT_CONTENT) {
2961  result = 0;
2962  goto end;
2963  }
2964  cd = (DetectContentData *)sm->ctx;
2965  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2966  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2967  DETECT_CONTENT_DISTANCE) ||
2968  cd->distance != bed2->local_id ||
2969  cd->depth != 0 ||
2970  cd->offset != 0) {
2971  printf("five failed\n");
2972  result = 0;
2973  goto end;
2974  }
2975 
2976  if (sm->next != NULL)
2977  goto end;
2978 
2979  result = 1;
2980 
2981  end:
2982  SigGroupCleanup(de_ctx);
2983  SigCleanSignatures(de_ctx);
2984  DetectEngineCtxFree(de_ctx);
2985 
2986  return result;
2987 }
2988 
2989 static int DetectByteExtractTest49(void)
2990 {
2991  DetectEngineCtx *de_ctx = NULL;
2992  int result = 0;
2993  Signature *s = NULL;
2994  SigMatch *sm = NULL;
2995  DetectContentData *cd = NULL;
2996  DetectByteExtractData *bed = NULL;
2997 
2998  de_ctx = DetectEngineCtxInit();
2999  if (de_ctx == NULL)
3000  goto end;
3001 
3002  de_ctx->flags |= DE_QUIET;
3003  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3004  "(msg:\"Testing bytejump_body\"; "
3005  "content:\"one\"; "
3006  "byte_extract:4,0,two,string,hex; "
3007  "content: \"three\"; within:two; "
3008  "sid:1;)");
3009  if (de_ctx->sig_list == NULL) {
3010  result = 0;
3011  goto end;
3012  }
3013 
3014  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3015  result = 0;
3016  goto end;
3017  }
3018 
3019  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3020  if (sm->type != DETECT_CONTENT) {
3021  result = 0;
3022  goto end;
3023  }
3024  cd = (DetectContentData *)sm->ctx;
3025  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3026  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3027  cd->flags & DETECT_CONTENT_NOCASE ||
3028  cd->flags & DETECT_CONTENT_WITHIN ||
3029  cd->flags & DETECT_CONTENT_DISTANCE ||
3030  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3031  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3032  cd->flags & DETECT_CONTENT_NEGATED ) {
3033  printf("one failed\n");
3034  result = 0;
3035  goto end;
3036  }
3037 
3038  sm = sm->next;
3039  if (sm->type != DETECT_BYTE_EXTRACT) {
3040  result = 0;
3041  goto end;
3042  }
3043  bed = (DetectByteExtractData *)sm->ctx;
3044  if (bed->nbytes != 4 ||
3045  bed->offset != 0 ||
3046  strcmp(bed->name, "two") != 0 ||
3047  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3048  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3049  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3050  bed->align_value != 0 ||
3051  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3052  goto end;
3053  }
3054  if (bed->local_id != 0) {
3055  result = 0;
3056  goto end;
3057  }
3058 
3059  sm = sm->next;
3060  if (sm->type != DETECT_CONTENT) {
3061  result = 0;
3062  goto end;
3063  }
3064  cd = (DetectContentData *)sm->ctx;
3065  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
3066  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3067  DETECT_CONTENT_WITHIN) ||
3068  cd->within != bed->local_id ||
3069  cd->offset != 0 ||
3070  cd->depth != 0 ||
3071  cd->distance != 0) {
3072  printf("three failed\n");
3073  result = 0;
3074  goto end;
3075  }
3076 
3077  if (sm->next != NULL)
3078  goto end;
3079 
3080  result = 1;
3081 
3082  end:
3083  SigGroupCleanup(de_ctx);
3084  SigCleanSignatures(de_ctx);
3085  DetectEngineCtxFree(de_ctx);
3086 
3087  return result;
3088 }
3089 
3090 static int DetectByteExtractTest50(void)
3091 {
3092  DetectEngineCtx *de_ctx = NULL;
3093  int result = 0;
3094  Signature *s = NULL;
3095  SigMatch *sm = NULL;
3096  DetectContentData *cd = NULL;
3097  DetectByteExtractData *bed1 = NULL;
3098  DetectByteExtractData *bed2 = NULL;
3099 
3100  de_ctx = DetectEngineCtxInit();
3101  if (de_ctx == NULL)
3102  goto end;
3103 
3104  de_ctx->flags |= DE_QUIET;
3105  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3106  "(msg:\"Testing bytejump_body\"; "
3107  "content:\"one\"; "
3108  "byte_extract:4,0,two,string,hex; "
3109  "byte_extract:4,0,three,string,hex; "
3110  "content: \"four\"; within:two; "
3111  "content: \"five\"; within:three; "
3112  "sid:1;)");
3113  if (de_ctx->sig_list == NULL) {
3114  result = 0;
3115  goto end;
3116  }
3117 
3118  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3119  result = 0;
3120  goto end;
3121  }
3122 
3123  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3124  if (sm->type != DETECT_CONTENT) {
3125  result = 0;
3126  goto end;
3127  }
3128  cd = (DetectContentData *)sm->ctx;
3129  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3130  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3131  cd->flags & DETECT_CONTENT_NOCASE ||
3132  cd->flags & DETECT_CONTENT_WITHIN ||
3133  cd->flags & DETECT_CONTENT_DISTANCE ||
3134  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3135  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3136  cd->flags & DETECT_CONTENT_NEGATED ) {
3137  printf("one failed\n");
3138  result = 0;
3139  goto end;
3140  }
3141 
3142  sm = sm->next;
3143  if (sm->type != DETECT_BYTE_EXTRACT) {
3144  result = 0;
3145  goto end;
3146  }
3147  bed1 = (DetectByteExtractData *)sm->ctx;
3148  if (bed1->nbytes != 4 ||
3149  bed1->offset != 0 ||
3150  strcmp(bed1->name, "two") != 0 ||
3151  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3152  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3153  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3154  bed1->align_value != 0 ||
3155  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3156  goto end;
3157  }
3158  if (bed1->local_id != 0) {
3159  result = 0;
3160  goto end;
3161  }
3162 
3163  sm = sm->next;
3164  if (sm->type != DETECT_BYTE_EXTRACT) {
3165  result = 0;
3166  goto end;
3167  }
3168  bed2 = (DetectByteExtractData *)sm->ctx;
3169 
3170  sm = sm->next;
3171  if (sm->type != DETECT_CONTENT) {
3172  result = 0;
3173  goto end;
3174  }
3175  cd = (DetectContentData *)sm->ctx;
3176  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3177  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3178  DETECT_CONTENT_WITHIN|
3179  DETECT_CONTENT_WITHIN_NEXT) ||
3180  cd->within != bed1->local_id ||
3181  cd->depth != 0 ||
3182  cd->offset != 0 ||
3183  cd->distance != 0) {
3184  printf("four failed\n");
3185  result = 0;
3186  goto end;
3187  }
3188 
3189  sm = sm->next;
3190  if (sm->type != DETECT_CONTENT) {
3191  result = 0;
3192  goto end;
3193  }
3194  cd = (DetectContentData *)sm->ctx;
3195  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
3196  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3197  DETECT_CONTENT_WITHIN) ||
3198  cd->within != bed2->local_id ||
3199  cd->depth != 0 ||
3200  cd->offset != 0 ||
3201  cd->distance != 0) {
3202  printf("five failed\n");
3203  result = 0;
3204  goto end;
3205  }
3206 
3207  if (sm->next != NULL)
3208  goto end;
3209 
3210  result = 1;
3211 
3212  end:
3213  SigGroupCleanup(de_ctx);
3214  SigCleanSignatures(de_ctx);
3215  DetectEngineCtxFree(de_ctx);
3216 
3217  return result;
3218 }
3219 
3220 static int DetectByteExtractTest51(void)
3221 {
3222  DetectEngineCtx *de_ctx = NULL;
3223  int result = 0;
3224  Signature *s = NULL;
3225  SigMatch *sm = NULL;
3226  DetectContentData *cd = NULL;
3227  DetectByteExtractData *bed = NULL;
3228  DetectBytetestData *btd = NULL;
3229 
3230  de_ctx = DetectEngineCtxInit();
3231  if (de_ctx == NULL)
3232  goto end;
3233 
3234  de_ctx->flags |= DE_QUIET;
3235  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3236  "(msg:\"Testing bytejump_body\"; "
3237  "content:\"one\"; "
3238  "byte_extract:4,0,two,string,hex; "
3239  "byte_test: 2,=,10, two; "
3240  "sid:1;)");
