suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-mpm.h"
32 #include "detect-engine-state.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-bytejump.h"
36 #include "detect-bytetest.h"
37 #include "detect-byte-extract.h"
38 #include "detect-isdataat.h"
39 
40 #include "app-layer-protos.h"
41 
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 
46 #include "util-byte.h"
47 #include "util-debug.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "util-spm.h"
51 
52 /* the default value of endianess to be used, if none's specified */
53 #define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT DETECT_BYTE_EXTRACT_ENDIAN_BIG
54 
55 /* the base to be used if string mode is specified. These options would be
56  * specified in DetectByteParseData->base */
57 #define DETECT_BYTE_EXTRACT_BASE_NONE 0
58 #define DETECT_BYTE_EXTRACT_BASE_HEX 16
59 #define DETECT_BYTE_EXTRACT_BASE_DEC 10
60 #define DETECT_BYTE_EXTRACT_BASE_OCT 8
61 
62 /* the default value for multiplier. Either ways we always store a
63  * multiplier, 1 or otherwise, so that we can always multiply the extracted
64  * value and store it, instead of checking if a multiplier is set or not */
65 #define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT 1
66 /* the min/max limit for multiplier */
67 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT 1
68 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT 65535
69 
70 /* the max no of bytes that can be extracted in string mode - (string, hex)
71  * (string, oct) or (string, dec) */
72 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
73 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
74 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
75 /* the max no of bytes that can be extraced in non-string mode */
76 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
77 
78 #define PARSE_REGEX "^" \
79  "\\s*([0-9]+)\\s*" \
80  ",\\s*(-?[0-9]+)\\s*" \
81  ",\\s*([^\\s,]+)\\s*" \
82  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
83  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
84  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
85  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
86  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
87  "$"
88 
89 static pcre *parse_regex;
90 static pcre_extra *parse_regex_study;
91 
92 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
93 static void DetectByteExtractRegisterTests(void);
94 static void DetectByteExtractFree(void *);
95 
96 /**
97  * \brief Registers the keyword handlers for the "byte_extract" keyword.
98  */
99 void DetectByteExtractRegister(void)
100 {
101  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
102  sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
103  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
104  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
105  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
106 
107  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
108 }
109 
110 int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
111  const Signature *s, uint8_t *payload,
112  uint16_t payload_len, uint64_t *value,
113  uint8_t endian)
114 {
115  DetectByteExtractData *data = (DetectByteExtractData *)smd->ctx;
116  uint8_t *ptr = NULL;
117  int32_t len = 0;
118  uint64_t val = 0;
119  int extbytes;
120 
121  if (payload_len == 0) {
122  return 0;
123  }
124 
125  /* Calculate the ptr value for the bytetest and length remaining in
126  * the packet from that point.
127  */
128  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
129  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
130  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
131 
132  ptr = payload + det_ctx->buffer_offset;
133  len = payload_len - det_ctx->buffer_offset;
134 
135  ptr += data->offset;
136  len -= data->offset;
137 
138  /* No match if there is no relative base */
139  if (len <= 0) {
140  return 0;
141  }
142  //PrintRawDataFp(stdout,ptr,len);
143  } else {
144  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
145 
146  ptr = payload + data->offset;
147  len = payload_len - data->offset;
148  }
149 
150  /* Validate that the to-be-extracted is within the packet */
151  if (ptr < payload || data->nbytes > len) {
152  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
153  payload, ptr, len, data->nbytes);
154  return 0;
155  }
156 
157  /* Extract the byte data */
158  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
159  extbytes = ByteExtractStringUint64(&val, data->base,
160  data->nbytes, (const char *)ptr);
161  if (extbytes <= 0) {
162  /* strtoull() return 0 if there is no numeric value in data string */
163  if (val == 0) {
164  SCLogDebug("No Numeric value");
165  return 0;
166  } else {
167  SCLogDebug("error extracting %d bytes of string data: %d",
168  data->nbytes, extbytes);
169  return -1;
170  }
171  }
172  } else {
173  int endianness = (endian == DETECT_BYTE_EXTRACT_ENDIAN_BIG) ?
174  BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
175  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
176  if (extbytes != data->nbytes) {
177  SCLogDebug("error extracting %d bytes of numeric data: %d",
178  data->nbytes, extbytes);
179  return 0;
180  }
181  }
182 
183  /* Adjust the jump value based on flags */
184  val *= data->multiplier_value;
185  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
186  if ((val % data->align_value) != 0) {
187  val += data->align_value - (val % data->align_value);
188  }
189  }
190 
191  ptr += extbytes;
192 
193  det_ctx->buffer_offset = ptr - payload;
194 
195  *value = val;
196  SCLogDebug("extracted value is %"PRIu64, val);
197  return 1;
198 }
199 
200 /**
201  * \internal
202  * \brief Used to parse byte_extract arg.
203  *
204  * \arg The argument to parse.
205  *
206  * \param bed On success an instance containing the parsed data.
207  * On failure, NULL.
208  */
209 static inline DetectByteExtractData *DetectByteExtractParse(const char *arg)
210 {
211  DetectByteExtractData *bed = NULL;
212 #define MAX_SUBSTRINGS 100
213  int ret = 0, res = 0;
214  int ov[MAX_SUBSTRINGS];
215  int i = 0;
216 
217  ret = pcre_exec(parse_regex, parse_regex_study, arg,
218  strlen(arg), 0, 0, ov, MAX_SUBSTRINGS);
219  if (ret < 3 || ret > 19) {
220  SCLogError(SC_ERR_PCRE_PARSE, "parse error, ret %" PRId32
221  ", string \"%s\"", ret, arg);
222  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg to byte_extract : %s "
223  "for byte_extract", arg);
224  goto error;
225  }
226 
227  bed = SCMalloc(sizeof(DetectByteExtractData));
228  if (unlikely(bed == NULL))
229  goto error;
230  memset(bed, 0, sizeof(DetectByteExtractData));
231 
232  /* no of bytes to extract */
233  char nbytes_str[64] = "";
234  res = pcre_copy_substring((char *)arg, ov,
235  MAX_SUBSTRINGS, 1, nbytes_str, sizeof(nbytes_str));
236  if (res < 0) {
237  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
238  "for arg 1 for byte_extract");
239  goto error;
240  }
241  bed->nbytes = atoi(nbytes_str);
242 
243  /* offset */
244  char offset_str[64] = "";
245  res = pcre_copy_substring((char *)arg, ov,
246  MAX_SUBSTRINGS, 2, offset_str, sizeof(offset_str));
247  if (res < 0) {
248  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
249  "for arg 2 for byte_extract");
250  goto error;
251  }
252  int offset = atoi(offset_str);
253  if (offset < -65535 || offset > 65535) {
254  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract offset invalid - %d. "
255  "The right offset range is -65535 to 65535", offset);
256  goto error;
257  }
258  bed->offset = offset;
259 
260  /* var name */
261  char varname_str[256] = "";
262  res = pcre_copy_substring((char *)arg, ov,
263  MAX_SUBSTRINGS, 3, varname_str, sizeof(varname_str));
264  if (res < 0) {
265  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
266  "for arg 3 for byte_extract");
267  goto error;
268  }
269  bed->name = SCStrdup(varname_str);
270  if (bed->name == NULL)
271  goto error;
272 
273  /* check out other optional args */
274  for (i = 4; i < ret; i++) {
275  char opt_str[64] = "";
276  res = pcre_copy_substring((char *)arg, ov,
277  MAX_SUBSTRINGS, i, opt_str, sizeof(opt_str));
278  if (res < 0) {
279  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
280  "for arg %d for byte_extract", i);
281  goto error;
282  }
283 
284  if (strcmp("relative", opt_str) == 0) {
285  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
286  SCLogError(SC_ERR_INVALID_SIGNATURE, "relative specified more "
287  "than once for byte_extract");
288  goto error;
289  }
290  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
291  } else if (strcmp("multiplier", opt_str) == 0) {
292  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) {
293  SCLogError(SC_ERR_INVALID_SIGNATURE, "multiplier specified more "
294  "than once for byte_extract");
295  goto error;
296  }
297  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER;
298  i++;
299 
300  char multiplier_str[16] = "";
301  res = pcre_copy_substring((char *)arg, ov,
302  MAX_SUBSTRINGS, i, multiplier_str, sizeof(multiplier_str));
303  if (res < 0) {
304  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
305  "for arg %d for byte_extract", i);
306  goto error;
307  }
308  int multiplier = atoi(multiplier_str);
309  if (multiplier < DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT ||
310  multiplier > DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT) {
311  SCLogError(SC_ERR_INVALID_SIGNATURE, "multipiler_value invalid "
312  "- %d. The range is %d-%d",
313  multiplier,
314  DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT,
315  DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT);
316  goto error;
317  }
318  bed->multiplier_value = multiplier;
319  } else if (strcmp("big", opt_str) == 0) {
320  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
321  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
322  "more than once for byte_extract");
323  goto error;
324  }
325  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
326  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_BIG;
327  } else if (strcmp("little", opt_str) == 0) {
328  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
329  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
330  "more than once for byte_extract");
331  goto error;
332  }
333  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
334  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_LITTLE;
335  } else if (strcmp("dce", opt_str) == 0) {
336  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
337  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
338  "more than once for byte_extract");
339  goto error;
340  }
341  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
342  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DCE;
343  } else if (strcmp("string", opt_str) == 0) {
344  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
345  SCLogError(SC_ERR_INVALID_SIGNATURE, "string specified more "
346  "than once for byte_extract");
347  goto error;
348  }
349  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
350  SCLogError(SC_ERR_INVALID_SIGNATURE, "The right way to specify "
351  "base is (string, base) and not (base, string) "
352  "for byte_extract");
353  goto error;
354  }
355  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_STRING;
356  } else if (strcmp("hex", opt_str) == 0) {
357  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
358  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(hex) specified "
359  "without specifying string. The right way is "
360  "(string, base) and not (base, string)");
361  goto error;
362  }
363  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
364  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
365  "specified for byte_extract");
366  goto error;
367  }
368  bed->base = DETECT_BYTE_EXTRACT_BASE_HEX;
369  } else if (strcmp("oct", opt_str) == 0) {
370  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
371  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(oct) specified "
372  "without specifying string. The right way is "
373  "(string, base) and not (base, string)");
374  goto error;
375  }
376  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
377  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
378  "specified for byte_extract");
379  goto error;
380  }
381  bed->base = DETECT_BYTE_EXTRACT_BASE_OCT;
382  } else if (strcmp("dec", opt_str) == 0) {
383  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
384  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(dec) specified "
385  "without specifying string. The right way is "
386  "(string, base) and not (base, string)");
387  goto error;
388  }
389  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
390  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
391  "specified for byte_extract");
392  goto error;
393  }
394  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
395  } else if (strcmp("align", opt_str) == 0) {
396  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
397  SCLogError(SC_ERR_INVALID_SIGNATURE, "Align specified more "
398  "than once for byte_extract");
399  goto error;
400  }
401  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ALIGN;
402  i++;
403 
404  char align_str[16] = "";
405  res = pcre_copy_substring((char *)arg, ov,
406  MAX_SUBSTRINGS, i, align_str, sizeof(align_str));
407  if (res < 0) {
408  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
409  "for arg %d in byte_extract", i);
410  goto error;
411  }
412  bed->align_value = atoi(align_str);
413  if (!(bed->align_value == 2 || bed->align_value == 4)) {
414  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid align_value for "
415  "byte_extract - \"%d\"", bed->align_value);
416  goto error;
417  }
418  } else if (strcmp("", opt_str) == 0) {
419  ;
420  } else {
421  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid option - \"%s\" "
422  "specified in byte_extract", opt_str);
423  goto error;
424  }
425  } /* for (i = 4; i < ret; i++) */
426 
427  /* validation */
428  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER)) {
429  /* default value */
430  bed->multiplier_value = DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT;
431  }
432 
433  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
434  if (bed->base == DETECT_BYTE_EXTRACT_BASE_NONE) {
435  /* Default to decimal if base not specified. */
436  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
437  }
438  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
439  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't have "
440  "endian \"big\" or \"little\" specified along with "
441  "\"string\"");
442  goto error;
443  }
444  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
445  /* if are dealing with octal nos, the max no that can fit in a 8
446  * byte value is 01777777777777777777777 */
447  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
448  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
449  "more than %d bytes in \"string\" extraction",
450  STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
451  goto error;
452  }
453  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
454  /* if are dealing with decimal nos, the max no that can fit in a 8
455  * byte value is 18446744073709551615 */
456  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
457  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
458  "more than %d bytes in \"string\" extraction",
459  STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
460  goto error;
461  }
462  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
463  /* if are dealing with hex nos, the max no that can fit in a 8
464  * byte value is 0xFFFFFFFFFFFFFFFF */
465  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
466  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
467  "more than %d bytes in \"string\" extraction",
468  STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
469  goto error;
470  }
471  } else {
472  ; // just a placeholder. we won't reach here.
473  }
474  } else {
475  if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
476  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
477  "more than %d bytes in \"non-string\" extraction",
478  NO_STRING_MAX_BYTES_TO_EXTRACT);
479  goto error;
480  }
481  /* if string has not been specified and no endian option has been
482  * specified, then set the default endian level of BIG */
483  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
484  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT;
485  }
486 
487  return bed;
488  error:
489  if (bed != NULL)
490  DetectByteExtractFree(bed);
491  return NULL;
492 }
493 
494 /**
495  * \brief The setup function for the byte_extract keyword for a signature.
496  *
497  * \param de_ctx Pointer to the detection engine context.
498  * \param s Pointer to signature for the current Signature being parsed
499  * from the rules.
500  * \param m Pointer to the head of the SigMatch for the current rule
501  * being parsed.
502  * \param arg Pointer to the string holding the keyword value.
503  *
504  * \retval 0 On success.
505  * \retval -1 On failure.
506  */
507 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
508 {
509  SigMatch *sm = NULL;
510  SigMatch *prev_pm = NULL;
511  DetectByteExtractData *data = NULL;
512  int ret = -1;
513 
514  data = DetectByteExtractParse(arg);
515  if (data == NULL)
516  goto error;
517 
518  int sm_list;
519  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
520  sm_list = s->init_data->list;
521 
522  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
523  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
524  }
525  } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
526  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
527  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
528  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
529  DETECT_ISDATAAT, -1);
530  if (prev_pm == NULL) {
531  sm_list = DETECT_SM_LIST_PMATCH;
532  } else {
533  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
534  if (sm_list < 0)
535  goto error;
536  }
537  } else {
538  sm_list = DETECT_SM_LIST_PMATCH;
539  }
540 
541  s->alproto = ALPROTO_DCERPC;
542  s->flags |= SIG_FLAG_APPLAYER;
543 
544  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
545  prev_pm = DetectGetLastSMFromLists(s,
546  DETECT_CONTENT, DETECT_PCRE,
547  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
548  DETECT_ISDATAAT, -1);
549  if (prev_pm == NULL) {
550  sm_list = DETECT_SM_LIST_PMATCH;
551  } else {
552  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
553  if (sm_list < 0)
554  goto error;
555  if (sm_list != DETECT_SM_LIST_PMATCH)
556  s->flags |= SIG_FLAG_APPLAYER;
557  }
558 
559  } else {
560  sm_list = DETECT_SM_LIST_PMATCH;
561  }
562 
563  if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
564  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
565  goto error;
566 
567  if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
568  (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
569  (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
570  (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) {
571  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
572  "A byte_jump keyword with dce holds other invalid modifiers.");
573  goto error;
574  }
575  }
576 
577  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
578  DETECT_BYTE_EXTRACT, -1);
579  if (prev_bed_sm == NULL)
580  data->local_id = 0;
581  else
582  data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
583  if (data->local_id > de_ctx->byte_extract_max_local_id)
584  de_ctx->byte_extract_max_local_id = data->local_id;
585 
586 
587  sm = SigMatchAlloc();
588  if (sm == NULL)
589  goto error;
590  sm->type = DETECT_BYTE_EXTRACT;
591  sm->ctx = (void *)data;
592  SigMatchAppendSMToList(s, sm, sm_list);
593 
594 
595  if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
596  goto okay;
597 
598  if (prev_pm == NULL)
599  goto okay;
600 
601  if (prev_pm->type == DETECT_CONTENT) {
602  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
603  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
604  } else if (prev_pm->type == DETECT_PCRE) {
605  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
606  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
607  }
608 
609  okay:
610  ret = 0;
611  return ret;
612  error:
613  DetectByteExtractFree(data);
614  return ret;
615 }
616 
617 /**
618  * \brief Used to free instances of DetectByteExtractData.
619  *
620  * \param ptr Instance of DetectByteExtractData to be freed.
621  */
622 static void DetectByteExtractFree(void *ptr)
623 {
624  if (ptr != NULL) {
625  DetectByteExtractData *bed = ptr;
626  if (bed->name != NULL)
627  SCFree((void *)bed->name);
628  SCFree(bed);
629  }
630 
631  return;
632 }
633 
634 /**
635  * \brief Lookup the SigMatch for a named byte_extract variable.
636  *
637  * \param arg The name of the byte_extract variable to lookup.
638  * \param s Pointer the signature to look in.
639  *
640  * \retval A pointer to the SigMatch if found, otherwise NULL.