3241  if (de_ctx->sig_list == NULL) {
3242  result = 0;
3243  goto end;
3244  }
3245 
3246  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3247  result = 0;
3248  goto end;
3249  }
3250 
3251  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3252  if (sm->type != DETECT_CONTENT) {
3253  result = 0;
3254  goto end;
3255  }
3256  cd = (DetectContentData *)sm->ctx;
3257  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3258  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3259  cd->flags & DETECT_CONTENT_NOCASE ||
3260  cd->flags & DETECT_CONTENT_WITHIN ||
3261  cd->flags & DETECT_CONTENT_DISTANCE ||
3262  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3263  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3264  cd->flags & DETECT_CONTENT_NEGATED ) {
3265  printf("one failed\n");
3266  result = 0;
3267  goto end;
3268  }
3269 
3270  sm = sm->next;
3271  if (sm->type != DETECT_BYTE_EXTRACT) {
3272  result = 0;
3273  goto end;
3274  }
3275  bed = (DetectByteExtractData *)sm->ctx;
3276  if (bed->nbytes != 4 ||
3277  bed->offset != 0 ||
3278  strcmp(bed->name, "two") != 0 ||
3279  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3280  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3281  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3282  bed->align_value != 0 ||
3283  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3284  goto end;
3285  }
3286  if (bed->local_id != 0) {
3287  result = 0;
3288  goto end;
3289  }
3290 
3291  sm = sm->next;
3292  if (sm->type != DETECT_BYTETEST) {
3293  result = 0;
3294  goto end;
3295  }
3296  btd = (DetectBytetestData *)sm->ctx;
3297  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3298  btd->value != 10 ||
3299  btd->offset != 0) {
3300  printf("three failed\n");
3301  result = 0;
3302  goto end;
3303  }
3304 
3305  if (sm->next != NULL)
3306  goto end;
3307 
3308  result = 1;
3309 
3310  end:
3311  SigGroupCleanup(de_ctx);
3312  SigCleanSignatures(de_ctx);
3313  DetectEngineCtxFree(de_ctx);
3314 
3315  return result;
3316 }
3317 
3318 static int DetectByteExtractTest52(void)
3319 {
3320  DetectEngineCtx *de_ctx = NULL;
3321  int result = 0;
3322  Signature *s = NULL;
3323  SigMatch *sm = NULL;
3324  DetectContentData *cd = NULL;
3325  DetectByteExtractData *bed1 = NULL;
3326  DetectBytetestData *btd = NULL;
3327 
3328  de_ctx = DetectEngineCtxInit();
3329  if (de_ctx == NULL)
3330  goto end;
3331 
3332  de_ctx->flags |= DE_QUIET;
3333  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3334  "(msg:\"Testing bytejump_body\"; "
3335  "content:\"one\"; "
3336  "byte_extract:4,0,two,string,hex; "
3337  "byte_extract:4,0,three,string,hex; "
3338  "byte_test: 2,=,two,three; "
3339  "byte_test: 3,=,10,three; "
3340  "sid:1;)");
3341  if (de_ctx->sig_list == NULL) {
3342  result = 0;
3343  goto end;
3344  }
3345 
3346  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3347  result = 0;
3348  goto end;
3349  }
3350 
3351  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3352  if (sm->type != DETECT_CONTENT) {
3353  result = 0;
3354  goto end;
3355  }
3356  cd = (DetectContentData *)sm->ctx;
3357  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3358  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3359  cd->flags & DETECT_CONTENT_NOCASE ||
3360  cd->flags & DETECT_CONTENT_WITHIN ||
3361  cd->flags & DETECT_CONTENT_DISTANCE ||
3362  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3363  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3364  cd->flags & DETECT_CONTENT_NEGATED ) {
3365  printf("one failed\n");
3366  result = 0;
3367  goto end;
3368  }
3369 
3370  sm = sm->next;
3371  if (sm->type != DETECT_BYTE_EXTRACT) {
3372  result = 0;
3373  goto end;
3374  }
3375  bed1 = (DetectByteExtractData *)sm->ctx;
3376  if (bed1->nbytes != 4 ||
3377  bed1->offset != 0 ||
3378  strcmp(bed1->name, "two") != 0 ||
3379  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3380  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3381  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3382  bed1->align_value != 0 ||
3383  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3384  goto end;
3385  }
3386  if (bed1->local_id != 0) {
3387  result = 0;
3388  goto end;
3389  }
3390 
3391  sm = sm->next;
3392  if (sm->type != DETECT_BYTE_EXTRACT) {
3393  result = 0;
3394  goto end;
3395  }
3396 
3397  sm = sm->next;
3398  if (sm->type != DETECT_BYTETEST) {
3399  result = 0;
3400  goto end;
3401  }
3402  btd = (DetectBytetestData *)sm->ctx;
3403  if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
3404  DETECT_BYTETEST_VALUE_VAR) ||
3405  btd->value != 0 ||
3406  btd->offset != 1) {
3407  printf("three failed\n");
3408  result = 0;
3409  goto end;
3410  }
3411 
3412  sm = sm->next;
3413  if (sm->type != DETECT_BYTETEST) {
3414  result = 0;
3415  goto end;
3416  }
3417  btd = (DetectBytetestData *)sm->ctx;
3418  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3419  btd->value != 10 ||
3420  btd->offset != 1) {
3421  printf("four failed\n");
3422  result = 0;
3423  goto end;
3424  }
3425 
3426  if (sm->next != NULL)
3427  goto end;
3428 
3429  result = 1;
3430 
3431  end:
3432  SigGroupCleanup(de_ctx);
3433  SigCleanSignatures(de_ctx);
3434  DetectEngineCtxFree(de_ctx);
3435 
3436  return result;
3437 }
3438 
3439 static int DetectByteExtractTest53(void)
3440 {
3441  DetectEngineCtx *de_ctx = NULL;
3442  int result = 0;
3443  Signature *s = NULL;
3444  SigMatch *sm = NULL;
3445  DetectContentData *cd = NULL;
3446  DetectByteExtractData *bed = NULL;
3447  DetectBytejumpData *bjd = NULL;
3448 
3449  de_ctx = DetectEngineCtxInit();
3450  if (de_ctx == NULL)
3451  goto end;
3452 
3453  de_ctx->flags |= DE_QUIET;
3454  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3455  "(msg:\"Testing bytejump_body\"; "
3456  "content:\"one\"; "
3457  "byte_extract:4,0,two,string,hex; "
3458  "byte_jump: 2,two; "
3459  "sid:1;)");
3460  if (de_ctx->sig_list == NULL) {
3461  result = 0;
3462  goto end;
3463  }
3464 
3465  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3466  result = 0;
3467  goto end;
3468  }
3469 
3470  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3471  if (sm->type != DETECT_CONTENT) {
3472  result = 0;
3473  goto end;
3474  }
3475  cd = (DetectContentData *)sm->ctx;
3476  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3477  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3478  cd->flags & DETECT_CONTENT_NOCASE ||
3479  cd->flags & DETECT_CONTENT_WITHIN ||
3480  cd->flags & DETECT_CONTENT_DISTANCE ||
3481  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3482  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3483  cd->flags & DETECT_CONTENT_NEGATED ) {
3484  printf("one failed\n");
3485  result = 0;
3486  goto end;
3487  }
3488 
3489  sm = sm->next;
3490  if (sm->type != DETECT_BYTE_EXTRACT) {
3491  result = 0;
3492  goto end;
3493  }
3494  bed = (DetectByteExtractData *)sm->ctx;
3495  if (bed->nbytes != 4 ||
3496  bed->offset != 0 ||
3497  strcmp(bed->name, "two") != 0 ||
3498  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3499  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3500  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3501  bed->align_value != 0 ||
3502  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3503  goto end;
3504  }
3505  if (bed->local_id != 0) {
3506  result = 0;
3507  goto end;
3508  }
3509 
3510  sm = sm->next;
3511  if (sm->type != DETECT_BYTEJUMP) {
3512  result = 0;
3513  goto end;
3514  }
3515  bjd = (DetectBytejumpData *)sm->ctx;
3516  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3517  bjd->offset != 0) {
3518  printf("three failed\n");
3519  result = 0;
3520  goto end;
3521  }
3522 
3523  if (sm->next != NULL)
3524  goto end;
3525 
3526  result = 1;
3527 
3528  end:
3529  SigGroupCleanup(de_ctx);
3530  SigCleanSignatures(de_ctx);
3531  DetectEngineCtxFree(de_ctx);
3532 
3533  return result;
3534 }
3535 
3536 static int DetectByteExtractTest54(void)
3537 {
3538  DetectEngineCtx *de_ctx = NULL;
3539  int result = 0;
3540  Signature *s = NULL;
3541  SigMatch *sm = NULL;
3542  DetectContentData *cd = NULL;
3543  DetectByteExtractData *bed1 = NULL;
3544  DetectBytejumpData *bjd = NULL;
3545 
3546  de_ctx = DetectEngineCtxInit();
3547  if (de_ctx == NULL)
3548  goto end;
3549 
3550  de_ctx->flags |= DE_QUIET;
3551  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3552  "(msg:\"Testing bytejump_body\"; "
3553  "content:\"one\"; "
3554  "byte_extract:4,0,two,string,hex; "
3555  "byte_extract:4,0,three,string,hex; "
3556  "byte_jump: 2,two; "
3557  "byte_jump: 3,three; "
3558  "sid:1;)");
3559  if (de_ctx->sig_list == NULL) {
3560  result = 0;
3561  goto end;
3562  }
3563 
3564  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3565  result = 0;
3566  goto end;
3567  }
3568 
3569  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3570  if (sm->type != DETECT_CONTENT) {
3571  result = 0;
3572  goto end;
3573  }
3574  cd = (DetectContentData *)sm->ctx;
3575  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3576  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3577  cd->flags & DETECT_CONTENT_NOCASE ||
3578  cd->flags & DETECT_CONTENT_WITHIN ||
3579  cd->flags & DETECT_CONTENT_DISTANCE ||
3580  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3581  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3582  cd->flags & DETECT_CONTENT_NEGATED ) {
3583  printf("one failed\n");
3584  result = 0;
3585  goto end;
3586  }
3587 
3588  sm = sm->next;
3589  if (sm->type != DETECT_BYTE_EXTRACT) {
3590  result = 0;
3591  goto end;
3592  }
3593  bed1 = (DetectByteExtractData *)sm->ctx;
3594  if (bed1->nbytes != 4 ||
3595  bed1->offset != 0 ||
3596  strcmp(bed1->name, "two") != 0 ||
3597  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3598  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3599  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3600  bed1->align_value != 0 ||
3601  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3602  goto end;
3603  }
3604  if (bed1->local_id != 0) {
3605  result = 0;
3606  goto end;
3607  }
3608 
3609  sm = sm->next;
3610  if (sm->type != DETECT_BYTE_EXTRACT) {
3611  result = 0;
3612  goto end;
3613  }
3614 
3615  sm = sm->next;
3616  if (sm->type != DETECT_BYTEJUMP) {
3617  result = 0;
3618  goto end;
3619  }
3620  bjd = (DetectBytejumpData *)sm->ctx;
3621  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3622  bjd->offset != 0) {
3623  printf("three failed\n");
3624  result = 0;
3625  goto end;
3626  }
3627 
3628  sm = sm->next;
3629  if (sm->type != DETECT_BYTEJUMP) {
3630  result = 0;
3631  goto end;
3632  }
3633  bjd = (DetectBytejumpData *)sm->ctx;
3634  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3635  bjd->offset != 1) {
3636  printf("four failed\n");
3637  result = 0;
3638  goto end;
3639  }
3640 
3641  if (sm->next != NULL)
3642  goto end;
3643 
3644  result = 1;
3645 
3646  end:
3647  SigGroupCleanup(de_ctx);
3648  SigCleanSignatures(de_ctx);
3649  DetectEngineCtxFree(de_ctx);
3650 
3651  return result;
3652 }
3653 
3654 static int DetectByteExtractTest55(void)
3655 {
3656  DetectEngineCtx *de_ctx = NULL;
3657  int result = 0;
3658  Signature *s = NULL;
3659  SigMatch *sm = NULL;
3660  DetectContentData *cd = NULL;
3661  DetectByteExtractData *bed1 = NULL;
3662  DetectByteExtractData *bed2 = NULL;
3663 
3664  de_ctx = DetectEngineCtxInit();
3665  if (de_ctx == NULL)
3666  goto end;
3667 
3668  de_ctx->flags |= DE_QUIET;
3669  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3670  "(msg:\"Testing byte_extract\"; "
3671  "content:\"one\"; "
3672  "byte_extract:4,0,two,string,hex; "
3673  "byte_extract:4,0,three,string,hex; "
3674  "byte_extract:4,0,four,string,hex; "
3675  "byte_extract:4,0,five,string,hex; "
3676  "content: \"four\"; within:two; distance:three; "
3677  "sid:1;)");
3678  if (de_ctx->sig_list == NULL) {
3679  goto end;
3680  }
3681 
3682  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3683  goto end;
3684  }
3685 
3686  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3687  if (sm->type != DETECT_CONTENT) {
3688  goto end;
3689  }
3690  cd = (DetectContentData *)sm->ctx;
3691  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3692  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3693  cd->flags & DETECT_CONTENT_NOCASE ||
3694  cd->flags & DETECT_CONTENT_WITHIN ||
3695  cd->flags & DETECT_CONTENT_DISTANCE ||
3696  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3697  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3698  cd->flags & DETECT_CONTENT_NEGATED ) {
3699  printf("one failed: ");
3700  goto end;
3701  }
3702 
3703  sm = sm->next;
3704  if (sm->type != DETECT_BYTE_EXTRACT) {
3705  goto end;
3706  }
3707  bed1 = (DetectByteExtractData *)sm->ctx;
3708  if (bed1->nbytes != 4 ||
3709  bed1->offset != 0 ||
3710  strcmp(bed1->name, "two") != 0 ||
3711  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3712  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3713  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3714  bed1->align_value != 0 ||
3715  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3716  goto end;
3717  }
3718  if (bed1->local_id != 0) {
3719  goto end;
3720  }
3721 
3722  sm = sm->next;
3723  if (sm->type != DETECT_BYTE_EXTRACT) {
3724  goto end;
3725  }
3726  bed2 = (DetectByteExtractData *)sm->ctx;
3727 
3728  sm = sm->next;
3729  if (sm->type != DETECT_BYTE_EXTRACT) {
3730  goto end;
3731  }
3732 
3733  sm = sm->next;
3734  if (sm->type != DETECT_BYTE_EXTRACT) {
3735  goto end;
3736  }
3737 
3738  sm = sm->next;
3739  if (sm->type != DETECT_CONTENT) {
3740  goto end;
3741  }
3742  cd = (DetectContentData *)sm->ctx;
3743  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3744  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3745  DETECT_CONTENT_WITHIN_VAR |
3746  DETECT_CONTENT_DISTANCE |
3747  DETECT_CONTENT_WITHIN) ||
3748  cd->within != bed1->local_id ||
3749  cd->distance != bed2->local_id) {
3750  printf("four failed: ");
3751  goto end;
3752  }
3753 
3754  if (sm->next != NULL) {
3755  goto end;
3756  }
3757 
3758  result = 1;
3759 
3760  end:
3761  SigGroupCleanup(de_ctx);
3762  SigCleanSignatures(de_ctx);
3763  DetectEngineCtxFree(de_ctx);
3764 
3765  return result;
3766 }
3767 
3768 static int DetectByteExtractTest56(void)
3769 {
3770  DetectEngineCtx *de_ctx = NULL;
3771  int result = 0;
3772  Signature *s = NULL;
3773  SigMatch *sm = NULL;
3774  DetectContentData *cd = NULL;
3775  DetectByteExtractData *bed1 = NULL;
3776  DetectByteExtractData *bed2 = NULL;
3777 
3778  de_ctx = DetectEngineCtxInit();
3779  if (de_ctx == NULL)
3780  goto end;
3781 
3782  de_ctx->flags |= DE_QUIET;
3783  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3784  "(msg:\"Testing bytejump_body\"; "
3785  "uricontent:\"urione\"; "
3786  "content:\"one\"; "
3787  "byte_extract:4,0,two,string,hex; "
3788  "byte_extract:4,0,three,string,hex; "
3789  "byte_extract:4,0,four,string,hex; "
3790  "byte_extract:4,0,five,string,hex; "
3791  "content: \"four\"; within:two; distance:three; "
3792  "sid:1;)");
3793  if (de_ctx->sig_list == NULL) {
3794  result = 0;
3795  goto end;
3796  }
3797 
3798  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3799  result = 0;
3800  goto end;
3801  }
3802 
3803  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3804  if (sm->type != DETECT_CONTENT) {