641  */
642 SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
643 {
644  const int nlists = s->init_data->smlists_array_size;
645  for (int list = 0; list < nlists; list++) {
646  SigMatch *sm = s->init_data->smlists[list];
647  while (sm != NULL) {
648  if (sm->type == DETECT_BYTE_EXTRACT) {
649  const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
650  if (strcmp(bed->name, arg) == 0) {
651  return sm;
652  }
653  }
654  sm = sm->next;
655  }
656  }
657 
658  return NULL;
659 }
660 
661 /*************************************Unittests********************************/
662 
663 #ifdef UNITTESTS
664 
665 static int g_file_data_buffer_id = 0;
666 static int g_http_uri_buffer_id = 0;
667 
668 static int DetectByteExtractTest01(void)
669 {
670  int result = 0;
671 
672  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one");
673  if (bed == NULL)
674  goto end;
675 
676  if (bed->nbytes != 4 ||
677  bed->offset != 2 ||
678  strcmp(bed->name, "one") != 0 ||
679  bed->flags != 0 ||
680  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
681  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
682  bed->align_value != 0 ||
683  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
684  goto end;
685  }
686 
687  result = 1;
688  end:
689  if (bed != NULL)
690  DetectByteExtractFree(bed);
691  return result;
692 }
693 
694 static int DetectByteExtractTest02(void)
695 {
696  int result = 0;
697 
698  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, relative");
699  if (bed == NULL)
700  goto end;
701 
702  if (bed->nbytes != 4 ||
703  bed->offset != 2 ||
704  strcmp(bed->name, "one") != 0 ||
705  bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE ||
706  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
707  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
708  bed->align_value != 0 ||
709  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
710  goto end;
711  }
712 
713  result = 1;
714  end:
715  if (bed != NULL)
716  DetectByteExtractFree(bed);
717  return result;
718 }
719 
720 static int DetectByteExtractTest03(void)
721 {
722  int result = 0;
723 
724  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, multiplier 10");
725  if (bed == NULL)
726  goto end;
727 
728  if (bed->nbytes != 4 ||
729  bed->offset != 2 ||
730  strcmp(bed->name, "one") != 0 ||
731  bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER ||
732  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
733  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
734  bed->align_value != 0 ||
735  bed->multiplier_value != 10) {
736  goto end;
737  }
738 
739  result = 1;
740  end:
741  if (bed != NULL)
742  DetectByteExtractFree(bed);
743  return result;
744 }
745 
746 static int DetectByteExtractTest04(void)
747 {
748  int result = 0;
749 
750  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, relative, multiplier 10");
751  if (bed == NULL)
752  goto end;
753 
754  if (bed->nbytes != 4 ||
755  bed->offset != 2 ||
756  strcmp(bed->name, "one") != 0 ||
757  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
758  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
759  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
760  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
761  bed->align_value != 0 ||
762  bed->multiplier_value != 10) {
763  goto end;
764  }
765 
766  result = 1;
767  end:
768  if (bed != NULL)
769  DetectByteExtractFree(bed);
770  return result;
771 }
772 
773 static int DetectByteExtractTest05(void)
774 {
775  int result = 0;
776 
777  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, big");
778  if (bed == NULL)
779  goto end;
780 
781  if (bed->nbytes != 4 ||
782  bed->offset != 2 ||
783  strcmp(bed->name, "one") != 0 ||
784  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
785  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
786  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
787  bed->align_value != 0 ||
788  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
789  goto end;
790  }
791 
792  result = 1;
793  end:
794  if (bed != NULL)
795  DetectByteExtractFree(bed);
796  return result;
797 }
798 
799 static int DetectByteExtractTest06(void)
800 {
801  int result = 0;
802 
803  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, little");
804  if (bed == NULL)
805  goto end;
806 
807  if (bed->nbytes != 4 ||
808  bed->offset != 2 ||
809  strcmp(bed->name, "one") != 0 ||
810  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
811  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
812  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
813  bed->align_value != 0 ||
814  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
815  goto end;
816  }
817 
818  result = 1;
819  end:
820  if (bed != NULL)
821  DetectByteExtractFree(bed);
822  return result;
823 }
824 
825 static int DetectByteExtractTest07(void)
826 {
827  int result = 0;
828 
829  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, dce");
830  if (bed == NULL)
831  goto end;
832 
833  if (bed->nbytes != 4 ||
834  bed->offset != 2 ||
835  strcmp(bed->name, "one") != 0 ||
836  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
837  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
838  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
839  bed->align_value != 0 ||
840  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
841  goto end;
842  }
843 
844  result = 1;
845  end:
846  if (bed != NULL)
847  DetectByteExtractFree(bed);
848  return result;
849 }
850 
851 static int DetectByteExtractTest08(void)
852 {
853  int result = 0;
854 
855  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, string, hex");
856  if (bed == NULL)
857  goto end;
858 
859  if (bed->nbytes != 4 ||
860  bed->offset != 2 ||
861  strcmp(bed->name, "one") != 0 ||
862  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
863  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
864  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
865  bed->align_value != 0 ||
866  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
867  goto end;
868  }
869 
870  result = 1;
871  end:
872  if (bed != NULL)
873  DetectByteExtractFree(bed);
874  return result;
875 }
876 
877 static int DetectByteExtractTest09(void)
878 {
879  int result = 0;
880 
881  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, string, oct");
882  if (bed == NULL)
883  goto end;
884 
885  if (bed->nbytes != 4 ||
886  bed->offset != 2 ||
887  strcmp(bed->name, "one") != 0 ||
888  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
889  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
890  bed->base != DETECT_BYTE_EXTRACT_BASE_OCT ||
891  bed->align_value != 0 ||
892  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
893  goto end;
894  }
895 
896  result = 1;
897  end:
898  if (bed != NULL)
899  DetectByteExtractFree(bed);
900  return result;
901 }
902 
903 static int DetectByteExtractTest10(void)
904 {
905  int result = 0;
906 
907  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, string, dec");
908  if (bed == NULL)
909  goto end;
910 
911  if (bed->nbytes != 4 ||
912  bed->offset != 2 ||
913  strcmp(bed->name, "one") != 0 ||
914  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
915  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
916  bed->base != DETECT_BYTE_EXTRACT_BASE_DEC ||
917  bed->align_value != 0 ||
918  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
919  goto end;
920  }
921 
922  result = 1;
923  end:
924  if (bed != NULL)
925  DetectByteExtractFree(bed);
926  return result;
927 }
928 
929 static int DetectByteExtractTest11(void)
930 {
931  int result = 0;
932 
933  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4");
934  if (bed == NULL)
935  goto end;
936 
937  if (bed->nbytes != 4 ||
938  bed->offset != 2 ||
939  strcmp(bed->name, "one") != 0 ||
940  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN ||
941  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
942  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
943  bed->align_value != 4 ||
944  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
945  goto end;
946  }
947 
948  result = 1;
949  end:
950  if (bed != NULL)
951  DetectByteExtractFree(bed);
952  return result;
953 }
954 
955 static int DetectByteExtractTest12(void)
956 {
957  int result = 0;
958 
959  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, relative");
960  if (bed == NULL)
961  goto end;
962 
963  if (bed->nbytes != 4 ||
964  bed->offset != 2 ||
965  strcmp(bed->name, "one") != 0 ||
966  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
967  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
968  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
969  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
970  bed->align_value != 4 ||
971  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
972  goto end;
973  }
974 
975  result = 1;
976  end:
977  if (bed != NULL)
978  DetectByteExtractFree(bed);
979  return result;
980 }
981 
982 static int DetectByteExtractTest13(void)
983 {
984  int result = 0;
985 
986  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, relative, big");
987  if (bed == NULL)
988  goto end;
989 
990  if (bed->nbytes != 4 ||
991  bed->offset != 2 ||
992  strcmp(bed->name, "one") != 0 ||
993  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
994  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
995  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
996  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
997  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
998  bed->align_value != 4 ||
999  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1000  goto end;
1001  }
1002 
1003  result = 1;
1004  end:
1005  if (bed != NULL)
1006  DetectByteExtractFree(bed);
1007  return result;
1008 }
1009 
1010 static int DetectByteExtractTest14(void)
1011 {
1012  int result = 0;
1013 
1014  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, relative, dce");
1015  if (bed == NULL)
1016  goto end;
1017 
1018  if (bed->nbytes != 4 ||
1019  bed->offset != 2 ||
1020  strcmp(bed->name, "one") != 0 ||
1021  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1022  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1023  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1024  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
1025  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1026  bed->align_value != 4 ||
1027  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1028  goto end;
1029  }
1030 
1031  result = 1;
1032  end:
1033  if (bed != NULL)
1034  DetectByteExtractFree(bed);
1035  return result;
1036 }
1037 
1038 static int DetectByteExtractTest15(void)
1039 {
1040  int result = 0;
1041 
1042  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, relative, little");
1043  if (bed == NULL)
1044  goto end;
1045 
1046  if (bed->nbytes != 4 ||
1047  bed->offset != 2 ||
1048  strcmp(bed->name, "one") != 0 ||
1049  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1050  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1051  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1052  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1053  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1054  bed->align_value != 4 ||
1055  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1056  goto end;
1057  }
1058 
1059  result = 1;
1060  end:
1061  if (bed != NULL)
1062  DetectByteExtractFree(bed);
1063  return result;
1064 }
1065 
1066 static int DetectByteExtractTest16(void)
1067 {
1068  int result = 0;
1069 
1070  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, relative, little, multiplier 2");
1071  if (bed == NULL)
1072  goto end;
1073 
1074  if (bed->nbytes != 4 ||
1075  bed->offset != 2 ||
1076  strcmp(bed->name, "one") != 0 ||
1077  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1078  DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1079  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1080  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
1081  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1082  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1083  bed->align_value != 4 ||
1084  bed->multiplier_value != 2) {
1085  goto end;
1086  }
1087 
1088  result = 1;
1089  end:
1090  if (bed != NULL)
1091  DetectByteExtractFree(bed);
1092  return result;
1093 }
1094 
1095 static int DetectByteExtractTest17(void)
1096 {
1097  int result = 0;
1098 
1099  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
1100  "relative, little, "
1101  "multiplier 2, string hex");
1102  if (bed != NULL)
1103  goto end;
1104 
1105  result = 1;
1106  end:
1107  if (bed != NULL)
1108  DetectByteExtractFree(bed);
1109  return result;
1110 }
1111 
1112 static int DetectByteExtractTest18(void)
1113 {
1114  int result = 0;
1115 
1116  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
1117  "relative, little, "
1118  "multiplier 2, "
1119  "relative");
1120  if (bed != NULL)
1121  goto end;
1122 
1123  result = 1;
1124  end:
1125  if (bed != NULL)
1126  DetectByteExtractFree(bed);
1127  return result;
1128 }
1129 
1130 static int DetectByteExtractTest19(void)
1131 {
1132  int result = 0;
1133 
1134  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
1135  "relative, little, "
1136  "multiplier 2, "
1137  "little");
1138  if (bed != NULL)
1139  goto end;
1140 
1141  result = 1;
1142  end:
1143  if (bed != NULL)
1144  DetectByteExtractFree(bed);
1145  return result;
1146 }
1147 
1148 static int DetectByteExtractTest20(void)
1149 {
1150  int result = 0;
1151 
1152  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
1153  "relative, "
1154  "multiplier 2, "
1155  "align 2");
1156  if (bed != NULL)
1157  goto end;
1158 
1159  result = 1;
1160  end:
1161  if (bed != NULL)
1162  DetectByteExtractFree(bed);
1163  return result;
1164 }
1165 
1166 static int DetectByteExtractTest21(void)
1167 {
1168  int result = 0;
1169 
1170  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
1171  "multiplier 2, "
1172  "relative, "
1173  "multiplier 2");
1174  if (bed != NULL)
1175  goto end;
1176 
1177  result = 1;
1178  end:
1179  if (bed != NULL)
1180  DetectByteExtractFree(bed);
1181  return result;
1182 }
1183 
1184 static int DetectByteExtractTest22(void)
1185 {
1186  int result = 0;
1187 
1188  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
1189  "string hex, "
1190  "relative, "
1191  "string hex");
1192  if (bed != NULL)
1193  goto end;
1194 
1195  result = 1;
1196  end:
1197  if (bed != NULL)
1198  DetectByteExtractFree(bed);
1199  return result;
1200 }
1201 
1202 static int DetectByteExtractTest23(void)
1203 {
1204  int result = 0;
1205 
1206  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
1207  "string hex, "
1208  "relative, "
1209  "string oct");
1210  if (bed != NULL)
1211  goto end;
1212 
1213  result = 1;
1214  end:
1215  if (bed != NULL)
1216  DetectByteExtractFree(bed);
1217  return result;
1218 }
1219 
1220 static int DetectByteExtractTest24(void)
1221 {
1222  int result = 0;
1223 
1224  DetectByteExtractData *bed = DetectByteExtractParse("24, 2, one, align 4, "
1225  "string hex, "
1226  "relative");
1227  if (bed != NULL)
1228  goto end;
1229 
1230  result = 1;
1231  end:
1232  if (bed != NULL)
1233  DetectByteExtractFree(bed);
1234  return result;
1235 }
1236 
1237 static int DetectByteExtractTest25(void)
1238 {
1239  int result = 0;
1240 
1241  DetectByteExtractData *bed = DetectByteExtractParse("9, 2, one, align 4, "
1242  "little, "
1243  "relative");
1244  if (bed != NULL)
1245  goto end;
1246 
1247  result = 1;
1248  end:
1249  if (bed != NULL)
1250  DetectByteExtractFree(bed);
1251  return result;
1252 }
1253 
1254 static int DetectByteExtractTest26(void)
1255 {
1256  int result = 0;
1257 
1258  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
1259  "little, "
1260  "relative, "
1261  "multiplier 65536");
1262  if (bed != NULL)
1263  goto end;
1264 
1265  result = 1;
1266  end:
1267  if (bed != NULL)
1268  DetectByteExtractFree(bed);
1269  return result;
1270 }
1271 
1272 static int DetectByteExtractTest27(void)
1273 {
1274  int result = 0;
1275 
1276  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
1277  "little, "
1278  "relative, "
1279  "multiplier 0");
1280  if (bed != NULL)
1281  goto end;
1282 
1283  result = 1;
1284  end:
1285  if (bed != NULL)
1286  DetectByteExtractFree(bed);
1287  return result;
1288 }
1289 
1290 static int DetectByteExtractTest28(void)
1291 {
1292  int result = 0;
1293 
1294  DetectByteExtractData *bed = DetectByteExtractParse("23, 2, one, string, oct");
1295  if (bed == NULL)
1296  goto end;
1297 
1298  result = 1;
1299  end:
1300  if (bed != NULL)
1301  DetectByteExtractFree(bed);
1302  return result;
1303 }
1304 
1305 static int DetectByteExtractTest29(void)
1306 {
1307  int result = 0;
1308 
1309  DetectByteExtractData *bed = DetectByteExtractParse("24, 2, one, string, oct");
1310  if (bed != NULL)
1311  goto end;
1312 
1313  result = 1;
1314  end:
1315  if (bed != NULL)
1316  DetectByteExtractFree(bed);
1317  return result;
1318 }
1319 
1320 static int DetectByteExtractTest30(void)
1321 {
1322  int result = 0;
1323 
1324  DetectByteExtractData *bed = DetectByteExtractParse("20, 2, one, string, dec");
1325  if (bed == NULL)
1326  goto end;
1327 
1328  result = 1;
1329  end:
1330  if (bed != NULL)
1331  DetectByteExtractFree(bed);
1332  return result;
1333 }
1334 
1335 static int DetectByteExtractTest31(void)
1336 {
1337  int result = 0;
1338 
1339  DetectByteExtractData *bed = DetectByteExtractParse("21, 2, one, string, dec");
1340  if (bed != NULL)
1341  goto end;
1342 
1343  result = 1;
1344  end:
1345  if (bed != NULL)