3805  result = 0;
3806  goto end;
3807  }
3808  cd = (DetectContentData *)sm->ctx;
3809  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3810  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3811  cd->flags & DETECT_CONTENT_NOCASE ||
3812  cd->flags & DETECT_CONTENT_WITHIN ||
3813  cd->flags & DETECT_CONTENT_DISTANCE ||
3814  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3815  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3816  cd->flags & DETECT_CONTENT_NEGATED ) {
3817  printf("one failed\n");
3818  result = 0;
3819  goto end;
3820  }
3821 
3822  if (sm->next != NULL)
3823  goto end;
3824 
3825  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3826  if (sm->type != DETECT_CONTENT) {
3827  result = 0;
3828  goto end;
3829  }
3830  cd = (DetectContentData *)sm->ctx;
3831  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3832  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3833  cd->flags & DETECT_CONTENT_NOCASE ||
3834  cd->flags & DETECT_CONTENT_WITHIN ||
3835  cd->flags & DETECT_CONTENT_DISTANCE ||
3836  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3837  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3838  cd->flags & DETECT_CONTENT_NEGATED ) {
3839  printf("one failed\n");
3840  result = 0;
3841  goto end;
3842  }
3843 
3844  sm = sm->next;
3845  if (sm->type != DETECT_BYTE_EXTRACT) {
3846  result = 0;
3847  goto end;
3848  }
3849  bed1 = (DetectByteExtractData *)sm->ctx;
3850  if (bed1->nbytes != 4 ||
3851  bed1->offset != 0 ||
3852  strcmp(bed1->name, "two") != 0 ||
3853  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3854  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3855  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3856  bed1->align_value != 0 ||
3857  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3858  goto end;
3859  }
3860  if (bed1->local_id != 0) {
3861  result = 0;
3862  goto end;
3863  }
3864 
3865  sm = sm->next;
3866  if (sm->type != DETECT_BYTE_EXTRACT) {
3867  result = 0;
3868  goto end;
3869  }
3870  bed2 = (DetectByteExtractData *)sm->ctx;
3871 
3872  sm = sm->next;
3873  if (sm->type != DETECT_BYTE_EXTRACT) {
3874  result = 0;
3875  goto end;
3876  }
3877 
3878  sm = sm->next;
3879  if (sm->type != DETECT_BYTE_EXTRACT) {
3880  result = 0;
3881  goto end;
3882  }
3883 
3884  sm = sm->next;
3885  if (sm->type != DETECT_CONTENT) {
3886  result = 0;
3887  goto end;
3888  }
3889  cd = (DetectContentData *)sm->ctx;
3890  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3891  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3892  DETECT_CONTENT_WITHIN_VAR |
3893  DETECT_CONTENT_DISTANCE |
3894  DETECT_CONTENT_WITHIN) ||
3895  cd->within != bed1->local_id ||
3896  cd->distance != bed2->local_id ) {
3897  printf("four failed\n");
3898  result = 0;
3899  goto end;
3900  }
3901 
3902  if (sm->next != NULL) {
3903  goto end;
3904  }
3905 
3906  result = 1;
3907 
3908  end:
3909  SigGroupCleanup(de_ctx);
3910  SigCleanSignatures(de_ctx);
3911  DetectEngineCtxFree(de_ctx);
3912 
3913  return result;
3914 }
3915 
3916 static int DetectByteExtractTest57(void)
3917 {
3918  DetectEngineCtx *de_ctx = NULL;
3919  int result = 0;
3920  Signature *s = NULL;
3921  SigMatch *sm = NULL;
3922  DetectContentData *cd = NULL;
3923  DetectByteExtractData *bed1 = NULL;
3924  DetectByteExtractData *bed2 = NULL;
3925  DetectByteExtractData *bed3 = NULL;
3926  DetectByteExtractData *bed4 = NULL;
3927 
3928  de_ctx = DetectEngineCtxInit();
3929  if (de_ctx == NULL)
3930  goto end;
3931 
3932  de_ctx->flags |= DE_QUIET;
3933  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3934  "(msg:\"Testing bytejump_body\"; "
3935  "content:\"one\"; "
3936  "uricontent: \"urione\"; "
3937  "byte_extract:4,0,two,string,hex,relative; "
3938  "byte_extract:4,0,three,string,hex,relative; "
3939  "byte_extract:4,0,four,string,hex,relative; "
3940  "byte_extract:4,0,five,string,hex,relative; "
3941  "uricontent: \"four\"; within:two; distance:three; "
3942  "sid:1;)");
3943  if (de_ctx->sig_list == NULL) {
3944  result = 0;
3945  goto end;
3946  }
3947 
3948  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3949  result = 0;
3950  goto end;
3951  }
3952 
3953  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3954  if (sm->type != DETECT_CONTENT) {
3955  result = 0;
3956  goto end;
3957  }
3958  cd = (DetectContentData *)sm->ctx;
3959  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3960  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3961  cd->flags & DETECT_CONTENT_NOCASE ||
3962  cd->flags & DETECT_CONTENT_WITHIN ||
3963  cd->flags & DETECT_CONTENT_DISTANCE ||
3964  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3965  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3966  cd->flags & DETECT_CONTENT_NEGATED ) {
3967  printf("one failed\n");
3968  result = 0;
3969  goto end;
3970  }
3971 
3972  if (sm->next != NULL)
3973  goto end;
3974 
3975  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3976  if (sm->type != DETECT_CONTENT) {
3977  result = 0;
3978  goto end;
3979  }
3980  cd = (DetectContentData *)sm->ctx;
3981  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3982  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3983  cd->flags & DETECT_CONTENT_NOCASE ||
3984  cd->flags & DETECT_CONTENT_WITHIN ||
3985  cd->flags & DETECT_CONTENT_DISTANCE ||
3986  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3987  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3988  cd->flags & DETECT_CONTENT_NEGATED ) {
3989  printf("one failed\n");
3990  result = 0;
3991  goto end;
3992  }
3993 
3994  sm = sm->next;
3995  if (sm->type != DETECT_BYTE_EXTRACT) {
3996  result = 0;
3997  goto end;
3998  }
3999  bed1 = (DetectByteExtractData *)sm->ctx;
4000  if (bed1->nbytes != 4 ||
4001  bed1->offset != 0 ||
4002  strcmp(bed1->name, "two") != 0 ||
4003  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4004  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4005  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4006  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4007  bed1->align_value != 0 ||
4008  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4009  goto end;
4010  }
4011  if (bed1->local_id != 0) {
4012  result = 0;
4013  goto end;
4014  }
4015 
4016  sm = sm->next;
4017  if (sm->type != DETECT_BYTE_EXTRACT) {
4018  result = 0;
4019  goto end;
4020  }
4021  bed2 = (DetectByteExtractData *)sm->ctx;
4022  if (bed2->local_id != 1) {
4023  result = 0;
4024  goto end;
4025  }
4026 
4027  sm = sm->next;
4028  if (sm->type != DETECT_BYTE_EXTRACT) {
4029  result = 0;
4030  goto end;
4031  }
4032  bed3 = (DetectByteExtractData *)sm->ctx;
4033  if (bed3->local_id != 2) {
4034  result = 0;
4035  goto end;
4036  }
4037 
4038  sm = sm->next;
4039  if (sm->type != DETECT_BYTE_EXTRACT) {
4040  result = 0;
4041  goto end;
4042  }
4043  bed4 = (DetectByteExtractData *)sm->ctx;
4044  if (bed4->local_id != 3) {
4045  result = 0;
4046  goto end;
4047  }
4048 
4049  sm = sm->next;
4050  if (sm->type != DETECT_CONTENT) {
4051  result = 0;
4052  goto end;
4053  }
4054  cd = (DetectContentData *)sm->ctx;
4055  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
4056  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
4057  DETECT_CONTENT_WITHIN_VAR |
4058  DETECT_CONTENT_DISTANCE |
4059  DETECT_CONTENT_WITHIN) ||
4060  cd->within != bed1->local_id ||
4061  cd->distance != bed2->local_id) {
4062  printf("four failed\n");
4063  result = 0;
4064  goto end;
4065  }
4066 
4067  if (sm->next != NULL) {
4068  goto end;
4069  }
4070 
4071  result = 1;
4072 
4073  end:
4074  SigGroupCleanup(de_ctx);