1346  DetectByteExtractFree(bed);
1347  return result;
1348 }
1349 
1350 static int DetectByteExtractTest32(void)
1351 {
1352  int result = 0;
1353 
1354  DetectByteExtractData *bed = DetectByteExtractParse("14, 2, one, string, hex");
1355  if (bed == NULL)
1356  goto end;
1357 
1358  result = 1;
1359  end:
1360  if (bed != NULL)
1361  DetectByteExtractFree(bed);
1362  return result;
1363 }
1364 
1365 static int DetectByteExtractTest33(void)
1366 {
1367  int result = 0;
1368 
1369  DetectByteExtractData *bed = DetectByteExtractParse("15, 2, one, string, hex");
1370  if (bed != NULL)
1371  goto end;
1372 
1373  result = 1;
1374  end:
1375  if (bed != NULL)
1376  DetectByteExtractFree(bed);
1377  return result;
1378 }
1379 
1380 static int DetectByteExtractTest34(void)
1381 {
1382  DetectEngineCtx *de_ctx = NULL;
1383  int result = 0;
1384  Signature *s = NULL;
1385  SigMatch *sm = NULL;
1386  DetectContentData *cd = NULL;
1387  DetectByteExtractData *bed = NULL;
1388 
1389  de_ctx = DetectEngineCtxInit();
1390  if (de_ctx == NULL)
1391  goto end;
1392 
1393  de_ctx->flags |= DE_QUIET;
1394  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1395  "(msg:\"Testing bytejump_body\"; "
1396  "content:\"one\"; "
1397  "byte_extract:4,2,two,relative,string,hex; "
1398  "sid:1;)");
1399  if (de_ctx->sig_list == NULL) {
1400  result = 0;
1401  goto end;
1402  }
1403 
1404  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1405  result = 0;
1406  goto end;
1407  }
1408 
1409  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1410  if (sm->type != DETECT_CONTENT) {
1411  result = 0;
1412  goto end;
1413  }
1414  cd = (DetectContentData *)sm->ctx;
1415  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1416  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1417  cd->flags & DETECT_CONTENT_NOCASE ||
1418  cd->flags & DETECT_CONTENT_WITHIN ||
1419  cd->flags & DETECT_CONTENT_DISTANCE ||
1420  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1421  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1422  cd->flags & DETECT_CONTENT_NEGATED ) {
1423  printf("one failed\n");
1424  result = 0;
1425  goto end;
1426  }
1427 
1428  sm = sm->next;
1429  if (sm->type != DETECT_BYTE_EXTRACT) {
1430  result = 0;
1431  goto end;
1432  }
1433  bed = (DetectByteExtractData *)sm->ctx;
1434  if (bed->nbytes != 4 ||
1435  bed->offset != 2 ||
1436  strncmp(bed->name, "two", cd->content_len) != 0 ||
1437  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1438  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1439  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1440  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1441  bed->align_value != 0 ||
1442  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1443  goto end;
1444  }
1445 
1446  result = 1;
1447 
1448  end:
1449  SigGroupCleanup(de_ctx);
1450  SigCleanSignatures(de_ctx);
1451  DetectEngineCtxFree(de_ctx);
1452 
1453  return result;
1454 }
1455 
1456 static int DetectByteExtractTest35(void)
1457 {
1458  DetectEngineCtx *de_ctx = NULL;
1459  int result = 0;
1460  Signature *s = NULL;
1461  SigMatch *sm = NULL;
1462  DetectContentData *cd = NULL;
1463  DetectPcreData *pd = NULL;
1464  DetectByteExtractData *bed = NULL;
1465 
1466  de_ctx = DetectEngineCtxInit();
1467  if (de_ctx == NULL)
1468  goto end;
1469 
1470  de_ctx->flags |= DE_QUIET;
1471  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1472  "(msg:\"Testing bytejump_body\"; "
1473  "content:\"one\"; pcre:/asf/; "
1474  "byte_extract:4,0,two,relative,string,hex; "
1475  "sid:1;)");
1476  if (de_ctx->sig_list == NULL) {
1477  result = 0;
1478  goto end;
1479  }
1480 
1481  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1482  result = 0;
1483  goto end;
1484  }
1485 
1486  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1487  if (sm->type != DETECT_CONTENT) {
1488  result = 0;
1489  goto end;
1490  }
1491  cd = (DetectContentData *)sm->ctx;
1492  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1493  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1494  cd->flags & DETECT_CONTENT_NOCASE ||
1495  cd->flags & DETECT_CONTENT_WITHIN ||
1496  cd->flags & DETECT_CONTENT_DISTANCE ||
1497  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1498  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1499  cd->flags & DETECT_CONTENT_NEGATED ) {
1500  printf("one failed\n");
1501  result = 0;
1502  goto end;
1503  }
1504 
1505  sm = sm->next;
1506  if (sm->type != DETECT_PCRE) {
1507  result = 0;
1508  goto end;
1509  }
1510  pd = (DetectPcreData *)sm->ctx;
1511  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1512  result = 0;
1513  goto end;
1514  }
1515 
1516  sm = sm->next;
1517  if (sm->type != DETECT_BYTE_EXTRACT) {
1518  result = 0;
1519  goto end;
1520  }
1521  bed = (DetectByteExtractData *)sm->ctx;
1522  if (bed->nbytes != 4 ||
1523  bed->offset != 0 ||
1524  strcmp(bed->name, "two") != 0 ||
1525  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1526  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1527  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1528  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1529  bed->align_value != 0 ||
1530  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1531  goto end;
1532  }
1533 
1534  result = 1;
1535 
1536  end:
1537  SigGroupCleanup(de_ctx);
1538  SigCleanSignatures(de_ctx);
1539  DetectEngineCtxFree(de_ctx);
1540 
1541  return result;
1542 }
1543 
1544 static int DetectByteExtractTest36(void)
1545 {
1546  DetectEngineCtx *de_ctx = NULL;
1547  int result = 0;
1548  Signature *s = NULL;
1549  SigMatch *sm = NULL;
1550  DetectContentData *cd = NULL;
1551  DetectBytejumpData *bjd = NULL;
1552  DetectByteExtractData *bed = NULL;
1553 
1554  de_ctx = DetectEngineCtxInit();
1555  if (de_ctx == NULL)
1556  goto end;
1557 
1558  de_ctx->flags |= DE_QUIET;
1559  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1560  "(msg:\"Testing bytejump_body\"; "
1561  "content:\"one\"; byte_jump:1,13; "
1562  "byte_extract:4,0,two,relative,string,hex; "
1563  "sid:1;)");
1564  if (de_ctx->sig_list == NULL) {
1565  result = 0;
1566  goto end;
1567  }
1568 
1569  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1570  result = 0;
1571  goto end;
1572  }
1573 
1574  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1575  if (sm->type != DETECT_CONTENT) {
1576  result = 0;
1577  goto end;
1578  }
1579  cd = (DetectContentData *)sm->ctx;
1580  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1581  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1582  cd->flags & DETECT_CONTENT_NOCASE ||
1583  cd->flags & DETECT_CONTENT_WITHIN ||
1584  cd->flags & DETECT_CONTENT_DISTANCE ||
1585  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1586  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1587  cd->flags & DETECT_CONTENT_NEGATED ) {
1588  printf("one failed\n");
1589  result = 0;
1590  goto end;
1591  }
1592 
1593  sm = sm->next;
1594  if (sm->type != DETECT_BYTEJUMP) {
1595  result = 0;
1596  goto end;
1597  }
1598  bjd = (DetectBytejumpData *)sm->ctx;
1599  if (bjd->flags != 0) {
1600  result = 0;
1601  goto end;
1602  }
1603 
1604  sm = sm->next;
1605  if (sm->type != DETECT_BYTE_EXTRACT) {
1606  result = 0;
1607  goto end;
1608  }
1609  bed = (DetectByteExtractData *)sm->ctx;
1610  if (bed->nbytes != 4 ||
1611  bed->offset != 0 ||
1612  strcmp(bed->name, "two") != 0 ||
1613  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1614  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1615  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1616  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1617  bed->align_value != 0 ||
1618  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1619  goto end;
1620  }
1621 
1622  result = 1;
1623 
1624  end:
1625  SigGroupCleanup(de_ctx);
1626  SigCleanSignatures(de_ctx);
1627  DetectEngineCtxFree(de_ctx);
1628 
1629  return result;
1630 }
1631 
1632 static int DetectByteExtractTest37(void)
1633 {
1634  DetectEngineCtx *de_ctx = NULL;
1635  int result = 0;
1636  Signature *s = NULL;
1637  SigMatch *sm = NULL;
1638  DetectContentData *cd = NULL;
1639  DetectContentData *ud = NULL;
1640  DetectByteExtractData *bed = NULL;
1641 
1642  de_ctx = DetectEngineCtxInit();
1643  if (de_ctx == NULL)
1644  goto end;
1645 
1646  de_ctx->flags |= DE_QUIET;
1647  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1648  "(msg:\"Testing bytejump_body\"; "
1649  "content:\"one\"; uricontent:\"two\"; "
1650  "byte_extract:4,0,two,relative,string,hex; "
1651  "sid:1;)");
1652  if (de_ctx->sig_list == NULL) {
1653  result = 0;
1654  goto end;
1655  }
1656 
1657  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1658  result = 0;
1659  goto end;
1660  }
1661 
1662  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1663  if (sm->type != DETECT_CONTENT) {
1664  result = 0;
1665  goto end;
1666  }
1667  cd = (DetectContentData *)sm->ctx;
1668  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1669  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1670  cd->flags & DETECT_CONTENT_NOCASE ||
1671  cd->flags & DETECT_CONTENT_WITHIN ||
1672  cd->flags & DETECT_CONTENT_DISTANCE ||
1673  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1674  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1675  cd->flags & DETECT_CONTENT_NEGATED ) {
1676  printf("one failed\n");
1677  result = 0;
1678  goto end;
1679  }
1680 
1681  if (sm->next != NULL) {
1682  result = 0;
1683  goto end;
1684  }
1685 
1686  sm = s->sm_lists[g_http_uri_buffer_id];
1687  if (sm->type != DETECT_CONTENT) {
1688  result = 0;
1689  goto end;
1690  }
1691  ud = (DetectContentData *)sm->ctx;
1692  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1693  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1694  ud->flags & DETECT_CONTENT_NOCASE ||
1695  ud->flags & DETECT_CONTENT_WITHIN ||
1696  ud->flags & DETECT_CONTENT_DISTANCE ||
1697  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1698  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1699  ud->flags & DETECT_CONTENT_NEGATED ) {
1700  printf("two failed\n");
1701  result = 0;
1702  goto end;
1703  }
1704 
1705  sm = sm->next;
1706  if (sm->type != DETECT_BYTE_EXTRACT) {
1707  result = 0;
1708  goto end;
1709  }
1710  bed = (DetectByteExtractData *)sm->ctx;
1711  if (bed->nbytes != 4 ||
1712  bed->offset != 0 ||
1713  strcmp(bed->name, "two") != 0 ||
1714  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1715  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1716  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1717  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1718  bed->align_value != 0 ||
1719  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1720  goto end;
1721  }
1722 
1723  result = 1;
1724 
1725  end:
1726  SigGroupCleanup(de_ctx);
1727  SigCleanSignatures(de_ctx);
1728  DetectEngineCtxFree(de_ctx);
1729 
1730  return result;
1731 }
1732 
1733 static int DetectByteExtractTest38(void)
1734 {
1735  DetectEngineCtx *de_ctx = NULL;
1736  int result = 0;
1737  Signature *s = NULL;
1738  SigMatch *sm = NULL;
1739  DetectContentData *cd = NULL;
1740  DetectContentData *ud = NULL;
1741  DetectByteExtractData *bed = NULL;
1742 
1743  de_ctx = DetectEngineCtxInit();
1744  if (de_ctx == NULL)
1745  goto end;
1746 
1747  de_ctx->flags |= DE_QUIET;
1748  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1749  "(msg:\"Testing bytejump_body\"; "
1750  "content:\"one\"; uricontent:\"two\"; "
1751  "byte_extract:4,0,two,string,hex; "
1752  "sid:1;)");
1753  if (de_ctx->sig_list == NULL) {
1754  result = 0;
1755  goto end;
1756  }
1757 
1758  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1759  result = 0;
1760  goto end;
1761  }
1762 
1763  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1764  if (sm->type != DETECT_CONTENT) {
1765  result = 0;
1766  goto end;
1767  }
1768  cd = (DetectContentData *)sm->ctx;
1769  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1770  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1771  cd->flags & DETECT_CONTENT_NOCASE ||
1772  cd->flags & DETECT_CONTENT_WITHIN ||
1773  cd->flags & DETECT_CONTENT_DISTANCE ||
1774  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1775  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1776  cd->flags & DETECT_CONTENT_NEGATED ) {
1777  printf("one failed\n");
1778  result = 0;
1779  goto end;
1780  }
1781 
1782  sm = sm->next;
1783  if (sm->type != DETECT_BYTE_EXTRACT) {
1784  result = 0;
1785  goto end;
1786  }
1787  bed = (DetectByteExtractData *)sm->ctx;
1788  if (bed->nbytes != 4 ||
1789  bed->offset != 0 ||
1790  strcmp(bed->name, "two") != 0 ||
1791  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
1792  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1793  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1794  bed->align_value != 0 ||
1795  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1796  goto end;
1797  }
1798 
1799  sm = s->sm_lists[g_http_uri_buffer_id];
1800  if (sm->type != DETECT_CONTENT) {
1801  result = 0;
1802  goto end;
1803  }
1804  ud = (DetectContentData *)sm->ctx;
1805  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1806  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1807  ud->flags & DETECT_CONTENT_NOCASE ||
1808  ud->flags & DETECT_CONTENT_WITHIN ||
1809  ud->flags & DETECT_CONTENT_DISTANCE ||
1810  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1811  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1812  ud->flags & DETECT_CONTENT_NEGATED ) {
1813  printf("two failed\n");
1814  result = 0;
1815  goto end;
1816  }
1817 
1818  if (sm->next != NULL) {
1819  result = 0;
1820  goto end;
1821  }
1822 
1823  result = 1;
1824 
1825  end:
1826  SigGroupCleanup(de_ctx);
1827  SigCleanSignatures(de_ctx);
1828  DetectEngineCtxFree(de_ctx);
1829 
1830  return result;
1831 }
1832 
1833 static int DetectByteExtractTest39(void)
1834 {
1835  DetectEngineCtx *de_ctx = NULL;
1836  int result = 0;
1837  Signature *s = NULL;
1838  SigMatch *sm = NULL;
1839  DetectContentData *cd = NULL;
1840  DetectContentData *ud = NULL;
1841  DetectByteExtractData *bed = NULL;
1842 
1843  de_ctx = DetectEngineCtxInit();
1844  if (de_ctx == NULL)
1845  goto end;
1846 
1847  de_ctx->flags |= DE_QUIET;
1848  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1849  "(msg:\"Testing bytejump_body\"; "
1850  "content:\"one\"; content:\"two\"; http_uri; "
1851  "byte_extract:4,0,two,relative,string,hex; "
1852  "sid:1;)");
1853  if (de_ctx->sig_list == NULL) {
1854  result = 0;
1855  goto end;
1856  }
1857 
1858  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1859  result = 0;
1860  goto end;
1861  }
1862 
1863  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1864  if (sm->type != DETECT_CONTENT) {
1865  result = 0;
1866  goto end;
1867  }
1868  cd = (DetectContentData *)sm->ctx;
1869  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1870  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1871  cd->flags & DETECT_CONTENT_NOCASE ||
1872  cd->flags & DETECT_CONTENT_WITHIN ||
1873  cd->flags & DETECT_CONTENT_DISTANCE ||
1874  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1875  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1876  cd->flags & DETECT_CONTENT_NEGATED ) {
1877  printf("one failed\n");
1878  result = 0;
1879  goto end;
1880  }
1881 
1882  if (sm->next != NULL) {
1883  result = 0;
1884  goto end;
1885  }
1886 
1887  sm = s->sm_lists[g_http_uri_buffer_id];
1888  if (sm->type != DETECT_CONTENT) {
1889  result = 0;
1890  goto end;
1891  }
1892  ud = (DetectContentData *)sm->ctx;
1893  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1894  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1895  ud->flags & DETECT_CONTENT_NOCASE ||
1896  ud->flags & DETECT_CONTENT_WITHIN ||
1897  ud->flags & DETECT_CONTENT_DISTANCE ||
1898  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1899  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1900  ud->flags & DETECT_CONTENT_NEGATED ) {
1901  printf("two failed\n");
1902  result = 0;
1903  goto end;
1904  }
1905 
1906  sm = sm->next;
1907  if (sm->type != DETECT_BYTE_EXTRACT) {
1908  result = 0;
1909  goto end;
1910  }
1911  bed = (DetectByteExtractData *)sm->ctx;
1912  if (bed->nbytes != 4 ||
1913  bed->offset != 0 ||
1914  strcmp(bed->name, "two") != 0 ||
1915  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1916  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1917  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1918  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1919  bed->align_value != 0 ||
1920  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1921  goto end;
1922  }
1923 
1924  result = 1;
1925 
1926  end:
1927  SigGroupCleanup(de_ctx);
1928  SigCleanSignatures(de_ctx);
1929  DetectEngineCtxFree(de_ctx);
1930 
1931  return result;
1932 }
1933 
1934 static int DetectByteExtractTest40(void)
1935 {
1936  DetectEngineCtx *de_ctx = NULL;
1937  int result = 0;
1938  Signature *s = NULL;
1939  SigMatch *sm = NULL;
1940  DetectContentData *cd = NULL;
1941  DetectContentData *ud = NULL;
1942  DetectByteExtractData *bed = NULL;
1943 
1944  de_ctx = DetectEngineCtxInit();
1945  if (de_ctx == NULL)
1946  goto end;
1947 
1948  de_ctx->flags |= DE_QUIET;
1949  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1950  "(msg:\"Testing bytejump_body\"; "
1951  "content:\"one\"; content:\"two\"; http_uri; "
1952  "byte_extract:4,0,two,string,hex; "
1953  "sid:1;)");
1954  if (de_ctx->sig_list == NULL) {
1955  result = 0;
1956  goto end;
1957  }
1958 
1959  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1960  result = 0;
1961  goto end;
1962  }
1963 
1964  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1965  if (sm->type != DETECT_CONTENT) {
1966  result = 0;
1967  goto end;
1968  }
1969  cd = (DetectContentData *)sm->ctx;
1970  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1971  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1972  cd->flags & DETECT_CONTENT_NOCASE ||
1973  cd->flags & DETECT_CONTENT_WITHIN ||
1974  cd->flags & DETECT_CONTENT_DISTANCE ||
1975  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1976  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1977  cd->flags & DETECT_CONTENT_NEGATED ) {
1978  printf("one failed\n");
1979  result = 0;
1980  goto end;
1981  }
1982 
1983  sm = sm->next;
1984  if (sm->type != DETECT_BYTE_EXTRACT) {
1985  result = 0;
1986  goto end;
1987  }
1988  bed = (DetectByteExtractData *)sm->ctx;
1989  if (bed->nbytes != 4 ||
1990  bed->offset != 0 ||
1991  strcmp(bed->name, "two") != 0 ||
1992  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
1993  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1994  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1995  bed->align_value != 0 ||
1996  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1997  goto end;
1998  }
1999 
2000  sm = s->sm_lists[g_http_uri_buffer_id];
2001  if (sm->type != DETECT_CONTENT) {
2002  result = 0;
2003  goto end;
2004  }
2005  ud = (DetectContentData *)sm->ctx;
2006  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2007  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
2008  ud->flags & DETECT_CONTENT_NOCASE ||
2009  ud->flags & DETECT_CONTENT_WITHIN ||
2010  ud->flags & DETECT_CONTENT_DISTANCE ||
2011  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2012  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2013  ud->flags & DETECT_CONTENT_NEGATED ) {
2014  printf("two failed\n");
2015  result = 0;
2016  goto end;
2017  }
2018 
2019  if (sm->next != NULL) {
2020  result = 0;
2021  goto end;
2022  }
2023 
2024  result = 1;
2025 
2026  end:
2027  SigGroupCleanup(de_ctx);
2028  SigCleanSignatures(de_ctx);
2029  DetectEngineCtxFree(de_ctx);
2030 
2031  return result;
2032 }
2033 
2034 static int DetectByteExtractTest41(void)
2035 {
2036  DetectEngineCtx *de_ctx = NULL;
2037  int result = 0;
2038  Signature *s = NULL;
2039  SigMatch *sm = NULL;
2040  DetectContentData *cd = NULL;
2041  DetectByteExtractData *bed = NULL;
2042 
2043  de_ctx = DetectEngineCtxInit();
2044  if (de_ctx == NULL)
2045  goto end;
2046 
2047  de_ctx->flags |= DE_QUIET;
2048  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2049  "(msg:\"Testing bytejump_body\"; "
2050  "content:\"one\"; "
2051  "byte_extract:4,0,two,string,hex; "
2052  "byte_extract:4,0,three,string,hex; "
2053  "sid:1;)");
2054  if (de_ctx->sig_list == NULL) {
2055  result = 0;
2056  goto end;
2057  }
2058 
2059  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2060  result = 0;
2061  goto end;
2062  }
2063 
2064  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2065  if (sm->type != DETECT_CONTENT) {
2066  result = 0;
2067  goto end;
2068  }
2069  cd = (DetectContentData *)sm->ctx;
2070  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2071  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2072  cd->flags & DETECT_CONTENT_NOCASE ||
2073  cd->flags & DETECT_CONTENT_WITHIN ||
2074  cd->flags & DETECT_CONTENT_DISTANCE ||
2075  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2076  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2077  cd->flags & DETECT_CONTENT_NEGATED ) {
2078  printf("one failed\n");
2079  result = 0;
2080  goto end;
2081  }
2082 
2083  sm = sm->next;
2084  if (sm->type != DETECT_BYTE_EXTRACT) {
2085  result = 0;
2086  goto end;
2087  }
2088  bed = (DetectByteExtractData *)sm->ctx;
2089  if (bed->nbytes != 4 ||
2090  bed->offset != 0 ||
2091  strcmp(bed->name, "two") != 0 ||
2092  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2093  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2094  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2095  bed->align_value != 0 ||
2096  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2097  goto end;
2098  }
2099  if (bed->local_id != 0) {
2100  result = 0;
2101  goto end;
2102  }
2103 
2104  sm = sm->next;
2105  if (sm->type != DETECT_BYTE_EXTRACT) {
2106  result = 0;
2107  goto end;
2108  }
2109  bed = (DetectByteExtractData *)sm->ctx;
2110  if (bed->nbytes != 4 ||
2111  bed->offset != 0 ||
2112  strcmp(bed->name, "three") != 0 ||
2113  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2114  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2115  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2116  bed->align_value != 0 ||
2117  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2118  goto end;
2119  }
2120  if (bed->local_id != 1) {
2121  result = 0;
2122  goto end;
2123  }
2124 
2125  result = 1;
2126 
2127  end:
2128  SigGroupCleanup(de_ctx);
2129  SigCleanSignatures(de_ctx);
2130  DetectEngineCtxFree(de_ctx);
2131 
2132  return result;
2133 }
2134 
2135 static int DetectByteExtractTest42(void)
2136 {
2137  DetectEngineCtx *de_ctx = NULL;
2138  int result = 0;
2139  Signature *s = NULL;
2140  SigMatch *sm = NULL;
2141  DetectContentData *cd = NULL;
2142  DetectContentData *ud = NULL;
2143  DetectByteExtractData *bed = NULL;
2144 
2145  de_ctx = DetectEngineCtxInit();
2146  if (de_ctx == NULL)
2147  goto end;
2148 
2149  de_ctx->flags |= DE_QUIET;
2150  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2151  "(msg:\"Testing bytejump_body\"; "
2152  "content:\"one\"; "
2153  "byte_extract:4,0,two,string,hex; "
2154  "uricontent: \"three\"; "
2155  "byte_extract:4,0,four,string,hex,relative; "
2156  "byte_extract:4,0,five,string,hex; "
2157  "sid:1;)");
2158  if (de_ctx->sig_list == NULL) {
2159  result = 0;
2160  goto end;
2161  }
2162 
2163  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2164  result = 0;
2165  goto end;
2166  }
2167 
2168  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2169  if (sm->type != DETECT_CONTENT) {
2170  result = 0;
2171  goto end;
2172  }
2173  cd = (DetectContentData *)sm->ctx;
2174  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2175  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2176  cd->flags & DETECT_CONTENT_NOCASE ||
2177  cd->flags & DETECT_CONTENT_WITHIN ||
2178  cd->flags & DETECT_CONTENT_DISTANCE ||
2179  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2180  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2181  cd->flags & DETECT_CONTENT_NEGATED ) {
2182  printf("one failed\n");
2183  result = 0;
2184  goto end;
2185  }
2186 
2187  sm = sm->next;
2188  if (sm->type != DETECT_BYTE_EXTRACT) {
2189  result = 0;
2190  goto end;
2191  }
2192  bed = (DetectByteExtractData *)sm->ctx;
2193  if (bed->nbytes != 4 ||
2194  bed->offset != 0 ||
2195  strcmp(bed->name, "two") != 0 ||
2196  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2197  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2198  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2199  bed->align_value != 0 ||
2200  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2201  goto end;
2202  }
2203  if (bed->local_id != 0) {
2204  result = 0;
2205  goto end;
2206  }
2207 
2208  sm = sm->next;
2209  if (sm->type != DETECT_BYTE_EXTRACT) {
2210  result = 0;
2211  goto end;
2212  }
2213  bed = (DetectByteExtractData *)sm->ctx;
2214  if (bed->nbytes != 4 ||
2215  bed->offset != 0 ||
2216  strcmp(bed->name, "five") != 0 ||
2217  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2218  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2219  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2220  bed->align_value != 0 ||
2221  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2222  goto end;
2223  }
2224  if (bed->local_id != 1) {
2225  result = 0;
2226  goto end;
2227  }
2228 
2229  if (sm->next != NULL)
2230  goto end;
2231 
2232  sm = s->sm_lists[g_http_uri_buffer_id];
2233  if (sm->type != DETECT_CONTENT) {
2234  result = 0;
2235  goto end;
2236  }
2237  ud = (DetectContentData *)sm->ctx;
2238  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2239  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
2240  ud->flags & DETECT_CONTENT_NOCASE ||
2241  ud->flags & DETECT_CONTENT_WITHIN ||
2242  ud->flags & DETECT_CONTENT_DISTANCE ||
2243  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2244  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2245  ud->flags & DETECT_CONTENT_NEGATED ) {
2246  printf("two failed\n");
2247  result = 0;
2248  goto end;
2249  }
2250 
2251  sm = sm->next;
2252  if (sm->type != DETECT_BYTE_EXTRACT) {
2253  result = 0;
2254  goto end;
2255  }
2256  bed = (DetectByteExtractData *)sm->ctx;
2257  if (bed->nbytes != 4 ||
2258  bed->offset != 0 ||
2259  strcmp(bed->name, "four") != 0 ||
2260  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
2261  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
2262  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2263  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2264  bed->align_value != 0 ||
2265  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2266  goto end;
2267  }
2268  if (bed->local_id != 0) {
2269  result = 0;
2270  goto end;
2271  }
2272 
2273  if (sm->next != NULL)
2274  goto end;
2275 
2276  result = 1;
2277 
2278  end:
2279  SigGroupCleanup(de_ctx);
2280  SigCleanSignatures(de_ctx);
2281  DetectEngineCtxFree(de_ctx);
2282 
2283  return result;
2284 }
2285 
2286 static int DetectByteExtractTest43(void)
2287 {
2288  DetectEngineCtx *de_ctx = NULL;
2289  int result = 0;
2290  Signature *s = NULL;
2291  SigMatch *sm = NULL;
2292  DetectContentData *cd = NULL;
2293  DetectByteExtractData *bed = NULL;
2294 
2295  de_ctx = DetectEngineCtxInit();
2296  if (de_ctx == NULL)
2297  goto end;
2298 
2299  de_ctx->flags |= DE_QUIET;
2300  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2301  "(msg:\"Testing bytejump_body\"; "
2302  "content:\"one\"; "
2303  "byte_extract:4,0,two,string,hex; "
2304  "content: \"three\"; offset:two; "
2305  "sid:1;)");
2306  if (de_ctx->sig_list == NULL) {
2307  result = 0;
2308  goto end;
2309  }
2310 
2311  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2312  result = 0;
2313  goto end;
2314  }
2315 
2316  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2317  if (sm->type != DETECT_CONTENT) {
2318  result = 0;
2319  goto end;
2320  }
2321  cd = (DetectContentData *)sm->ctx;
2322  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2323  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2324  cd->flags & DETECT_CONTENT_NOCASE ||
2325  cd->flags & DETECT_CONTENT_WITHIN ||
2326  cd->flags & DETECT_CONTENT_DISTANCE ||
2327  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2328  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2329  cd->flags & DETECT_CONTENT_NEGATED ) {
2330  printf("one failed\n");
2331  result = 0;
2332  goto end;
2333  }
2334 
2335  sm = sm->next;
2336  if (sm->type != DETECT_BYTE_EXTRACT) {
2337  result = 0;
2338  goto end;
2339  }
2340  bed = (DetectByteExtractData *)sm->ctx;
2341  if (bed->nbytes != 4 ||
2342  bed->offset != 0 ||
2343  strcmp(bed->name, "two") != 0 ||
2344  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2345  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2346  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2347  bed->align_value != 0 ||
2348  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2349  goto end;
2350  }
2351  if (bed->local_id != 0) {
2352  result = 0;
2353  goto end;
2354  }
2355 
2356  sm = sm->next;
2357  if (sm->type != DETECT_CONTENT) {
2358  result = 0;
2359  goto end;
2360  }
2361  cd = (DetectContentData *)sm->ctx;
2362  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2363  cd->flags != (DETECT_CONTENT_OFFSET_BE |
2364  DETECT_CONTENT_OFFSET) ||
2365  cd->offset != bed->local_id) {
2366  printf("three failed\n");
2367  result = 0;
2368  goto end;
2369  }
2370 
2371  if (sm->next != NULL)
2372  goto end;
2373 
2374  result = 1;
2375 
2376  end:
2377  SigGroupCleanup(de_ctx);
2378  SigCleanSignatures(de_ctx);
2379  DetectEngineCtxFree(de_ctx);
2380 
2381  return result;
2382 }
2383 
2384 static int DetectByteExtractTest44(void)
2385 {
2386  DetectEngineCtx *de_ctx = NULL;
2387  int result = 0;
2388  Signature *s = NULL;
2389  SigMatch *sm = NULL;
2390  DetectContentData *cd = NULL;
2391  DetectByteExtractData *bed1 = NULL;
2392  DetectByteExtractData *bed2 = NULL;
2393 
2394  de_ctx = DetectEngineCtxInit();
2395  if (de_ctx == NULL)
2396  goto end;
2397 
2398  de_ctx->flags |= DE_QUIET;
2399  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2400  "(msg:\"Testing bytejump_body\"; "
2401  "content:\"one\"; "
2402  "byte_extract:4,0,two,string,hex; "
2403  "byte_extract:4,0,three,string,hex; "
2404  "content: \"four\"; offset:two; "
2405  "content: \"five\"; offset:three; "
2406  "sid:1;)");
2407  if (de_ctx->sig_list == NULL) {
2408  result = 0;
2409  goto end;
2410  }
2411 
2412  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2413  result = 0;
2414  goto end;
2415  }
2416 
2417  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2418  if (sm->type != DETECT_CONTENT) {
2419  result = 0;
2420  goto end;
2421  }
2422  cd = (DetectContentData *)sm->ctx;
2423  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2424  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2425  cd->flags & DETECT_CONTENT_NOCASE ||
2426  cd->flags & DETECT_CONTENT_WITHIN ||
2427  cd->flags & DETECT_CONTENT_DISTANCE ||
2428  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2429  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2430  cd->flags & DETECT_CONTENT_NEGATED ) {
2431  printf("one failed\n");
2432  result = 0;
2433  goto end;
2434  }
2435 
2436  sm = sm->next;
2437  if (sm->type != DETECT_BYTE_EXTRACT) {
2438  result = 0;
2439  goto end;
2440  }
2441  bed1 = (DetectByteExtractData *)sm->ctx;
2442  if (bed1->nbytes != 4 ||
2443  bed1->offset != 0 ||
2444  strcmp(bed1->name, "two") != 0 ||
2445  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2446  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2447  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2448  bed1->align_value != 0 ||
2449  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2450  goto end;
2451  }
2452  if (bed1->local_id != 0) {
2453  result = 0;
2454  goto end;
2455  }
2456 
2457  sm = sm->next;
2458  if (sm->type != DETECT_BYTE_EXTRACT) {
2459  result = 0;
2460  goto end;
2461  }
2462  bed2 = (DetectByteExtractData *)sm->ctx;
2463 
2464  sm = sm->next;
2465  if (sm->type != DETECT_CONTENT) {
2466  result = 0;
2467  goto end;
2468  }
2469  cd = (DetectContentData *)sm->ctx;
2470  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2471  cd->flags != (DETECT_CONTENT_OFFSET_BE |
2472  DETECT_CONTENT_OFFSET) ||
2473  cd->offset != bed1->local_id) {
2474  printf("four failed\n");
2475  result = 0;
2476  goto end;
2477  }
2478 
2479  sm = sm->next;
2480  if (sm->type != DETECT_CONTENT) {
2481  result = 0;
2482  goto end;
2483  }
2484  cd = (DetectContentData *)sm->ctx;
2485  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2486  cd->flags != (DETECT_CONTENT_OFFSET_BE |
2487  DETECT_CONTENT_OFFSET) ||
2488  cd->offset != bed2->local_id) {
2489  printf("five failed\n");
2490  result = 0;
2491  goto end;
2492  }
2493 
2494  if (sm->next != NULL)
2495  goto end;
2496 
2497  result = 1;
2498 
2499  end:
2500  SigGroupCleanup(de_ctx);
2501  SigCleanSignatures(de_ctx);
2502  DetectEngineCtxFree(de_ctx);
2503 
2504  return result;
2505 }
2506 
2507 static int DetectByteExtractTest45(void)
2508 {
2509  DetectEngineCtx *de_ctx = NULL;
2510  int result = 0;
2511  Signature *s = NULL;
2512  SigMatch *sm = NULL;
2513  DetectContentData *cd = NULL;
2514  DetectByteExtractData *bed = NULL;
2515 
2516  de_ctx = DetectEngineCtxInit();
2517  if (de_ctx == NULL)
2518  goto end;
2519 
2520  de_ctx->flags |= DE_QUIET;
2521  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2522  "(msg:\"Testing bytejump_body\"; "
2523  "content:\"one\"; "
2524  "byte_extract:4,0,two,string,hex; "
2525  "content: \"three\"; depth:two; "
2526  "sid:1;)");
2527  if (de_ctx->sig_list == NULL) {
2528  result = 0;
2529  goto end;
2530  }
2531 
2532  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2533  result = 0;
2534  goto end;
2535  }
2536 
2537  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2538  if (sm->type != DETECT_CONTENT) {
2539  result = 0;
2540  goto end;
2541  }
2542  cd = (DetectContentData *)sm->ctx;
2543  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2544  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2545  cd->flags & DETECT_CONTENT_NOCASE ||
2546  cd->flags & DETECT_CONTENT_WITHIN ||
2547  cd->flags & DETECT_CONTENT_DISTANCE ||
2548  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2549  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2550  cd->flags & DETECT_CONTENT_NEGATED ) {
2551  printf("one failed\n");
2552  result = 0;
2553  goto end;
2554  }
2555 
2556  sm = sm->next;
2557  if (sm->type != DETECT_BYTE_EXTRACT) {
2558  result = 0;
2559  goto end;
2560  }
2561  bed = (DetectByteExtractData *)sm->ctx;
2562  if (bed->nbytes != 4 ||
2563  bed->offset != 0 ||
2564  strcmp(bed->name, "two") != 0 ||
2565  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2566  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2567  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2568  bed->align_value != 0 ||
2569  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2570  goto end;
2571  }
2572  if (bed->local_id != 0) {
2573  result = 0;
2574  goto end;
2575  }
2576 
2577  sm = sm->next;
2578  if (sm->type != DETECT_CONTENT) {