4075  SigCleanSignatures(de_ctx);
4076  DetectEngineCtxFree(de_ctx);
4077 
4078  return result;
4079 }
4080 
4081 static int DetectByteExtractTest58(void)
4082 {
4083  DetectEngineCtx *de_ctx = NULL;
4084  int result = 0;
4085  Signature *s = NULL;
4086  SigMatch *sm = NULL;
4087  DetectContentData *cd = NULL;
4088  DetectByteExtractData *bed1 = NULL;
4089  DetectBytejumpData *bjd = NULL;
4090  DetectIsdataatData *isdd = NULL;
4091 
4092  de_ctx = DetectEngineCtxInit();
4093  if (de_ctx == NULL)
4094  goto end;
4095 
4096  de_ctx->flags |= DE_QUIET;
4097  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4098  "(msg:\"Testing bytejump_body\"; "
4099  "content:\"one\"; "
4100  "byte_extract:4,0,two,string,hex; "
4101  "byte_extract:4,0,three,string,hex; "
4102  "byte_jump: 2,two; "
4103  "byte_jump: 3,three; "
4104  "isdataat: three; "
4105  "sid:1;)");
4106  if (de_ctx->sig_list == NULL) {
4107  result = 0;
4108  goto end;
4109  }
4110 
4111  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4112  result = 0;
4113  goto end;
4114  }
4115 
4116  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
4117  if (sm->type != DETECT_CONTENT) {
4118  result = 0;
4119  goto end;
4120  }
4121  cd = (DetectContentData *)sm->ctx;
4122  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4123  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4124  cd->flags & DETECT_CONTENT_NOCASE ||
4125  cd->flags & DETECT_CONTENT_WITHIN ||
4126  cd->flags & DETECT_CONTENT_DISTANCE ||
4127  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4128  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4129  cd->flags & DETECT_CONTENT_NEGATED ) {
4130  printf("one failed\n");
4131  result = 0;
4132  goto end;
4133  }
4134 
4135  sm = sm->next;
4136  if (sm->type != DETECT_BYTE_EXTRACT) {
4137  result = 0;
4138  goto end;
4139  }
4140  bed1 = (DetectByteExtractData *)sm->ctx;
4141  if (bed1->nbytes != 4 ||
4142  bed1->offset != 0 ||
4143  strcmp(bed1->name, "two") != 0 ||
4144  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4145  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4146  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4147  bed1->align_value != 0 ||
4148  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4149  goto end;
4150  }
4151  if (bed1->local_id != 0) {
4152  result = 0;
4153  goto end;
4154  }
4155 
4156  sm = sm->next;
4157  if (sm->type != DETECT_BYTE_EXTRACT) {
4158  result = 0;
4159  goto end;
4160  }
4161 
4162  sm = sm->next;
4163  if (sm->type != DETECT_BYTEJUMP) {
4164  result = 0;
4165  goto end;
4166  }
4167  bjd = (DetectBytejumpData *)sm->ctx;
4168  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4169  bjd->offset != 0) {
4170  printf("three failed\n");
4171  result = 0;
4172  goto end;
4173  }
4174 
4175  sm = sm->next;
4176  if (sm->type != DETECT_BYTEJUMP) {
4177  result = 0;
4178  goto end;
4179  }
4180  bjd = (DetectBytejumpData *)sm->ctx;
4181  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4182  bjd->offset != 1) {
4183  printf("four failed\n");
4184  result = 0;
4185  goto end;
4186  }
4187 
4188  sm = sm->next;
4189  if (sm->type != DETECT_ISDATAAT) {
4190  result = 0;
4191  goto end;
4192  }
4193  isdd = (DetectIsdataatData *)sm->ctx;
4194  if (isdd->flags != ISDATAAT_OFFSET_VAR ||
4195  isdd->dataat != 1) {
4196  printf("isdataat failed\n");
4197  result = 0;
4198  goto end;
4199  }
4200 
4201  if (sm->next != NULL)
4202  goto end;
4203 
4204  result = 1;
4205 
4206  end:
4207  SigGroupCleanup(de_ctx);
4208  SigCleanSignatures(de_ctx);
4209  DetectEngineCtxFree(de_ctx);
4210 
4211  return result;
4212 }
4213 
4214 static int DetectByteExtractTest59(void)
4215 {
4216  DetectEngineCtx *de_ctx = NULL;
4217  int result = 0;
4218  Signature *s = NULL;
4219  SigMatch *sm = NULL;
4220  DetectContentData *cd = NULL;
4221  DetectByteExtractData *bed1 = NULL;
4222  DetectBytejumpData *bjd = NULL;
4223  DetectIsdataatData *isdd = NULL;
4224 
4225  de_ctx = DetectEngineCtxInit();
4226  if (de_ctx == NULL)
4227  goto end;
4228 
4229  de_ctx->flags |= DE_QUIET;
4230  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4231  "(msg:\"Testing bytejump_body\"; "
4232  "content:\"one\"; "
4233  "byte_extract:4,0,two,string,hex; "
4234  "byte_extract:4,0,three,string,hex; "
4235  "byte_jump: 2,two; "
4236  "byte_jump: 3,three; "
4237  "isdataat: three,relative; "
4238  "sid:1;)");
4239  if (de_ctx->sig_list == NULL) {
4240  result = 0;
4241  goto end;
4242  }
4243 
4244  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4245  result = 0;
4246  goto end;
4247  }
4248 
4249  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
4250  if (sm->type != DETECT_CONTENT) {
4251  result = 0;
4252  goto end;
4253  }
4254  cd = (DetectContentData *)sm->ctx;
4255  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4256  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4257  cd->flags & DETECT_CONTENT_NOCASE ||
4258  cd->flags & DETECT_CONTENT_WITHIN ||
4259  cd->flags & DETECT_CONTENT_DISTANCE ||
4260  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4261  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4262  cd->flags & DETECT_CONTENT_NEGATED ) {
4263  printf("one failed\n");
4264  result = 0;
4265  goto end;
4266  }
4267 
4268  sm = sm->next;
4269  if (sm->type != DETECT_BYTE_EXTRACT) {
4270  result = 0;
4271  goto end;
4272  }
4273  bed1 = (DetectByteExtractData *)sm->ctx;
4274  if (bed1->nbytes != 4 ||
4275  bed1->offset != 0 ||
4276  strcmp(bed1->name, "two") != 0 ||
4277  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4278  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4279  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4280  bed1->align_value != 0 ||
4281  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4282  goto end;
4283  }
4284  if (bed1->local_id != 0) {
4285  result = 0;
4286  goto end;
4287  }
4288 
4289  sm = sm->next;
4290  if (sm->type != DETECT_BYTE_EXTRACT) {
4291  result = 0;
4292  goto end;
4293  }
4294 
4295  sm = sm->next;
4296  if (sm->type != DETECT_BYTEJUMP) {
4297  result = 0;
4298  goto end;
4299  }
4300  bjd = (DetectBytejumpData *)sm->ctx;
4301  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4302  bjd->offset != 0) {
4303  printf("three failed\n");
4304  result = 0;
4305  goto end;
4306  }
4307 
4308  sm = sm->next;
4309  if (sm->type != DETECT_BYTEJUMP) {
4310  result = 0;
4311  goto end;
4312  }
4313  bjd = (DetectBytejumpData *)sm->ctx;
4314  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4315  bjd->offset != 1) {
4316  printf("four failed\n");
4317  result = 0;
4318  goto end;
4319  }
4320 
4321  sm = sm->next;
4322  if (sm->type != DETECT_ISDATAAT) {
4323  result = 0;
4324  goto end;
4325  }
4326  isdd = (DetectIsdataatData *)sm->ctx;
4327  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
4328  ISDATAAT_RELATIVE) ||
4329  isdd->dataat != 1) {
4330  printf("isdataat failed\n");
4331  result = 0;
4332  goto end;
4333  }
4334 
4335  if (sm->next != NULL)
4336  goto end;
4337 
4338  result = 1;
4339 
4340  end:
4341  SigGroupCleanup(de_ctx);
4342  SigCleanSignatures(de_ctx);
4343  DetectEngineCtxFree(de_ctx);
4344 
4345  return result;
4346 }
4347 
4348 static int DetectByteExtractTest60(void)
4349 {
4350  DetectEngineCtx *de_ctx = NULL;
4351  int result = 0;
4352  Signature *s = NULL;
4353  SigMatch *sm = NULL;
4354  DetectContentData *cd = NULL;
4355  DetectByteExtractData *bed1 = NULL;
4356  DetectIsdataatData *isdd = NULL;
4357 
4358  de_ctx = DetectEngineCtxInit();
4359  if (de_ctx == NULL)
4360  goto end;
4361 
4362  de_ctx->flags |= DE_QUIET;
4363  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4364  "(msg:\"Testing bytejump_body\"; "