2579  result = 0;
2580  goto end;
2581  }
2582  cd = (DetectContentData *)sm->ctx;
2583  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2584  cd->flags != (DETECT_CONTENT_DEPTH_BE |
2585  DETECT_CONTENT_DEPTH) ||
2586  cd->depth != bed->local_id ||
2587  cd->offset != 0) {
2588  printf("three failed\n");
2589  result = 0;
2590  goto end;
2591  }
2592 
2593  if (sm->next != NULL)
2594  goto end;
2595 
2596  result = 1;
2597 
2598  end:
2599  SigGroupCleanup(de_ctx);
2600  SigCleanSignatures(de_ctx);
2601  DetectEngineCtxFree(de_ctx);
2602 
2603  return result;
2604 }
2605 
2606 static int DetectByteExtractTest46(void)
2607 {
2608  DetectEngineCtx *de_ctx = NULL;
2609  int result = 0;
2610  Signature *s = NULL;
2611  SigMatch *sm = NULL;
2612  DetectContentData *cd = NULL;
2613  DetectByteExtractData *bed1 = NULL;
2614  DetectByteExtractData *bed2 = NULL;
2615 
2616  de_ctx = DetectEngineCtxInit();
2617  if (de_ctx == NULL)
2618  goto end;
2619 
2620  de_ctx->flags |= DE_QUIET;
2621  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2622  "(msg:\"Testing bytejump_body\"; "
2623  "content:\"one\"; "
2624  "byte_extract:4,0,two,string,hex; "
2625  "byte_extract:4,0,three,string,hex; "
2626  "content: \"four\"; depth:two; "
2627  "content: \"five\"; depth:three; "
2628  "sid:1;)");
2629  if (de_ctx->sig_list == NULL) {
2630  result = 0;
2631  goto end;
2632  }
2633 
2634  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2635  result = 0;
2636  goto end;
2637  }
2638 
2639  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2640  if (sm->type != DETECT_CONTENT) {
2641  result = 0;
2642  goto end;
2643  }
2644  cd = (DetectContentData *)sm->ctx;
2645  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2646  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2647  cd->flags & DETECT_CONTENT_NOCASE ||
2648  cd->flags & DETECT_CONTENT_WITHIN ||
2649  cd->flags & DETECT_CONTENT_DISTANCE ||
2650  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2651  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2652  cd->flags & DETECT_CONTENT_NEGATED ) {
2653  printf("one failed\n");
2654  result = 0;
2655  goto end;
2656  }
2657 
2658  sm = sm->next;
2659  if (sm->type != DETECT_BYTE_EXTRACT) {
2660  result = 0;
2661  goto end;
2662  }
2663  bed1 = (DetectByteExtractData *)sm->ctx;
2664  if (bed1->nbytes != 4 ||
2665  bed1->offset != 0 ||
2666  strcmp(bed1->name, "two") != 0 ||
2667  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2668  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2669  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2670  bed1->align_value != 0 ||
2671  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2672  goto end;
2673  }
2674  if (bed1->local_id != 0) {
2675  result = 0;
2676  goto end;
2677  }
2678 
2679  sm = sm->next;
2680  if (sm->type != DETECT_BYTE_EXTRACT) {
2681  result = 0;
2682  goto end;
2683  }
2684  bed2 = (DetectByteExtractData *)sm->ctx;
2685 
2686  sm = sm->next;
2687  if (sm->type != DETECT_CONTENT) {
2688  result = 0;
2689  goto end;
2690  }
2691  cd = (DetectContentData *)sm->ctx;
2692  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2693  cd->flags != (DETECT_CONTENT_DEPTH_BE |
2694  DETECT_CONTENT_DEPTH) ||
2695  cd->depth != bed1->local_id) {
2696  printf("four failed\n");
2697  result = 0;
2698  goto end;
2699  }
2700 
2701  sm = sm->next;
2702  if (sm->type != DETECT_CONTENT) {
2703  result = 0;
2704  goto end;
2705  }
2706  cd = (DetectContentData *)sm->ctx;
2707  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2708  cd->flags != (DETECT_CONTENT_DEPTH_BE |
2709  DETECT_CONTENT_DEPTH) ||
2710  cd->depth != bed2->local_id) {
2711  printf("five failed\n");
2712  result = 0;
2713  goto end;
2714  }
2715 
2716  if (sm->next != NULL)
2717  goto end;
2718 
2719  result = 1;
2720 
2721  end:
2722  SigGroupCleanup(de_ctx);
2723  SigCleanSignatures(de_ctx);
2724  DetectEngineCtxFree(de_ctx);
2725 
2726  return result;
2727 }
2728 
2729 static int DetectByteExtractTest47(void)
2730 {
2731  DetectEngineCtx *de_ctx = NULL;
2732  int result = 0;
2733  Signature *s = NULL;
2734  SigMatch *sm = NULL;
2735  DetectContentData *cd = NULL;
2736  DetectByteExtractData *bed = NULL;
2737 
2738  de_ctx = DetectEngineCtxInit();
2739  if (de_ctx == NULL)
2740  goto end;
2741 
2742  de_ctx->flags |= DE_QUIET;
2743  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2744  "(msg:\"Testing bytejump_body\"; "
2745  "content:\"one\"; "
2746  "byte_extract:4,0,two,string,hex; "
2747  "content: \"three\"; distance:two; "
2748  "sid:1;)");
2749  if (de_ctx->sig_list == NULL) {
2750  result = 0;
2751  goto end;
2752  }
2753 
2754  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2755  result = 0;
2756  goto end;
2757  }
2758 
2759  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2760  if (sm->type != DETECT_CONTENT) {
2761  result = 0;
2762  goto end;
2763  }
2764  cd = (DetectContentData *)sm->ctx;
2765  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2766  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2767  cd->flags & DETECT_CONTENT_NOCASE ||
2768  cd->flags & DETECT_CONTENT_WITHIN ||
2769  cd->flags & DETECT_CONTENT_DISTANCE ||
2770  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2771  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2772  cd->flags & DETECT_CONTENT_NEGATED ) {
2773  printf("one failed\n");
2774  result = 0;
2775  goto end;
2776  }
2777 
2778  sm = sm->next;
2779  if (sm->type != DETECT_BYTE_EXTRACT) {
2780  result = 0;
2781  goto end;
2782  }
2783  bed = (DetectByteExtractData *)sm->ctx;
2784  if (bed->nbytes != 4 ||
2785  bed->offset != 0 ||
2786  strcmp(bed->name, "two") != 0 ||
2787  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2788  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2789  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2790  bed->align_value != 0 ||
2791  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2792  goto end;
2793  }
2794  if (bed->local_id != 0) {
2795  result = 0;
2796  goto end;
2797  }
2798 
2799  sm = sm->next;
2800  if (sm->type != DETECT_CONTENT) {
2801  result = 0;
2802  goto end;
2803  }
2804  cd = (DetectContentData *)sm->ctx;
2805  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2806  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
2807  DETECT_CONTENT_DISTANCE) ||
2808  cd->distance != bed->local_id ||
2809  cd->offset != 0 ||
2810  cd->depth != 0) {
2811  printf("three failed\n");
2812  result = 0;
2813  goto end;
2814  }
2815 
2816  if (sm->next != NULL)
2817  goto end;
2818 
2819  result = 1;
2820 
2821  end:
2822  SigGroupCleanup(de_ctx);
2823  SigCleanSignatures(de_ctx);
2824  DetectEngineCtxFree(de_ctx);
2825 
2826  return result;
2827 }
2828 
2829 static int DetectByteExtractTest48(void)
2830 {
2831  DetectEngineCtx *de_ctx = NULL;
2832  int result = 0;
2833  Signature *s = NULL;
2834  SigMatch *sm = NULL;
2835  DetectContentData *cd = NULL;
2836  DetectByteExtractData *bed1 = NULL;
2837  DetectByteExtractData *bed2 = NULL;
2838 
2839  de_ctx = DetectEngineCtxInit();
2840  if (de_ctx == NULL)
2841  goto end;
2842 
2843  de_ctx->flags |= DE_QUIET;
2844  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2845  "(msg:\"Testing bytejump_body\"; "
2846  "content:\"one\"; "
2847  "byte_extract:4,0,two,string,hex; "
2848  "byte_extract:4,0,three,string,hex; "
2849  "content: \"four\"; distance:two; "
2850  "content: \"five\"; distance:three; "
2851  "sid:1;)");
2852  if (de_ctx->sig_list == NULL) {
2853  result = 0;
2854  goto end;
2855  }
2856 
2857  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2858  result = 0;
2859  goto end;
2860  }
2861 
2862  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2863  if (sm->type != DETECT_CONTENT) {
2864  result = 0;
2865  goto end;
2866  }
2867  cd = (DetectContentData *)sm->ctx;
2868  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2869  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2870  cd->flags & DETECT_CONTENT_NOCASE ||
2871  cd->flags & DETECT_CONTENT_WITHIN ||
2872  cd->flags & DETECT_CONTENT_DISTANCE ||
2873  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2874  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2875  cd->flags & DETECT_CONTENT_NEGATED ) {
2876  printf("one failed\n");
2877  result = 0;
2878  goto end;
2879  }
2880 
2881  sm = sm->next;
2882  if (sm->type != DETECT_BYTE_EXTRACT) {
2883  result = 0;
2884  goto end;
2885  }
2886  bed1 = (DetectByteExtractData *)sm->ctx;
2887  if (bed1->nbytes != 4 ||
2888  bed1->offset != 0 ||
2889  strcmp(bed1->name, "two") != 0 ||
2890  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2891  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2892  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2893  bed1->align_value != 0 ||
2894  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2895  goto end;
2896  }
2897  if (bed1->local_id != 0) {
2898  result = 0;
2899  goto end;
2900  }
2901 
2902  sm = sm->next;
2903  if (sm->type != DETECT_BYTE_EXTRACT) {
2904  result = 0;
2905  goto end;
2906  }
2907  bed2 = (DetectByteExtractData *)sm->ctx;
2908 
2909  sm = sm->next;
2910  if (sm->type != DETECT_CONTENT) {
2911  result = 0;
2912  goto end;
2913  }
2914  cd = (DetectContentData *)sm->ctx;
2915  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2916  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
2917  DETECT_CONTENT_DISTANCE |
2918  DETECT_CONTENT_DISTANCE_NEXT) ||
2919  cd->distance != bed1->local_id ||
2920  cd->depth != 0 ||
2921  cd->offset != 0) {
2922  printf("four failed\n");
2923  result = 0;
2924  goto end;
2925  }
2926 
2927  sm = sm->next;
2928  if (sm->type != DETECT_CONTENT) {
2929  result = 0;
2930  goto end;
2931  }
2932  cd = (DetectContentData *)sm->ctx;
2933  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2934  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
2935  DETECT_CONTENT_DISTANCE) ||
2936  cd->distance != bed2->local_id ||
2937  cd->depth != 0 ||
2938  cd->offset != 0) {
2939  printf("five failed\n");
2940  result = 0;
2941  goto end;
2942  }
2943 
2944  if (sm->next != NULL)
2945  goto end;
2946 
2947  result = 1;
2948 
2949  end:
2950  SigGroupCleanup(de_ctx);
2951  SigCleanSignatures(de_ctx);
2952  DetectEngineCtxFree(de_ctx);
2953 
2954  return result;
2955 }
2956 
2957 static int DetectByteExtractTest49(void)
2958 {
2959  DetectEngineCtx *de_ctx = NULL;
2960  int result = 0;
2961  Signature *s = NULL;
2962  SigMatch *sm = NULL;
2963  DetectContentData *cd = NULL;
2964  DetectByteExtractData *bed = NULL;
2965 
2966  de_ctx = DetectEngineCtxInit();
2967  if (de_ctx == NULL)
2968  goto end;
2969 
2970  de_ctx->flags |= DE_QUIET;
2971  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2972  "(msg:\"Testing bytejump_body\"; "
2973  "content:\"one\"; "
2974  "byte_extract:4,0,two,string,hex; "
2975  "content: \"three\"; within:two; "
2976  "sid:1;)");
2977  if (de_ctx->sig_list == NULL) {
2978  result = 0;
2979  goto end;
2980  }
2981 
2982  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2983  result = 0;
2984  goto end;
2985  }
2986 
2987  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2988  if (sm->type != DETECT_CONTENT) {
2989  result = 0;
2990  goto end;
2991  }
2992  cd = (DetectContentData *)sm->ctx;
2993  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2994  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2995  cd->flags & DETECT_CONTENT_NOCASE ||
2996  cd->flags & DETECT_CONTENT_WITHIN ||
2997  cd->flags & DETECT_CONTENT_DISTANCE ||
2998  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2999  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3000  cd->flags & DETECT_CONTENT_NEGATED ) {
3001  printf("one failed\n");
3002  result = 0;
3003  goto end;
3004  }
3005 
3006  sm = sm->next;
3007  if (sm->type != DETECT_BYTE_EXTRACT) {
3008  result = 0;
3009  goto end;
3010  }
3011  bed = (DetectByteExtractData *)sm->ctx;
3012  if (bed->nbytes != 4 ||
3013  bed->offset != 0 ||
3014  strcmp(bed->name, "two") != 0 ||
3015  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3016  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3017  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3018  bed->align_value != 0 ||
3019  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3020  goto end;
3021  }
3022  if (bed->local_id != 0) {
3023  result = 0;
3024  goto end;
3025  }
3026 
3027  sm = sm->next;
3028  if (sm->type != DETECT_CONTENT) {
3029  result = 0;
3030  goto end;
3031  }
3032  cd = (DetectContentData *)sm->ctx;
3033  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
3034  cd->flags != (DETECT_CONTENT_WITHIN_BE |
3035  DETECT_CONTENT_WITHIN) ||
3036  cd->within != bed->local_id ||
3037  cd->offset != 0 ||
3038  cd->depth != 0 ||
3039  cd->distance != 0) {
3040  printf("three failed\n");
3041  result = 0;
3042  goto end;
3043  }
3044 
3045  if (sm->next != NULL)
3046  goto end;
3047 
3048  result = 1;
3049 
3050  end:
3051  SigGroupCleanup(de_ctx);
3052  SigCleanSignatures(de_ctx);
3053  DetectEngineCtxFree(de_ctx);
3054 
3055  return result;
3056 }
3057 
3058 static int DetectByteExtractTest50(void)
3059 {
3060  DetectEngineCtx *de_ctx = NULL;
3061  int result = 0;
3062  Signature *s = NULL;
3063  SigMatch *sm = NULL;
3064  DetectContentData *cd = NULL;
3065  DetectByteExtractData *bed1 = NULL;
3066  DetectByteExtractData *bed2 = NULL;
3067 
3068  de_ctx = DetectEngineCtxInit();
3069  if (de_ctx == NULL)
3070  goto end;
3071 
3072  de_ctx->flags |= DE_QUIET;
3073  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3074  "(msg:\"Testing bytejump_body\"; "
3075  "content:\"one\"; "
3076  "byte_extract:4,0,two,string,hex; "
3077  "byte_extract:4,0,three,string,hex; "
3078  "content: \"four\"; within:two; "
3079  "content: \"five\"; within:three; "
3080  "sid:1;)");
3081  if (de_ctx->sig_list == NULL) {
3082  result = 0;
3083  goto end;
3084  }
3085 
3086  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3087  result = 0;
3088  goto end;
3089  }
3090 
3091  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3092  if (sm->type != DETECT_CONTENT) {
3093  result = 0;
3094  goto end;
3095  }
3096  cd = (DetectContentData *)sm->ctx;
3097  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3098  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3099  cd->flags & DETECT_CONTENT_NOCASE ||
3100  cd->flags & DETECT_CONTENT_WITHIN ||
3101  cd->flags & DETECT_CONTENT_DISTANCE ||
3102  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3103  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3104  cd->flags & DETECT_CONTENT_NEGATED ) {
3105  printf("one failed\n");
3106  result = 0;
3107  goto end;
3108  }
3109 
3110  sm = sm->next;
3111  if (sm->type != DETECT_BYTE_EXTRACT) {
3112  result = 0;
3113  goto end;
3114  }
3115  bed1 = (DetectByteExtractData *)sm->ctx;
3116  if (bed1->nbytes != 4 ||
3117  bed1->offset != 0 ||
3118  strcmp(bed1->name, "two") != 0 ||
3119  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3120  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3121  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3122  bed1->align_value != 0 ||
3123  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3124  goto end;
3125  }
3126  if (bed1->local_id != 0) {
3127  result = 0;
3128  goto end;
3129  }
3130 
3131  sm = sm->next;
3132  if (sm->type != DETECT_BYTE_EXTRACT) {
3133  result = 0;
3134  goto end;
3135  }
3136  bed2 = (DetectByteExtractData *)sm->ctx;
3137 
3138  sm = sm->next;
3139  if (sm->type != DETECT_CONTENT) {
3140  result = 0;
3141  goto end;
3142  }
3143  cd = (DetectContentData *)sm->ctx;
3144  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3145  cd->flags != (DETECT_CONTENT_WITHIN_BE |
3146  DETECT_CONTENT_WITHIN|
3147  DETECT_CONTENT_WITHIN_NEXT) ||
3148  cd->within != bed1->local_id ||
3149  cd->depth != 0 ||
3150  cd->offset != 0 ||
3151  cd->distance != 0) {
3152  printf("four failed\n");
3153  result = 0;
3154  goto end;
3155  }
3156 
3157  sm = sm->next;
3158  if (sm->type != DETECT_CONTENT) {
3159  result = 0;
3160  goto end;
3161  }
3162  cd = (DetectContentData *)sm->ctx;
3163  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
3164  cd->flags != (DETECT_CONTENT_WITHIN_BE |
3165  DETECT_CONTENT_WITHIN) ||
3166  cd->within != bed2->local_id ||
3167  cd->depth != 0 ||
3168  cd->offset != 0 ||
3169  cd->distance != 0) {
3170  printf("five failed\n");
3171  result = 0;
3172  goto end;
3173  }
3174 
3175  if (sm->next != NULL)
3176  goto end;
3177 
3178  result = 1;
3179 
3180  end:
3181  SigGroupCleanup(de_ctx);
3182  SigCleanSignatures(de_ctx);
3183  DetectEngineCtxFree(de_ctx);
3184 
3185  return result;
3186 }
3187 
3188 static int DetectByteExtractTest51(void)
3189 {
3190  DetectEngineCtx *de_ctx = NULL;
3191  int result = 0;
3192  Signature *s = NULL;
3193  SigMatch *sm = NULL;
3194  DetectContentData *cd = NULL;
3195  DetectByteExtractData *bed = NULL;
3196  DetectBytetestData *btd = NULL;
3197 
3198  de_ctx = DetectEngineCtxInit();
3199  if (de_ctx == NULL)
3200  goto end;
3201 
3202  de_ctx->flags |= DE_QUIET;
3203  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3204  "(msg:\"Testing bytejump_body\"; "
3205  "content:\"one\"; "
3206  "byte_extract:4,0,two,string,hex; "
3207  "byte_test: 2,=,10, two; "
3208  "sid:1;)");
3209  if (de_ctx->sig_list == NULL) {
3210  result = 0;
3211  goto end;
3212  }
3213 
3214  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3215  result = 0;
3216  goto end;
3217  }
3218 
3219  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3220  if (sm->type != DETECT_CONTENT) {
3221  result = 0;
3222  goto end;
3223  }
3224  cd = (DetectContentData *)sm->ctx;