4365  "content:\"one\"; "
4366  "byte_extract:4,0,two,string,hex,relative; "
4367  "uricontent: \"three\"; "
4368  "byte_extract:4,0,four,string,hex,relative; "
4369  "isdataat: two; "
4370  "sid:1;)");
4371  if (de_ctx->sig_list == NULL) {
4372  result = 0;
4373  goto end;
4374  }
4375 
4376  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4377  result = 0;
4378  goto end;
4379  }
4380 
4381  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
4382  if (sm->type != DETECT_CONTENT) {
4383  result = 0;
4384  goto end;
4385  }
4386  cd = (DetectContentData *)sm->ctx;
4387  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4388  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4389  cd->flags & DETECT_CONTENT_NOCASE ||
4390  cd->flags & DETECT_CONTENT_WITHIN ||
4391  cd->flags & DETECT_CONTENT_DISTANCE ||
4392  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4393  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4394  cd->flags & DETECT_CONTENT_NEGATED ) {
4395  printf("one failed\n");
4396  result = 0;
4397  goto end;
4398  }
4399 
4400  sm = sm->next;
4401  if (sm->type != DETECT_BYTE_EXTRACT) {
4402  result = 0;
4403  goto end;
4404  }
4405  bed1 = (DetectByteExtractData *)sm->ctx;
4406  if (bed1->nbytes != 4 ||
4407  bed1->offset != 0 ||
4408  strcmp(bed1->name, "two") != 0 ||
4409  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4410  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4411  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4412  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4413  bed1->align_value != 0 ||
4414  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4415  goto end;
4416  }
4417  if (bed1->local_id != 0) {
4418  result = 0;
4419  goto end;
4420  }
4421 
4422  sm = sm->next;
4423  if (sm->type != DETECT_ISDATAAT) {
4424  result = 0;
4425  goto end;
4426  }
4427  isdd = (DetectIsdataatData *)sm->ctx;
4428  if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
4429  isdd->dataat != bed1->local_id) {
4430  printf("isdataat failed\n");
4431  result = 0;
4432  goto end;
4433  }
4434 
4435  if (sm->next != NULL)
4436  goto end;
4437 
4438  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
4439  if (sm == NULL) {
4440  result = 0;
4441  goto end;
4442  }
4443  if (sm->type != DETECT_CONTENT) {
4444  result = 0;
4445  goto end;
4446  }
4447  cd = (DetectContentData *)sm->ctx;
4448  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4449  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4450  printf("one failed\n");
4451  result = 0;
4452  goto end;
4453  }
4454 
4455  sm = sm->next;
4456  if (sm->type != DETECT_BYTE_EXTRACT) {
4457  result = 0;
4458  goto end;
4459  }
4460  bed1 = (DetectByteExtractData *)sm->ctx;
4461  if (bed1->nbytes != 4 ||
4462  bed1->offset != 0 ||
4463  strcmp(bed1->name, "four") != 0 ||
4464  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4465  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4466  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4467  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4468  bed1->align_value != 0 ||
4469  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4470  goto end;
4471  }
4472  if (bed1->local_id != 0) {
4473  result = 0;
4474  goto end;
4475  }
4476 
4477  if (sm->next != NULL)
4478  goto end;
4479 
4480  result = 1;
4481 
4482  end:
4483  SigGroupCleanup(de_ctx);
4484  SigCleanSignatures(de_ctx);
4485  DetectEngineCtxFree(de_ctx);
4486 
4487  return result;
4488 }
4489 
4490 static int DetectByteExtractTest61(void)
4491 {
4492  DetectEngineCtx *de_ctx = NULL;
4493  int result = 0;
4494  Signature *s = NULL;
4495  SigMatch *sm = NULL;
4496  DetectContentData *cd = NULL;
4497  DetectByteExtractData *bed1 = NULL;
4498  DetectIsdataatData *isdd = NULL;
4499 
4500  de_ctx = DetectEngineCtxInit();
4501  if (de_ctx == NULL)
4502  goto end;
4503 
4504  de_ctx->flags |= DE_QUIET;
4505  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4506  "(msg:\"Testing bytejump_body\"; "
4507  "content:\"one\"; "
4508  "byte_extract:4,0,two,string,hex,relative; "
4509  "uricontent: \"three\"; "
4510  "byte_extract:4,0,four,string,hex,relative; "
4511  "isdataat: four, relative; "
4512  "sid:1;)");
4513  if (de_ctx->sig_list == NULL) {
4514  result = 0;
4515  goto end;
4516  }
4517 
4518  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4519  result = 0;
4520  goto end;
4521  }
4522 
4523  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
4524  if (sm->type != DETECT_CONTENT) {
4525  result = 0;
4526  goto end;
4527  }
4528  cd = (DetectContentData *)sm->ctx;
4529  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4530  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4531  cd->flags & DETECT_CONTENT_NOCASE ||
4532  cd->flags & DETECT_CONTENT_WITHIN ||
4533  cd->flags & DETECT_CONTENT_DISTANCE ||
4534  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4535  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4536  cd->flags & DETECT_CONTENT_NEGATED ) {
4537  printf("one failed\n");
4538  result = 0;
4539  goto end;
4540  }
4541 
4542  sm = sm->next;
4543  if (sm->type != DETECT_BYTE_EXTRACT) {
4544  result = 0;
4545  goto end;
4546  }
4547  bed1 = (DetectByteExtractData *)sm->ctx;
4548  if (bed1->nbytes != 4 ||
4549  bed1->offset != 0 ||
4550  strcmp(bed1->name, "two") != 0 ||
4551  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4552  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4553  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4554  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4555  bed1->align_value != 0 ||
4556  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4557  goto end;
4558  }
4559  if (bed1->local_id != 0) {
4560  result = 0;
4561  goto end;
4562  }
4563 
4564  if (sm->next != NULL)
4565  goto end;
4566 
4567  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
4568  if (sm == NULL) {
4569  result = 0;
4570  goto end;
4571  }
4572  if (sm->type != DETECT_CONTENT) {
4573  result = 0;
4574  goto end;
4575  }
4576  cd = (DetectContentData *)sm->ctx;
4577  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4578  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4579  printf("one failed\n");
4580  result = 0;
4581  goto end;
4582  }
4583 
4584  sm = sm->next;
4585  if (sm->type != DETECT_BYTE_EXTRACT) {
4586  result = 0;
4587  goto end;
4588  }
4589  bed1 = (DetectByteExtractData *)sm->ctx;
4590  if (bed1->nbytes != 4 ||
4591  bed1->offset != 0 ||
4592  strcmp(bed1->name, "four") != 0 ||
4593  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4594  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4595  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4596  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4597  bed1->align_value != 0 ||
4598  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4599  goto end;
4600  }
4601  if (bed1->local_id != 0) {
4602  result = 0;
4603  goto end;
4604  }
4605 
4606  sm = sm->next;
4607  if (sm->type != DETECT_ISDATAAT) {
4608  result = 0;
4609  goto end;
4610  }
4611  isdd = (DetectIsdataatData *)sm->ctx;
4612  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
4613  ISDATAAT_RELATIVE) ||
4614  isdd->dataat != bed1->local_id) {
4615  printf("isdataat failed\n");
4616  result = 0;
4617  goto end;
4618  }
4619 
4620  if (sm->next != NULL)
4621  goto end;
4622 
4623  result = 1;
4624 
4625  end:
4626  SigGroupCleanup(de_ctx);
4627  SigCleanSignatures(de_ctx);
4628  DetectEngineCtxFree(de_ctx);
4629 
4630  return result;
4631 }
4632 
4633 static int DetectByteExtractTest62(void)
4634 {
4635  DetectEngineCtx *de_ctx = NULL;
4636  int result = 0;