3225  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3226  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3227  cd->flags & DETECT_CONTENT_NOCASE ||
3228  cd->flags & DETECT_CONTENT_WITHIN ||
3229  cd->flags & DETECT_CONTENT_DISTANCE ||
3230  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3231  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3232  cd->flags & DETECT_CONTENT_NEGATED ) {
3233  printf("one failed\n");
3234  result = 0;
3235  goto end;
3236  }
3237 
3238  sm = sm->next;
3239  if (sm->type != DETECT_BYTE_EXTRACT) {
3240  result = 0;
3241  goto end;
3242  }
3243  bed = (DetectByteExtractData *)sm->ctx;
3244  if (bed->nbytes != 4 ||
3245  bed->offset != 0 ||
3246  strcmp(bed->name, "two") != 0 ||
3247  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3248  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3249  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3250  bed->align_value != 0 ||
3251  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3252  goto end;
3253  }
3254  if (bed->local_id != 0) {
3255  result = 0;
3256  goto end;
3257  }
3258 
3259  sm = sm->next;
3260  if (sm->type != DETECT_BYTETEST) {
3261  result = 0;
3262  goto end;
3263  }
3264  btd = (DetectBytetestData *)sm->ctx;
3265  if (btd->flags != DETECT_BYTETEST_OFFSET_BE ||
3266  btd->value != 10 ||
3267  btd->offset != 0) {
3268  printf("three failed\n");
3269  result = 0;
3270  goto end;
3271  }
3272 
3273  if (sm->next != NULL)
3274  goto end;
3275 
3276  result = 1;
3277 
3278  end:
3279  SigGroupCleanup(de_ctx);
3280  SigCleanSignatures(de_ctx);
3281  DetectEngineCtxFree(de_ctx);
3282 
3283  return result;
3284 }
3285 
3286 static int DetectByteExtractTest52(void)
3287 {
3288  DetectEngineCtx *de_ctx = NULL;
3289  int result = 0;
3290  Signature *s = NULL;
3291  SigMatch *sm = NULL;
3292  DetectContentData *cd = NULL;
3293  DetectByteExtractData *bed1 = NULL;
3294  DetectBytetestData *btd = NULL;
3295 
3296  de_ctx = DetectEngineCtxInit();
3297  if (de_ctx == NULL)
3298  goto end;
3299 
3300  de_ctx->flags |= DE_QUIET;
3301  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3302  "(msg:\"Testing bytejump_body\"; "
3303  "content:\"one\"; "
3304  "byte_extract:4,0,two,string,hex; "
3305  "byte_extract:4,0,three,string,hex; "
3306  "byte_test: 2,=,two,three; "
3307  "byte_test: 3,=,10,three; "
3308  "sid:1;)");
3309  if (de_ctx->sig_list == NULL) {
3310  result = 0;
3311  goto end;
3312  }
3313 
3314  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3315  result = 0;
3316  goto end;
3317  }
3318 
3319  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3320  if (sm->type != DETECT_CONTENT) {
3321  result = 0;
3322  goto end;
3323  }
3324  cd = (DetectContentData *)sm->ctx;
3325  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3326  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3327  cd->flags & DETECT_CONTENT_NOCASE ||
3328  cd->flags & DETECT_CONTENT_WITHIN ||
3329  cd->flags & DETECT_CONTENT_DISTANCE ||
3330  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3331  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3332  cd->flags & DETECT_CONTENT_NEGATED ) {
3333  printf("one failed\n");
3334  result = 0;
3335  goto end;
3336  }
3337 
3338  sm = sm->next;
3339  if (sm->type != DETECT_BYTE_EXTRACT) {
3340  result = 0;
3341  goto end;
3342  }
3343  bed1 = (DetectByteExtractData *)sm->ctx;
3344  if (bed1->nbytes != 4 ||
3345  bed1->offset != 0 ||
3346  strcmp(bed1->name, "two") != 0 ||
3347  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3348  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3349  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3350  bed1->align_value != 0 ||
3351  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3352  goto end;
3353  }
3354  if (bed1->local_id != 0) {
3355  result = 0;
3356  goto end;
3357  }
3358 
3359  sm = sm->next;
3360  if (sm->type != DETECT_BYTE_EXTRACT) {
3361  result = 0;
3362  goto end;
3363  }
3364 
3365  sm = sm->next;
3366  if (sm->type != DETECT_BYTETEST) {
3367  result = 0;
3368  goto end;
3369  }
3370  btd = (DetectBytetestData *)sm->ctx;
3371  if (btd->flags != (DETECT_BYTETEST_OFFSET_BE |
3372  DETECT_BYTETEST_VALUE_BE) ||
3373  btd->value != 0 ||
3374  btd->offset != 1) {
3375  printf("three failed\n");
3376  result = 0;
3377  goto end;
3378  }
3379 
3380  sm = sm->next;
3381  if (sm->type != DETECT_BYTETEST) {
3382  result = 0;
3383  goto end;
3384  }
3385  btd = (DetectBytetestData *)sm->ctx;
3386  if (btd->flags != DETECT_BYTETEST_OFFSET_BE ||
3387  btd->value != 10 ||
3388  btd->offset != 1) {
3389  printf("four failed\n");
3390  result = 0;
3391  goto end;
3392  }
3393 
3394  if (sm->next != NULL)
3395  goto end;
3396 
3397  result = 1;
3398 
3399  end:
3400  SigGroupCleanup(de_ctx);
3401  SigCleanSignatures(de_ctx);
3402  DetectEngineCtxFree(de_ctx);
3403 
3404  return result;
3405 }
3406 
3407 static int DetectByteExtractTest53(void)
3408 {
3409  DetectEngineCtx *de_ctx = NULL;
3410  int result = 0;
3411  Signature *s = NULL;
3412  SigMatch *sm = NULL;
3413  DetectContentData *cd = NULL;
3414  DetectByteExtractData *bed = NULL;
3415  DetectBytejumpData *bjd = NULL;
3416 
3417  de_ctx = DetectEngineCtxInit();
3418  if (de_ctx == NULL)
3419  goto end;
3420 
3421  de_ctx->flags |= DE_QUIET;
3422  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3423  "(msg:\"Testing bytejump_body\"; "
3424  "content:\"one\"; "
3425  "byte_extract:4,0,two,string,hex; "
3426  "byte_jump: 2,two; "
3427  "sid:1;)");
3428  if (de_ctx->sig_list == NULL) {
3429  result = 0;
3430  goto end;
3431  }
3432 
3433  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3434  result = 0;
3435  goto end;
3436  }
3437 
3438  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3439  if (sm->type != DETECT_CONTENT) {
3440  result = 0;
3441  goto end;
3442  }
3443  cd = (DetectContentData *)sm->ctx;
3444  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3445  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3446  cd->flags & DETECT_CONTENT_NOCASE ||
3447  cd->flags & DETECT_CONTENT_WITHIN ||
3448  cd->flags & DETECT_CONTENT_DISTANCE ||
3449  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3450  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3451  cd->flags & DETECT_CONTENT_NEGATED ) {
3452  printf("one failed\n");
3453  result = 0;
3454  goto end;
3455  }
3456 
3457  sm = sm->next;
3458  if (sm->type != DETECT_BYTE_EXTRACT) {
3459  result = 0;
3460  goto end;
3461  }
3462  bed = (DetectByteExtractData *)sm->ctx;
3463  if (bed->nbytes != 4 ||
3464  bed->offset != 0 ||
3465  strcmp(bed->name, "two") != 0 ||
3466  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3467  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3468  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3469  bed->align_value != 0 ||
3470  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3471  goto end;
3472  }
3473  if (bed->local_id != 0) {
3474  result = 0;
3475  goto end;
3476  }
3477 
3478  sm = sm->next;
3479  if (sm->type != DETECT_BYTEJUMP) {
3480  result = 0;
3481  goto end;
3482  }
3483  bjd = (DetectBytejumpData *)sm->ctx;
3484  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
3485  bjd->offset != 0) {
3486  printf("three failed\n");
3487  result = 0;
3488  goto end;
3489  }
3490 
3491  if (sm->next != NULL)
3492  goto end;
3493 
3494  result = 1;
3495 
3496  end:
3497  SigGroupCleanup(de_ctx);
3498  SigCleanSignatures(de_ctx);
3499  DetectEngineCtxFree(de_ctx);
3500 
3501  return result;
3502 }
3503 
3504 static int DetectByteExtractTest54(void)
3505 {
3506  DetectEngineCtx *de_ctx = NULL;
3507  int result = 0;
3508  Signature *s = NULL;
3509  SigMatch *sm = NULL;
3510  DetectContentData *cd = NULL;
3511  DetectByteExtractData *bed1 = NULL;
3512  DetectBytejumpData *bjd = NULL;
3513 
3514  de_ctx = DetectEngineCtxInit();
3515  if (de_ctx == NULL)
3516  goto end;
3517 
3518  de_ctx->flags |= DE_QUIET;
3519  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3520  "(msg:\"Testing bytejump_body\"; "
3521  "content:\"one\"; "
3522  "byte_extract:4,0,two,string,hex; "
3523  "byte_extract:4,0,three,string,hex; "
3524  "byte_jump: 2,two; "
3525  "byte_jump: 3,three; "
3526  "sid:1;)");
3527  if (de_ctx->sig_list == NULL) {
3528  result = 0;
3529  goto end;
3530  }
3531 
3532  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3533  result = 0;
3534  goto end;
3535  }
3536 
3537  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3538  if (sm->type != DETECT_CONTENT) {
3539  result = 0;
3540  goto end;
3541  }
3542  cd = (DetectContentData *)sm->ctx;
3543  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3544  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3545  cd->flags & DETECT_CONTENT_NOCASE ||
3546  cd->flags & DETECT_CONTENT_WITHIN ||
3547  cd->flags & DETECT_CONTENT_DISTANCE ||
3548  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3549  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3550  cd->flags & DETECT_CONTENT_NEGATED ) {
3551  printf("one failed\n");
3552  result = 0;
3553  goto end;
3554  }
3555 
3556  sm = sm->next;
3557  if (sm->type != DETECT_BYTE_EXTRACT) {
3558  result = 0;
3559  goto end;
3560  }
3561  bed1 = (DetectByteExtractData *)sm->ctx;
3562  if (bed1->nbytes != 4 ||
3563  bed1->offset != 0 ||
3564  strcmp(bed1->name, "two") != 0 ||
3565  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3566  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3567  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3568  bed1->align_value != 0 ||
3569  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3570  goto end;
3571  }
3572  if (bed1->local_id != 0) {
3573  result = 0;
3574  goto end;
3575  }
3576 
3577  sm = sm->next;
3578  if (sm->type != DETECT_BYTE_EXTRACT) {
3579  result = 0;
3580  goto end;
3581  }
3582 
3583  sm = sm->next;
3584  if (sm->type != DETECT_BYTEJUMP) {
3585  result = 0;
3586  goto end;
3587  }
3588  bjd = (DetectBytejumpData *)sm->ctx;
3589  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
3590  bjd->offset != 0) {
3591  printf("three failed\n");
3592  result = 0;
3593  goto end;
3594  }
3595 
3596  sm = sm->next;
3597  if (sm->type != DETECT_BYTEJUMP) {
3598  result = 0;
3599  goto end;
3600  }
3601  bjd = (DetectBytejumpData *)sm->ctx;
3602  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
3603  bjd->offset != 1) {
3604  printf("four failed\n");
3605  result = 0;
3606  goto end;
3607  }
3608 
3609  if (sm->next != NULL)
3610  goto end;
3611 
3612  result = 1;
3613 
3614  end:
3615  SigGroupCleanup(de_ctx);
3616  SigCleanSignatures(de_ctx);
3617  DetectEngineCtxFree(de_ctx);
3618 
3619  return result;
3620 }
3621 
3622 static int DetectByteExtractTest55(void)
3623 {
3624  DetectEngineCtx *de_ctx = NULL;
3625  int result = 0;
3626  Signature *s = NULL;
3627  SigMatch *sm = NULL;
3628  DetectContentData *cd = NULL;
3629  DetectByteExtractData *bed1 = NULL;
3630  DetectByteExtractData *bed2 = NULL;
3631 
3632  de_ctx = DetectEngineCtxInit();
3633  if (de_ctx == NULL)
3634  goto end;
3635 
3636  de_ctx->flags |= DE_QUIET;
3637  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3638  "(msg:\"Testing byte_extract\"; "
3639  "content:\"one\"; "
3640  "byte_extract:4,0,two,string,hex; "
3641  "byte_extract:4,0,three,string,hex; "
3642  "byte_extract:4,0,four,string,hex; "
3643  "byte_extract:4,0,five,string,hex; "
3644  "content: \"four\"; within:two; distance:three; "
3645  "sid:1;)");
3646  if (de_ctx->sig_list == NULL) {
3647  goto end;
3648  }
3649 
3650  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3651  goto end;
3652  }
3653 
3654  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3655  if (sm->type != DETECT_CONTENT) {
3656  goto end;
3657  }
3658  cd = (DetectContentData *)sm->ctx;
3659  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3660  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3661  cd->flags & DETECT_CONTENT_NOCASE ||
3662  cd->flags & DETECT_CONTENT_WITHIN ||
3663  cd->flags & DETECT_CONTENT_DISTANCE ||
3664  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3665  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3666  cd->flags & DETECT_CONTENT_NEGATED ) {
3667  printf("one failed: ");
3668  goto end;
3669  }
3670 
3671  sm = sm->next;
3672  if (sm->type != DETECT_BYTE_EXTRACT) {
3673  goto end;
3674  }
3675  bed1 = (DetectByteExtractData *)sm->ctx;
3676  if (bed1->nbytes != 4 ||
3677  bed1->offset != 0 ||
3678  strcmp(bed1->name, "two") != 0 ||
3679  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3680  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3681  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3682  bed1->align_value != 0 ||
3683  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3684  goto end;
3685  }
3686  if (bed1->local_id != 0) {
3687  goto end;
3688  }
3689 
3690  sm = sm->next;
3691  if (sm->type != DETECT_BYTE_EXTRACT) {
3692  goto end;
3693  }
3694  bed2 = (DetectByteExtractData *)sm->ctx;
3695 
3696  sm = sm->next;
3697  if (sm->type != DETECT_BYTE_EXTRACT) {
3698  goto end;
3699  }
3700 
3701  sm = sm->next;
3702  if (sm->type != DETECT_BYTE_EXTRACT) {
3703  goto end;
3704  }
3705 
3706  sm = sm->next;
3707  if (sm->type != DETECT_CONTENT) {
3708  goto end;
3709  }
3710  cd = (DetectContentData *)sm->ctx;
3711  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3712  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
3713  DETECT_CONTENT_WITHIN_BE |
3714  DETECT_CONTENT_DISTANCE |
3715  DETECT_CONTENT_WITHIN) ||
3716  cd->within != bed1->local_id ||
3717  cd->distance != bed2->local_id) {
3718  printf("four failed: ");
3719  goto end;
3720  }
3721 
3722  if (sm->next != NULL) {
3723  goto end;
3724  }
3725 
3726  result = 1;
3727 
3728  end:
3729  SigGroupCleanup(de_ctx);
3730  SigCleanSignatures(de_ctx);
3731  DetectEngineCtxFree(de_ctx);
3732 
3733  return result;
3734 }
3735 
3736 static int DetectByteExtractTest56(void)
3737 {
3738  DetectEngineCtx *de_ctx = NULL;
3739  int result = 0;
3740  Signature *s = NULL;
3741  SigMatch *sm = NULL;
3742  DetectContentData *cd = NULL;
3743  DetectByteExtractData *bed1 = NULL;
3744  DetectByteExtractData *bed2 = NULL;
3745 
3746  de_ctx = DetectEngineCtxInit();
3747  if (de_ctx == NULL)
3748  goto end;
3749 
3750  de_ctx->flags |= DE_QUIET;
3751  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3752  "(msg:\"Testing bytejump_body\"; "
3753  "uricontent:\"urione\"; "
3754  "content:\"one\"; "
3755  "byte_extract:4,0,two,string,hex; "
3756  "byte_extract:4,0,three,string,hex; "
3757  "byte_extract:4,0,four,string,hex; "
3758  "byte_extract:4,0,five,string,hex; "
3759  "content: \"four\"; within:two; distance:three; "
3760  "sid:1;)");
3761  if (de_ctx->sig_list == NULL) {
3762  result = 0;
3763  goto end;
3764  }
3765 
3766  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3767  result = 0;
3768  goto end;
3769  }
3770 
3771  sm = s->sm_lists[g_http_uri_buffer_id];
3772  if (sm->type != DETECT_CONTENT) {
3773  result = 0;
3774  goto end;
3775  }
3776  cd = (DetectContentData *)sm->ctx;
3777  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3778  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3779  cd->flags & DETECT_CONTENT_NOCASE ||
3780  cd->flags & DETECT_CONTENT_WITHIN ||
3781  cd->flags & DETECT_CONTENT_DISTANCE ||
3782  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3783  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3784  cd->flags & DETECT_CONTENT_NEGATED ) {
3785  printf("one failed\n");
3786  result = 0;
3787  goto end;
3788  }
3789 
3790  if (sm->next != NULL)
3791  goto end;
3792 
3793  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3794  if (sm->type != DETECT_CONTENT) {
3795  result = 0;
3796  goto end;
3797  }
3798  cd = (DetectContentData *)sm->ctx;
3799  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3800  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3801  cd->flags & DETECT_CONTENT_NOCASE ||
3802  cd->flags & DETECT_CONTENT_WITHIN ||
3803  cd->flags & DETECT_CONTENT_DISTANCE ||
3804  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3805  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3806  cd->flags & DETECT_CONTENT_NEGATED ) {
3807  printf("one failed\n");
3808  result = 0;
3809  goto end;
3810  }
3811 
3812  sm = sm->next;
3813  if (sm->type != DETECT_BYTE_EXTRACT) {
3814  result = 0;
3815  goto end;
3816  }
3817  bed1 = (DetectByteExtractData *)sm->ctx;
3818  if (bed1->nbytes != 4 ||
3819  bed1->offset != 0 ||
3820  strcmp(bed1->name, "two") != 0 ||
3821  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3822  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3823  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3824  bed1->align_value != 0 ||
3825  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3826  goto end;
3827  }
3828  if (bed1->local_id != 0) {
3829  result = 0;
3830  goto end;
3831  }
3832 
3833  sm = sm->next;
3834  if (sm->type != DETECT_BYTE_EXTRACT) {
3835  result = 0;
3836  goto end;
3837  }
3838  bed2 = (DetectByteExtractData *)sm->ctx;
3839 
3840  sm = sm->next;
3841  if (sm->type != DETECT_BYTE_EXTRACT) {
3842  result = 0;
3843  goto end;
3844  }
3845 
3846  sm = sm->next;
3847  if (sm->type != DETECT_BYTE_EXTRACT) {
3848  result = 0;
3849  goto end;
3850  }
3851 
3852  sm = sm->next;
3853  if (sm->type != DETECT_CONTENT) {
3854  result = 0;
3855  goto end;
3856  }
3857  cd = (DetectContentData *)sm->ctx;
3858  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3859  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
3860  DETECT_CONTENT_WITHIN_BE |
3861  DETECT_CONTENT_DISTANCE |
3862  DETECT_CONTENT_WITHIN) ||
3863  cd->within != bed1->local_id ||
3864  cd->distance != bed2->local_id ) {
3865  printf("four failed\n");
3866  result = 0;
3867  goto end;
3868  }
3869 
3870  if (sm->next != NULL) {
3871  goto end;
3872  }
3873 
3874  result = 1;
3875 
3876  end:
3877  SigGroupCleanup(de_ctx);
3878  SigCleanSignatures(de_ctx);
3879  DetectEngineCtxFree(de_ctx);
3880 
3881  return result;
3882 }
3883 
3884 static int DetectByteExtractTest57(void)
3885 {
3886  DetectEngineCtx *de_ctx = NULL;
3887  int result = 0;
3888  Signature *s = NULL;
3889  SigMatch *sm = NULL;
3890  DetectContentData *cd = NULL;
3891  DetectByteExtractData *bed1 = NULL;
3892  DetectByteExtractData *bed2 = NULL;
3893  DetectByteExtractData *bed3 = NULL;
3894  DetectByteExtractData *bed4 = NULL;
3895 
3896  de_ctx = DetectEngineCtxInit();
3897  if (de_ctx == NULL)
3898  goto end;
3899 
3900  de_ctx->flags |= DE_QUIET;
3901  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3902  "(msg:\"Testing bytejump_body\"; "
3903  "content:\"one\"; "
3904  "uricontent: \"urione\"; "
3905  "byte_extract:4,0,two,string,hex,relative; "
3906  "byte_extract:4,0,three,string,hex,relative; "
3907  "byte_extract:4,0,four,string,hex,relative; "
3908  "byte_extract:4,0,five,string,hex,relative; "
3909  "uricontent: \"four\"; within:two; distance:three; "
3910  "sid:1;)");
3911  if (de_ctx->sig_list == NULL) {
3912  result = 0;
3913  goto end;
3914  }
3915 
3916  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3917  result = 0;
3918  goto end;
3919  }
3920 
3921  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3922  if (sm->type != DETECT_CONTENT) {
3923  result = 0;
3924  goto end;
3925  }
3926  cd = (DetectContentData *)sm->ctx;
3927  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3928  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3929  cd->flags & DETECT_CONTENT_NOCASE ||
3930  cd->flags & DETECT_CONTENT_WITHIN ||
3931  cd->flags & DETECT_CONTENT_DISTANCE ||
3932  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3933  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3934  cd->flags & DETECT_CONTENT_NEGATED ) {
3935  printf("one failed\n");
3936  result = 0;
3937  goto end;
3938  }
3939 
3940  if (sm->next != NULL)
3941  goto end;
3942 
3943  sm = s->sm_lists[g_http_uri_buffer_id];
3944  if (sm->type != DETECT_CONTENT) {
3945  result = 0;
3946  goto end;
3947  }
3948  cd = (DetectContentData *)sm->ctx;
3949  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3950  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3951  cd->flags & DETECT_CONTENT_NOCASE ||
3952  cd->flags & DETECT_CONTENT_WITHIN ||
3953  cd->flags & DETECT_CONTENT_DISTANCE ||
3954  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3955  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3956  cd->flags & DETECT_CONTENT_NEGATED ) {
3957  printf("one failed\n");
3958  result = 0;
3959  goto end;
3960  }
3961 
3962  sm = sm->next;
3963  if (sm->type != DETECT_BYTE_EXTRACT) {
3964  result = 0;
3965  goto end;
3966  }
3967  bed1 = (DetectByteExtractData *)sm->ctx;
3968  if (bed1->nbytes != 4 ||
3969  bed1->offset != 0 ||
3970  strcmp(bed1->name, "two") != 0 ||
3971  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
3972  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3973  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3974  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3975  bed1->align_value != 0 ||
3976  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3977  goto end;
3978  }
3979  if (bed1->local_id != 0) {
3980  result = 0;
3981  goto end;
3982  }
3983 
3984  sm = sm->next;
3985  if (sm->type != DETECT_BYTE_EXTRACT) {
3986  result = 0;
3987  goto end;
3988  }
3989  bed2 = (DetectByteExtractData *)sm->ctx;
3990  if (bed2->local_id != 1) {
3991  result = 0;
3992  goto end;
3993  }
3994 
3995  sm = sm->next;
3996  if (sm->type != DETECT_BYTE_EXTRACT) {
3997  result = 0;
3998  goto end;
3999  }
4000  bed3 = (DetectByteExtractData *)sm->ctx;
4001  if (bed3->local_id != 2) {
4002  result = 0;
4003  goto end;
4004  }
4005 
4006  sm = sm->next;
4007  if (sm->type != DETECT_BYTE_EXTRACT) {
4008  result = 0;
4009  goto end;
4010  }
4011  bed4 = (DetectByteExtractData *)sm->ctx;
4012  if (bed4->local_id != 3) {
4013  result = 0;
4014  goto end;
4015  }
4016 
4017  sm = sm->next;
4018  if (sm->type != DETECT_CONTENT) {
4019  result = 0;
4020  goto end;
4021  }
4022  cd = (DetectContentData *)sm->ctx;
4023  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
4024  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
4025  DETECT_CONTENT_WITHIN_BE |
4026  DETECT_CONTENT_DISTANCE |
4027  DETECT_CONTENT_WITHIN) ||
4028  cd->within != bed1->local_id ||
4029  cd->distance != bed2->local_id) {
4030  printf("four failed\n");
4031  result = 0;
4032  goto end;
4033  }
4034 
4035  if (sm->next != NULL) {
4036  goto end;
4037  }
4038 
4039  result = 1;
4040 
4041  end:
4042  SigGroupCleanup(de_ctx);
4043  SigCleanSignatures(de_ctx);
4044  DetectEngineCtxFree(de_ctx);
4045 
4046  return result;
4047 }
4048 
4049 static int DetectByteExtractTest58(void)
4050 {
4051  DetectEngineCtx *de_ctx = NULL;
4052  int result = 0;
4053  Signature *s = NULL;
4054  SigMatch *sm = NULL;
4055  DetectContentData *cd = NULL;
4056  DetectByteExtractData *bed1 = NULL;
4057  DetectBytejumpData *bjd = NULL;
4058  DetectIsdataatData *isdd = NULL;
4059 
4060  de_ctx = DetectEngineCtxInit();
4061  if (de_ctx == NULL)
4062  goto end;
4063 
4064  de_ctx->flags |= DE_QUIET;
4065  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4066  "(msg:\"Testing bytejump_body\"; "
4067  "content:\"one\"; "
4068  "byte_extract:4,0,two,string,hex; "
4069  "byte_extract:4,0,three,string,hex; "
4070  "byte_jump: 2,two; "
4071  "byte_jump: 3,three; "
4072  "isdataat: three; "
4073  "sid:1;)");
4074  if (de_ctx->sig_list == NULL) {
4075  result = 0;
4076  goto end;
4077  }
4078 
4079  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4080  result = 0;
4081  goto end;
4082  }
4083 
4084  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4085  if (sm->type != DETECT_CONTENT) {
4086  result = 0;
4087  goto end;
4088  }
4089  cd = (DetectContentData *)sm->ctx;
4090  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4091  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4092  cd->flags & DETECT_CONTENT_NOCASE ||
4093  cd->flags & DETECT_CONTENT_WITHIN ||
4094  cd->flags & DETECT_CONTENT_DISTANCE ||
4095  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4096  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4097  cd->flags & DETECT_CONTENT_NEGATED ) {
4098  printf("one failed\n");
4099  result = 0;
4100  goto end;
4101  }
4102 
4103  sm = sm->next;
4104  if (sm->type != DETECT_BYTE_EXTRACT) {
4105  result = 0;
4106  goto end;
4107  }
4108  bed1 = (DetectByteExtractData *)sm->ctx;
4109  if (bed1->nbytes != 4 ||
4110  bed1->offset != 0 ||
4111  strcmp(bed1->name, "two") != 0 ||
4112  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4113  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4114  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4115  bed1->align_value != 0 ||
4116  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4117  goto end;
4118  }
4119  if (bed1->local_id != 0) {
4120  result = 0;
4121  goto end;
4122  }
4123 
4124  sm = sm->next;
4125  if (sm->type != DETECT_BYTE_EXTRACT) {
4126  result = 0;
4127  goto end;
4128  }
4129 
4130  sm = sm->next;
4131  if (sm->type != DETECT_BYTEJUMP) {
4132  result = 0;
4133  goto end;
4134  }
4135  bjd = (DetectBytejumpData *)sm->ctx;
4136  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
4137  bjd->offset != 0) {
4138  printf("three failed\n");
4139  result = 0;
4140  goto end;
4141  }
4142 
4143  sm = sm->next;
4144  if (sm->type != DETECT_BYTEJUMP) {
4145  result = 0;
4146  goto end;
4147  }
4148  bjd = (DetectBytejumpData *)sm->ctx;
4149  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
4150  bjd->offset != 1) {
4151  printf("four failed\n");
4152  result = 0;
4153  goto end;
4154  }
4155 
4156  sm = sm->next;
4157  if (sm->type != DETECT_ISDATAAT) {
4158  result = 0;
4159  goto end;
4160  }
4161  isdd = (DetectIsdataatData *)sm->ctx;
4162  if (isdd->flags != ISDATAAT_OFFSET_BE ||
4163  isdd->dataat != 1) {
4164  printf("isdataat failed\n");
4165  result = 0;
4166  goto end;
4167  }
4168 
4169  if (sm->next != NULL)
4170  goto end;
4171 
4172  result = 1;
4173 
4174  end:
4175  SigGroupCleanup(de_ctx);
4176  SigCleanSignatures(de_ctx);
4177  DetectEngineCtxFree(de_ctx);
4178 
4179  return result;
4180 }
4181 
4182 static int DetectByteExtractTest59(void)
4183 {
4184  DetectEngineCtx *de_ctx = NULL;
4185  int result = 0;
4186  Signature *s = NULL;
4187  SigMatch *sm = NULL;
4188  DetectContentData *cd = NULL;
4189  DetectByteExtractData *bed1 = NULL;
4190  DetectBytejumpData *bjd = NULL;
4191  DetectIsdataatData *isdd = NULL;
4192 
4193  de_ctx = DetectEngineCtxInit();
4194  if (de_ctx == NULL)
4195  goto end;
4196 
4197  de_ctx->flags |= DE_QUIET;
4198  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4199  "(msg:\"Testing bytejump_body\"; "
4200  "content:\"one\"; "
4201  "byte_extract:4,0,two,string,hex; "
4202  "byte_extract:4,0,three,string,hex; "
4203  "byte_jump: 2,two; "
4204  "byte_jump: 3,three; "
4205  "isdataat: three,relative; "
4206  "sid:1;)");
4207  if (de_ctx->sig_list == NULL) {
4208  result = 0;
4209  goto end;
4210  }
4211 
4212  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4213  result = 0;
4214  goto end;
4215  }
4216 
4217  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4218  if (sm->type != DETECT_CONTENT) {
4219  result = 0;
4220  goto end;
4221  }
4222  cd = (DetectContentData *)sm->ctx;
4223  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4224  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4225  cd->flags & DETECT_CONTENT_NOCASE ||
4226  cd->flags & DETECT_CONTENT_WITHIN ||
4227  cd->flags & DETECT_CONTENT_DISTANCE ||
4228  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4229  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4230  cd->flags & DETECT_CONTENT_NEGATED ) {
4231  printf("one failed\n");
4232  result = 0;
4233  goto end;
4234  }
4235 
4236  sm = sm->next;
4237  if (sm->type != DETECT_BYTE_EXTRACT) {
4238  result = 0;
4239  goto end;
4240  }
4241  bed1 = (DetectByteExtractData *)sm->ctx;
4242  if (bed1->nbytes != 4 ||
4243  bed1->offset != 0 ||
4244  strcmp(bed1->name, "two") != 0 ||
4245  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4246  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4247  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4248  bed1->align_value != 0 ||
4249  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4250  goto end;
4251  }
4252  if (bed1->local_id != 0) {
4253  result = 0;
4254  goto end;
4255  }
4256 
4257  sm = sm->next;
4258  if (sm->type != DETECT_BYTE_EXTRACT) {
4259  result = 0;
4260  goto end;
4261  }
4262 
4263  sm = sm->next;
4264  if (sm->type != DETECT_BYTEJUMP) {
4265  result = 0;
4266  goto end;
4267  }
4268  bjd = (DetectBytejumpData *)sm->ctx;
4269  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
4270  bjd->offset != 0) {
4271  printf("three failed\n");
4272  result = 0;
4273  goto end;
4274  }
4275 
4276  sm = sm->next;
4277  if (sm->type != DETECT_BYTEJUMP) {
4278  result = 0;
4279  goto end;
4280  }
4281  bjd = (DetectBytejumpData *)sm->ctx;
4282  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
4283  bjd->offset != 1) {
4284  printf("four failed\n");
4285  result = 0;
4286  goto end;
4287  }
4288 
4289  sm = sm->next;
4290  if (sm->type != DETECT_ISDATAAT) {
4291  result = 0;
4292  goto end;
4293  }
4294  isdd = (DetectIsdataatData *)sm->ctx;
4295  if (isdd->flags != (ISDATAAT_OFFSET_BE |
4296  ISDATAAT_RELATIVE) ||
4297  isdd->dataat != 1) {
4298  printf("isdataat failed\n");
4299  result = 0;
4300  goto end;
4301  }
4302 
4303  if (sm->next != NULL)
4304  goto end;
4305 
4306  result = 1;
4307 
4308  end:
4309  SigGroupCleanup(de_ctx);
4310  SigCleanSignatures(de_ctx);
4311  DetectEngineCtxFree(de_ctx);
4312 
4313  return result;
4314 }
4315 
4316 static int DetectByteExtractTest60(void)
4317 {
4318  DetectEngineCtx *de_ctx = NULL;
4319  int result = 0;
4320  Signature *s = NULL;
4321  SigMatch *sm = NULL;
4322  DetectContentData *cd = NULL;
4323  DetectByteExtractData *bed1 = NULL;
4324  DetectIsdataatData *isdd = NULL;
4325 
4326  de_ctx = DetectEngineCtxInit();
4327  if (de_ctx == NULL)
4328  goto end;
4329 
4330  de_ctx->flags |= DE_QUIET;
4331  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4332  "(msg:\"Testing bytejump_body\"; "
4333  "content:\"one\"; "
4334  "byte_extract:4,0,two,string,hex,relative; "
4335  "uricontent: \"three\"; "
4336  "byte_extract:4,0,four,string,hex,relative; "
4337  "isdataat: two; "
4338  "sid:1;)");
4339  if (de_ctx->sig_list == NULL) {
4340  result = 0;
4341  goto end;
4342  }
4343 
4344  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4345  result = 0;
4346  goto end;
4347  }
4348 
4349  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4350  if (sm->type != DETECT_CONTENT) {
4351  result = 0;
4352  goto end;
4353  }
4354  cd = (DetectContentData *)sm->ctx;
4355  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4356  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4357  cd->flags & DETECT_CONTENT_NOCASE ||
4358  cd->flags & DETECT_CONTENT_WITHIN ||
4359  cd->flags & DETECT_CONTENT_DISTANCE ||
4360  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4361  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4362  cd->flags & DETECT_CONTENT_NEGATED ) {
4363  printf("one failed\n");
4364  result = 0;
4365  goto end;
4366  }
4367 
4368  sm = sm->next;
4369  if (sm->type != DETECT_BYTE_EXTRACT) {
4370  result = 0;
4371  goto end;
4372  }
4373  bed1 = (DetectByteExtractData *)sm->ctx;
4374  if (bed1->nbytes != 4 ||
4375  bed1->offset != 0 ||
4376  strcmp(bed1->name, "two") != 0 ||
4377  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4378  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4379  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4380  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4381  bed1->align_value != 0 ||
4382  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4383  goto end;
4384  }
4385  if (bed1->local_id != 0) {
4386  result = 0;
4387  goto end;
4388  }
4389 
4390  sm = sm->next;
4391  if (sm->type != DETECT_ISDATAAT) {
4392  result = 0;
4393  goto end;
4394  }
4395  isdd = (DetectIsdataatData *)sm->ctx;
4396  if (isdd->flags != (ISDATAAT_OFFSET_BE) ||
4397  isdd->dataat != bed1->local_id) {
4398  printf("isdataat failed\n");
4399  result = 0;
4400  goto end;
4401  }
4402 
4403  if (sm->next != NULL)
4404  goto end;
4405 
4406  if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
4407  result = 0;
4408  goto end;
4409  }
4410 
4411  sm = s->sm_lists[g_http_uri_buffer_id];
4412  if (sm->type != DETECT_CONTENT) {
4413  result = 0;
4414  goto end;
4415  }
4416  cd = (DetectContentData *)sm->ctx;
4417  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4418  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4419  printf("one failed\n");
4420  result = 0;
4421  goto end;
4422  }
4423 
4424  sm = sm->next;
4425  if (sm->type != DETECT_BYTE_EXTRACT) {
4426  result = 0;
4427  goto end;
4428  }
4429  bed1 = (DetectByteExtractData *)sm->ctx;
4430  if (bed1->nbytes != 4 ||
4431  bed1->offset != 0 ||
4432  strcmp(bed1->name, "four") != 0 ||
4433  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4434  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4435  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4436  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4437  bed1->align_value != 0 ||
4438  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4439  goto end;
4440  }
4441  if (bed1->local_id != 0) {
4442  result = 0;
4443  goto end;
4444  }
4445 
4446  if (sm->next != NULL)
4447  goto end;
4448 
4449  result = 1;
4450 
4451  end:
4452  SigGroupCleanup(de_ctx);
4453  SigCleanSignatures(de_ctx);
4454  DetectEngineCtxFree(de_ctx);
4455 
4456  return result;
4457 }
4458 
4459 static int DetectByteExtractTest61(void)
4460 {
4461  DetectEngineCtx *de_ctx = NULL;
4462  int result = 0;
4463  Signature *s = NULL;
4464  SigMatch *sm = NULL;
4465  DetectContentData *cd = NULL;
4466  DetectByteExtractData *bed1 = NULL;
4467  DetectIsdataatData *isdd = NULL;
4468 
4469  de_ctx = DetectEngineCtxInit();
4470  if (de_ctx == NULL)
4471  goto end;
4472 
4473  de_ctx->flags |= DE_QUIET;
4474  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4475  "(msg:\"Testing bytejump_body\"; "
4476  "content:\"one\"; "
4477  "byte_extract:4,0,two,string,hex,relative; "
4478  "uricontent: \"three\"; "
4479  "byte_extract:4,0,four,string,hex,relative; "
4480  "isdataat: four, relative; "
4481  "sid:1;)");
4482  if (de_ctx->sig_list == NULL) {
4483  result = 0;
4484  goto end;
4485  }
4486 
4487  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4488  result = 0;
4489  goto end;
4490  }
4491 
4492  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4493  if (sm->type != DETECT_CONTENT) {
4494  result = 0;
4495  goto end;
4496  }
4497  cd = (DetectContentData *)sm->ctx;
4498  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4499  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4500  cd->flags & DETECT_CONTENT_NOCASE ||
4501  cd->flags & DETECT_CONTENT_WITHIN ||
4502  cd->flags & DETECT_CONTENT_DISTANCE ||
4503  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4504  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4505  cd->flags & DETECT_CONTENT_NEGATED ) {
4506  printf("one failed\n");
4507  result = 0;
4508  goto end;