4637  Signature *s = NULL;
4638  SigMatch *sm = NULL;
4639  DetectByteExtractData *bed = NULL;
4640 
4641  de_ctx = DetectEngineCtxInit();
4642  if (de_ctx == NULL)
4643  goto end;
4644 
4645  de_ctx->flags |= DE_QUIET;
4646  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4647  "(file_data; byte_extract:4,2,two,relative,string,hex; "
4648  "sid:1;)");
4649  if (de_ctx->sig_list == NULL) {
4650  goto end;
4651  }
4652 
4653  sm = DetectBufferGetFirstSigMatch(s, g_file_data_buffer_id);
4654  if (sm == NULL) {
4655  goto end;
4656  }
4657  if (sm->type != DETECT_BYTE_EXTRACT) {
4658  goto end;
4659  }
4660  bed = (DetectByteExtractData *)sm->ctx;
4661  if (bed->nbytes != 4 ||
4662  bed->offset != 2 ||
4663  strncmp(bed->name, "two", 3) != 0 ||
4664  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4665  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4666  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4667  bed->align_value != 0 ||
4668  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4669  goto end;
4670  }
4671 
4672  result = 1;
4673 
4674  end:
4675  SigGroupCleanup(de_ctx);
4676  SigCleanSignatures(de_ctx);
4677  DetectEngineCtxFree(de_ctx);
4678 
4679  return result;
4680 }
4681 
4682 static int DetectByteExtractTest63(void)
4683 {
4684  int result = 0;
4685 
4686  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4687  if (bed == NULL)
4688  goto end;
4689 
4690  if (bed->nbytes != 4 ||
4691  bed->offset != -2 ||
4692  strcmp(bed->name, "one") != 0 ||
4693  bed->flags != 0 ||
4694  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
4695  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
4696  bed->align_value != 0 ||
4697  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4698  goto end;
4699  }
4700 
4701  result = 1;
4702  end:
4703  if (bed != NULL)
4704  DetectByteExtractFree(NULL, bed);
4705  return result;
4706 }
4707 
4708 static int DetectByteExtractTestParseNoBase(void)
4709 {
4710  int result = 0;
4711 
4712  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4713  if (bed == NULL)
4714  goto end;
4715 
4716  if (bed->nbytes != 4) {
4717  goto end;
4718  }
4719  if (bed->offset != 2) {
4720  goto end;
4721  }
4722  if (strcmp(bed->name, "one") != 0) {
4723  goto end;
4724  }
4725  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4726  goto end;
4727  }
4728  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
4729  goto end;
4730  }
4731  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4732  goto end;
4733  }
4734  if (bed->align_value != 0) {
4735  goto end;
4736  }
4737  if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4738  goto end;
4739  }
4740 
4741  result = 1;
4742  end:
4743  if (bed != NULL)
4744  DetectByteExtractFree(NULL, bed);
4745  return result;
4746 }
4747 
4748 static void DetectByteExtractRegisterTests(void)
4749 {
4750  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4751  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4752 
4753  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4754  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4755  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4756  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4757  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4758  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4759  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4760  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4761  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4762  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4763  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4764  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4765  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4766  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4767  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4768  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4769  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4770  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4771  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4772  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4773  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4774  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4775  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4776  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4777  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4778  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4779  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4780  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4781  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4782  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4783  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4784  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4785  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4786  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4787  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4788  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4789  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4790  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4791  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4792  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4793  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4794  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4795 
4796  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4797  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4798 
4799  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4800  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4801 
4802  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4803  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4804 
4805  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4806  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4807 
4808  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4809  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4810 
4811  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4812  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4813 
4814  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4815  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4816  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4817 
4818  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4819  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4820  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4821  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4822  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4823  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4824 
4825  UtRegisterTest("DetectByteExtractTestParseNoBase",
4826  DetectByteExtractTestParseNoBase);
4827 }
4828 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:107
util-byte.h
DetectBytetestData_::flags
uint16_t flags
Definition: detect-bytetest.h:58
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
SigTableElmt_::url
const char * url
Definition: detect.h:1287
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1737
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:524
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DETECT_BYTE_EXTRACT_ENDIAN_DCE
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE
Definition: detect-byte-extract.h:38
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1107
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:110
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:572
SigTableElmt_::desc
const char * desc
Definition: detect.h:1286
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:77
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1274
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition: detect-content.h:47
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1284
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:574
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:76
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectContentData_::within
int32_t within
Definition: detect-content.h:109
DETECT_BYTE_EXTRACT_FLAG_STRING
#define DETECT_BYTE_EXTRACT_FLAG_STRING
Definition: detect-byte-extract.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
DetectByteExtractData_::local_id
uint8_t local_id
Definition: detect-byte-extract.h:45
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
detect-isdataat.h
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:60
DetectByteExtractData_
Holds data related to byte_extract keyword.
Definition: detect-byte-extract.h:43
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:356
threads.h
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:832
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2586
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
DE_QUIET
#define DE_QUIET
Definition: detect.h:318
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:59
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2656
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:48
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectBytetestData_
Definition: detect-bytetest.h:53
DetectByteExtractData_::nbytes
uint8_t nbytes
Definition: detect-byte-extract.h:47
SigMatchData_
Data needed for Match()
Definition: detect.h:353
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1269
detect-pcre.h
DetectBytejumpData_
Definition: detect-bytejump.h:45
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:49
util-unittest-helper.h
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:238
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1124
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:715
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:115
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:73
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:361
decode.h
util-debug.h
DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
Definition: detect-byte-extract.c:54
DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
Definition: detect-byte-extract.c:66
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1080
StringParseI32RangeCheck
int StringParseI32RangeCheck(int32_t *res, int base, size_t len, const char *str, int32_t min, int32_t max)
Definition: util-byte.c:716
DetectByteExtractData_::offset
int32_t offset
Definition: detect-byte-extract.h:49
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2780
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SignatureInitData_::list
int list
Definition: detect.h:556
DETECT_BYTE_EXTRACT_ENDIAN_BIG
#define DETECT_BYTE_EXTRACT_ENDIAN_BIG
Definition: detect-byte-extract.h:36
detect-engine-mpm.h
detect.h
StringParseU16RangeCheck
int StringParseU16RangeCheck(uint16_t *res, int base, size_t len, const char *str, uint16_t min, uint16_t max)
Definition: util-byte.c:433
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:61
DetectByteExtractData_::align_value
uint8_t align_value
Definition: detect-byte-extract.h:54
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:348
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2298
DetectByteExtractData_::endian
uint8_t endian
Definition: detect-byte-extract.h:52
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:347
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2045
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
Signature_::flags
uint32_t flags
Definition: detect.h:588
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
detect-engine-build.h
DETECT_BYTE_EXTRACT_FLAG_RELATIVE
#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE
Definition: detect-byte-extract.h:28
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:659
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1252
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:662
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:909
DetectByteExtractData_::base
uint8_t base
Definition: detect-byte-extract.h:53
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:64
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:339
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition: detect-content.h:48
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:135
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:75
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
DETECT_BYTE_EXTRACT_BASE_NONE
#define DETECT_BYTE_EXTRACT_BASE_NONE
Definition: detect-byte-extract.c:58
DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
Definition: detect-byte-extract.h:37
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:345
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:74
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:108
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1356
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
util-spm.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:840
DETECT_BYTE_EXTRACT_FLAG_ALIGN
#define DETECT_BYTE_EXTRACT_FLAG_ALIGN
Definition: detect-byte-extract.h:31
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:577
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
DetectByteExtractData_::name
const char * name
Definition: detect-byte-extract.h:50
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:822
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectByteExtractData_::multiplier_value
uint16_t multiplier_value
Definition: detect-byte-extract.h:56
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_BYTE_EXTRACT_ENDIAN_NONE
#define DETECT_BYTE_EXTRACT_ENDIAN_NONE
Definition: detect-byte-extract.h:35
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:182
DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
Definition: detect-byte-extract.h:29
detect-parse.h
Signature_
Signature container.
Definition: detect.h:587
SigMatch_
a single match condition for a signature
Definition: detect.h:344
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:126
DetectByteExtractData_::flags
uint8_t flags
Definition: detect-byte-extract.h:51
DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
Definition: detect-byte-extract.c:68
DETECT_BYTE_EXTRACT_FLAG_ENDIAN
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN
Definition: detect-byte-extract.h:32
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:60
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:33
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2547
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:101
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:35
app-layer-protos.h
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2756
DetectPcreData_
Definition: detect-pcre.h:43
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-byte-extract.c:79
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:77
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:621
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:449
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:834
flow.h
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
Definition: detect-byte-extract.c:69
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:578
flow-var.h
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:75
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:62
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1276
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:48
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
detect-bytetest.h