4509  }
4510 
4511  sm = sm->next;
4512  if (sm->type != DETECT_BYTE_EXTRACT) {
4513  result = 0;
4514  goto end;
4515  }
4516  bed1 = (DetectByteExtractData *)sm->ctx;
4517  if (bed1->nbytes != 4 ||
4518  bed1->offset != 0 ||
4519  strcmp(bed1->name, "two") != 0 ||
4520  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4521  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4522  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4523  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4524  bed1->align_value != 0 ||
4525  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4526  goto end;
4527  }
4528  if (bed1->local_id != 0) {
4529  result = 0;
4530  goto end;
4531  }
4532 
4533  if (sm->next != NULL)
4534  goto end;
4535 
4536  if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
4537  result = 0;
4538  goto end;
4539  }
4540 
4541  sm = s->sm_lists[g_http_uri_buffer_id];
4542  if (sm->type != DETECT_CONTENT) {
4543  result = 0;
4544  goto end;
4545  }
4546  cd = (DetectContentData *)sm->ctx;
4547  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4548  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4549  printf("one failed\n");
4550  result = 0;
4551  goto end;
4552  }
4553 
4554  sm = sm->next;
4555  if (sm->type != DETECT_BYTE_EXTRACT) {
4556  result = 0;
4557  goto end;
4558  }
4559  bed1 = (DetectByteExtractData *)sm->ctx;
4560  if (bed1->nbytes != 4 ||
4561  bed1->offset != 0 ||
4562  strcmp(bed1->name, "four") != 0 ||
4563  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4564  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4565  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4566  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4567  bed1->align_value != 0 ||
4568  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4569  goto end;
4570  }
4571  if (bed1->local_id != 0) {
4572  result = 0;
4573  goto end;
4574  }
4575 
4576  sm = sm->next;
4577  if (sm->type != DETECT_ISDATAAT) {
4578  result = 0;
4579  goto end;
4580  }
4581  isdd = (DetectIsdataatData *)sm->ctx;
4582  if (isdd->flags != (ISDATAAT_OFFSET_BE |
4583  ISDATAAT_RELATIVE) ||
4584  isdd->dataat != bed1->local_id) {
4585  printf("isdataat failed\n");
4586  result = 0;
4587  goto end;
4588  }
4589 
4590  if (sm->next != NULL)
4591  goto end;
4592 
4593  result = 1;
4594 
4595  end:
4596  SigGroupCleanup(de_ctx);
4597  SigCleanSignatures(de_ctx);
4598  DetectEngineCtxFree(de_ctx);
4599 
4600  return result;
4601 }
4602 
4603 static int DetectByteExtractTest62(void)
4604 {
4605  DetectEngineCtx *de_ctx = NULL;
4606  int result = 0;
4607  Signature *s = NULL;
4608  SigMatch *sm = NULL;
4609  DetectByteExtractData *bed = NULL;
4610 
4611  de_ctx = DetectEngineCtxInit();
4612  if (de_ctx == NULL)
4613  goto end;
4614 
4615  de_ctx->flags |= DE_QUIET;
4616  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4617  "(file_data; byte_extract:4,2,two,relative,string,hex; "
4618  "sid:1;)");
4619  if (de_ctx->sig_list == NULL) {
4620  goto end;
4621  }
4622 
4623  if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) {
4624  goto end;
4625  }
4626 
4627  sm = s->sm_lists[g_file_data_buffer_id];
4628  if (sm->type != DETECT_BYTE_EXTRACT) {
4629  result = 0;
4630  goto end;
4631  }
4632  bed = (DetectByteExtractData *)sm->ctx;
4633  if (bed->nbytes != 4 ||
4634  bed->offset != 2 ||
4635  strncmp(bed->name, "two", 3) != 0 ||
4636  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4637  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4638  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4639  bed->align_value != 0 ||
4640  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4641  goto end;
4642  }
4643 
4644  result = 1;
4645 
4646  end:
4647  SigGroupCleanup(de_ctx);
4648  SigCleanSignatures(de_ctx);
4649  DetectEngineCtxFree(de_ctx);
4650 
4651  return result;
4652 }
4653 
4654 static int DetectByteExtractTest63(void)
4655 {
4656  int result = 0;
4657 
4658  DetectByteExtractData *bed = DetectByteExtractParse("4, -2, one");
4659  if (bed == NULL)
4660  goto end;
4661 
4662  if (bed->nbytes != 4 ||
4663  bed->offset != -2 ||
4664  strcmp(bed->name, "one") != 0 ||
4665  bed->flags != 0 ||
4666  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
4667  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
4668  bed->align_value != 0 ||
4669  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4670  goto end;
4671  }
4672 
4673  result = 1;
4674  end:
4675  if (bed != NULL)
4676  DetectByteExtractFree(bed);
4677  return result;
4678 }
4679 
4680 static int DetectByteExtractTestParseNoBase(void)
4681 {
4682  int result = 0;
4683 
4684  DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, string");
4685  if (bed == NULL)
4686  goto end;
4687 
4688  if (bed->nbytes != 4) {
4689  goto end;
4690  }
4691  if (bed->offset != 2) {
4692  goto end;
4693  }
4694  if (strcmp(bed->name, "one") != 0) {
4695  goto end;
4696  }
4697  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4698  goto end;
4699  }
4700  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
4701  goto end;
4702  }
4703  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4704  goto end;
4705  }
4706  if (bed->align_value != 0) {
4707  goto end;
4708  }
4709  if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4710  goto end;
4711  }
4712 
4713  result = 1;
4714  end:
4715  if (bed != NULL)
4716  DetectByteExtractFree(bed);
4717  return result;
4718 }
4719 
4720 #endif /* UNITTESTS */
4721 
4722 static void DetectByteExtractRegisterTests(void)
4723 {
4724 #ifdef UNITTESTS
4725  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4726  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4727 
4728  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4729  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4730  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4731  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4732  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4733  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4734  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4735  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4736  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4737  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4738  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4739  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4740  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4741  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4742  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4743  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4744  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4745  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4746  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4747  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4748  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4749  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4750  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4751  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4752  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4753  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4754  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4755  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4756  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4757  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4758  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4759  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4760  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4761  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4762  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4763  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4764  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4765  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4766  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4767  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4768  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4769  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4770 
4771  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4772  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4773 
4774  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4775  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4776 
4777  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4778  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4779 
4780  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4781  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4782 
4783  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4784  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4785 
4786  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4787  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4788 
4789  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4790  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4791  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4792 
4793  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4794  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4795  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4796  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4797  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4798  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4799 
4800  UtRegisterTest("DetectByteExtractTestParseNoBase",
4801  DetectByteExtractTestParseNoBase);
4802 #endif /* UNITTESTS */
4803 
4804  return;
4805 }
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:101
DetectByteExtractData_::offset
int32_t offset
Definition: detect-byte-extract.h:49
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:74
ISDATAAT_OFFSET_BE
#define ISDATAAT_OFFSET_BE
Definition: detect-isdataat.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1409
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:564
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1150
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
detect-content.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
DETECT_BYTE_EXTRACT_FLAG_STRING
#define DETECT_BYTE_EXTRACT_FLAG_STRING
Definition: detect-byte-extract.h:30
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1392
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id...
Definition: detect-parse.c:479
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:57
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:815
Signature_::flags
uint32_t flags
Definition: detect.h:497
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:76
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1936
DetectBytejumpData_
Definition: detect-bytejump.h:43
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:59
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:730
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:58
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:58
offset
uint64_t offset
Definition: util-streaming-buffer.h:1478
DetectIsdataatData_
Definition: detect-isdataat.h:35
SigMatchData_
Data needed for Match()
Definition: detect.h:331
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DETECT_CONTENT_DISTANCE_BE
#define DETECT_CONTENT_DISTANCE_BE
Definition: detect-content.h:47
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
DetectBytetestData_
Definition: detect-bytetest.h:52
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:995
SigTableElmt_::name
const char * name
Definition: detect.h:1164
Signature_
Signature container.
Definition: detect.h:496
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:223
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:42
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:72
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:326
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:724
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:239
DETECT_CONTENT_WITHIN_BE
#define DETECT_CONTENT_WITHIN_BE
Definition: detect-content.h:48
DetectBytejumpData_::flags
uint8_t flags
Definition: detect-bytejump.h:46
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
DE_QUIET
#define DE_QUIET
Definition: detect.h:296
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:698
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:60
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:725
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:100
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1155
DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
Definition: detect-byte-extract.c:65
DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
Definition: detect-byte-extract.c:53
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2302
DETECT_BYTE_EXTRACT_FLAG_RELATIVE
#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE
Definition: detect-byte-extract.h:28
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, uint8_t *payload, uint16_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:110
DetectByteExtractData_::endian
uint8_t endian
Definition: detect-byte-extract.h:52
DETECT_BYTETEST_VALUE_BE
#define DETECT_BYTETEST_VALUE_BE
Definition: detect-bytetest.h:49
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:118
DETECT_BYTE_EXTRACT_ENDIAN_BIG
#define DETECT_BYTE_EXTRACT_ENDIAN_BIG
Definition: detect-byte-extract.h:36
DetectByteExtractData_::align_value
uint8_t align_value
Definition: detect-byte-extract.h:54
Signature_::alproto
AppProto alproto
Definition: detect.h:500
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1964
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:48
SigMatch_::type
uint8_t type
Definition: detect.h:323
DetectContentData_::within
int32_t within
Definition: detect-content.h:102
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
DETECT_BYTE_EXTRACT_BASE_NONE
#define DETECT_BYTE_EXTRACT_BASE_NONE
Definition: detect-byte-extract.c:57
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:490
DetectContentData_
Definition: detect-content.h:86
DetectByteExtractData_::name
const char * name
Definition: detect-byte-extract.h:50
DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
Definition: detect-byte-extract.h:37
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:642
SignatureInitData_::smlists_array_size
uint32_t smlists_array_size
Definition: detect.h:488
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:325
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:166
DETECT_CONTENT_OFFSET_BE
#define DETECT_CONTENT_OFFSET_BE
Definition: detect-content.h:45
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:61
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
DetectByteExtractData_::base
uint8_t base
Definition: detect-byte-extract.h:53
SCFree
#define SCFree(a)
Definition: util-mem.h:228
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
DETECT_BYTE_EXTRACT_FLAG_ALIGN
#define DETECT_BYTE_EXTRACT_FLAG_ALIGN
Definition: detect-byte-extract.h:31
DetectByteExtractData_::multiplier_value
uint16_t multiplier_value
Definition: detect-byte-extract.h:56
SignatureInitData_::list
int list
Definition: detect.h:472
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:56
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:73
DetectByteExtractData_::local_id
uint8_t local_id
Definition: detect-byte-extract.h:45
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:36
SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1133
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us. ...
Definition: detect-parse.c:407
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
DetectByteExtractData_::flags
uint8_t flags
Definition: detect-byte-extract.h:51
DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
Definition: detect-byte-extract.c:67
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:99
DETECT_BYTETEST_OFFSET_BE
#define DETECT_BYTETEST_OFFSET_BE
Definition: detect-bytetest.h:50
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:212
DetectPcreData_
Definition: detect-pcre.h:37
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:99
DETECT_BYTE_EXTRACT_ENDIAN_NONE
#define DETECT_BYTE_EXTRACT_ENDIAN_NONE
Definition: detect-byte-extract.h:35
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
Definition: detect-byte-extract.h:29
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:32
DetectByteExtractData_::nbytes
uint8_t nbytes
Definition: detect-byte-extract.h:47
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
Definition: detect-byte-extract.c:68
DETECT_BYTE_EXTRACT_FLAG_ENDIAN
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN
Definition: detect-byte-extract.h:32
len
uint8_t len
Definition: app-layer-dnp3.h:2643
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
DetectEngineThreadCtx_
Definition: detect.h:966
DetectByteExtractData_
Holds data related to byte_extract keyword.
Definition: detect-byte-extract.h:43
DETECT_BYTEJUMP_OFFSET_BE
#define DETECT_BYTEJUMP_OFFSET_BE
Definition: detect-bytejump.h:41
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:561
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-byte-extract.c:78
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
DETECT_CONTENT_DEPTH_BE
#define DETECT_CONTENT_DEPTH_BE
Definition: detect-content.h:46
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1686
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1156
SigMatch_
a single match condition for a signature
Definition: detect.h:322
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:334
DETECT_BYTE_EXTRACT_ENDIAN_DCE
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE
Definition: detect-byte-extract.h:38
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1641